Add security audit script

.vscode/launch.json

@@ -1,41 +0,0 @@
-{
-  "version": "0.2.0",
-  "configurations": [
-  
-    {
-      "type": "lldb",
-      "request": "launch",
-      "name": "Debug executable 'botserver'",
-      "cargo": {
-        "args": ["build", "--bin=botserver", "--package=botserver"],
-        "filter": {
-          "name": "botserver",
-          "kind": "bin"
-        }
-      },
-      "args": ["--desktop"],
-      "env": {
-        "RUST_LOG": "trace,aws_sigv4=off,aws_smithy_checksums=off,mio=off,reqwest=off,aws_runtime=off,aws_smithy_http_client=off,rustls=off,hyper_util=off,aws_smithy_runtime=off,aws_smithy_runtime_api=off,tracing=off,aws_sdk_s3=off"
-      
-      },
-      "cwd": "${workspaceFolder}"
-    },
-    {
-      "type": "lldb",
-      "request": "launch",
-      "name": "Debug unit tests in executable 'botserver'",
-      "cargo": {
-        "args": ["test", "--no-run", "--bin=botserver", "--package=botserver"],
-        "filter": {
-          "name": "botserver",
-          "kind": "bin"
-        }
-      },
-      "args": [],
-      "env": {
-        "RUST_LOG": "trace"
-      },
-      "cwd": "${workspaceFolder}"
-    }
-  ]
-}

.zed/debug.json

@@ -1,16 +0,0 @@
-[
-  {
-    "label": "Debug BotServer",
-    "build": {
-      "command": "cargo",
-      "args": ["build"],
-    },
-    "program": "$ZED_WORKTREE_ROOT/target/debug/botserver",
-    "env": {
-      "RUST_LOG": "trace",
-    },
-    "sourceLanguages": ["rust"],
-    "request": "launch",
-    "adapter": "CodeLLDB",
-  },
-]

scripts/security-audit.sh

@@ -0,0 +1,129 @@
+#!/bin/bash
+
+# General Bots Security Audit Script
+# This script helps identify critical security issues in the codebase
+
+set -e
+
+echo "🔒 General Bots Security Audit"
+echo "=============================="
+echo ""
+
+# Check for hardcoded secrets
+echo "1. Checking for hardcoded secrets..."
+if grep -r "password\s*=\s*\"" --include="*.rs" --include="*.toml" --include="*.json" . 2>/dev/null | grep -v "test" | grep -v "example" | head -10; then
+    echo "⚠️  WARNING: Found potential hardcoded passwords"
+else
+    echo "✅ No obvious hardcoded passwords found"
+fi
+
+echo ""
+
+# Check for unwrap/expect calls
+echo "2. Checking for unwrap/expect calls..."
+UNWRAP_COUNT=$(grep -r "\.unwrap()\|\.expect(" --include="*.rs" . 2>/dev/null | wc -l)
+if [ "$UNWRAP_COUNT" -gt 0 ]; then
+    echo "⚠️  WARNING: Found $UNWRAP_COUNT unwrap/expect calls"
+    echo "   Sample locations:"
+    grep -r "\.unwrap()\|\.expect(" --include="*.rs" . 2>/dev/null | head -5
+else
+    echo "✅ No unwrap/expect calls found"
+fi
+
+echo ""
+
+# Check for Command::new usage
+echo "3. Checking for unsafe command execution..."
+if grep -r "Command::new" --include="*.rs" . 2>/dev/null | grep -v "SafeCommand" | head -5; then
+    echo "⚠️  WARNING: Found potential unsafe command execution"
+    echo "   Should use SafeCommand instead"
+else
+    echo "✅ No unsafe Command::new calls found"
+fi
+
+echo ""
+
+# Check for SQL injection patterns
+echo "4. Checking for SQL injection patterns..."
+if grep -r "format!.*SELECT\|format!.*INSERT\|format!.*UPDATE\|format!.*DELETE" --include="*.rs" . 2>/dev/null | grep -v "sanitize" | head -5; then
+    echo "⚠️  WARNING: Found potential SQL injection patterns"
+    echo "   Should use sql_guard functions"
+else
+    echo "✅ No obvious SQL injection patterns found"
+fi
+
+echo ""
+
+# Check security headers in routes
+echo "5. Checking for security middleware usage..."
+if grep -r "security_headers_middleware\|csrf_middleware\|rate_limit_middleware" --include="*.rs" . 2>/dev/null | head -5; then
+    echo "✅ Security middleware found"
+else
+    echo "⚠️  WARNING: No security middleware found in routes"
+fi
+
+echo ""
+
+# Check for SecurityManager usage
+echo "6. Checking for SecurityManager initialization..."
+if grep -r "SecurityManager::new\|SecurityManager::initialize" --include="*.rs" . 2>/dev/null; then
+    echo "✅ SecurityManager usage found"
+else
+    echo "⚠️  WARNING: SecurityManager not initialized"
+fi
+
+echo ""
+
+# Check dependencies
+echo "7. Checking dependencies..."
+if command -v cargo-audit &> /dev/null; then
+    echo "Running cargo audit..."
+    cargo audit
+else
+    echo "⚠️  Install cargo-audit: cargo install cargo-audit"
+fi
+
+echo ""
+
+# Check for .env files in git
+echo "8. Checking for secrets in git..."
+if find . -name ".env" -type f | grep -v node_modules | grep -v target; then
+    echo "⚠️  WARNING: .env files found in repository"
+    echo "   Secrets should be in /tmp/ only"
+else
+    echo "✅ No .env files in repository"
+fi
+
+echo ""
+
+# Check file permissions
+echo "9. Checking critical file permissions..."
+if [ -f "botserver-stack/conf/vault/init.json" ]; then
+    PERMS=$(stat -c "%a" "botserver-stack/conf/vault/init.json")
+    if [ "$PERMS" -gt 600 ]; then
+        echo "⚠️  WARNING: Vault init file permissions too open: $PERMS"
+        echo "   Should be 600 or 400"
+    else
+        echo "✅ Vault init file permissions OK: $PERMS"
+    fi
+fi
+
+echo ""
+
+# Summary
+echo "📊 Security Audit Summary"
+echo "========================"
+echo ""
+echo "Critical Issues to Address:"
+echo "1. $UNWRAP_COUNT unwrap/expect calls need replacement"
+echo "2. SecurityManager initialization missing"
+echo "3. Security middleware may not be applied to all routes"
+echo ""
+echo "Next Steps:"
+echo "1. Review TASKS.md for detailed remediation plan"
+echo "2. Fix P1 issues first (SecurityManager, error handling)"
+echo "3. Run cargo clippy and fix all warnings"
+echo "4. Implement security testing"
+echo ""
+echo "For detailed tasks, see: TASKS.md"
+echo "For quick checklist, see: SECURITY_CHECKLIST.md"