oib/aitbc
1
0
Fork 0
Code Issues Pull Requests Actions 7 Packages Projects Releases Wiki Activity
Files
b03392375623d7ef898d4e4021207c719e5b862e
aitbc/config/security/secret-validation.yaml
AITBC System b033923756 chore: normalize file permissions across repository 
- Remove executable permissions from configuration files (.editorconfig, .env.example, .gitignore)
- Remove executable permissions from documentation files (README.md, LICENSE, SECURITY.md)
- Remove executable permissions from web assets (HTML, CSS, JS files)
- Remove executable permissions from data files (JSON, SQL, YAML, requirements.txt)
- Remove executable permissions from source code files across all apps
- Add executable permissions to Python
2026-03-08 11:26:18 +01:00

74 lines
1.8 KiB
YAML
Raw Blame History

# Secret Validation Rules
# Defines which environment variables must use secret references
production_secrets:
coordinator:
required_secrets:
- pattern: "DATABASE_URL"
secret_ref: "db-credentials"
validation: "postgresql://"
- pattern: "ADMIN_API_KEY"
secret_ref: "api-keys:admin"
validation: "^[a-zA-Z0-9]{32,}$"
- pattern: "CLIENT_API_KEY"
secret_ref: "api-keys:client"
validation: "^[a-zA-Z0-9]{32,}$"
- pattern: "ENCRYPTION_KEY"
secret_ref: "security-keys:encryption"
validation: "^[a-fA-F0-9]{64}$"
- pattern: "HMAC_SECRET"
secret_ref: "security-keys:hmac"
validation: "^[a-fA-F0-9]{64}$"
- pattern: "JWT_SECRET"
secret_ref: "security-keys:jwt"
validation: "^[a-fA-F0-9]{64}$"
- pattern: "OPENAI_API_KEY"
secret_ref: "external-services:openai"
validation: "^sk-"
- pattern: "SENTRY_DSN"
secret_ref: "monitoring:sentry"
validation: "^https://"
wallet_daemon:
required_secrets:
- pattern: "COORDINATOR_API_KEY"
secret_ref: "api-keys:coordinator"
validation: "^[a-zA-Z0-9]{32,}$"
forbidden_patterns:
# These patterns should never appear in ANY configs
- "your-.*-key-here"
- "change-this-.*"
- "password="
- "secret_key="
- "api_secret="
production_forbidden_patterns:
# These patterns should never appear in PRODUCTION configs
- "localhost"
- "127.0.0.1"
- "sqlite://"
- "debug.*true"
validation_rules:
# Minimum security requirements
min_key_length: 32
require_complexity: true
no_default_values: true
no_localhost_in_prod: true
# Database security
require_ssl_database: true
forbid_sqlite_in_prod: true
# API security
require_https_urls: true
validate_api_key_format: true
Reference in New Issue View Git Blame Copy Permalink