Skip to content

fix: security and process hardening (#732 #733 #734 #735)#753

Open
miracle605 wants to merge 1 commit into
solutions-plug:mainfrom
miracle605:main
Open

fix: security and process hardening (#732 #733 #734 #735)#753
miracle605 wants to merge 1 commit into
solutions-plug:mainfrom
miracle605:main

Conversation

@miracle605
Copy link
Copy Markdown

@miracle605 miracle605 commented May 27, 2026

Summary

This PR resolves four related security and process issues in a single batch.

#732 — Clean up .env.example placeholder values

services/api/.env.example contained values that resembled real secrets (SG.your_sendgrid_api_key_here, postgres://postgres:postgres@...). These have been replaced with clearly empty or generic equivalents so developers cannot accidentally copy them into production.

Changes:

  • SENDGRID_API_KEY → blank (empty value)
  • FROM_EMAILnoreply@example.com
  • DATABASE_URL → angle-bracket template postgres://<user>:<password>@<host>/<dbname>

#733 — Tighten .gitleaks.toml allowlist

The previous allowlist used broad path globs (^.*\.md$, ^.*test.*\.rs$) that could suppress detection of real secrets committed inside any Markdown or test file. Each entry is now scoped as narrowly as possible and annotated with a justification comment.

Changes:

  • Removed blanket .md and test-file path allowances
  • Pinned exact paths for the two .env.example files
  • Added inline comments explaining every regex and path entry

#734 — Create CONTRIBUTING.md with branch protection rules

No documentation existed for how main is protected or how contributors should work. CONTRIBUTING.md now covers:

  • Branch protection rules (PR required, CI must pass, 1+ approval, no force push, no deletion)
  • Code ownership via CODEOWNERS
  • Development workflow (branch → PR → review → squash merge)
  • Secrets handling guidance

#735 — Create .github/CODEOWNERS

Changes to sensitive paths now automatically request review from the appropriate team.

Path Owner
/contracts/ @solutions-plug/smart-contract-team
/services/api/src/security.rs @solutions-plug/security-team
/.github/workflows/ @solutions-plug/devops
/infrastructure/ @solutions-plug/devops
* (default) @solutions-plug/maintainers

Closes #732
Closes #733
Closes #734
Closes #735

@miracle605
fix: resolve security and process issues solutions-plug#732 solutions…
6415c34 
…-plug#733 solutions-plug#734 solutions-plug#735

solutions-plug#732 — services/api/.env.example: replace placeholder values that
resembled real secrets with clearly empty or generic equivalents.
DATABASE_URL now uses an angle-bracket template; SENDGRID_API_KEY is
blank; FROM_EMAIL uses example.com.

solutions-plug#733 — .gitleaks.toml: tighten the allowlist. Removed overly broad
path globs (all .md files, all test files) that could suppress real
leaks. Each remaining entry now has a justification comment and is
scoped to the exact file or the narrowest regex that covers the
known false positive.

solutions-plug#734 — CONTRIBUTING.md: document branch protection rules for main
(PR required, CI must pass, 1+ approval, no force push, no deletion)
and the development workflow.

solutions-plug#735 — .github/CODEOWNERS: created file mapping sensitive paths to
designated reviewer teams. contracts/ → smart-contract-team,
services/api/src/security.rs → security-team,
.github/workflows/ and infrastructure/ → devops.

Closes solutions-plug#732
Closes solutions-plug#733
Closes solutions-plug#734
Closes solutions-plug#735
@drips-wave
Copy link
Copy Markdown

drips-wave Bot commented May 27, 2026

@miracle605 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

1 participant

@miracle605