fix(security): generate dedicated DREAM_AGENT_KEY in both installers

yasinBursali · yasinBursali · commit dd7cac6b2e7c · 2026-04-17T16:30:36.000+04:00
DREAM_AGENT_KEY was registered in .env.schema.json and preferred
by the host agent, but never generated by either installer. All
installations fell back to DASHBOARD_API_KEY, meaning the
browser-facing dashboard key doubled as the privileged host agent
credential.

Now generated as a separate 32-byte hex secret alongside
DASHBOARD_API_KEY. Existing installs retain their current keys
on re-install (merge logic preserves values).
diff --git a/dream-server/installers/macos/lib/env-generator.sh b/dream-server/installers/macos/lib/env-generator.sh
@@ -132,6 +132,8 @@ generate_dream_env() {
     livekit_api_key=$(new_secure_hex 16)
     local dashboard_api_key
     dashboard_api_key=$(new_secure_hex 32)
+    local dream_agent_key
+    dream_agent_key=$(new_secure_hex 32)
     local openclaw_token
     openclaw_token=$(new_secure_hex 24)
     local qdrant_api_key
@@ -221,6 +223,7 @@ LANGFUSE_PORT=3006
 #=== Security (auto-generated, keep secret!) ===
 WEBUI_SECRET=${webui_secret}
 DASHBOARD_API_KEY=${dashboard_api_key}
+DREAM_AGENT_KEY=${dream_agent_key}
 N8N_USER=admin@dreamserver.local
 N8N_PASS=${n8n_pass}
 LITELLM_KEY=${litellm_key}
diff --git a/dream-server/installers/phases/06-directories.sh b/dream-server/installers/phases/06-directories.sh
@@ -199,6 +199,7 @@ Fix with: sudo chown -R \$(id -u):\$(id -g) $INSTALL_DIR/config $INSTALL_DIR/dat
     LITELLM_KEY=$(_env_get LITELLM_KEY "sk-dream-$(openssl rand -hex 16 2>/dev/null || head -c 16 /dev/urandom | xxd -p)")
     LIVEKIT_SECRET=$(_env_get LIVEKIT_API_SECRET "$(openssl rand -base64 32 2>/dev/null || head -c 32 /dev/urandom | base64)")
     DASHBOARD_API_KEY=$(_env_get DASHBOARD_API_KEY "$(openssl rand -hex 32 2>/dev/null || head -c 32 /dev/urandom | xxd -p)")
+    DREAM_AGENT_KEY=$(_env_get DREAM_AGENT_KEY "$(openssl rand -hex 32 2>/dev/null || head -c 32 /dev/urandom | xxd -p)")
     DIFY_SECRET_KEY=$(_env_get DIFY_SECRET_KEY "$(openssl rand -hex 32 2>/dev/null || head -c 32 /dev/urandom | xxd -p)")
     QDRANT_API_KEY=$(_env_get QDRANT_API_KEY "$(openssl rand -hex 32 2>/dev/null || head -c 32 /dev/urandom | xxd -p)")
     OPENCODE_SERVER_PASSWORD=$(_env_get OPENCODE_SERVER_PASSWORD "$(openssl rand -base64 16 2>/dev/null || head -c 16 /dev/urandom | base64)")
@@ -342,6 +343,7 @@ LANGFUSE_PORT=${LANGFUSE_PORT}
 #=== Security (auto-generated, keep secret!) ===
 WEBUI_SECRET=${WEBUI_SECRET}
 DASHBOARD_API_KEY=${DASHBOARD_API_KEY}
+DREAM_AGENT_KEY=${DREAM_AGENT_KEY}
 N8N_USER=admin@dreamserver.local
 N8N_PASS=${N8N_PASS}
 LITELLM_KEY=${LITELLM_KEY}
