Security hardening: input validation, sensitive data handling, and CI/CD

.dockerignore

@@ -0,0 +1,72 @@
+# Dependencies
+node_modules/
+.pnpm-store/
+
+# Build output (we rebuild in Docker)
+dist/
+coverage/
+
+# Environment files - NEVER include in images
+.env
+.env.*
+!.env.example
+.env.clients.json
+
+# Secrets and keys
+*.pem
+*.key
+*.p12
+*.pfx
+secrets.json
+credentials.json
+*-secrets.json
+*-credentials.json
+
+# Editor and IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# macOS
+.DS_Store
+
+# Git
+.git/
+.gitignore
+
+# Documentation (not needed in production image)
+*.md
+!README.md
+docs/
+
+# Development files
+.claude/
+CLAUDE.md
+GEMINI.md
+
+# Logs
+*.log
+logs/
+
+# Test files
+**/*.test.ts
+**/*.spec.ts
+__tests__/
+test/
+tests/
+
+# CI/CD configuration (not needed in image)
+.github/
+
+# Docker files (prevent recursive copying)
+Dockerfile*
+docker-compose*.yml
+.dockerignore
+
+# Certificates (should be mounted, not baked in)
+certs/
+
+# Local development
+caddyfile
+out/

.env.example

@@ -0,0 +1,54 @@
+# Core Exchange Node Example - Environment Configuration
+# =============================================================================
+# Copy this file to .env in the project root to configure the application.
+#
+# IMPORTANT SECURITY NOTES:
+# - Never commit .env files to version control
+# - Use different values for each environment (dev, staging, production)
+# - Generate production secrets with: node scripts/secrets.js all
+# - Store production secrets in a secure secret manager
+# =============================================================================
+
+# ===== SERVICE URLS =====
+# These URLs must match your Caddy/proxy configuration
+OP_ISSUER=https://id.localtest.me
+APP_HOST=https://app.localtest.me
+APP_BASE_URL=https://app.localtest.me
+API_HOST=https://api.localtest.me
+API_BASE_URL=https://api.localtest.me
+
+# ===== SERVICE PORTS =====
+OP_PORT=3001
+APP_PORT=3004
+API_PORT=3003
+
+# ===== OAUTH CLIENT CONFIGURATION =====
+# For development: Use these placeholder values
+# For production: Generate with `node scripts/secrets.js client`
+CLIENT_ID=dev-rp-CHANGE-FOR-PRODUCTION
+CLIENT_SECRET=dev-secret-CHANGE-FOR-PRODUCTION
+REDIRECT_URI=https://app.localtest.me/callback
+
+# ===== APPLICATION SECRETS =====
+# For development: Use this placeholder value
+# For production: Generate with `node scripts/secrets.js secrets`
+COOKIE_SECRET=dev-cookie-secret-CHANGE-FOR-PRODUCTION
+
+# ===== API CONFIGURATION =====
+API_AUDIENCE=api://my-api
+
+# ===== JWKS (Token Signing Keys) =====
+# For development: Leave commented (uses ephemeral keys - tokens invalidate on restart)
+# For production: Generate with `node scripts/secrets.js jwks`
+# JWKS='{"keys":[...]}'
+
+# ===== MULTIPLE OAUTH CLIENTS (Optional) =====
+# To register multiple OAuth clients, either:
+# 1. Copy apps/auth/.env.clients.example.json to .env.clients.json
+# 2. Or set this environment variable as a JSON array
+# OIDC_CLIENTS=[{"client_id":"...","client_secret":"...","redirect_uris":["..."]}]
+
+# ===== LOGGING =====
+# Options: trace, debug, info, warn, error, fatal
+# Use 'debug' for detailed OAuth flow logging during development
+LOG_LEVEL=info

.github/dependabot.yml

@@ -0,0 +1,59 @@
+# Dependabot configuration for automated dependency updates
+# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates
+
+version: 2
+updates:
+  # npm dependencies
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+      timezone: "America/Los_Angeles"
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "deps"
+    labels:
+      - "dependencies"
+      - "automated"
+    # Group minor and patch updates together
+    groups:
+      production-dependencies:
+        patterns:
+          - "*"
+        exclude-patterns:
+          - "@types/*"
+          - "typescript"
+          - "eslint*"
+          - "@eslint/*"
+          - "@stylistic/*"
+          - "@typescript-eslint/*"
+        update-types:
+          - "minor"
+          - "patch"
+      dev-dependencies:
+        patterns:
+          - "@types/*"
+          - "typescript"
+          - "eslint*"
+          - "@eslint/*"
+          - "@stylistic/*"
+          - "@typescript-eslint/*"
+        update-types:
+          - "minor"
+          - "patch"
+
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+      timezone: "America/Los_Angeles"
+    commit-message:
+      prefix: "ci"
+    labels:
+      - "ci"
+      - "automated"

.github/workflows/ci.yml

@@ -0,0 +1,94 @@
+name: CI
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+# Cancel in-progress runs for the same branch
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          run_install: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22.x'
+          cache: 'pnpm'
+          cache-dependency-path: pnpm-lock.yaml
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Run ESLint
+        run: pnpm lint
+
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          run_install: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22.x'
+          cache: 'pnpm'
+          cache-dependency-path: pnpm-lock.yaml
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build all packages
+        run: pnpm build
+
+  security:
+    name: Security Audit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          run_install: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22.x'
+          cache: 'pnpm'
+          cache-dependency-path: pnpm-lock.yaml
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Run security audit
+        run: pnpm audit --audit-level=high
+        continue-on-error: true  # Don't fail the build, but report issues
+
+      - name: Check for known vulnerabilities
+        run: |
+          echo "## Security Audit Results" >> $GITHUB_STEP_SUMMARY
+          pnpm audit --audit-level=moderate 2>&1 | head -100 >> $GITHUB_STEP_SUMMARY || true