Scottcjn · Scottcjn · May 14, 2026 · May 13, 2026
@@ -6374,7 +6374,9 @@ def attest_debug():
     """Debug endpoint: show miner's enrollment eligibility"""
     # SECURITY FIX 2026-02-15: Require admin key - exposes internal config + MAC hashes
     admin_key = request.headers.get("X-Admin-Key", "") or request.headers.get("X-API-Key", "")
-    if not hmac.compare_digest(admin_key, ADMIN_KEY or ""):
+    if not ADMIN_KEY:
+        return jsonify({"error": "Admin key not configured"}), 503
+    if not hmac.compare_digest(admin_key, ADMIN_KEY):
         return jsonify({"error": "Unauthorized - admin key required"}), 401
     data = request.get_json()
 

diff --git a/tests/test_api.py b/tests/test_api.py
@@ -100,3 +100,13 @@ def test_pending_list_requires_admin(client):
     """Unauthenticated /pending/list should return 401."""
     response = client.get('/pending/list?limit=abc')
     assert response.status_code == 401
+
+
+def test_attest_debug_fails_closed_when_admin_key_unconfigured(client, monkeypatch):
+    """No configured admin key must not authenticate a missing header."""
+    monkeypatch.setattr(integrated_node, "ADMIN_KEY", None)
+
+    response = client.post('/ops/attest/debug', json={"miner": "miner-test"})
+
+    assert response.status_code == 503
+    assert response.get_json()["error"] == "Admin key not configured"