add detailed sitemap#119
Open
pinkycollie wants to merge 133 commits into
Open
Conversation
Co-authored-by: pinkycollie <199848471+pinkycollie@users.noreply.github.com>
Co-authored-by: pinkycollie <199848471+pinkycollie@users.noreply.github.com>
Co-authored-by: pinkycollie <199848471+pinkycollie@users.noreply.github.com>
Co-authored-by: pinkycollie <199848471+pinkycollie@users.noreply.github.com>
Co-authored-by: pinkycollie <199848471+pinkycollie@users.noreply.github.com>
Co-authored-by: pinkycollie <199848471+pinkycollie@users.noreply.github.com>
…amples Co-authored-by: pinkycollie <199848471+pinkycollie@users.noreply.github.com>
- Add GitHub Actions CI/CD pipeline with testing, linting, and build jobs - Add security scanning workflow with CodeQL and npm audit - Add Dependabot configuration for automated dependency updates - Add pre-commit hooks with Husky and lint-staged - Create comprehensive ARCHITECTURE.md documentation - Create CONTRIBUTING.md guide for contributors - Add Terraform IaC templates and structure - Enhance README with badges and improved documentation - Add Prettier configuration for code formatting Co-authored-by: pinkycollie <199848471+pinkycollie@users.noreply.github.com>
- Enhance Docker Compose with health checks and proper networking - Add Dockerfile templates for all services - Create Kubernetes manifests for production deployment - Add accessibility testing workflow - Create deployment documentation - Enhance frontend with performance optimizations - Add loading states and smooth scroll behavior Co-authored-by: pinkycollie <199848471+pinkycollie@users.noreply.github.com>
- Fix Terraform availability zones to be region-agnostic - Fix Docker Compose frontend URLs to use service names - Update Docker commands to use docker compose (V2) - Fix TypeScript CSS custom property typing - Remove weak default secrets in docker-compose.yml - Add validation for required environment variables - Update terraform example with availability zones comment Co-authored-by: pinkycollie <199848471+pinkycollie@users.noreply.github.com>
…ation [WIP] Enhance workflows and architecture in DEAF-FIRST-PLATFORM
Bumps [bcrypt](https://github.com/kelektiv/node.bcrypt.js) from 5.1.1 to 6.0.0. - [Release notes](https://github.com/kelektiv/node.bcrypt.js/releases) - [Changelog](https://github.com/kelektiv/node.bcrypt.js/blob/master/CHANGELOG.md) - [Commits](kelektiv/node.bcrypt.js@v5.1.1...v6.0.0) --- updated-dependencies: - dependency-name: bcrypt dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) from 2.1.9 to 4.0.15. - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.0.15/packages/vitest) --- updated-dependencies: - dependency-name: vitest dependency-version: 4.0.15 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [dotenv](https://github.com/motdotla/dotenv) from 16.6.1 to 17.2.3. - [Changelog](https://github.com/motdotla/dotenv/blob/master/CHANGELOG.md) - [Commits](motdotla/dotenv@v16.6.1...v17.2.3) --- updated-dependencies: - dependency-name: dotenv dependency-version: 17.2.3 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Remove XANO webhook secret from README
Co-authored-by: pinkycollie <199848471+pinkycollie@users.noreply.github.com>
Co-authored-by: pinkycollie <199848471+pinkycollie@users.noreply.github.com>
Co-authored-by: pinkycollie <199848471+pinkycollie@users.noreply.github.com>
Co-authored-by: pinkycollie <199848471+pinkycollie@users.noreply.github.com>
Co-authored-by: pinkycollie <199848471+pinkycollie@users.noreply.github.com>
Co-authored-by: pinkycollie <199848471+pinkycollie@users.noreply.github.com>
Co-authored-by: pinkycollie <199848471+pinkycollie@users.noreply.github.com>
…ntain permissions' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Pinky Collie <199848471+pinkycollie@users.noreply.github.com>
Signed-off-by: Pinky Collie <199848471+pinkycollie@users.noreply.github.com>
Signed-off-by: Pinky Collie <199848471+pinkycollie@users.noreply.github.com>
Signed-off-by: Pinky Collie <199848471+pinkycollie@users.noreply.github.com>
Signed-off-by: Pinky Collie <199848471+pinkycollie@users.noreply.github.com>
Signed-off-by: Pinky Collie <199848471+pinkycollie@users.noreply.github.com>
Signed-off-by: Pinky Collie <199848471+pinkycollie@users.noreply.github.com>
Signed-off-by: Pinky Collie <199848471+pinkycollie@users.noreply.github.com>
Signed-off-by: Pinky Collie <199848471+pinkycollie@users.noreply.github.com>
Signed-off-by: Pinky Collie <199848471+pinkycollie@users.noreply.github.com>
Signed-off-by: Pinky Collie <199848471+pinkycollie@users.noreply.github.com>
Comment on lines
+46
to
+63
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v3 | ||
|
|
||
| - name: Use Node.js | ||
| uses: actions/setup-node@v3 | ||
| with: | ||
| node-version: '20.x' | ||
| cache: 'npm' | ||
|
|
||
| - name: Install dependencies | ||
| run: npm ci | ||
|
|
||
| - name: Validate all OpenAPI specifications | ||
| run: npm run validate:openapi | ||
|
|
||
| generate-sdks: |
| run: npm run validate:openapi | ||
|
|
||
| generate-sdks: | ||
| runs-on: ubuntu-latest |
Signed-off-by: Pinky Collie <199848471+pinkycollie@users.noreply.github.com>
Signed-off-by: Pinky Collie <199848471+pinkycollie@users.noreply.github.com>
Signed-off-by: Pinky Collie <199848471+pinkycollie@users.noreply.github.com>
Signed-off-by: Pinky Collie <199848471+pinkycollie@users.noreply.github.com>
Signed-off-by: Pinky Collie <199848471+pinkycollie@users.noreply.github.com>
Signed-off-by: Pinky Collie <199848471+pinkycollie@users.noreply.github.com>
Signed-off-by: Pinky Collie <199848471+pinkycollie@users.noreply.github.com>
…pes/node-25.9.0' into main
This workflow runs security checks on pull requests and pushes to main, including audits, banned imports, secret detection, and rate limiting checks. Signed-off-by: Pinky Collie <199848471+pinkycollie@users.noreply.github.com>
Comment on lines
+14
to
+92
| name: Security Audit and Dependency Scan | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '20' | ||
| cache: 'npm' | ||
|
|
||
| - name: Install dependencies | ||
| run: npm ci | ||
|
|
||
| - name: Run npm audit | ||
| run: | | ||
| echo "Running npm audit..." | ||
| npm audit --audit-level=high | ||
| continue-on-error: false | ||
|
|
||
| - name: Check for banned imports in /api | ||
| run: | | ||
| echo "Checking for banned database imports in /api directory..." | ||
| if grep -r "import.*drizzle" ./api/ 2>/dev/null; then | ||
| echo "ERROR: Direct drizzle imports found in /api directory" | ||
| exit 1 | ||
| fi | ||
| if grep -r "import.*pg\>" ./api/ 2>/dev/null; then | ||
| echo "ERROR: Direct pg imports found in /api directory" | ||
| exit 1 | ||
| fi | ||
| if grep -r "from ['\"]drizzle" ./api/ 2>/dev/null; then | ||
| echo "ERROR: Direct drizzle imports found in /api directory" | ||
| exit 1 | ||
| fi | ||
| echo "✓ No banned imports found in /api directory" | ||
|
|
||
| - name: Check for committed secrets | ||
| run: | | ||
| echo "Checking for accidentally committed secrets..." | ||
| # Check for common secret patterns | ||
| if grep -r "sk_live_" . --exclude-dir=node_modules --exclude-dir=.git 2>/dev/null; then | ||
| echo "ERROR: Stripe live secret key found in repository" | ||
| exit 1 | ||
| fi | ||
| if grep -r "sk_test_" . --exclude-dir=node_modules --exclude-dir=.git --exclude=".env.example" 2>/dev/null; then | ||
| echo "WARNING: Stripe test secret key found - should be in environment variables" | ||
| fi | ||
| if grep -r "PRIVATE_KEY" . --exclude-dir=node_modules --exclude-dir=.git --exclude="*.md" 2>/dev/null | grep -v "PRIVATE_KEY_PATH"; then | ||
| echo "ERROR: Private key found in repository" | ||
| exit 1 | ||
| fi | ||
| echo "✓ No obvious secrets found in repository" | ||
|
|
||
| - name: Check SECURITY.md exists | ||
| run: | | ||
| if [ ! -f "SECURITY.md" ]; then | ||
| echo "ERROR: SECURITY.md not found in repository root" | ||
| exit 1 | ||
| fi | ||
| echo "✓ SECURITY.md exists" | ||
|
|
||
| - name: Check agents.md exists | ||
| run: | | ||
| if [ ! -f "agents.md" ]; then | ||
| echo "ERROR: agents.md not found in repository root" | ||
| exit 1 | ||
| fi | ||
| echo "✓ agents.md exists" | ||
|
|
||
| - name: Verify TypeScript compilation | ||
| run: | | ||
| echo "Checking TypeScript compilation..." | ||
| npm run check || echo "TypeScript errors found - review before merge" | ||
| continue-on-error: true | ||
|
|
||
| api-security: |
Comment on lines
+93
to
+126
| name: API Security Checks | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '20' | ||
| cache: 'npm' | ||
|
|
||
| - name: Install dependencies | ||
| run: npm ci | ||
|
|
||
| - name: Check API routes for content-type enforcement | ||
| run: | | ||
| echo "Checking API routes for proper content-type handling..." | ||
| # Check for HTML responses in API routes (potential security issue) | ||
| if grep -r "text/html\|<html\|<body" ./server/routes.ts ./server/api/ --exclude="*.test.*" 2>/dev/null; then | ||
| echo "WARNING: HTML content detected in API routes - API should return JSON only" | ||
| fi | ||
| echo "✓ API content-type check complete" | ||
|
|
||
| - name: Check for SQL injection vulnerabilities | ||
| run: | | ||
| echo "Checking for potential SQL injection patterns..." | ||
| if grep -r "db.query.*\${" ./server/ --exclude-dir=node_modules 2>/dev/null; then | ||
| echo "WARNING: Template literal found in db.query - verify parameterized queries are used" | ||
| fi | ||
| echo "✓ SQL injection check complete" | ||
|
|
||
| pii-detection: |
Comment on lines
+127
to
+151
| name: PII and Sensitive Data Detection | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Check for PII in test files | ||
| run: | | ||
| echo "Checking for real PII in test files..." | ||
| # Look for real SSN patterns (not test data) | ||
| if grep -r "[0-9]\{3\}-[0-9]\{2\}-[0-9]\{4\}" ./test* --exclude-dir=node_modules 2>/dev/null | grep -v "000-00-0000" | grep -v "123-45-6789"; then | ||
| echo "WARNING: Real SSN patterns found in tests - use synthetic data only" | ||
| fi | ||
| echo "✓ PII detection check complete" | ||
|
|
||
| - name: Check for hardcoded credentials | ||
| run: | | ||
| echo "Checking for hardcoded credentials..." | ||
| if grep -ri "password\s*=\s*['\"][^'\"]*['\"]" . --exclude-dir=node_modules --exclude-dir=.git --exclude="*.md" 2>/dev/null; then | ||
| echo "WARNING: Hardcoded passwords found - use environment variables" | ||
| fi | ||
| echo "✓ Credential check complete" | ||
|
|
||
| dependency-pinning: |
Comment on lines
+152
to
+168
| name: Verify Dependency Pinning | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Check for unpinned dependencies | ||
| run: | | ||
| echo "Checking package.json for unpinned dependencies..." | ||
| if grep -E '"\^|"~' package.json; then | ||
| echo "WARNING: Unpinned dependencies found in package.json" | ||
| echo "For production, consider using exact versions (remove ^ and ~)" | ||
| fi | ||
| echo "✓ Dependency pinning check complete" | ||
|
|
||
| rate-limit-check: |
Comment on lines
+169
to
+186
| name: Verify Rate Limiting | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Check for rate limiting implementation | ||
| run: | | ||
| echo "Checking for rate limiting in API routes..." | ||
| if ! grep -r "rateLimit\|rate-limit" ./server/ 2>/dev/null; then | ||
| echo "WARNING: No rate limiting implementation detected" | ||
| echo "Consider adding express-rate-limit or similar middleware" | ||
| else | ||
| echo "✓ Rate limiting implementation found" | ||
| fi | ||
|
|
||
| summary: |
Comment on lines
+187
to
+208
| name: Security Check Summary | ||
| runs-on: ubuntu-latest | ||
| needs: [security-audit, api-security, pii-detection, dependency-pinning, rate-limit-check] | ||
| if: always() | ||
|
|
||
| steps: | ||
| - name: Summary | ||
| run: | | ||
| echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" | ||
| echo "Security Hardening Checks Complete" | ||
| echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" | ||
| echo "" | ||
| echo "Review any warnings above and ensure:" | ||
| echo " ✓ No high/critical vulnerabilities in dependencies" | ||
| echo " ✓ No banned imports in /api directory" | ||
| echo " ✓ SECURITY.md and agents.md are present" | ||
| echo " ✓ No secrets committed to repository" | ||
| echo " ✓ API routes enforce proper content-types" | ||
| echo " ✓ Rate limiting is implemented" | ||
| echo "" | ||
| echo "For security concerns, contact: security@mbtq.dev" | ||
| echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" |
Contributor
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
Contributor
There was a problem hiding this comment.
CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.