Get buttercup to run fully locally

[dguido]

1. AI/LLM Services (Anthropic, OpenAI, Azure) - These are appropriately configurable via environment variables and should remain
2. Container Registry - Currently hardcoded to ghcr.io/aixcc-finals/ which needs to be made configurable
3. Optional Services - LangFuse and OpenTelemetry are already optional and safe
4. Local Services - Redis, PostgreSQL, and most APIs default to localhost

The key issues to address:

• Remove hardcoded credentials in deployment/k8s/values.yaml
• Make the container registry URL configurable
• Create clear documentation for API key configuration

[dguido]

Buttercup External Services Dependency Report

Executive Summary

This report identifies all external services that Buttercup currently depends on. The goal is to make it safe for third parties to run this repository without accidentally using any of your services, while maintaining support for necessary AI model providers.

External Service Dependencies

1. AI/LLM Providers (Keep These)

These services are necessary for the core functionality and should be kept, but made configurable:

LiteLLM Service Configuration

• Service: LiteLLM (proxy for multiple LLM providers)
• Configuration: /litellm/litellm_config.yaml and deployment configs
• Environment Variables Required:
  • BUTTERCUP_LITELLM_HOSTNAME - LiteLLM proxy hostname
  • BUTTERCUP_LITELLM_KEY - Master key for LiteLLM
  • AZURE_API_BASE - Azure OpenAI API base URL
  • AZURE_API_KEY - Azure OpenAI API key
  • OPENAI_API_KEY - OpenAI API key
  • ANTHROPIC_API_KEY - Anthropic API key
• Recommendation: Keep but ensure users can easily configure their own keys

2. Container Registries (Need Attention)

These should be made configurable or removed:

GitHub Container Registry (ghcr.io)

• Usage: All Docker images are pulled from ghcr.io/aixcc-finals/
• Files: /deployment/k8s/values.yaml, compose files
• Images:
  • ghcr.io/aixcc-finals/afc-crs-trail-of-bits/buttercup-orchestrator
  • ghcr.io/aixcc-finals/afc-crs-trail-of-bits/buttercup-fuzzer
  • ghcr.io/aixcc-finals/afc-crs-trail-of-bits/buttercup-seed-gen
  • ghcr.io/aixcc-finals/afc-crs-trail-of-bits/buttercup-patcher
  • ghcr.io/aixcc-finals/afc-crs-trail-of-bits/buttercup-program-model
  • ghcr.io/aixcc-finals/example-crs-architecture/competition-test-api
• Recommendation: Make image registry configurable or provide instructions for building locally

3. Monitoring Services (Optional)

These services are optional and already configurable:

LangFuse (Observability)

• Purpose: LLM observability and monitoring
• Configuration: Optional, disabled by default
• Environment Variables:
  • LANGFUSE_HOST (defaults to https://cloud.langfuse.com)
  • LANGFUSE_PUBLIC_KEY
  • LANGFUSE_SECRET_KEY
• Recommendation: Already optional, no changes needed

OpenTelemetry (Metrics)

• Configuration: In /deployment/k8s/values.yaml
• Default: Points to https://127.0.0.1:4318 (localhost)
• Recommendation: Already safe, no changes needed

4. Competition API (Need Attention)

• Purpose: Competition submission API
• Configuration:
  • Default URL: http://localhost:1323
  • Can be configured via BUTTERCUP_TASK_SERVER__COMPETITION_API_URL
• Credentials: Default credentials are hardcoded in values.yaml
• Recommendation: Document that this is for testing only

5. Redis (Local Service)

• Purpose: Message queue and caching
• Default: redis://localhost:6379 or redis://redis:6379
• Recommendation: Safe as-is (local service)

6. PostgreSQL (Local Service)

• Purpose: Database for LiteLLM
• Default: Local PostgreSQL instance
• Recommendation: Safe as-is (local service)

Environment Variables Summary

Required for LLM Functionality

# LiteLLM Configuration
BUTTERCUP_LITELLM_HOSTNAME=http://localhost:8080  # Or your LiteLLM instance
BUTTERCUP_LITELLM_KEY=<your-litellm-master-key>

# At least one of these AI provider keys:
OPENAI_API_KEY=<your-openai-key>
ANTHROPIC_API_KEY=<your-anthropic-key>
AZURE_API_KEY=<your-azure-key>
AZURE_API_BASE=<your-azure-endpoint>

Optional Services

# LangFuse (optional monitoring)
LANGFUSE_HOST=https://cloud.langfuse.com
LANGFUSE_PUBLIC_KEY=<your-key>
LANGFUSE_SECRET_KEY=<your-secret>

Recommendations

1. Immediate Actions

1. Document API Key Requirements: Create clear documentation about which API keys users need to provide
2. Remove Default Credentials: Remove hardcoded API credentials from values.yaml
3. Make Container Registry Configurable: Allow users to specify their own container registry

2. Code Changes Needed

Update deployment/k8s/values.yaml

• Remove hardcoded api_key_token and competition_api_key_token
• Make container registry URL configurable
• Add comments explaining each external service

Create .env.example file

# Required for AI functionality
BUTTERCUP_LITELLM_HOSTNAME=http://localhost:8080
BUTTERCUP_LITELLM_KEY=your-key-here

# AI Provider Keys (at least one required)
OPENAI_API_KEY=
ANTHROPIC_API_KEY=
AZURE_API_KEY=
AZURE_API_BASE=

# Optional monitoring
LANGFUSE_HOST=
LANGFUSE_PUBLIC_KEY=
LANGFUSE_SECRET_KEY=

Update Documentation

• Add "External Services" section to README
• Explain how to configure each service
• Provide instructions for building images locally

3. Safe Defaults

The following services already use safe local defaults:

• Redis (localhost:6379)
• PostgreSQL (local instance)
• Competition API (localhost:1323)
• OpenTelemetry (localhost:4318)

4. Testing Recommendations

1. Test deployment with no external credentials
2. Verify that clear error messages appear when required services are missing
3. Document minimum viable configuration

Conclusion

The main concerns are:

1. Container Registry: Currently hardcoded to your GitHub registry
2. Default Credentials: Some test credentials in values.yaml
3. LLM API Keys: Need clear documentation on configuration

The system is already well-designed for local deployment, with most services defaulting to localhost. The primary work needed is documentation and making the container registry configurable.

[ret2libc]

I think this can be closed. The system already runs well locally without aixcc references. It does need better README, but we are working on that and there are separate issues to track that #214 #174