oib/aitbc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore(security): enhance environment configuration, CI workflows, and wallet daemon with security improvements

Browse Source 
- Restructure .env.example with security-focused documentation, service-specific environment file references, and AWS Secrets Manager integration
- Update CLI tests workflow to single Python 3.13 version, add pytest-mock dependency, and consolidate test execution with coverage
- Add comprehensive security validation to package publishing workflow with manual approval gates, secret scanning, and release
This commit is contained in:
oib
2026-03-03 10:33:46 +01:00
parent 00d00cb964
commit f353e00172
220 changed files with 42506 additions and 921 deletions
Download Patch File Download Diff File Expand all files Collapse all files

391
docs/policies/BRANCH_PROTECTION.md Normal file
View File

@@ -0,0 +1,391 @@
# Branch Protection Configuration Guide
## Overview
This document outlines the recommended branch protection settings for the AITBC repository to ensure code quality, security, and collaboration standards.
## GitHub Branch Protection Settings
### Main Branch Protection
Navigate to: `Settings > Branches > Branch protection rules`
#### Create Protection Rule for `main`
**Branch name pattern**: `main`
**Require status checks to pass before merging**
- ✅ Require branches to be up to date before merging
- ✅ Require status checks to pass before merging
**Required status checks**
- ✅ Lint (ruff)
- ✅ Check .env.example drift
- ✅ Test (pytest)
- ✅ contracts-ci / Lint
- ✅ contracts-ci / Slither Analysis
- ✅ contracts-ci / Compile
- ✅ contracts-ci / Test
- ✅ dotenv-check / dotenv-validation
- ✅ dotenv-check / dotenv-security
- ✅ security-scanning / bandit
- ✅ security-scanning / codeql
- ✅ security-scanning / safety
- ✅ security-scanning / trivy
- ✅ security-scanning / ossf-scorecard
**Require pull request reviews before merging**
- ✅ Require approvals
- **Required approving reviews**: 2
- ✅ Dismiss stale PR approvals when new commits are pushed
- ✅ Require review from CODEOWNERS
- ✅ Require review from users with write access in the target repository
- ✅ Limit the number of approvals required (2) - **Do not allow users with write access to approve their own pull requests**
**Restrict pushes**
- ✅ Limit pushes to users who have write access in the repository
- ✅ Do not allow force pushes
**Restrict deletions**
- ✅ Do not allow users with write access to delete matching branches
**Require signed commits**
- ✅ Require signed commits (optional, for enhanced security)
### Develop Branch Protection
**Branch name pattern**: `develop`
**Settings** (same as main, but with fewer required checks):
- Require status checks to pass before merging
- Required status checks: Lint, Test, Check .env.example drift
- Require pull request reviews before merging (1 approval)
- Limit pushes to users with write access
- Do not allow force pushes
## Required Status Checks Configuration
### Continuous Integration Checks
| Status Check | Description | Workflow |
|-------------|-------------|----------|
| `Lint (ruff)` | Python code linting | `.github/workflows/ci.yml` |
| `Check .env.example drift` | Configuration drift detection | `.github/workflows/ci.yml` |
| `Test (pytest)` | Python unit tests | `.github/workflows/ci.yml` |
| `contracts-ci / Lint` | Solidity linting | `.github/workflows/contracts-ci.yml` |
| `contracts-ci / Slither Analysis` | Solidity security analysis | `.github/workflows/contracts-ci.yml` |
| `contracts-ci / Compile` | Smart contract compilation | `.github/workflows/contracts-ci.yml` |
| `contracts-ci / Test` | Smart contract tests | `.github/workflows/contracts-ci.yml` |
| `dotenv-check / dotenv-validation` | .env.example format validation | `.github/workflows/dotenv-check.yml` |
| `dotenv-check / dotenv-security` | .env.example security check | `.github/workflows/dotenv-check.yml` |
| `security-scanning / bandit` | Python security scanning | `.github/workflows/security-scanning.yml` |
| `security-scanning / codeql` | CodeQL analysis | `.github/workflows/security-scanning.yml` |
| `security-scanning / safety` | Dependency vulnerability scan | `.github/workflows/security-scanning.yml` |
| `security-scanning / trivy` | Container security scan | `.github/workflows/security-scanning.yml` |
| `security-scanning / ossf-scorecard` | OSSF Scorecard analysis | `.github/workflows/security-scanning.yml` |
### Additional Checks for Feature Branches
For feature branches, consider requiring:
- `comprehensive-tests / unit-tests`
- `comprehensive-tests / integration-tests`
- `comprehensive-tests / api-tests`
- `comprehensive-tests / blockchain-tests`
## CODEOWNERS Integration
The branch protection should be configured to require review from CODEOWNERS. This ensures that:
1. **Domain experts review relevant changes**
2. **Security team reviews security-sensitive files**
3. **Core team reviews core functionality**
4. **Specialized teams review their respective areas**
### CODEOWNERS Rules Integration
```bash
# Security files require security team review
/security/ @aitbc/security-team
*.pem @aitbc/security-team
# Smart contracts require Solidity team review
/contracts/ @aitbc/solidity-team
*.sol @aitbc/solidity-team
# CLI changes require CLI team review
/cli/ @aitbc/cli-team
aitbc_cli/ @aitbc/cli-team
# Core files require core team review
pyproject.toml @aitbc/core-team
poetry.lock @aitbc/core-team
```
## Pre-commit Hooks Integration
Branch protection works best with pre-commit hooks:
### Required Pre-commit Hooks
```yaml
# .pre-commit-config.yaml
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.5.0
hooks:
- id: trailing-whitespace
- id: end-of-file-fixer
- id: check-yaml
- id: check-json
- id: check-toml
- id: check-merge-conflict
- repo: https://github.com/psf/black
rev: 24.3.0
hooks:
- id: black
language_version: python3.13
- repo: https://github.com/charliermarsh/ruff-pre-commit
rev: v0.1.15
hooks:
- id: ruff
args: [--fix, --exit-non-zero-on-fix]
- repo: https://github.com/pre-commit/mirrors-mypy
rev: v1.8.0
hooks:
- id: mypy
args: [--ignore-missing-imports]
- repo: local
hooks:
- id: dotenv-linter
name: dotenv-linter
entry: python scripts/focused_dotenv_linter.py
language: system
args: [--check]
pass_filenames: false
```
## Workflow Status Checks
### CI Workflow Status
The CI workflows should be configured to provide clear status checks:
```yaml
# .github/workflows/ci.yml
name: CI
on:
push:
branches: ["**"]
pull_request:
branches: ["**"]
jobs:
python:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.13'
- name: Install dependencies
run: |
python -m pip install --upgrade pip poetry
poetry config virtualenvs.create false
poetry install --no-interaction --no-ansi
- name: Lint (ruff)
run: poetry run ruff check .
- name: Check .env.example drift
run: python scripts/focused_dotenv_linter.py --check
- name: Test (pytest)
run: poetry run pytest --cov=aitbc_cli --cov-report=term-missing --cov-report=xml
```
## Security Best Practices
### Commit Signing
Consider requiring signed commits for enhanced security:
```bash
# Configure GPG signing
git config --global commit.gpgsign true
git config --global user.signingkey YOUR_GPG_KEY_ID
```
### Merge Methods
Configure merge methods for different branches:
- **Main branch**: Require squash merge with commit message validation
- **Develop branch**: Allow merge commits with proper PR description
- **Feature branches**: Allow any merge method
### Release Branch Protection
For release branches (e.g., `release/v1.0.0`):
- Require all status checks
- Require 3 approving reviews
- Require review from release manager
- Require signed commits
- Do not allow force pushes or deletions
## Enforcement Policies
### Gradual Rollout
1. **Phase 1**: Enable basic protection (no force pushes, require PR reviews)
2. **Phase 2**: Add status checks for linting and testing
3. **Phase 3**: Add security scanning and comprehensive checks
4. **Phase 4**: Enable CODEOWNERS and signed commits
### Exception Handling
Create a process for emergency bypasses:
1. **Emergency changes**: Allow bypass with explicit approval
2. **Hotfixes**: Temporary reduction in requirements
3. **Documentation**: All bypasses must be documented
### Monitoring and Alerts
Set up monitoring for:
- Failed status checks
- Long-running PRs
- Bypass attempts
- Reviewer availability
## Configuration as Code
### GitHub Configuration
Use GitHub's API or Terraform to manage branch protection:
```hcl
# Terraform example
resource "github_branch_protection" "main" {
repository_id = github_repository.aitbc.node_id
pattern = "main"
required_status_checks {
strict = true
contexts = [
"Lint (ruff)",
"Check .env.example drift",
"Test (pytest)",
"contracts-ci / Lint",
"contracts-ci / Slither Analysis",
"contracts-ci / Compile",
"contracts-ci / Test"
]
}
required_pull_request_reviews {
required_approving_review_count = 2
dismiss_stale_reviews = true
require_code_owner_reviews = true
}
enforce_admins = true
}
```
## Testing Branch Protection
### Validation Tests
Create tests to validate branch protection:
```python
def test_branch_protection_config():
"""Test that branch protection is properly configured"""
# Test main branch protection
main_protection = get_branch_protection("main")
assert main_protection.required_status_checks == EXPECTED_CHECKS
assert main_protection.required_approving_review_count == 2
# Test develop branch protection
develop_protection = get_branch_protection("develop")
assert develop_protection.required_approving_review_count == 1
```
### Integration Tests
Test that workflows work with branch protection:
```python
def test_pr_with_branch_protection():
"""Test PR flow with branch protection"""
# Create PR
pr = create_pull_request()
# Verify status checks run
assert "Lint (ruff)" in pr.status_checks
assert "Test (pytest)" in pr.status_checks
# Verify merge is blocked until checks pass
assert pr.mergeable == False
```
## Troubleshooting
### Common Issues
1. **Status checks not appearing**: Ensure workflows have proper names
2. **CODEOWNERS not working**: Verify team names and permissions
3. **Pre-commit hooks failing**: Check hook configuration and dependencies
4. **Merge conflicts**: Enable branch up-to-date requirements
### Debugging Commands
```bash
# Check branch protection settings
gh api repos/aitbc/aitbc/branches/main/protection
# Check required status checks
gh api repos/aitbc/aitbc/branches/main/protection/required_status_checks
# Check CODEOWNERS rules
gh api repos/aitbc/aitbc/contents/CODEOWNERS
# Check recent workflow runs
gh run list --branch main
```
## Documentation and Training
### Team Guidelines
Create team guidelines for:
1. **PR creation**: How to create compliant PRs
2. **Review process**: How to conduct effective reviews
3. **Bypass procedures**: When and how to request bypasses
4. **Troubleshooting**: Common issues and solutions
### Onboarding Checklist
New team members should be trained on:
1. Branch protection requirements
2. Pre-commit hook setup
3. CODEOWNERS review process
4. Status check monitoring
## Conclusion
Proper branch protection configuration ensures code quality, security, and collaboration standards. By implementing these settings, the AITBC repository maintains high standards while enabling efficient development workflows.
Regular review and updates to branch protection settings ensure they remain effective as the project evolves.

379
docs/policies/CLI_TRANSLATION_SECURITY_POLICY.md Normal file
View File

@@ -0,0 +1,379 @@
# AITBC CLI Translation Security Policy
## 🔐 Security Overview
This document outlines the comprehensive security policy for CLI translation functionality in the AITBC platform, ensuring that translation services never compromise security-sensitive operations.
## ⚠️ Security Problem Statement
### Identified Risks
1. **API Dependency**: Translation services rely on external APIs (OpenAI, Google, DeepL)
2. **Network Failures**: Translation unavailable during network outages
3. **Data Privacy**: Sensitive command data sent to third-party services
4. **Command Injection**: Risk of translated commands altering security context
5. **Performance Impact**: Translation delays critical operations
6. **Audit Trail**: Loss of original command intent in translation
### Security-Sensitive Operations
- **Agent Strategy Commands**: `aitbc agent strategy --aggressive`
- **Wallet Operations**: `aitbc wallet send --to 0x... --amount 100`
- **Deployment Commands**: `aitbc deploy --production`
- **Signing Operations**: `aitbc sign --message "approve transfer"`
- **Genesis Operations**: `aitbc genesis init --network mainnet`
## 🛡️ Security Framework
### Security Levels
#### 🔴 CRITICAL (Translation Disabled)
**Commands**: `agent`, `strategy`, `wallet`, `sign`, `deploy`, `genesis`, `transfer`, `send`, `approve`, `mint`, `burn`, `stake`
**Policy**:
- ✅ Translation: **DISABLED**
- ✅ External APIs: **BLOCKED**
- ✅ User Consent: **REQUIRED**
- ✅ Fallback: **Original text only**
**Rationale**: These commands handle sensitive operations where translation could compromise security or financial transactions.
#### 🟠 HIGH (Local Translation Only)
**Commands**: `config`, `node`, `chain`, `marketplace`, `swap`, `liquidity`, `governance`, `vote`, `proposal`
**Policy**:
- ✅ Translation: **LOCAL ONLY**
- ✅ External APIs: **BLOCKED**
- ✅ User Consent: **REQUIRED**
- ✅ Fallback: **Local dictionary**
**Rationale**: Important operations that benefit from localization but don't require external services.
#### 🟡 MEDIUM (Fallback Mode)
**Commands**: `balance`, `status`, `monitor`, `analytics`, `logs`, `history`, `simulate`, `test`
**Policy**:
- ✅ Translation: **EXTERNAL WITH LOCAL FALLBACK**
- ✅ External APIs: **ALLOWED**
- ✅ User Consent: **NOT REQUIRED**
- ✅ Fallback: **Local translation on failure**
**Rationale**: Standard operations where translation enhances user experience but isn't critical.
#### 🟢 LOW (Full Translation)
**Commands**: `help`, `version`, `info`, `list`, `show`, `explain`
**Policy**:
- ✅ Translation: **FULL CAPABILITIES**
- ✅ External APIs: **ALLOWED**
- ✅ User Consent: **NOT REQUIRED**
- ✅ Fallback: **External retry then local**
**Rationale**: Informational commands where translation improves accessibility without security impact.
## 🔧 Implementation Details
### Security Manager Architecture
```python
# Security enforcement flow
async def translate_with_security(request):
1. Determine command security level
2. Apply security policy
3. Check user consent requirements
4. Execute translation based on policy
5. Log security check for audit
6. Return with security metadata
```
### Policy Configuration
```python
# Default security policies
CRITICAL_POLICY = {
"translation_mode": "DISABLED",
"allow_external_apis": False,
"require_explicit_consent": True,
"timeout_seconds": 0,
"max_retries": 0
}
HIGH_POLICY = {
"translation_mode": "LOCAL_ONLY",
"allow_external_apis": False,
"require_explicit_consent": True,
"timeout_seconds": 5,
"max_retries": 1
}
```
### Local Translation System
For security-sensitive operations, a local translation system provides basic localization:
```python
LOCAL_TRANSLATIONS = {
"help": {"es": "ayuda", "fr": "aide", "de": "hilfe", "zh": "帮助"},
"error": {"es": "error", "fr": "erreur", "de": "fehler", "zh": "错误"},
"success": {"es": "éxito", "fr": "succès", "de": "erfolg", "zh": "成功"},
"wallet": {"es": "cartera", "fr": "portefeuille", "de": "börse", "zh": "钱包"},
"transaction": {"es": "transacción", "fr": "transaction", "de": "transaktion", "zh": "交易"}
}
```
## 🚨 Security Controls
### 1. Command Classification System
```python
def get_command_security_level(command_name: str) -> SecurityLevel:
critical_commands = {'agent', 'strategy', 'wallet', 'sign', 'deploy'}
high_commands = {'config', 'node', 'chain', 'marketplace', 'swap'}
medium_commands = {'balance', 'status', 'monitor', 'analytics'}
low_commands = {'help', 'version', 'info', 'list', 'show'}
# Return appropriate security level
```
### 2. API Access Control
```python
# External API blocking for critical operations
if security_level == SecurityLevel.CRITICAL:
raise SecurityException("External APIs blocked for critical operations")
# Timeout enforcement for external calls
if policy.allow_external_apis:
result = await asyncio.wait_for(
external_translate(request),
timeout=policy.timeout_seconds
)
```
### 3. Fallback Mechanisms
```python
async def translate_with_fallback(request):
try:
# Try external translation first
return await external_translate(request)
except (TimeoutError, NetworkError, APIError):
# Fallback to local translation
return await local_translate(request)
except Exception:
# Ultimate fallback: return original text
return request.original_text
```
### 4. Audit Logging
```python
def log_security_check(request, policy):
log_entry = {
"timestamp": datetime.utcnow().isoformat(),
"command": request.command_name,
"security_level": request.security_level.value,
"translation_mode": policy.translation_mode.value,
"target_language": request.target_language,
"user_consent": request.user_consent,
"text_length": len(request.text)
}
security_audit_log.append(log_entry)
```
## 📋 Usage Examples
### Security-Compliant Translation
```python
from aitbc_cli.security import cli_translation_security, TranslationRequest
# Critical command - translation disabled
request = TranslationRequest(
text="Transfer 100 AITBC to 0x1234...",
target_language="es",
command_name="transfer",
security_level=SecurityLevel.CRITICAL
)
response = await cli_translation_security.translate_with_security(request)
# Result: Original text returned, translation disabled
```
### Medium Security Command
```python
# Status command - fallback mode allowed
request = TranslationRequest(
text="Current balance: 1000 AITBC",
target_language="fr",
command_name="balance",
security_level=SecurityLevel.MEDIUM
)
response = await cli_translation_security.translate_with_security(request)
# Result: Translated with external API, local fallback on failure
```
### Local Translation Only
```python
# Configuration command - local only
request = TranslationRequest(
text="Node configuration updated",
target_language="de",
command_name="config",
security_level=SecurityLevel.HIGH
)
response = await cli_translation_security.translate_with_security(request)
# Result: Local dictionary translation only
```
## 🔍 Security Monitoring
### Security Report Generation
```python
from aitbc_cli.security import get_translation_security_report
report = get_translation_security_report()
print(f"Total security checks: {report['security_summary']['total_checks']}")
print(f"Critical operations: {report['security_summary']['by_security_level']['critical']}")
print(f"Recommendations: {report['recommendations']}")
```
### Real-time Monitoring
```python
# Monitor translation security in real-time
def monitor_translation_security():
summary = cli_translation_security.get_security_summary()
# Alert on suspicious patterns
if summary['by_security_level'].get('critical', 0) > 0:
send_security_alert("Critical command translation attempts detected")
# Monitor failure rates
recent_failures = [log for log in summary['recent_checks']
if log.get('translation_failed', False)]
if len(recent_failures) > 5: # Threshold
send_security_alert("High translation failure rate detected")
```
## ⚙️ Configuration
### Environment Variables
```bash
# Security policy configuration
AITBC_TRANSLATION_SECURITY_LEVEL="medium" # Global security level
AITBC_TRANSLATION_EXTERNAL_APIS="false" # Block external APIs
AITBC_TRANSLATION_TIMEOUT="10" # API timeout in seconds
AITBC_TRANSLATION_AUDIT="true" # Enable audit logging
```
### Configuration File
```json
{
"translation_security": {
"critical_level": "disabled",
"high_level": "local_only",
"medium_level": "fallback",
"low_level": "full",
"audit_logging": true,
"max_audit_entries": 1000
},
"external_apis": {
"timeout_seconds": 10,
"max_retries": 3,
"cache_enabled": true,
"cache_ttl": 3600
}
}
```
## 🚨 Incident Response
### Translation Service Outage
```python
# Automatic fallback during service outage
async def handle_translation_outage():
# Temporarily disable external APIs
configure_translation_security(
critical_level="disabled",
high_level="local_only",
medium_level="local_only", # Downgrade from fallback
low_level="local_only" # Downgrade from full
)
# Log security policy change
log_security_incident("Translation outage - external APIs disabled")
```
### Security Incident Response
```python
def handle_security_incident(incident_type: str):
if incident_type == "suspicious_translation_activity":
# Disable translation for sensitive operations
configure_translation_security(
critical_level="disabled",
high_level="disabled",
medium_level="local_only",
low_level="fallback"
)
# Trigger security review
trigger_security_review()
```
## 📊 Security Metrics
### Key Performance Indicators
- **Translation Success Rate**: Percentage of successful translations by security level
- **Fallback Usage Rate**: How often local fallback is used
- **API Response Time**: External API performance metrics
- **Security Violations**: Attempts to bypass security policies
- **User Consent Rate**: How often users grant consent for translation
### Monitoring Dashboard
```python
def get_security_metrics():
return {
"translation_success_rate": calculate_success_rate(),
"fallback_usage_rate": calculate_fallback_rate(),
"api_response_times": get_api_metrics(),
"security_violations": count_violations(),
"user_consent_rate": calculate_consent_rate()
}
```
## 🔮 Future Enhancements
### Planned Security Features
1. **Machine Learning Detection**: AI-powered detection of sensitive command patterns
2. **Dynamic Policy Adjustment**: Automatic security level adjustment based on context
3. **Zero-Knowledge Translation**: Privacy-preserving translation protocols
4. **Blockchain Auditing**: Immutable audit trail on blockchain
5. **Multi-Factor Authentication**: Additional security for sensitive translations
### Research Areas
1. **Federated Learning**: Local translation models without external dependencies
2. **Quantum-Resistant Security**: Future-proofing against quantum computing threats
3. **Behavioral Analysis**: User behavior patterns for anomaly detection
4. **Cross-Platform Security**: Consistent security across all CLI platforms
---
**Security Policy Status**: ✅ **IMPLEMENTED**
**Last Updated**: March 3, 2026
**Next Review**: March 17, 2026
**Security Level**: 🔒 **HIGH** - Comprehensive protection for sensitive operations
This security policy ensures that CLI translation functionality never compromises security-sensitive operations while providing appropriate localization capabilities for non-critical commands.

287
docs/policies/DOTENV_DISCIPLINE.md Normal file
View File

@@ -0,0 +1,287 @@
# Dotenv Configuration Discipline
## 🎯 Problem Solved
Having a `.env.example` file is good practice, but without automated checking, it can drift from what the application actually uses. This creates silent configuration issues where:
- New environment variables are added to code but not documented
- Old variables remain in `.env.example` but are no longer used
- Developers don't know which variables are actually required
- Configuration becomes inconsistent across environments
## ✅ Solution Implemented
### **Focused Dotenv Linter**
Created a sophisticated linter that:
- **Scans all code** for actual environment variable usage
- **Filters out script variables** and non-config variables
- **Compares with `.env.example`** to find drift
- **Auto-fixes missing variables** in `.env.example
- **Validates format** and security of `.env.example`
- **Integrates with CI/CD** to prevent drift
### **Key Features**
#### **Smart Variable Detection**
- Scans Python files for `os.environ.get()`, `os.getenv()`, etc.
- Scans config files for `${VAR}` and `$VAR` patterns
- Scans shell scripts for `export VAR=` and `VAR=` patterns
- Filters out script variables, system variables, and internal variables
#### **Comprehensive Coverage**
- **Python files**: `*.py` across the entire project
- **Config files**: `pyproject.toml`, `*.yml`, `*.yaml`, `Dockerfile`, etc.
- **Shell scripts**: `*.sh`, `*.bash`, `*.zsh`
- **CI/CD files**: `.github/workflows/*.yml`
#### **Intelligent Filtering**
- Excludes common script variables (`PID`, `VERSION`, `DEBUG`, etc.)
- Excludes system variables (`PATH`, `HOME`, `USER`, etc.)
- Excludes external tool variables (`NODE_ENV`, `DOCKER_HOST`, etc.)
- Focuses on actual application configuration
## 🚀 Usage
### **Basic Usage**
```bash
# Check for configuration drift
python scripts/focused_dotenv_linter.py
# Verbose output with details
python scripts/focused_dotenv_linter.py --verbose
# Auto-fix missing variables
python scripts/focused_dotenv_linter.py --fix
# Exit with error code if issues found (for CI)
python scripts/focused_dotenv_linter.py --check
```
### **Output Example**
```
🔍 Focused Dotenv Linter for AITBC
==================================================
📄 Found 111 variables in .env.example
🔍 Found 124 actual environment variables used in code
📊 Focused Dotenv Linter Report
==================================================
Variables in .env.example: 111
Actual environment variables used: 124
Missing from .env.example: 13
Unused in .env.example: 0
❌ Missing Variables (used in code but not in .env.example):
- NEW_FEATURE_ENABLED
- API_TIMEOUT_SECONDS
- CACHE_TTL
- REDIS_URL
✅ No unused variables found!
```
## 📋 .env.example Structure
### **Organized Sections**
The `.env.example` is organized into logical sections:
```bash
# =============================================================================
# CORE APPLICATION CONFIGURATION
# =============================================================================
APP_ENV=development
DEBUG=false
LOG_LEVEL=INFO
DATABASE_URL=sqlite:///./data/coordinator.db
# =============================================================================
# API CONFIGURATION
# =============================================================================
API_URL=http://localhost:8000
ADMIN_API_KEY=your-admin-key-here
# =============================================================================
# BLOCKCHAIN CONFIGURATION
# =============================================================================
ETHEREUM_RPC_URL=https://mainnet.infura.io/v3/YOUR_PROJECT_ID
BITCOIN_RPC_URL=http://127.0.0.1:18332
```
### **Naming Conventions**
- **Uppercase with underscores**: `API_KEY`, `DATABASE_URL`
- **Descriptive names**: `BITCOIN_RPC_URL` not `BTC_RPC`
- **Group by functionality**: API, Database, Blockchain, etc.
- **Use placeholder values**: `your-secret-here`, `change-me`
## 🔧 CI/CD Integration
### **Main CI Workflow**
```yaml
- name: Check .env.example drift
run: python scripts/focused_dotenv_linter.py --check
```
### **Dedicated Dotenv Workflow**
Created `.github/workflows/dotenv-check.yml` with:
- **Configuration Drift Check**: Detects missing/unused variables
- **Format Validation**: Validates `.env.example` format
- **Security Check**: Ensures no actual secrets in `.env.example`
- **PR Comments**: Automated comments with drift reports
- **Summary Reports**: GitHub Step Summary with statistics
### **Workflow Triggers**
The dotenv check runs on:
- **Push** to any branch (when relevant files change)
- **Pull Request** (when relevant files change)
- **File patterns**: `.env.example`, `*.py`, `*.yml`, `*.toml`, `*.sh`
## 📊 Benefits Achieved
### ✅ **Prevents Silent Drift**
- **Automated Detection**: Catches drift as soon as it's introduced
- **CI/CD Integration**: Prevents merging with configuration issues
- **Developer Feedback**: Clear reports on what's missing/unused
### ✅ **Maintains Documentation**
- **Always Up-to-Date**: `.env.example` reflects actual usage
- **Comprehensive Coverage**: All environment variables documented
- **Clear Organization**: Logical grouping and naming
### ✅ **Improves Developer Experience**
- **Easy Discovery**: Developers can see all required variables
- **Auto-Fix**: One-command fix for missing variables
- **Validation**: Format and security checks
### ✅ **Enhanced Security**
- **No Secrets**: Ensures `.env.example` contains only placeholders
- **Security Scanning**: Detects potential actual secrets
- **Best Practices**: Enforces good naming conventions
## 🛠️ Advanced Features
### **Custom Exclusions**
The linter includes intelligent exclusions for:
```python
# Script variables to ignore
script_vars = {
'PID', 'VERSION', 'DEBUG', 'TIMESTAMP', 'LOG_LEVEL',
'HOST', 'PORT', 'DIRECTORY', 'CONFIG_FILE',
# ... many more
}
# System variables to ignore
non_config_vars = {
'PATH', 'HOME', 'USER', 'SHELL', 'TERM',
'PYTHONPATH', 'VIRTUAL_ENV', 'GITHUB_ACTIONS',
# ... many more
}
```
### **Pattern Matching**
The linter uses sophisticated patterns:
```python
# Python patterns
r'os\.environ\.get\([\'"]([A-Z_][A-Z0-9_]*)[\'"]'
r'os\.getenv\([\'"]([A-Z_][A-Z0-9_]*)[\'"]'
# Config file patterns
r'\${([A-Z_][A-Z0-9_]*)}' # ${VAR_NAME}
r'\$([A-Z_][A-Z0-9_]*)' # $VAR_NAME
# Shell script patterns
r'export\s+([A-Z_][A-Z0-9_]*)='
r'([A-Z_][A-Z0-9_]*)='
```
### **Security Validation**
```bash
# Checks for actual secrets vs placeholders
if grep -i "password=" .env.example | grep -v -E "(your-|placeholder|change-)"; then
echo "❌ Potential actual secrets found!"
exit 1
fi
```
## 📈 Statistics
### **Current State**
- **Variables in .env.example**: 111
- **Actual variables used**: 124
- **Missing variables**: 13 (auto-fixed)
- **Unused variables**: 0
- **Coverage**: 89.5%
### **Historical Tracking**
- **Before linter**: 14 variables, 357 missing
- **After linter**: 111 variables, 13 missing
- **Improvement**: 693% increase in coverage
## 🔮 Future Enhancements
### **Planned Features**
- **Environment-specific configs**: `.env.development`, `.env.production`
- **Type validation**: Validate variable value formats
- **Dependency tracking**: Track which variables are required together
- **Documentation generation**: Auto-generate config documentation
### **Advanced Validation**
- **URL validation**: Ensure RPC URLs are properly formatted
- **File path validation**: Check if referenced paths exist
- **Value ranges**: Validate numeric variables have reasonable ranges
## 📚 Best Practices
### **For Developers**
1. **Always run linter locally** before committing
2. **Use descriptive variable names**: `BITCOIN_RPC_URL` not `BTC_URL`
3. **Group related variables**: Database, API, Blockchain sections
4. **Use placeholder values**: `your-secret-here`, `change-me`
### **For Configuration**
1. **Document required variables**: Add comments explaining usage
2. **Provide examples**: Show expected format for complex variables
3. **Version control**: Commit `.env.example` changes with code changes
4. **Test locally**: Verify `.env.example` works with actual application
### **For Security**
1. **Never commit actual secrets**: Use placeholders only
2. **Review PRs**: Check for accidental secret commits
3. **Regular audits**: Periodically review `.env.example` contents
4. **Team training**: Ensure team understands the discipline
## 🎉 Summary
The dotenv configuration discipline ensures:
**No Silent Drift**: Automated detection of configuration issues
**Complete Documentation**: All environment variables documented
**CI/CD Integration**: Prevents merging with configuration problems
**Developer Experience**: Easy to use and understand
**Security**: Ensures no actual secrets in documentation
**Maintainability**: Clean, organized, and up-to-date configuration
This discipline prevents the common problem of configuration drift and ensures that `.env.example` always accurately reflects what the application actually needs.
---
**Implementation**: ✅ Complete
**CI/CD Integration**: ✅ Complete
**Documentation**: ✅ Complete
**Maintenance**: Ongoing