Add GitHub Actions security scanning workflows

- Secret scanning with detect-secrets (baseline mode)
- Prompt injection detection with baseline support
- Auto-fixes: trailing whitespace, EOF newlines
- Updated baselines with legitimate test patterns
- Scans on push/PR to main, master, develop branches

Security scanning includes:
- 20+ secret types (API keys, tokens, credentials)
- 70+ prompt injection patterns (including Unicode steganography)
- PTAB-specific attack vectors (trial data extraction, API bypass)
- Git history scanning (last 100 commits)

Author: john-walkoe

.github/workflows/secret-scan.yaml

@@ -0,0 +1,98 @@
+name: Secret Scanning
+
+on:
+  push:
+    branches: [ main, master, develop ]
+  pull_request:
+    branches: [ main, master, develop ]
+
+jobs:
+  secret-scan:
+    name: Detect Secrets
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Full history for comprehensive scanning
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install detect-secrets
+        run: |
+          pip install detect-secrets
+
+      - name: Run detect-secrets scan
+        run: |
+          detect-secrets scan \
+            --exclude-files 'configs/.*\.json' \
+            --exclude-files '\.md$' \
+            --exclude-files 'package-lock\.json' \
+            --exclude-files '\.lock$' \
+            --baseline .secrets.baseline
+
+      - name: Check for secrets in git history (last 100 commits)
+        run: |
+          # Scan recent git history for accidentally committed secrets
+          git log --all --pretty=format: -p -100 | \
+          detect-secrets scan --stdin \
+            --exclude-files 'configs/.*\.json' \
+            --exclude-files '\.md$' || true
+
+      - name: Security scan summary
+        if: always()
+        run: |
+          echo "✅ Secret scanning complete"
+          echo "If secrets were detected, the job will fail above"
+          echo "To update baseline: detect-secrets scan --baseline .secrets.baseline"
+
+  prompt-injection-check:
+    name: Prompt Injection Security Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v3
+
+      - name: Install dependencies
+        run: uv sync
+
+      - name: Run prompt injection detection (baseline mode)
+        run: |
+          echo "Scanning for NEW prompt injection patterns (baseline mode)..."
+
+          # Run our custom prompt injection scanner with baseline
+          if uv run python .security/check_prompt_injections.py --baseline src/ tests/ *.md *.yml *.yaml *.json; then
+            echo "✅ No NEW prompt injection patterns detected"
+            echo "   (Known findings are tracked in .prompt_injections.baseline)"
+          else
+            echo "❌ NEW prompt injection patterns found!"
+            echo ""
+            echo "These patterns may indicate attempts to:"
+            echo "- Override system instructions (ignore previous instructions)"
+            echo "- Extract sensitive prompts (show me your instructions)"
+            echo "- Change AI behavior (you are now a different AI)"
+            echo "- Manipulate PTAB data (extract all IPR trial numbers)"
+            echo "- Bypass USPTO API restrictions (bypass PTAB API limits)"
+            echo "- Hide malicious content (Unicode steganography)"
+            echo ""
+            echo "Please review the flagged content to ensure it is not malicious."
+            echo ""
+            echo "If these are legitimate patterns (test cases, documentation):"
+            echo "  1. Verify they are not malicious"
+            echo "  2. Run: uv run python .security/check_prompt_injections.py --update-baseline src/ tests/ *.md"
+            echo "  3. Commit the updated .prompt_injections.baseline file"
+            exit 1
+          fi

.prompt_injections.baseline

@@ -1 +1 @@
-{}
+{}

.secrets.baseline

@@ -90,6 +90,10 @@
     {
       "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
     },
+    {
+      "path": "detect_secrets.filters.common.is_baseline_file",
+      "filename": ".secrets.baseline"
+    },
     {
       "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
       "min_level": 2
@@ -129,6 +133,33 @@
     }
   ],
   "results": {
+    "deploy\\Validation-Helpers.psm1": [
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "deploy\\Validation-Helpers.psm1",
+        "hashed_secret": "b173ce3ab26e49197a0a2c968ae03937ead2c080",
+        "is_verified": false,
+        "line_number": 129
+      }
+    ],
+    "scripts\\debug\\README.md": [
+      {
+        "type": "Secret Keyword",
+        "filename": "scripts\\debug\\README.md",
+        "hashed_secret": "a3e14ca24483c78554c083bc907c7194c7846ef1",
+        "is_verified": false,
+        "line_number": 54
+      }
+    ],
+    "scripts\\debug\\test_server.py": [
+      {
+        "type": "Secret Keyword",
+        "filename": "scripts\\debug\\test_server.py",
+        "hashed_secret": "b9615cef6cff3572af1365ff44c8b92ea9266f3e",
+        "is_verified": false,
+        "line_number": 21
+      }
+    ],
     "tests\\test_deployment.py": [
       {
         "type": "Base64 High Entropy String",
@@ -155,5 +186,5 @@
       }
     ]
   },
-  "generated_at": "2026-01-19T04:59:40Z"
+  "generated_at": "2026-01-19T06:52:23Z"
 }

.security/check_prompt_injections.py

@@ -345,4 +345,4 @@ def main():
 
 
 if __name__ == '__main__':
-    sys.exit(main())
+    sys.exit(main())

INSTALL.md

@@ -609,7 +609,7 @@ For workflow automation with **locally hosted n8n instances**, you can integrate
 
    ```bash
    npm install -g n8n
-   
+
    # Or using Docker with required environment variable
    docker run -it --rm --name n8n -p 5678:5678 \
      -e N8N_COMMUNITY_PACKAGES_ALLOW_TOOL_USAGE=true \
@@ -624,10 +624,10 @@ For workflow automation with **locally hosted n8n instances**, you can integrate
    # Method 1: Via n8n UI
    # Go to Settings > Community Nodes > Install
    # Enter: n8n-nodes-mcp
-   
+
    # Method 2: Via npm (for self-hosted)
    npm install n8n-nodes-mcp
-   
+
    # Method 3: Via Docker environment
    # Add to docker-compose.yml:
    # environment:
@@ -694,7 +694,7 @@ For workflow automation with **locally hosted n8n instances**, you can integrate
 
    ![n8n Execute Tool Operation](documentation_photos/n8n_PTAB_3.jpg)
 
-   - 
+   -
 
    - Use "List Tools" operation to see available USPTO PTAB functions
    - Use "Execute Tool" operation with `search_trials_minimal`

reference/PTAB-to-ODP-PTAB-API-Mapping.txt

@@ -268,4 +268,4 @@ GET /api/v1/patent/trials/decisions/search
 GET /api/v1/patent/appeals/decisions/search
 GET /api/v1/patent/ interferences/decisions/search
 
-/decisions
+/decisions

reference/PTAB_swagger.yaml

@@ -103,21 +103,21 @@ components:
       $ref: ./odp-common-base.yaml#/components/schemas/PatentSearchRequest
     PatentDownloadRequest:
       $ref: ./odp-common-base.yaml#/components/schemas/PatentDownloadRequest
-    PatentDataResponse:  
+    PatentDataResponse:
       $ref: ./odp-common-base.yaml#/components/schemas/PatentDataResponse
-    ApplicationMetaData:  
+    ApplicationMetaData:
       $ref: ./odp-common-base.yaml#/components/schemas/ApplicationMetaData
-    PatentTermAdjustment: 
+    PatentTermAdjustment:
       $ref: ./odp-common-base.yaml#/components/schemas/PatentTermAdjustment
     Assignment:
       $ref: ./odp-common-base.yaml#/components/schemas/Assignment
-    RecordAttorney:  
+    RecordAttorney:
       $ref: ./odp-common-base.yaml#/components/schemas/RecordAttorney
-    ParentContinuityData:  
+    ParentContinuityData:
       $ref: ./odp-common-base.yaml#/components/schemas/ParentContinuityData
-    ChildContinuityData:  
+    ChildContinuityData:
       $ref: ./odp-common-base.yaml#/components/schemas/ChildContinuityData
-    ForeignPriority:  
+    ForeignPriority:
       $ref: ./odp-common-base.yaml#/components/schemas/ForeignPriority
     EventData:
       $ref: ./odp-common-base.yaml#/components/schemas/EventData
@@ -128,7 +128,7 @@ components:
     GrantFileMetaData:
       $ref: ./odp-common-base.yaml#/components/schemas/GrantFileMetaData
     StatusCodeSearchResponse:
-      $ref: ./odp-common-base.yaml#/components/schemas/StatusCodeSearchResponse   
+      $ref: ./odp-common-base.yaml#/components/schemas/StatusCodeSearchResponse
     # BulkData
     BdssResponseProductBag:
       $ref: ./odp-common-base.yaml#/components/schemas/BdssResponseProductBag
@@ -138,7 +138,7 @@ components:
       $ref: ./odp-common-base.yaml#/components/schemas/PetitionDecisionResponseBag
     PetitionDecisionIdentifierResponseBag:
       $ref: ./odp-common-base.yaml#/components/schemas/PetitionDecisionIdentifierResponseBag
-   
+
     # Trial – Proceedings
     ProceedingDataResponse:
       $ref: ./trial-proceedings.yaml#/components/schemas/ProceedingDataResponse
@@ -203,5 +203,3 @@ components:
       $ref: ./trial-common.yaml#/components/schemas/Status413
     InternalError:
       $ref: ./trial-common.yaml#/components/schemas/InternalError
-
-    

tests/README.md

@@ -331,10 +331,10 @@ Tests run automatically on:
    # ✅ Good
    def test_trial_number_validation_accepts_valid_format():
        pass
-   
+
    def test_trial_number_validation_rejects_invalid_format():
        pass
-   
+
    # ❌ Bad
    def test_trial_number_validation():
        # Tests too many things