From 9a28636f761480a6a8f0de02149f3821f29ef777 Mon Sep 17 00:00:00 2001 From: Coding-Dev-Tools Date: Sun, 28 Jun 2026 22:15:32 -0400 Subject: [PATCH] improve: add requirements.txt, enhance SECURITY.md, update CONTRIBUTING.md --- .github/workflows/ci.yml | 54 ++++++++++++++++++++++++++++++++++++++++ CONTRIBUTING.md | 26 ++++++++++++++----- SECURITY.md | 32 ++++++++++++++++++++++++ requirements.txt | 5 ++++ 4 files changed, 111 insertions(+), 6 deletions(-) create mode 100644 requirements.txt diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b50fba8..801c0fc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,3 +42,57 @@ jobs: apiauth --version apiauth --help apiauth generate --help + + security: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 + with: + persist-credentials: false + + - name: Set up Python + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 + with: + python-version: "3.12" + + - name: Install pip-audit + run: pip install pip-audit + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install -e ".[dev]" + + - name: Security audit (pip-audit) + run: pip-audit -r requirements.txt || pip-audit --desc + + - name: Check for secrets + uses: trufflesecurity/trufflehog@34ed34b8e678b826e3e4a3d28426ac8bdfc4e1f2 + with: + path: ./ + base: "" + head: ${{ github.sha }} + + build: + runs-on: ubuntu-latest + needs: [test, security] + steps: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 + with: + persist-credentials: false + + - name: Set up Python + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 + with: + python-version: "3.12" + + - name: Install build tools + run: | + python -m pip install --upgrade pip + pip install build twine + + - name: Build package + run: python -m build + + - name: Check package + run: twine check dist/* 
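Review bot: The `Security audit (pip-audit)` step's `pip-audit -r requirements.txt || pip-audit --desc` lets a finding in requirements.txt pass the job: when the first audit exits non-zero, the `||` runs the environment audit instead, and if that one is clean the step succeeds, so the failure that just occurred is masked. Since the previous step already installs the project with `pip install -e ".[dev]"`, audit the environment directly and drop the fallback, `run: pip-audit --desc`, or run the two audits as separate steps so each result is reported on its own. The `pip install pip-audit` step installs an unpinned tool in a job whose actions are otherwise SHA-pinned; `pip install "pip-audit==<pinned version>"` would match that intent. The `build` job's `needs: [test, security]` refers to a `test` job that presumably is the one whose last steps appear as this hunk's context lines; the job id is outside the hunk and worth confirming.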
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index e93a00c..93c2fe5 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -5,18 +5,19 @@ Thanks for your interest in contributing! ## Development Setup 1. Fork and clone the repo -2. Create a virtual environment: python -m venv .venv && source .venv/bin/activate -3. Install dev dependencies: pip install -e ".[dev]" -4. Run tests: pytest tests/ -v -5. Lint: uff check src/ +2. Create a virtual environment: `python -m venv .venv && source .venv/bin/activate` +3. Install dev dependencies: `pip install -e ".[dev]"` +4. Run tests: `pytest tests/ -v` +5. Lint: `ruff check src/` ## Pull Requests - Fork the repo and create a feature branch - Add tests for any new functionality - Ensure all existing tests pass -- Run uff check src/ --fix before committing +- Run `ruff check src/ --fix` before committing - Keep PRs focused on a single change +- Ensure CI passes (ruff lint, pytest, CLI checks) ## Reporting Issues @@ -29,7 +30,20 @@ Thanks for your interest in contributing! - Python 3.10+ - Type hints where practical - Follow ruff defaults (Black-compatible formatting) +- Use conventional commits for commit messages (feat:, fix:, docs:, chore:, refactor:, test:) + +## Testing + +- Write unit tests for new functions in `tests/test_cli.py` +- Run full test suite: `pytest tests/ -v --tb=short` +- Target: 100% coverage for new code + +## Security + +- Never commit secrets or API keys +- Use `pip audit` before adding dependencies +- Follow the security practices in SECURITY.md ## License -By contributing, you agree your work will be licensed under the same license as this project. \ No newline at end of file +By contributing, you agree your work will be licensed under the same license as this project (MIT). \ No newline at end of file diff --git a/SECURITY.md b/SECURITY.md index 7c23301..0f1374f 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -2,6 +2,11 @@ ## Supported Versions +| Version | Supported | +| ------- | ------------------ | +| 0.2.x | :white_check_mark: | +| < 0.2 | :x: | + We release patches for security vulnerabilities in the latest version. ## Reporting a Vulnerability @@ -21,3 +26,30 @@ We aim to respond within 48 hours and will keep you updated on the fix. - Keep your dependencies up to date - Use `pip audit` to check for known vulnerabilities - Report any security concerns promptly + +## Security Architecture + +APIAuth uses several security controls: + +- **Encryption**: AES-256-GCM for keystore encryption +- **Key Derivation**: PBKDF2 with 100,000 iterations for master key derivation +- **Storage**: Only SHA-256 hashes of API keys and JWT signing secrets are stored +- **Key Rotation**: Previous key values are hashed out on rotation +- **Verification**: Constant-time hash comparison for API key verification +- **Offline Operation**: No telemetry, no network calls, fully air-gapped capable + +## Threat Model + +| Threat | Mitigation | +|--------|------------| +| Keystore theft | AES-256-GCM encryption with PBKDF2-derived key | +| Key exposure on rotation | Previous values hashed with SHA-256 before rotation | +| Timing attacks | Constant-time comparison for hash verification | +| Replay attacks | JTI-based JWT tracking with revocation support | +| Supply chain | Dependabot weekly updates, pinned GitHub Actions SHAs | + +## Compliance + +- No PII stored in keystore +- GDPR-compliant by design (no personal data collection) +- SOC 2 compatible audit trail via `apiauth audit` command diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..5837e75 --- /dev/null +++ b/requirements.txt @@ -0,0 +1,5 @@ +click>=8.1.0 +cryptography>=46.0.6 +pyjwt>=2.12.0 +rich>=13.0.0 +python-dateutil>=2.8.0 \ No newline at end of file
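Review bot: requirements.txt declares only lower bounds (`click>=8.1.0`, `cryptography>=46.0.6`, …), so `pip-audit -r requirements.txt` in ci.yml audits whatever versions resolve on the day the job runs rather than a fixed set, and the result is neither reproducible between runs nor tied to what a user actually installs. If the file is meant as the audit input, pin exact versions with `==` or generate it from a lock so the audited set matches the installed one; the `pip install -e ".[dev]"` step suggests the same dependencies are already declared in the project metadata, so a second hand-maintained list presumably risks the two drifting apart. Separately, the CONTRIBUTING.md hunk adds "Use `pip audit` before adding dependencies" (SECURITY.md already contains the same wording as a context line), while the tool CI invokes is `pip-audit`; `pip audit` is not a pip subcommand, so the docs should name `pip-audit`.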