From 6415c34f34fc3bd8e1226ec18df33115dda9c193 Mon Sep 17 00:00:00 2001
From: MiracleOfWebfi
Date: Wed, 27 May 2026 16:31:56 +0000
Subject: [PATCH] fix: resolve security and process issues #732 #733 #734 #735
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

#732 — services/api/.env.example: replace placeholder values that resembled real secrets with clearly empty or generic equivalents. DATABASE_URL now uses an angle-bracket template; SENDGRID_API_KEY is blank; FROM_EMAIL uses example.com.

#733 — .gitleaks.toml: tighten the allowlist. Removed overly broad path globs (all .md files, all test files) that could suppress real leaks. Each remaining entry now has a justification comment and is scoped to the exact file or the narrowest regex that covers the known false positive.

#734 — CONTRIBUTING.md: document branch protection rules for main (PR required, CI must pass, 1+ approval, no force push, no deletion) and the development workflow.

#735 — .github/CODEOWNERS: created file mapping sensitive paths to designated reviewer teams. contracts/ → smart-contract-team, services/api/src/security.rs → security-team, .github/workflows/ and infrastructure/ → devops.

Closes #732
Closes #733
Closes #734
Closes #735
---
 .github/CODEOWNERS | 19 +++++++++++++++++++
 .gitleaks.toml | 15 ++++++++++-----
 CONTRIBUTING.md | 32 ++++++++++++++++++++++++++++++++
 services/api/.env.example | 6 +++---
 4 files changed, 64 insertions(+), 8 deletions(-)
 create mode 100644 .github/CODEOWNERS
 create mode 100644 CONTRIBUTING.md

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..0c88e93
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,19 @@
+# CODEOWNERS
+# Each line maps a path pattern to one or more GitHub teams or users.
+# The last matching rule takes precedence.
+# Docs: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+# Default owner for everything not matched below
+* @solutions-plug/maintainers
+
+# Smart contract code — requires smart contract team review
+/contracts/ @solutions-plug/smart-contract-team
+
+# Security module — requires security team review
+/services/api/src/security.rs @solutions-plug/security-team
+
+# CI/CD workflows — requires DevOps review
+/.github/workflows/ @solutions-plug/devops
+
+# Infrastructure / Terraform — requires DevOps review
+/infrastructure/ @solutions-plug/devops
diff --git a/.gitleaks.toml b/.gitleaks.toml
index 9f10dc7..ec466be 100644
--- a/.gitleaks.toml
+++ b/.gitleaks.toml
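Review bot: The files that decide who reviews what and what the secret scanner ignores are themselves covered only by the `*` default, so a PR that edits `.github/CODEOWNERS` or `.gitleaks.toml` (for instance to re-widen the allowlist that #733 just narrowed) needs only a maintainers approval; add `/.github/CODEOWNERS @solutions-plug/security-team` and `/.gitleaks.toml @solutions-plug/security-team` after the `security.rs` rule so those changes route to the same team. Separately, CODEOWNERS on its own only requests reviews — it does not block a merge unless "Require review from Code Owners" is enabled on the `main` protection rule, and the CONTRIBUTING text in this commit describes the requirement as one approval from any team member, so either enable that setting and document it, or state in CONTRIBUTING that owner review is advisory. Team slugs are taken on trust here; each team must exist with write access or GitHub will report the line as an error in the CODEOWNERS syntax check.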
@@ -34,18 +34,23 @@ regex = '''redis://[a-zA-Z0-9_-]+:[a-zA-Z0-9_-]+@[a-zA-Z0-9.-]+:[0-9]+'''
 tags = ["redis", "connection"]
 
 [allowlist]
-description = "Allowlist for false positives"
+description = "Allowlist for known false positives — each entry is intentional and scoped as narrowly as possible"
+
 paths = [
- '''^\.env\.example$''',
- '''^.*\.md$''',
- '''^.*test.*\.rs$''',
- '''^.*_test\.ts$''',
+ # .env.example documents required variables with empty or clearly fake values; never contains real secrets
+ '''^services/api/\.env\.example$''',
+ # frontend .env.example follows the same convention
+ '''^frontend/\.env\.example$''',
 ]
 
 regexes = [
+ # Generic placeholder domain used in code examples and templates — not a real host
 '''example\.com''',
+ # Loopback addresses are not secrets; they appear in default config and tests
 '''localhost''',
 '''127\.0\.0\.1''',
+ # Canonical Stellar placeholder public key (all X's) used in documentation
 '''GXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX''',
+ # Canonical Stellar placeholder secret key (all X's) used in documentation
 '''SXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX''',
 ]
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000..74ef594
--- /dev/null
+++ b/CONTRIBUTING.md
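Review bot: The three host entries kept in `regexes` (`example\.com`, `localhost`, `127\.0\.0\.1`) are unanchored substrings, so — with gitleaks' default `regexTarget`, which tests the matched secret — any finding whose secret merely contains one of them is suppressed; a real password in a `redis://app:<real-password>@localhost:6379` string matched by the rule shown in the hunk header would be dropped, which contradicts the new "scoped as narrowly as possible" description. Anchor each to the exact false-positive form it is meant to cover (a `^…$` pattern with no credential component, e.g. `'''^https?://(localhost|127\.0\.0\.1)(:[0-9]+)?/?$'''`), or move host-only patterns into per-rule `[rules.allowlist]` tables on rules that cannot capture a credential, so the postgres/redis connection-string rules keep firing for loopback hosts. The two all-X Stellar keys are fixed-length literals and are fine as written. The comments added above each entry are a good pattern; the same justification is worth adding to the `paths` entries' claim "never contains real secrets", which the `.env.example` change in this commit only partly enforces (see the note on that file).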
@@ -0,0 +1,32 @@
+# Contributing to PredictIQ
+
+## Branch Protection Rules
+
+The `main` branch is protected. The following rules are enforced:
+
+- **Pull request required** — direct pushes to `main` are not allowed; all changes must go through a PR.
+- **CI must pass** — all status checks in `.github/workflows/` must succeed before a PR can be merged.
+- **At least 1 approval required** — a PR must receive at least one approving review from a team member.
+- **No force pushes** — `git push --force` to `main` is disabled.
+- **No branch deletion** — `main` cannot be deleted.
+
+These rules are configured in the repository settings under **Settings → Branches → Branch protection rules**.
+
+## Code Ownership
+
+Sensitive paths have designated reviewers defined in [`.github/CODEOWNERS`](.github/CODEOWNERS). GitHub automatically requests a review from the relevant owner when a PR touches those paths.
+
+## Development Workflow
+
+1. Create a feature branch from `main`: `git checkout -b feat/your-feature`
+2. Make your changes and commit with a descriptive message.
+3. Open a pull request against `main`.
+4. Ensure all CI checks pass and at least one reviewer approves.
+5. Merge using **Squash and merge** to keep the history clean.
+
+## Secrets and Environment Variables
+
+- Never commit real secrets or credentials.
+- Copy `services/api/.env.example` to `services/api/.env` and fill in real values locally. The `.env` file is gitignored.
+- All placeholder values in `.env.example` are intentionally empty or clearly fake.
+- Gitleaks runs on every push to detect accidental secret commits (see `.gitleaks.toml`).
diff --git a/services/api/.env.example b/services/api/.env.example
index bf5b3f6..cfa9310 100644
--- a/services/api/.env.example
+++ b/services/api/.env.example
@@ -3,7 +3,7 @@ API_BIND_ADDR=0.0.0.0:8080
 BASE_URL=http://localhost:8080
 
 # Database
-DATABASE_URL=postgres://postgres:postgres@localhost/predictiq
+DATABASE_URL=postgres://:@/
 
 # PostgreSQL connection pool (sqlx); same values as built-in defaults
 DB_POOL_MIN_CONNECTIONS=5
@@ -35,8 +35,8 @@ PREDICTIQ_CONTRACT_ID=predictiq_contract
 # CONTRACT_KEY_HEALTH_CHECK=platform:stats # defaults to CONTRACT_KEY_PLATFORM_STATS
 
 # Email Service (SendGrid)
-SENDGRID_API_KEY=SG.your_sendgrid_api_key_here
-FROM_EMAIL=noreply@predictiq.com
+SENDGRID_API_KEY=
+FROM_EMAIL=noreply@example.com
 
 # Optional Configuration
 RUST_LOG=info
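Review bot: `DATABASE_URL=postgres://:@/` in the first hunk does not match the commit message, which says the value now uses an angle-bracket template, and it gives a developer who copies this file no hint of the expected components or that the value must be replaced before the service will start. Write the template the message describes, `DATABASE_URL=postgres://<user>:<password>@<host>:<port>/<database>`, which is equally non-secret, cannot match the connection-string rules (angle brackets are outside their character classes), and is covered by the `.env.example` path allowlist added in this commit. In the second hunk the blank `SENDGRID_API_KEY=` would read better with the expectation stated above it, e.g. `# Required for outbound mail; set in services/api/.env only, never here`, which is the convention the new CONTRIBUTING text relies on. `FROM_EMAIL=noreply@example.com` is fine.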