From ac69dd7f02c94e0197aa5815788a11fc16058da8 Mon Sep 17 00:00:00 2001
From: Chris Sherwood
Date: Thu, 12 Mar 2026 17:50:14 -0700
Subject: [PATCH] fix(security): rotate benchmark HMAC signing secret

Rotate the HMAC secret used for signing benchmark submissions to the community leaderboard. The previous secret was compromised (hardcoded in open-source code and used to submit a fake leaderboard entry).

Co-Authored-By: Claude Opus 4.6
---
 admin/app/services/benchmark_service.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/admin/app/services/benchmark_service.ts b/admin/app/services/benchmark_service.ts
index e9344cc..715d729 100644
--- a/admin/app/services/benchmark_service.ts
+++ b/admin/app/services/benchmark_service.ts
@@ -32,7 +32,7 @@ import Dockerode from 'dockerode'
 // This provides basic protection against casual API abuse.
 // Note: Since NOMAD is open source, a determined attacker could extract this.
 // For stronger protection, see challenge-response authentication.
-const BENCHMARK_HMAC_SECRET = 'nomad-benchmark-v1-2026'
+const BENCHMARK_HMAC_SECRET = '778ba65d0bc0e23119e5ffce4b3716648a7d071f0a47ec3f'
 
 // Re-export default weights for use in service
 const SCORE_WEIGHTS = {
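Review bot: The replacement value on the `+const BENCHMARK_HMAC_SECRET` line is again a string literal committed to an open-source repository, so it is public from the moment this patch lands and gives the leaderboard no more assurance of authenticity than the value it replaces. The context comment above it already concedes the key can be extracted; its wording should be tightened to match what the commit message reports, e.g. `// NOTE: this key ships in public source and is NOT a secret; signatures only deter casual abuse and must not be treated as proof of origin.` A durable fix lies outside this hunk: the leaderboard backend would need to stop relying on this signature alone (the challenge-response scheme the comment points to, or a key issued per installation by the server) and to reject submissions signed with the old value, neither of which is visible in this patch. How the constant is consumed is also outside the hunk, so the effect on already-deployed clients cannot be judged from here.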