Fix security

bot/services/api_client.py

@@ -32,6 +32,11 @@ class APIClient:
         session = await self._get_session()
         url = f"{self.base_url}/api/v1{endpoint}"
 
+        # Add bot secret header for authentication
+        headers = kwargs.pop("headers", {})
+        if settings.BOT_API_SECRET:
+            headers["X-Bot-Secret"] = settings.BOT_API_SECRET
+
         logger.info(f"[APIClient] {method} {url}")
         if 'json' in kwargs:
             logger.info(f"[APIClient] Request body: {kwargs['json']}")
@@ -39,7 +44,7 @@ class APIClient:
             logger.info(f"[APIClient] Request params: {kwargs['params']}")
 
         try:
-            async with session.request(method, url, **kwargs) as response:
+            async with session.request(method, url, headers=headers, **kwargs) as response:
                 logger.info(f"[APIClient] Response status: {response.status}")
                 response_text = await response.text()
                 logger.info(f"[APIClient] Response body: {response_text[:500]}")