fix: rename MT5_API_KEY to MT5API_SECRET_KEY

[dceoy]

Summary

• rename the server auth environment variable from MT5_API_KEY to MT5API_SECRET_KEY
• preserve MT5_API_KEY as a backward-compatible fallback during the rename so upgrades do not disable auth unexpectedly
• switch API key verification to hmac.compare_digest() and fix the remaining quickstart references to the old env var name

Testing

• /Users/dceoy/util/mt5api/.agents/skills/local-qa/scripts/qa.sh
• pre-push hook QA during git push -u origin bugfix/update-skill

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 59a7a43c4e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[claude]

Clean rename — the env var, constant, config function, auth module, tests, and all user-facing docs are consistent. Two small items worth addressing:

1. Stale API_KEY references in specs/041-mt5-rest-api/quickstart.md

Two references to the old bare API_KEY name were missed (these lines are outside the diff):

• Line 558: "Ensure API_KEY environment variable is set" → should be MT5API_SECRET_KEY
• Line 591: nssm set MT5-API AppEnvironmentExtra API_KEY=your-key-here → should be MT5API_SECRET_KEY=your-key-here

2. Pre-existing: timing-attack vulnerable key comparison in auth.py

Not introduced by this PR, but since auth.py is being touched: line 64 uses != for API key comparison, which is susceptible to timing side-channel attacks (CWE-208). Consider switching to hmac.compare_digest() for constant-time comparison — it's a one-line fix:

import hmac

if not hmac.compare_digest(api_key_header_value, expected_key):

This could be a follow-up PR to keep this one focused on the rename.

[dceoy]

Addressed the review feedback in 9cc23bf.

• preserved MT5_API_KEY as a backward-compatible fallback during the rename to MT5API_SECRET_KEY
• switched API key verification to hmac.compare_digest()
• fixed the remaining quickstart references that still used the old env var name
• reran /Users/dceoy/util/mt5api/.agents/skills/local-qa/scripts/qa.sh and the pre-push QA hook