Security hardening: remove demo key, sanitize env examples, add secret scanning

.github/SECURITY.md

@@ -0,0 +1,10 @@
+# Security Policy
+
+We take security seriously. If you believe you’ve found a vulnerability, please follow these guidelines.
+
+- For general issues, follow our Bug Bounty program at BugBounty.md.
+- For Critical/High issues or if unsure, report privately to [email protected]. Do not publicly disclose details until a fix is deployed.
+- Safe Harbor: If you make a good-faith effort to comply with this policy, we will not pursue or support legal action against you. Do not perform DoS/DDoS, spam, social engineering, or access data that doesn’t belong to you. If you encounter PII or secrets, stop, report immediately, and purge local data.
+- Authorization: You are authorized to test the in-scope assets listed in BugBounty.md within the rules specified there.
+
+Coordinated Disclosure: We aim to acknowledge within 48 hours and validate within 7 business days as described in BugBounty.md.

.github/workflows/secret-scan.yml

@@ -0,0 +1,23 @@
+name: Secret Scan
+
+on:
+  push:
+    branches: [ "**" ]
+  pull_request:
+    branches: [ "**" ]
+
+jobs:
+  gitleaks:
+    name: Gitleaks Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Run Gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITLEAKS_ENABLE_COMMENTS: false
+        with:
+          args: --config=.gitleaks.toml --no-banner --redact --verbose

.gitleaks.toml

@@ -0,0 +1,19 @@
+title = "AIxBlock Gitleaks Config"
+
+[extend]
+# Use latest default rules from gitleaks
+useDefault = true
+
+[allowlist]
+# Allow listed file patterns and commits here if needed
+regexTarget = "both"
+
+# Example: allow placeholder demo key string used in templates
+[[allowlist.regexes]]
+regex = '''PLACEHOLDER_DEMO_KEY_DO_NOT_USE'''
+
+# Reduce false positives from common test fixture files
+[[allowlist.paths]]
+path = '''general-editor/.*'''
+[[allowlist.paths]]
+path = '''react-image-annotate/.*'''

templates/ssl_cert/.gitignore

@@ -0,0 +1,7 @@
+# Ignore private keys and certs in this folder
+*.key
+*.pem
+*.p12
+*.crt
+*.cer
+*.der

templates/ssl_cert/README.md

@@ -0,0 +1,5 @@
+This directory should never contain real private keys or production certificates.
+
+- The repository previously included a demo private key file. It has been replaced with a non-functional placeholder.
+- Generate your own keys locally for development using OpenSSL and store them outside of version control.
+- Add any real keys to your local .gitignore and secret manager.

templates/ssl_cert/reverse.aixblock.io.privkey.pem

@@ -1,5 +1,3 @@
 -----BEGIN PRIVATE KEY-----
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgUvzPAfxKK3Mz1lB8
-9J8PCKYBzzUswxuuM1qs6M20KfahRANCAARyU3bla6hUmVMFKaDEvtSJE2ag93lO
-ov/nEDxrNCuH2CketxRI+YJBiljCRShQ8EsqhicVC0Vg49VcWnLRJPys
------END PRIVATE KEY-----
+PLACEHOLDER_DEMO_KEY_DO_NOT_USE
+-----END PRIVATE KEY-----

workflow/.env.example

@@ -1,7 +1,9 @@
+# NOTE: Example values below are placeholders ONLY. Do not reuse in any environment.
+# For production, create your own .env with strong, unique secrets.
 AP_ENGINE_EXECUTABLE_PATH="dist/packages/engine/main.js"
-AP_API_KEY="59e72fd5297a9593c1c8a6e862e12aa62564e18e4b652cd00d5574298af002bd49a336395886b97852d804c007bc33365e61eebe9d02b6930b5973bed86d8b29"
-AP_ENCRYPTION_KEY="9c3f8d3f4645950e203cca65f51b49a0"
-AP_JWT_SECRET="6mn9a2bf5f75fee3fecd0947a2caddbcbc1f136651024730480ee821160205uc"
+AP_API_KEY="CHANGE_ME_STRONG_GLOBAL_API_KEY"
+AP_ENCRYPTION_KEY="CHANGE_ME_32_CHAR_HEX_OR_BASE64_KEY"
+AP_JWT_SECRET="CHANGE_ME_LONG_RANDOM_JWT_SECRET"
 AP_ENVIRONMENT="dev"
 AP_FRONTEND_URL="http://127.0.0.1:4200"
 AP_WEBHOOK_TIMEOUT_SECONDS="30"
@@ -10,7 +12,8 @@ AP_POSTGRES_DATABASE="aixblock"
 AP_POSTGRES_HOST="localhost"
 AP_POSTGRES_PORT="5434"
 AP_POSTGRES_USERNAME="postgres"
-AP_POSTGRES_PASSWORD="A79Vm5D4p2VQHOp2gd5"
+AP_POSTGRES_PASSWORD="CHANGE_ME_STRONG_DB_PASSWORD"
+# WARNING: UNSANDBOXED is for local development only. Never use in production.
 AP_EXECUTION_MODE="UNSANDBOXED"
 AP_REDIS_HOST="localhost"
 AP_REDIS_PORT="6379"
@@ -21,19 +24,19 @@ AP_BLOCKS_SYNC_MODE="OFFICIAL_AUTO"
 AP_TEMPLATES_SOURCE_URL=""
 AP_BLOCKS_SOURCE='DB'
 AP_MASTER_NODE='http://127.0.0.1:8080'
-AP_MASTER_TOKEN='2665b145c0140fccc5d3d73d19e5b7e9ceafe2dd'
+AP_MASTER_TOKEN='CHANGE_ME_LOCAL_ONLY_MASTER_TOKEN'
 AP_SHOW_POWERED_BY_IN_FORM="true"
 AP_DEV_BLOCKS="aixblock"
 
 # For login with google
-AP_GOOGLE_CLIENT_ID="******************"
-AP_GOOGLE_CLIENT_SECRET="******************"
+AP_GOOGLE_CLIENT_ID="<your_google_client_id>"
+AP_GOOGLE_CLIENT_SECRET="<your_google_client_secret>"
 
 # For login with aixblock
-AP_AIXBLOCK_CLIENT_ID="*****************"
-AP_AIXBLOCK_CLIENT_SECRET="******************"
+AP_AIXBLOCK_CLIENT_ID="<your_aixblock_client_id>"
+AP_AIXBLOCK_CLIENT_SECRET="<your_aixblock_client_secret>"
 AP_AIXBLOCK_PLATFORM_URI="https://app.aixblock.io/"
 
-
+# Edition and container type
 AP_EDITION="ee"
 AP_CONTAINER_TYPE='WORKER_AND_APP'

workflow/.env.production.example

@@ -0,0 +1,41 @@
+# Production-safe example configuration. Copy to your deployment and set real values via your secret manager.
+# DO NOT COMMIT REAL SECRETS.
+
+AP_ENGINE_EXECUTABLE_PATH="dist/packages/engine/main.js"
+# Use strong, rotated secrets managed by your secret store (e.g., AWS Secrets Manager, GCP Secret Manager)
+AP_API_KEY="set_in_secret_manager"
+AP_ENCRYPTION_KEY="set_in_secret_manager"
+AP_JWT_SECRET="set_in_secret_manager"
+AP_ENVIRONMENT="production"
+AP_FRONTEND_URL="https://app.aixblock.io"
+AP_WEBHOOK_TIMEOUT_SECONDS="30"
+AP_TRIGGER_DEFAULT_POLL_INTERVAL="5"
+AP_POSTGRES_DATABASE="aixblock"
+AP_POSTGRES_HOST="postgres"
+AP_POSTGRES_PORT="5432"
+AP_POSTGRES_USERNAME="aixblock"
+AP_POSTGRES_PASSWORD="set_in_secret_manager"
+# Enforce sandboxing in production
+AP_EXECUTION_MODE="SANDBOXED"
+AP_REDIS_HOST="redis"
+AP_REDIS_PORT="6379"
+AP_DB_TYPE="POSTGRES"
+AP_FLOW_TIMEOUT_SECONDS="600"
+AP_TELEMETRY_ENABLED="true"
+AP_BLOCKS_SYNC_MODE="OFFICIAL_AUTO"
+AP_TEMPLATES_SOURCE_URL=""
+AP_BLOCKS_SOURCE='DB'
+AP_MASTER_NODE='https://api.aixblock.io'
+AP_MASTER_TOKEN='set_in_secret_manager'
+AP_SHOW_POWERED_BY_IN_FORM="false"
+AP_DEV_BLOCKS=""
+
+# OAuth
+AP_GOOGLE_CLIENT_ID="your_google_client_id"
+AP_GOOGLE_CLIENT_SECRET="set_in_secret_manager"
+AP_AIXBLOCK_CLIENT_ID="your_aixblock_client_id"
+AP_AIXBLOCK_CLIENT_SECRET="set_in_secret_manager"
+AP_AIXBLOCK_PLATFORM_URI="https://app.aixblock.io/"
+
+AP_EDITION="ee"
+AP_CONTAINER_TYPE='WORKER_AND_APP'