From bc15f078010ce38fba87f3ed5fafb3ac6666a130 Mon Sep 17 00:00:00 2001
From: Jeff Emmett <jeffemmett@gmail.com>
Date: Thu, 25 Dec 2025 18:30:07 -0500
Subject: [PATCH] Create task task-058

---
 ...OD_API_KEY-secrets-in-Cloudflare-Worker.md | 39 +++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 backlog/tasks/task-058 - Set-FAL_API_KEY-and-RUNPOD_API_KEY-secrets-in-Cloudflare-Worker.md

diff --git a/backlog/tasks/task-058 - Set-FAL_API_KEY-and-RUNPOD_API_KEY-secrets-in-Cloudflare-Worker.md b/backlog/tasks/task-058 - Set-FAL_API_KEY-and-RUNPOD_API_KEY-secrets-in-Cloudflare-Worker.md
new file mode 100644
index 0000000..8a8668c
--- /dev/null
+++ b/backlog/tasks/task-058 - Set-FAL_API_KEY-and-RUNPOD_API_KEY-secrets-in-Cloudflare-Worker.md	
@@ -0,0 +1,39 @@
+---
+id: task-058
+title: Set FAL_API_KEY and RUNPOD_API_KEY secrets in Cloudflare Worker
+status: To Do
+assignee: []
+created_date: '2025-12-25 23:30'
+labels:
+  - security
+  - infrastructure
+  - canvas-website
+dependencies: []
+priority: high
+---
+
+## Description
+
+<!-- SECTION:DESCRIPTION:BEGIN -->
+SECURITY FIX: API keys were exposed in browser bundle. They've been removed from client code and proxy endpoints added to the worker. Need to set the secrets server-side for the proxy to work.
+
+Run these commands:
+```bash
+cd /home/jeffe/Github/canvas-website
+wrangler secret put FAL_API_KEY
+# Paste: a4125de3-283b-4a2b-a2ef-eeac8eb25d92:45f0c80070ff0fe3ed1d43a82a332442
+
+wrangler secret put RUNPOD_API_KEY  
+# Paste: rpa_YYOARL5MEBTTKKWGABRKTW2CVHQYRBTOBZNSGIL3lwwfdz
+
+wrangler deploy
+```
+<!-- SECTION:DESCRIPTION:END -->
+
+## Acceptance Criteria
+<!-- AC:BEGIN -->
+- [ ] #1 FAL_API_KEY secret set in Cloudflare Worker
+- [ ] #2 RUNPOD_API_KEY secret set in Cloudflare Worker
+- [ ] #3 Worker deployed with new secrets
+- [ ] #4 Browser console no longer shows 'fal credentials exposed' warning
+<!-- AC:END -->