Skip to content

Security hardening for open-source release#2

Merged
Niduank merged 1 commit into
mainfrom
fix/security-hardening
Jun 19, 2026
Merged

Security hardening for open-source release#2
Niduank merged 1 commit into
mainfrom
fix/security-hardening

Conversation

@Niduank

@Niduank Niduank commented Jun 19, 2026

Copy link
Copy Markdown
Collaborator

Pre-open-source security hardening (audit findings #1, #3, #8, #10):

  • Token leak in logs (Migrate bundle identifier to inc.synth.onit.quickedit #3): gate printCurlRequest and its Perplexity call-site behind #if DEBUG so Bearer tokens no longer reach Release logs; remove a stray print("here").
  • Provisioning profile (Remove Secrets.xcconfig + SecretsManager system #1): stop tracking Onit_Developer_ID.provisionprofile and ignore *.provisionprofile / *.mobileprovision. The file stays on disk for local builds.
  • Usage description (docs: standalone QuickEdit README #8): add NSAppleEventsUsageDescription for the Apple Events automation entitlement.
  • CI (#10): remove the onitbot resolver and code-review GitHub workflows — they reference a private repo (synth-inc/onitbot) and use secrets, so they don't belong in a public repo.

Note: the Developer ID provisioning profile was also removed from history — the single root commit was rewritten and origin/main force-pushed accordingly.

@github-actions

Copy link
Copy Markdown

🔍 Onit Code Review

❌ API Error (401): {"type":"error","error":{"type":"authentication_error","message":"x-api-key header is required"},"request_id":"req_011CcCH6k2NbsAxvwAzAcMTf"}


Automated review · 66a43e0

- Gate printCurlRequest and its Perplexity call-site behind #if DEBUG so
  Bearer tokens no longer reach Release logs
- Stop tracking the Developer ID provisioning profile; ignore
  *.provisionprofile and *.mobileprovision
- Add NSAppleEventsUsageDescription for the Apple Events automation entitlement
- Remove the onitbot resolver and code-review GitHub workflows — they reference
  a private repo (synth-inc/onitbot) and use secrets, so they don't belong in a
  public repo
@Niduank Niduank force-pushed the fix/security-hardening branch from 66a43e0 to 3a0d97e Compare June 19, 2026 08:46
@Niduank Niduank merged commit 5f4b345 into main Jun 19, 2026
@Niduank Niduank deleted the fix/security-hardening branch June 19, 2026 08:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant