From 1a5ed8a8c6b3f865f5b967bb6b9a4d4405c984e2 Mon Sep 17 00:00:00 2001
From: "Taurai. M" <rusiqe@gmail.com>
Date: Fri, 8 Aug 2025 12:01:26 +0200
Subject: [PATCH 1/2] security: sanitize .env.example, add SECURITY policy,
 ignore certs, and replace committed private key with placeholder

- Replace real-looking secrets in workflow/.env.example with placeholders and warnings
- Add .github/SECURITY.md with Safe Harbor and private reporting guidance
- Add templates/ssl_cert/.gitignore and README; replace demo key with placeholder
- Aligns with BugBounty.md guidance on responsible disclosure and secret handling
---
 .github/SECURITY.md                           | 10 ++++++++
 templates/ssl_cert/.gitignore                 |  7 ++++++
 templates/ssl_cert/README.md                  |  5 ++++
 .../ssl_cert/reverse.aixblock.io.privkey.pem  |  6 ++---
 workflow/.env.example                         | 23 +++++++++++--------
 5 files changed, 37 insertions(+), 14 deletions(-)
 create mode 100644 .github/SECURITY.md
 create mode 100644 templates/ssl_cert/.gitignore
 create mode 100644 templates/ssl_cert/README.md

diff --git a/.github/SECURITY.md b/.github/SECURITY.md
new file mode 100644
index 00000000..1b4eba1d
--- /dev/null
+++ b/.github/SECURITY.md
@@ -0,0 +1,10 @@
+# Security Policy
+
+We take security seriously. If you believe you’ve found a vulnerability, please follow these guidelines.
+
+- For general issues, follow our Bug Bounty program at BugBounty.md.
+- For Critical/High issues or if unsure, report privately to security@aixblock.io. Do not publicly disclose details until a fix is deployed.
+- Safe Harbor: If you make a good-faith effort to comply with this policy, we will not pursue or support legal action against you. Do not perform DoS/DDoS, spam, social engineering, or access data that doesn’t belong to you. If you encounter PII or secrets, stop, report immediately, and purge local data.
+- Authorization: You are authorized to test the in-scope assets listed in BugBounty.md within the rules specified there.
+
+Coordinated Disclosure: We aim to acknowledge within 48 hours and validate within 7 business days as described in BugBounty.md.
diff --git a/templates/ssl_cert/.gitignore b/templates/ssl_cert/.gitignore
new file mode 100644
index 00000000..625451e3
--- /dev/null
+++ b/templates/ssl_cert/.gitignore
@@ -0,0 +1,7 @@
+# Ignore private keys and certs in this folder
+*.key
+*.pem
+*.p12
+*.crt
+*.cer
+*.der
diff --git a/templates/ssl_cert/README.md b/templates/ssl_cert/README.md
new file mode 100644
index 00000000..b030ad2c
--- /dev/null
+++ b/templates/ssl_cert/README.md
@@ -0,0 +1,5 @@
+This directory should never contain real private keys or production certificates.
+
+- The repository previously included a demo private key file. It has been replaced with a non-functional placeholder.
+- Generate your own keys locally for development using OpenSSL and store them outside of version control.
+- Add any real keys to your local .gitignore and secret manager.
diff --git a/templates/ssl_cert/reverse.aixblock.io.privkey.pem b/templates/ssl_cert/reverse.aixblock.io.privkey.pem
index cf4fda7d..73edb07e 100644
--- a/templates/ssl_cert/reverse.aixblock.io.privkey.pem
+++ b/templates/ssl_cert/reverse.aixblock.io.privkey.pem
@@ -1,5 +1,3 @@
 -----BEGIN PRIVATE KEY-----
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgUvzPAfxKK3Mz1lB8
-9J8PCKYBzzUswxuuM1qs6M20KfahRANCAARyU3bla6hUmVMFKaDEvtSJE2ag93lO
-ov/nEDxrNCuH2CketxRI+YJBiljCRShQ8EsqhicVC0Vg49VcWnLRJPys
------END PRIVATE KEY-----
\ No newline at end of file
+PLACEHOLDER_DEMO_KEY_DO_NOT_USE
+-----END PRIVATE KEY-----
diff --git a/workflow/.env.example b/workflow/.env.example
index e43a0cde..4793396b 100644
--- a/workflow/.env.example
+++ b/workflow/.env.example
@@ -1,7 +1,9 @@
+# NOTE: Example values below are placeholders ONLY. Do not reuse in any environment.
+# For production, create your own .env with strong, unique secrets.
 AP_ENGINE_EXECUTABLE_PATH="dist/packages/engine/main.js"
-AP_API_KEY="59e72fd5297a9593c1c8a6e862e12aa62564e18e4b652cd00d5574298af002bd49a336395886b97852d804c007bc33365e61eebe9d02b6930b5973bed86d8b29"
-AP_ENCRYPTION_KEY="9c3f8d3f4645950e203cca65f51b49a0"
-AP_JWT_SECRET="6mn9a2bf5f75fee3fecd0947a2caddbcbc1f136651024730480ee821160205uc"
+AP_API_KEY="CHANGE_ME_STRONG_GLOBAL_API_KEY"
+AP_ENCRYPTION_KEY="CHANGE_ME_32_CHAR_HEX_OR_BASE64_KEY"
+AP_JWT_SECRET="CHANGE_ME_LONG_RANDOM_JWT_SECRET"
 AP_ENVIRONMENT="dev"
 AP_FRONTEND_URL="http://127.0.0.1:4200"
 AP_WEBHOOK_TIMEOUT_SECONDS="30"
@@ -10,7 +12,8 @@ AP_POSTGRES_DATABASE="aixblock"
 AP_POSTGRES_HOST="localhost"
 AP_POSTGRES_PORT="5434"
 AP_POSTGRES_USERNAME="postgres"
-AP_POSTGRES_PASSWORD="A79Vm5D4p2VQHOp2gd5"
+AP_POSTGRES_PASSWORD="CHANGE_ME_STRONG_DB_PASSWORD"
+# WARNING: UNSANDBOXED is for local development only. Never use in production.
 AP_EXECUTION_MODE="UNSANDBOXED"
 AP_REDIS_HOST="localhost"
 AP_REDIS_PORT="6379"
@@ -21,19 +24,19 @@ AP_BLOCKS_SYNC_MODE="OFFICIAL_AUTO"
 AP_TEMPLATES_SOURCE_URL=""
 AP_BLOCKS_SOURCE='DB'
 AP_MASTER_NODE='http://127.0.0.1:8080'
-AP_MASTER_TOKEN='2665b145c0140fccc5d3d73d19e5b7e9ceafe2dd'
+AP_MASTER_TOKEN='CHANGE_ME_LOCAL_ONLY_MASTER_TOKEN'
 AP_SHOW_POWERED_BY_IN_FORM="true"
 AP_DEV_BLOCKS="aixblock"
 
 # For login with google
-AP_GOOGLE_CLIENT_ID="******************"
-AP_GOOGLE_CLIENT_SECRET="******************"
+AP_GOOGLE_CLIENT_ID="<your_google_client_id>"
+AP_GOOGLE_CLIENT_SECRET="<your_google_client_secret>"
 
 # For login with aixblock
-AP_AIXBLOCK_CLIENT_ID="*****************"
-AP_AIXBLOCK_CLIENT_SECRET="******************"
+AP_AIXBLOCK_CLIENT_ID="<your_aixblock_client_id>"
+AP_AIXBLOCK_CLIENT_SECRET="<your_aixblock_client_secret>"
 AP_AIXBLOCK_PLATFORM_URI="https://app.aixblock.io/"
 
-
+# Edition and container type
 AP_EDITION="ee"
 AP_CONTAINER_TYPE='WORKER_AND_APP'

From 1ff791d5d001d19ebfd74fae562402a1ddbf7613 Mon Sep 17 00:00:00 2001
From: "Taurai. M" <rusiqe@gmail.com>
Date: Fri, 8 Aug 2025 12:07:13 +0200
Subject: [PATCH 2/2] security(ci): add gitleaks secret scanning and
 production-safe env example

- Add .gitleaks.toml and GitHub Actions workflow to scan secrets on PR/push
- Add workflow/.env.production.example with SANDBOXED defaults and secret-manager placeholders
---
 .github/workflows/secret-scan.yml | 23 +++++++++++++++++
 .gitleaks.toml                    | 19 ++++++++++++++
 workflow/.env.production.example  | 41 +++++++++++++++++++++++++++++++
 3 files changed, 83 insertions(+)
 create mode 100644 .github/workflows/secret-scan.yml
 create mode 100644 .gitleaks.toml
 create mode 100644 workflow/.env.production.example

diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
new file mode 100644
index 00000000..9207ef77
--- /dev/null
+++ b/.github/workflows/secret-scan.yml
@@ -0,0 +1,23 @@
+name: Secret Scan
+
+on:
+  push:
+    branches: [ "**" ]
+  pull_request:
+    branches: [ "**" ]
+
+jobs:
+  gitleaks:
+    name: Gitleaks Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Run Gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITLEAKS_ENABLE_COMMENTS: false
+        with:
+          args: --config=.gitleaks.toml --no-banner --redact --verbose
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 00000000..56dc731a
--- /dev/null
+++ b/.gitleaks.toml
@@ -0,0 +1,19 @@
+title = "AIxBlock Gitleaks Config"
+
+[extend]
+# Use latest default rules from gitleaks
+useDefault = true
+
+[allowlist]
+# Allow listed file patterns and commits here if needed
+regexTarget = "both"
+
+# Example: allow placeholder demo key string used in templates
+[[allowlist.regexes]]
+regex = '''PLACEHOLDER_DEMO_KEY_DO_NOT_USE'''
+
+# Reduce false positives from common test fixture files
+[[allowlist.paths]]
+path = '''general-editor/.*'''
+[[allowlist.paths]]
+path = '''react-image-annotate/.*'''
diff --git a/workflow/.env.production.example b/workflow/.env.production.example
new file mode 100644
index 00000000..64728551
--- /dev/null
+++ b/workflow/.env.production.example
@@ -0,0 +1,41 @@
+# Production-safe example configuration. Copy to your deployment and set real values via your secret manager.
+# DO NOT COMMIT REAL SECRETS.
+
+AP_ENGINE_EXECUTABLE_PATH="dist/packages/engine/main.js"
+# Use strong, rotated secrets managed by your secret store (e.g., AWS Secrets Manager, GCP Secret Manager)
+AP_API_KEY="set_in_secret_manager"
+AP_ENCRYPTION_KEY="set_in_secret_manager"
+AP_JWT_SECRET="set_in_secret_manager"
+AP_ENVIRONMENT="production"
+AP_FRONTEND_URL="https://app.aixblock.io"
+AP_WEBHOOK_TIMEOUT_SECONDS="30"
+AP_TRIGGER_DEFAULT_POLL_INTERVAL="5"
+AP_POSTGRES_DATABASE="aixblock"
+AP_POSTGRES_HOST="postgres"
+AP_POSTGRES_PORT="5432"
+AP_POSTGRES_USERNAME="aixblock"
+AP_POSTGRES_PASSWORD="set_in_secret_manager"
+# Enforce sandboxing in production
+AP_EXECUTION_MODE="SANDBOXED"
+AP_REDIS_HOST="redis"
+AP_REDIS_PORT="6379"
+AP_DB_TYPE="POSTGRES"
+AP_FLOW_TIMEOUT_SECONDS="600"
+AP_TELEMETRY_ENABLED="true"
+AP_BLOCKS_SYNC_MODE="OFFICIAL_AUTO"
+AP_TEMPLATES_SOURCE_URL=""
+AP_BLOCKS_SOURCE='DB'
+AP_MASTER_NODE='https://api.aixblock.io'
+AP_MASTER_TOKEN='set_in_secret_manager'
+AP_SHOW_POWERED_BY_IN_FORM="false"
+AP_DEV_BLOCKS=""
+
+# OAuth
+AP_GOOGLE_CLIENT_ID="your_google_client_id"
+AP_GOOGLE_CLIENT_SECRET="set_in_secret_manager"
+AP_AIXBLOCK_CLIENT_ID="your_aixblock_client_id"
+AP_AIXBLOCK_CLIENT_SECRET="set_in_secret_manager"
+AP_AIXBLOCK_PLATFORM_URI="https://app.aixblock.io/"
+
+AP_EDITION="ee"
+AP_CONTAINER_TYPE='WORKER_AND_APP'