SEC-C-01: Replace Neon PostgreSQL credentials (npg_Ssfy6HKO0cXI) with local dev connection strings in all 19 appsettings.json files. Production credentials must be injected via ConnectionStrings__DefaultConnection env var. Add appsettings.Production.json and appsettings.Staging.json to .gitignore.

SEC-C-02: Add services/goodgo-mcp-server/.env to root .gitignore. Create .env.example with safe placeholder values documenting required variables.

SEC-C-03: Wrap AddDeveloperSigningCredential() in env check, development only. Non-development environments must provide X.509 certificate via IdentityServer:SigningCertificatePath and IdentityServer:SigningCertificatePassword.

SEC-C-04: Remove 4 unauthenticated debug endpoints from StaffController: GET debug/all, POST debug/seed, POST debug/update-userid, POST debug/update-merchant. These endpoints allowed privilege escalation and data exfiltration without auth.

SEC-C-05: Removed endpoints containing SQL injection via string interpolation (lines 307, 367 in StaffController). Also removed [AllowAnonymous] from GET lookup endpoint; inherits class-level [Authorize].

BREAKING: debug/* endpoints are permanently removed. BFF lookup endpoint now requires authentication.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
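An added example, not code from this commit or the project: a CI or pre-commit scanner for the SEC-C-01 rule in the commit message above. It walks every appsettings*.json under a root, visits each string in the JSON, recognises both Key=Value (Npgsql/SqlClient) and URI-style connection strings, and flags any whose password is neither a local placeholder nor aimed at a local host, so a re-introduced hosted-database credential fails the build instead of being committed. The placeholder list, the local-host list and the sample files it constructs in a temp directory are assumptions for the example; the `npg_` value in the sample is a made-up string, not the credential referenced in the commit.

```python
"""
Added example (not from this commit or project): scan appsettings*.json
files for hard-coded database credentials, the CI check behind SEC-C-01.
Placeholder/host lists and the constructed sample files are assumptions.
"""
import json
import re
import tempfile
from pathlib import Path

# Assumed: passwords that are acceptable in a committed file (local dev only).
LOCAL_PLACEHOLDERS = {"", "postgres", "password", "changeme", "localdev"}
# Assumed: hosts that never hold production data.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1", "db", "postgres"}

# Key=Value style (Npgsql / SqlClient): "Host=...;Username=...;Password=...;"
_KV_PASSWORD = re.compile(r"(?i)(?:^|;)\s*(?:password|pwd)\s*=\s*([^;]*)")
_KV_HOST = re.compile(r"(?i)(?:^|;)\s*(?:host|server|data source)\s*=\s*([^;,:]*)")
# URI style: postgres://user:password@host/db
_URI = re.compile(r"(?i)^[a-z][a-z0-9+.-]*://[^:/@]+:([^@]*)@([^/:?]+)")


def _walk_strings(node, path=()):
    """Yield (key path, value) for every string leaf in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk_strings(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk_strings(value, path + (str(index),))
    elif isinstance(node, str):
        yield path, node


def classify_connection_string(value):
    """Return (host, password) if value carries a DB password, else None."""
    uri = _URI.match(value)
    if uri:
        return uri.group(2).lower(), uri.group(1)
    password = _KV_PASSWORD.search(value)
    if password is None:
        return None
    host = _KV_HOST.search(value)
    return (host.group(1).strip().lower() if host else ""), password.group(1).strip()


def is_hardcoded_secret(host, password):
    """A password is a finding unless it is a placeholder or points at a local host."""
    return password not in LOCAL_PLACEHOLDERS and host not in LOCAL_HOSTS


def scan_tree(root):
    """Return sorted (relative file, JSON key path) pairs for every finding under root."""
    root = Path(root)
    findings = []
    for file in root.rglob("appsettings*.json"):
        try:
            doc = json.loads(file.read_text(encoding="utf-8-sig"))  # tolerate a BOM
        except (OSError, ValueError):
            continue  # unreadable or not JSON: nothing to scan
        for path, value in _walk_strings(doc):
            parsed = classify_connection_string(value)
            if parsed and is_hardcoded_secret(*parsed):
                findings.append((file.relative_to(root).as_posix(), ":".join(path)))
    return sorted(findings)


# Constructed sample tree (assumption): a hosted credential in the base file, a
# local override in the Development file, and a URI-style credential elsewhere.
SAMPLE_FILES = {
    "src/Api/appsettings.json": {
        "ConnectionStrings": {
            "DefaultConnection": "Host=ep-example.neon.tech;Database=app;"
                                 "Username=app;Password=npg_notARealSecret"
        },
        "IdentityServer": {"Authority": "https://auth.example.com"},
    },
    "src/Api/appsettings.Development.json": {
        "ConnectionStrings": {
            "DefaultConnection": "Host=localhost;Database=app;"
                                 "Username=postgres;Password=postgres"
        }
    },
    "src/Worker/appsettings.json": {
        "ConnectionStrings": {"DefaultConnection": "postgres://app:s3cr3t@db.example.com/app"}
    },
}


def demo():
    """Write the constructed sample tree to a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, doc in SAMPLE_FILES.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(json.dumps(doc, indent=2), encoding="utf-8")
        return scan_tree(tmp)


if __name__ == "__main__":
    results = demo()
    for file, key in results:
        print(f"FINDING: {file} -> {key}")
    raise SystemExit(1 if results else 0)
```

Run it against a checkout root instead of the sample tree by calling `scan_tree(".")`; a non-empty result should fail the pipeline. Note that the Development file with `Host=localhost` is deliberately not flagged, which is the state SEC-C-01 leaves the 19 files in, while the environment variable `ConnectionStrings__DefaultConnection` supplies the real value at runtime and never appears in a JSON file at all.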
103 lines
1.1 KiB
Plaintext
# Dependencies
node_modules/
.pnp
.pnp.js

# Testing
coverage/
*.lcov
.nyc_output

# Production
dist/
build/
!scripts/build/
.next/
out/

# !Environment variables
!.env.local
!.env.development.local
!.env.test.local
!.env.production.local
!.env*.local

# Logs
logs/
*.log
npm-debug.log*
yarn-debug.log*
yarn-error.log*
pnpm-debug.log*
lerna-debug.log*

# OS
.DS_Store
.DS_Store?
._*
.Spotlight-V100
.Trashes
ehthumbs.db
Thumbs.db

# IDE
.vscode/
.idea/
*.swp
*.swo
*~
.project
.classpath
.settings/

# Prisma
prisma/migrations/*.sql

# Docker
.dockerignore

# Secrets
infra/secrets/**/*
!infra/secrets/**/.env.example
!infra/secrets/**/.gitignore

# .NET appsettings with environment-specific secrets (use env vars instead)
appsettings.Production.json
appsettings.Staging.json
appsettings.production.json
appsettings.staging.json

# MCP server secrets
services/goodgo-mcp-server/.env

# Temporary files
*.tmp
*.temp
.cache/
.turbo/

# Database
*.db
*.sqlite
*.sqlite3

# Certificates
*.pem
*.key
*.crt
infra/traefik/certs/*

# Build artifacts
*.tsbuildinfo

*storybook.log
storybook-static

# MAUI
obj
bin

# .NET build artifacts
**/bin/
**/obj/