58 changes: 58 additions & 0 deletions .env
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
# This file is committed to git no secrets.

#!/usr/bin/env bash

# Vault environment loader wrapper
# Usage: source .env (never run directly)

set -o pipefail

if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
echo "This script must be sourced: source .env" >&2
exit 1
fi
Comment on lines +3 to +13


Action required

2. Windows sonar env broken 🐞 Bug ✓ Correctness

• make.bat still assumes .env is a line-oriented KEY=VALUE file, but this PR converts .env into a bash script.
• On Windows, make sonar will not load SONAR_* variables correctly, so npm run sonar may run with missing config (and now defaults to localhost).
• This is a breaking change for Windows developers using make.bat sonar.
Agent Prompt
### Issue description
`make.bat sonar` expects `.env` to be a simple `KEY=VALUE` file, but `.env` is now a bash script. This breaks environment loading on Windows.

### Issue Context
Windows batch parsing cannot interpret bash constructs (`#!/usr/bin/env bash`, `[[ ... ]]`, `source`, function calls). As a result, SONAR-related env vars won't be loaded.

### Fix Focus Areas
- .env[1-58]
- make.bat[30-50]



SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
HELPER_PATH="${VAULT_HELPER_PATH:-${SCRIPT_DIR}/scripts/vault-helper.sh}"

if [[ ! -r "$HELPER_PATH" ]]; then
echo "Vault helper not found at $HELPER_PATH" >&2
return 1
fi

# shellcheck source=./scripts/vault-helper.sh
source "$HELPER_PATH"

DEFAULT_VAULT_SECRET_DEFS=$'kv/Sonarqube/sonarqube|SONAR_TOKEN=SONAR_TOKEN SONAR_TOKEN=sonar_token SONAR_TOKEN=token\nkv/dependencytrack|DTRACK_API_KEY=DTRACK_API_KEY DTRACK_API_KEY=api_key DTRACK_API_KEY=token'
DEFAULT_VAULT_REQUIRED_VARS="SONAR_TOKEN DTRACK_API_KEY"

if [[ -z "${VAULT_TOKEN:-}" ]]; then
token_candidates=()
if [[ -n "${VAULT_TOKEN_FILE:-}" ]]; then
token_candidates+=("$VAULT_TOKEN_FILE")
fi
token_candidates+=("${HOME}/.vault-token" "/home/vscode/.vault-token" "/root/.vault-token")
for token_path in "${token_candidates[@]}"; do
if [[ -r "$token_path" ]]; then
VAULT_TOKEN_FILE="$token_path"
export VAULT_TOKEN_FILE
break
fi
done
fi

SECRET_DEFS="${VAULT_SECRET_PATHS:-$DEFAULT_VAULT_SECRET_DEFS}"
REQUIRED_VARS="${VAULT_REQUIRED_VARS:-$DEFAULT_VAULT_REQUIRED_VARS}"

vault_helper::load_from_definitions "$SECRET_DEFS" "$REQUIRED_VARS" "$VAULT_TOKEN_FILE"
Comment on lines +44 to +47


Action required

4. Vault prompts can hang 🐞 Bug ⛯ Reliability

• .env unconditionally calls vault_helper::load_from_definitions, which may invoke interactive read prompts when a token is missing/invalid.
• scripts/sonar-scan.js runs .env inside a spawned bash with stdin inherited; in non-interactive contexts this can block until timeout.
• This makes npm run sonar fragile on machines that have vault+jq installed but no valid token file/env configured.
Agent Prompt
### Issue description
Running `.env` can trigger interactive Vault login prompts, which can hang `npm run sonar` in non-interactive environments.

### Issue Context
`.env` always calls `vault_helper::load_from_definitions`, and the helper will prompt via `read` if a token is missing/invalid.

### Fix Focus Areas
- .env[29-47]
- scripts/vault-helper.sh[59-84]
- scripts/vault-helper.sh[205-220]
- scripts/sonar-scan.js[92-147]



# Commented out for CI/automated testing
# SONAR_TOKEN=""
DTR_PROJECT_KEY=
# DTRACK_API_KEY=""
DTRACK_PROJECT=ai-code-fusion
DTRACK_PROJECT_VERSION=main

# Local SonarQube defaults (cross-platform, no secrets)
SONAR_PROJECT_KEY=ai-code-fusion
# SONAR_TOKEN=
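Review bot: because this file is only ever sourced, `set -o pipefail` and every working variable it defines (SCRIPT_DIR, HELPER_PATH, token_candidates, token_path, SECRET_DEFS, REQUIRED_VARS) stay behind in the developer's interactive shell; wrap the loader in a function that is called once and then removed with `unset -f`, or `unset` the temporaries after the `vault_helper::load_from_definitions` call. That call also passes `"$VAULT_TOKEN_FILE"` unconditionally, but the candidate loop only sets it when VAULT_TOKEN is empty, so a shell running with `set -u` and VAULT_TOKEN already exported aborts here; use `"${VAULT_TOKEN_FILE:-}"`. The trailing assignments (`DTRACK_PROJECT=ai-code-fusion`, `DTRACK_PROJECT_VERSION=main`, `SONAR_PROJECT_KEY=ai-code-fusion`) carry no `export`, so they are visible to the sourcing shell but not to child processes such as `npm run sonar` unless something else exports them; either prefix them with `export` or `set -a` around that block.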
19 changes: 19 additions & 0 deletions .github/dependabot.yml
@@ -0,0 +1,19 @@
version: 2
updates:
- package-ecosystem: npm
directory: "/"
schedule:
interval: weekly
open-pull-requests-limit: 10
labels:
- dependencies
- dependabot

- package-ecosystem: github-actions
directory: "/"
schedule:
interval: weekly
open-pull-requests-limit: 10
labels:
- dependencies
- dependabot
66 changes: 66 additions & 0 deletions .github/workflows/secrets-gate.yml
@@ -0,0 +1,66 @@
name: Secrets Gate

on:
pull_request:
branches: ['main']
push:
branches: ['main']
workflow_dispatch:

permissions:
contents: read

jobs:
gitleaks:
name: Gitleaks Secret Scan
runs-on: ubuntu-latest

steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
with:
fetch-depth: 0
persist-credentials: false

- name: Install gitleaks
env:
GITLEAKS_VERSION: 8.24.3
run: |
set -euo pipefail
curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" -o gitleaks.tar.gz
tar -xzf gitleaks.tar.gz gitleaks
chmod +x gitleaks
echo "${PWD}" >> "${GITHUB_PATH}"
Comment on lines +25 to +33


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

gitleaks releases GitHub checksums SHA256

💡 Result:

Yes—Gitleaks publishes SHA256 checksums on GitHub Releases:

  • In each release, there is a dedicated asset named like gitleaks_<version>_checksums.txt (e.g., gitleaks_8.30.0_checksums.txt) that contains SHA256 hashes for the release artifacts. [1]
  • Additionally, GitHub itself displays an SHA256 digest next to each uploaded release asset (computed by GitHub at upload time), so you can verify without relying only on the project-provided checksum file. [2]

To verify locally, GitHub recommends using the CLI command gh release verify-asset <tag> <artifact-path>. [3]

Sources: [1] [2] [3]


🌐 Web query:

gitleaks-action GitHub official repository

💡 Result:

The official GitHub repository for gitleaks-action is gitleaks/gitleaks-action. [1]

https://github.com/gitleaks/gitleaks-action

Verify the downloaded gitleaks binary's checksum to mitigate supply-chain risk.

The gitleaks binary is fetched directly from GitHub Releases without verifying its SHA256 digest. If the release asset were ever tampered with, a malicious binary would be installed silently. Gitleaks publishes SHA256 checksums for each release in a dedicated checksum file, and GitHub also displays digests alongside each asset.

🔒 Proposed fix — add checksum verification
       - name: Install gitleaks
         env:
           GITLEAKS_VERSION: 8.24.3
+          GITLEAKS_SHA256: "<expected-sha256-for-linux-x64-tarball>"
         run: |
           set -euo pipefail
           curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" -o gitleaks.tar.gz
+          echo "${GITLEAKS_SHA256}  gitleaks.tar.gz" | sha256sum -c -
           tar -xzf gitleaks.tar.gz gitleaks
           chmod +x gitleaks
           echo "${PWD}" >> "${GITHUB_PATH}"

Alternatively, use the official gitleaks/gitleaks-action, which handles installation and verification automatically.

🤖 Prompt for AI Agents
In @.github/workflows/secrets-gate.yml around lines 25 - 33, Add SHA256 checksum
verification for the downloaded gitleaks release: in the "Install gitleaks" step
(where GITLEAKS_VERSION is used and gitleaks.tar.gz is saved), also curl the
corresponding checksums file from the same release, extract the expected
checksum for gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz, compute the SHA256
of the downloaded gitleaks.tar.gz (e.g., using sha256sum) and compare them, and
exit non‑zero if they do not match; alternatively replace this manual install
with the official gitleaks/gitleaks-action which performs verification
automatically.


- name: Determine git scan range
id: scan-range
shell: bash
run: |
set -euo pipefail
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
echo "log_opts=${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}" >> "${GITHUB_OUTPUT}"
elif [[ "${{ github.event.before }}" != "0000000000000000000000000000000000000000" ]]; then
echo "log_opts=${{ github.event.before }}..${{ github.sha }}" >> "${GITHUB_OUTPUT}"
else
echo "log_opts=${{ github.sha }}" >> "${GITHUB_OUTPUT}"
fi

- name: Scan commit range for secrets
run: |
set -euo pipefail
gitleaks git \
--redact \
--no-banner \
--exit-code 1 \
--log-opts="${{ steps.scan-range.outputs.log_opts }}" \
--report-format json \
--report-path gitleaks-report.json

- name: Upload gitleaks report
if: always()
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
with:
name: gitleaks-report
path: gitleaks-report.json
if-no-files-found: ignore
retention-days: 14
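Review bot: `echo "${PWD}" >> "${GITHUB_PATH}"` in the install step prepends the checked-out repository root to PATH for every later step, so any executable committed at the top of the tree shadows `git` and the other tools gitleaks shells out to during the scan; install the binary into a directory outside the checkout (for example `$RUNNER_TEMP`) and add that directory instead. In the scan-range step, the `workflow_dispatch` and first-push fallback (`log_opts=${{ github.sha }}`) hands `git log` a single ref, which with `fetch-depth: 0` walks the entire reachable history rather than one commit; that is a reasonable full-history gate, but say so in a comment or cap it. The `${{ }}` values interpolated into the `run:` block are all commit SHAs, so the usual expression-injection concern does not apply to this step.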
4 changes: 3 additions & 1 deletion .gitignore
Expand Up @@ -62,7 +62,6 @@ $RECYCLE.BIN/
._*

# Environment variables and local config
.env
.env.local
.env.*
.scannerwork/
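Review bot: dropping `.env` from this block is what lets the new bootstrap file be tracked, and `.env.*` still ignores `.env.local` and any personal overrides, which is the right split; since the tracked file now executes on `source`, add a line to the "Environment variables and local config" comment saying that developer-specific values belong in an ignored `.env.local`, so nobody edits the committed script to hold a token.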
Expand All @@ -74,3 +73,6 @@ start/*
src/renderer/bundle.js.LICENSE.txt
src/renderer/bundle.js.map
src/renderer/bundle.js

# Test artifacts
/test-results
5 changes: 5 additions & 0 deletions .husky/pre-commit
@@ -1,5 +1,10 @@
#!/usr/bin/env sh
. "$(dirname -- "$0")/_/husky.sh"

set -e

# Run lint-staged (works on both Windows with Git Bash and Linux)
npx lint-staged

# Block commits that introduce secrets.
npm run gitleaks
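Review bot: `npm run gitleaks` refers to a package.json script that is not part of this diff; confirm it exists and that it scans only the staged changes (gitleaks' pre-commit/staged mode) rather than the whole repository history, otherwise every commit re-scans the full tree and the hook becomes the first thing developers bypass with `--no-verify`. Since `set -e` is placed after `husky.sh` is sourced, a failure to load husky itself is not caught; moving `set -e` above the `.` line costs nothing.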
32 changes: 32 additions & 0 deletions AGENTS.md
@@ -0,0 +1,32 @@
# AGENTS.md

Lightweight rules for automated agents and contributors in this repository.

## Scope

- Keep changes focused and minimal.
- Do not make unrelated refactors.

## Tests and Quality

- Before proposing merge-ready changes, run:
- `npm run lint`
- `npm test -- --runInBand`
- If UI behavior/layout is changed, also run:
- `npm run qa:screenshot`
- Do not mark work complete while required CI checks are failing.
- Use `tests/catalog.md` as the source of truth for test targets and use cases.

## `.env` Policy (Local-Only)

- `.env` in this repo is for local development bootstrap only.
- Keep `.env` tracked; do not remove/rename it.
- Do not over-engineer or heavily refactor `.env` for non-local use.
- Never commit secrets/tokens in `.env`.
- Use Vault/environment-provided secrets for real credentials.

## Review Focus for Agents

- Treat `.env` changes as sensitive even when local-only.
- Ensure `.env` updates are minimal, intentional, and documented in PR notes.
- Reject any hardcoded secret, token, or credential exposure in code, docs, or PR text.
2 changes: 0 additions & 2 deletions docs/DEVELOPMENT.md
Expand Up @@ -94,5 +94,3 @@ node scripts/index.js release <version>
```

Where `<version>` is a semantic version (`1.2.3`) or one of `patch`, `minor`, `major`.

For update metadata and signing rollout planning, see `docs/UPDATES_AND_SIGNING.md`.
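Review bot: removing this pointer matches the deletion of `docs/UPDATES_AND_SIGNING.md` in the same PR; grep the rest of `docs/` and the README for other links to that file so none dangle, and record in the PR description where the update-signing rollout plan now lives (or that it was intentionally dropped).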
72 changes: 0 additions & 72 deletions docs/UPDATES_AND_SIGNING.md

This file was deleted.
