chore(security): enhance environment configuration, CI workflows, and wallet daemon with security improvements

- Restructure .env.example with security-focused documentation, service-specific environment file references, and AWS Secrets Manager integration - Update CLI tests workflow to single Python 3.13 version, add pytest-mock dependency, and consolidate test execution with coverage - Add comprehensive security validation to package publishing workflow with manual approval gates, secret scanning, and release
2026-03-03 10:33:46 +01:00
parent 00d00cb964
commit f353e00172
220 changed files with 42506 additions and 921 deletions
--- a/config/security/secret-validation.yaml
+++ b/config/security/secret-validation.yaml
@@ -0,0 +1,73 @@
+# Secret Validation Rules
+# Defines which environment variables must use secret references
+
+production_secrets:
+  coordinator:
+    required_secrets:
+      - pattern: "DATABASE_URL"
+        secret_ref: "db-credentials"
+        validation: "postgresql://"
+      
+      - pattern: "ADMIN_API_KEY"
+        secret_ref: "api-keys:admin"
+        validation: "^[a-zA-Z0-9]{32,}$"
+      
+      - pattern: "CLIENT_API_KEY"
+        secret_ref: "api-keys:client"
+        validation: "^[a-zA-Z0-9]{32,}$"
+      
+      - pattern: "ENCRYPTION_KEY"
+        secret_ref: "security-keys:encryption"
+        validation: "^[a-fA-F0-9]{64}$"
+      
+      - pattern: "HMAC_SECRET"
+        secret_ref: "security-keys:hmac"
+        validation: "^[a-fA-F0-9]{64}$"
+      
+      - pattern: "JWT_SECRET"
+        secret_ref: "security-keys:jwt"
+        validation: "^[a-fA-F0-9]{64}$"
+      
+      - pattern: "OPENAI_API_KEY"
+        secret_ref: "external-services:openai"
+        validation: "^sk-"
+      
+      - pattern: "SENTRY_DSN"
+        secret_ref: "monitoring:sentry"
+        validation: "^https://"
+
+  wallet_daemon:
+    required_secrets:
+      - pattern: "COORDINATOR_API_KEY"
+        secret_ref: "api-keys:coordinator"
+        validation: "^[a-zA-Z0-9]{32,}$"
+
+forbidden_patterns:
+  # These patterns should never appear in ANY configs
+  - "your-.*-key-here"
+  - "change-this-.*"
+  - "password="
+  - "secret_key="
+  - "api_secret="
+
+production_forbidden_patterns:
+  # These patterns should never appear in PRODUCTION configs
+  - "localhost"
+  - "127.0.0.1"
+  - "sqlite://"
+  - "debug.*true"
+
+validation_rules:
+  # Minimum security requirements
+  min_key_length: 32
+  require_complexity: true
+  no_default_values: true
+  no_localhost_in_prod: true
+  
+  # Database security
+  require_ssl_database: true
+  forbid_sqlite_in_prod: true
+  
+  # API security
+  require_https_urls: true
+  validate_api_key_format: true