Move explorer AI key loading to secure secrets

docs/EXPLORER_API_ACCESS.md

@@ -215,14 +215,24 @@ Use the dedicated deployment script when you need to:
 - ensure a real `JWT_SECRET`
 - install or refresh the explorer database override used for AI indexed context
 - optionally install `XAI_API_KEY`
+- recommended local secret file: `~/.secure-secrets/explorer-ai.env`
 - normalize nginx for `/explorer-api/v1/*`
 
 ```bash
 cd /path/to/explorer-monorepo
 XAI_API_KEY=... bash scripts/deploy-explorer-ai-to-vmid5000.sh
+
+# or keep the key outside the repo and let the deploy script source it:
+cat > ~/.secure-secrets/explorer-ai.env <<'EOF'
+XAI_BASE_URL=https://api.x.ai/v1
+EXPLORER_AI_MODEL=grok-3
+XAI_API_KEY=...
+EOF
+chmod 600 ~/.secure-secrets/explorer-ai.env
+bash scripts/deploy-explorer-ai-to-vmid5000.sh
 ```
 
-If `XAI_API_KEY` is omitted, the AI context endpoint will still work, but chat will remain disabled with a backend `service_unavailable` response.
+If `XAI_API_KEY` is omitted, the AI context endpoint will still work, but chat will remain disabled with a backend `service_unavailable` response. The deploy script will automatically source `~/.secure-secrets/explorer-ai.env` when it exists.
 
 On VMID `5000`, the script also writes a dedicated `database.conf` drop-in for `explorer-config-api` so AI context can query the live Blockscout Postgres container instead of assuming `localhost:5432`.
 

scripts/deploy-explorer-ai-to-vmid5000.sh

@@ -11,6 +11,14 @@ TMP_DIR="$(mktemp -d)"
 JWT_SECRET_VALUE="${JWT_SECRET_VALUE:-}"
 EXPLORER_AI_MODEL_VALUE="${EXPLORER_AI_MODEL_VALUE:-grok-3}"
 EXPLORER_DATABASE_URL_VALUE="${EXPLORER_DATABASE_URL_VALUE:-}"
+SECURE_AI_ENV_FILE="${SECURE_AI_ENV_FILE:-$HOME/.secure-secrets/explorer-ai.env}"
+
+if [ -f "$SECURE_AI_ENV_FILE" ]; then
+    set -a
+    # Source the local secrets file so deploys do not depend on repo-stored API keys.
+    source "$SECURE_AI_ENV_FILE"
+    set +a
+fi
 
 cleanup() {
     rm -rf "$TMP_DIR"