aitbc/docs/9_security/1_security-cleanup-guide.md
AITBC System b033923756 chore: normalize file permissions across repository
- Remove executable permissions from configuration files (.editorconfig, .env.example, .gitignore)
- Remove executable permissions from documentation files (README.md, LICENSE, SECURITY.md)
- Remove executable permissions from web assets (HTML, CSS, JS files)
- Remove executable permissions from data files (JSON, SQL, YAML, requirements.txt)
- Remove executable permissions from source code files across all apps
- Add executable permissions to Python
2026-03-08 11:26:18 +01:00

AITBC Security Cleanup & GitHub Setup Guide

COMPLETE SECURITY FIXES (2026-02-19)

Critical Vulnerabilities Resolved

  1. Smart Contract Security Audit Complete
    • 0 vulnerabilities found in actual contract code
    • 35 Slither findings (34 OpenZeppelin informational warnings, 1 Solidity version note)
    • OpenZeppelin v5.0.0 upgrade completed for latest security features
    • Contracts verified as production-ready

Critical Vulnerabilities Resolved

  1. Hardcoded Secrets Eliminated

    • JWT secret removed from config_pg.py - now required from environment
    • PostgreSQL credentials removed from db_pg.py - parsed from DATABASE_URL
    • Added validation to fail-fast if secrets aren't provided
  2. Authentication Gaps Closed

    • Exchange API now uses session-based authentication
    • Fixed hardcoded user_id=1 - uses authenticated context
    • Added login/logout endpoints with wallet authentication
  3. CORS Restrictions Implemented

    • Replaced wildcard origins with specific localhost URLs
    • Applied across all services (Coordinator, Exchange, Blockchain, Gossip)
    • Unauthorized origins now receive 400 Bad Request
  4. Wallet Encryption Enhanced

    • Replaced weak XOR encryption with Fernet (AES-128 CBC)
    • Added PBKDF2 key derivation with SHA-256
    • Integrated keyring for password management
  5. Database Sessions Unified

    • Migrated all routers to use storage.SessionDep
    • Removed legacy session dependencies
    • Consistent session management across services
  6. Structured Error Responses

    • Implemented standardized error responses across all APIs
    • Added ErrorResponse and ErrorDetail Pydantic models
    • All exceptions now have error_code, status_code, and to_response() method
  7. Health Check Endpoints

    • Added liveness and readiness probes
    • /health/live - Simple alive check
    • /health/ready - Database connectivity check
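
Item 1 above (hardcoded secrets) describes secrets required from the environment, credentials parsed from DATABASE_URL, and fail-fast validation. The sketch below is an added example of that pattern, not the contents of config_pg.py or db_pg.py; the JWT_SECRET variable name, the 32-character floor and the Settings fields are assumptions.

```python
import os
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

# Example values this guide flags in the docs; never accept them as real secrets.
PLACEHOLDERS = {"your-secret-key", "password", "pass"}


class ConfigError(RuntimeError):
    """Raised at startup when a required secret is missing or unusable."""


@dataclass(frozen=True)
class Settings:
    jwt_secret: str
    db_user: str
    db_password: str
    db_host: str
    db_port: int
    db_name: str


def load_settings(env=None):
    env = os.environ if env is None else env
    problems = []

    jwt_secret = env.get("JWT_SECRET", "")  # variable name is an assumption
    if not jwt_secret:
        problems.append("JWT_SECRET is not set")
    elif jwt_secret in PLACEHOLDERS or len(jwt_secret) < 32:  # 32 is an assumed floor
        problems.append("JWT_SECRET is a placeholder or shorter than 32 characters")

    url = urlsplit(env.get("DATABASE_URL", ""))
    # Accept driver-qualified schemes such as postgresql+psycopg2://
    if url.scheme.split("+")[0] not in ("postgresql", "postgres") or not url.hostname:
        problems.append("DATABASE_URL must look like postgresql://user:password@host/db")
    elif not url.username or not url.password:
        problems.append("DATABASE_URL carries no credentials")
    elif unquote(url.password) in PLACEHOLDERS:
        problems.append("DATABASE_URL uses a placeholder password")

    if problems:
        # Report every problem at once, without echoing any secret value.
        raise ConfigError("; ".join(problems))
    return Settings(jwt_secret, unquote(url.username), unquote(url.password),
                    url.hostname, url.port or 5432, url.path.lstrip("/"))
```

Calling load_settings() once at process start makes a missing or placeholder secret stop the service before it accepts traffic.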

🔐 SECURITY FINDINGS

Files Currently Tracked That Should Be Removed

High Priority - Remove Immediately:

  1. .windsurf/ - Entire IDE configuration directory

    • Contains local IDE settings, skills, and workflows
    • Should never be in a public repository
  2. Infrastructure secrets files:

    • infra/k8s/sealed-secrets.yaml - Contains sealed secrets configuration
    • infra/terraform/environments/secrets.tf - References AWS Secrets Manager

Files With Hardcoded Credentials (Documentation/Examples)

Low Priority - These are examples but should be cleaned:

  • website/docs/coordinator-api.html - Contains SECRET_KEY=your-secret-key
  • website/docs/wallet-daemon.html - Contains password="password"
  • website/docs/pool-hub.html - Contains POSTGRES_PASSWORD=pass

🚨 IMMEDIATE ACTIONS REQUIRED

1. Remove Sensitive Files from Git History

# Remove .windsurf directory completely
git filter-branch --force --index-filter 'git rm -rf --cached --ignore-unmatch .windsurf/' --prune-empty --tag-name-filter cat -- --all

# Remove infrastructure secrets files
git filter-branch --force --index-filter 'git rm -rf --cached --ignore-unmatch infra/k8s/sealed-secrets.yaml infra/terraform/environments/secrets.tf' --prune-empty --tag-name-filter cat -- --all

# Clean up
git for-each-ref --format='delete %(refname)' refs/original | git update-ref --stdin
git reflog expire --expire=now --all && git gc --prune=now --aggressive

2. Update .gitignore

Add these lines to .gitignore:

# IDE configurations
.windsurf/
.snapshots/
.vscode/
.idea/

# Additional security
*.env
*.env.*
*.key
*.pem
*.crt
*.p12
secrets/
credentials/
infra/k8s/sealed-secrets.yaml
infra/terraform/environments/secrets.tf

3. Replace Hardcoded Examples

Replace documentation examples with placeholder variables:

  • SECRET_KEY=your-secret-key → SECRET_KEY=${SECRET_KEY}
  • password="password" → password="${DB_PASSWORD}"
  • POSTGRES_PASSWORD=pass → POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
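
The three replacements above can be applied and audited mechanically. The script below is an added example, not part of the repository; the sample text is constructed, and the handling of HTML-escaped quotes (&quot;) is an assumption about how the values appear in the website/docs HTML files.

```python
import re

# One rule per hardcoded example this guide lists: (name, pattern, replacement).
# The lookahead keeps longer values such as "pass-phrase" from being half-rewritten;
# the quote group also matches the HTML-escaped form (&quot;) and is preserved.
RULES = [
    ("SECRET_KEY", re.compile(r"SECRET_KEY=your-secret-key(?![\w-])"),
     r"SECRET_KEY=${SECRET_KEY}"),
    ("password", re.compile(r'password=("|&quot;)password\1'),
     r"password=\1${DB_PASSWORD}\1"),
    ("POSTGRES_PASSWORD", re.compile(r"POSTGRES_PASSWORD=pass(?![\w-])"),
     r"POSTGRES_PASSWORD=${POSTGRES_PASSWORD}"),
]


def sanitize(text):
    """Return (rewritten_text, findings) where findings are (line_no, rule_name)."""
    out, findings = [], []
    for line_no, line in enumerate(text.splitlines(keepends=True), 1):
        for name, pattern, replacement in RULES:
            line, hits = pattern.subn(replacement, line)
            findings.extend((line_no, name) for _ in range(hits))
        out.append(line)
    return "".join(out), findings


# Constructed sample resembling a docs page; not taken from the repository.
SAMPLE = (
    "<pre>SECRET_KEY=your-secret-key\n"
    "connect(password=&quot;password&quot;)\n"
    "POSTGRES_PASSWORD=pass\n"
    "POSTGRES_PASSWORD=pass-phrase-from-vault\n"
    "POSTGRES_PASSWORD=${POSTGRES_PASSWORD}</pre>\n"
)

if __name__ == "__main__":
    cleaned, findings = sanitize(SAMPLE)
    for line_no, name in findings:
        print(f"line {line_no}: replaced hardcoded {name}")
    print(cleaned, end="")
```

Running sanitize() a second time on its own output returns no findings, which makes it usable as a pre-push check for the final checklist.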

🐙 GITHUB REPOSITORY SETUP

Repository Description

AITBC - AI Trusted Blockchain Computing Platform
A comprehensive blockchain-based marketplace for AI computing services with zero-knowledge proof verification and confidential transaction support.
blockchain ai-computing marketplace zero-knowledge-proofs confidential-transactions web3 python fastapi react typescript kubernetes terraform helm decentralized gpu-computing zk-proofs cryptography smart-contracts

Repository Settings to Configure

Security Settings:

  • Enable "Security advisories"
  • Enable "Dependabot alerts"
  • Enable "Dependabot security updates"
  • Enable "Code security" (GitHub Advanced Security if available)
  • Enable "Secret scanning"

Branch Protection:

  • Require pull request reviews
  • Require status checks to pass
  • Require up-to-date branches
  • Include administrators
  • Require conversation resolution

Integration Settings:

  • Enable "Issues"
  • Enable "Projects"
  • Enable "Wikis"
  • Enable "Discussions"
  • Enable "Packages"

📋 FINAL CHECKLIST

Before Pushing to GitHub:

  • Remove .windsurf/ directory from git history
  • Remove infra/k8s/sealed-secrets.yaml from git history
  • Remove infra/terraform/environments/secrets.tf from git history
  • Update .gitignore with all exclusions
  • Replace hardcoded credentials in documentation
  • Scan for any remaining sensitive files
  • Test that the repository still builds/works

After GitHub Setup:

  • Configure repository settings
  • Set up branch protection rules
  • Enable security features
  • Add README with proper setup instructions
  • Add SECURITY.md for vulnerability reporting
  • Add CONTRIBUTING.md for contributors

🔍 TOOLS FOR VERIFICATION

Scan for Credentials:

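# Install TruffleHog v3 (the Go release; "pip install trufflehog" installs the
# older v2, which has no "filesystem" subcommand)
brew install trufflehog

# Scan the working tree
trufflehog filesystem /path/to/repo

# Scan the full git history
trufflehog git file:///path/to/repo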

# Alternative: git-secrets
git secrets --scan -r

Git History Analysis:

# Check for large files
git rev-list --objects --all | git cat-file --batch-check='%(objecttype) %(objectname) %(objectsize) %(rest)' | sed -n 's/^blob //p' | sort -n --key=2 | tail -20

# Check for sensitive patterns
git log -p --all | grep -E "(password|secret|key|token)" | head -20

⚠️ IMPORTANT NOTES

  1. Force Push Required: After removing files from history, you'll need to force push:

    git push origin --force --all
    git push origin --force --tags
    
  2. Team Coordination: Notify all team members before force pushing as they'll need to re-clone the repository.

  3. Backup: Create a backup of the current repository before making these changes.

  4. CI/CD Updates: Update any CI/CD pipelines that might reference the removed files.

  5. Documentation: Update deployment documentation to reflect the changes in secrets management.