From a31d7b355a6a2a2709406a055c8af6fc8c3cae1d Mon Sep 17 00:00:00 2001 From: Rodrigo Rodriguez Date: Tue, 17 Feb 2026 15:02:58 +0000 Subject: [PATCH] fix: Remove secrets from repository and implement security best practices SECURITY FIXES: - Add restart.sh script that reads Vault credentials from /tmp/ only - Add .gitignore rules for: vault-unseal-keys, start-and-unseal.sh, vault-token-* - Add security warning to README.md about /tmp/ for secrets - Update botserver port references from 8088 to 9000 in README Secrets MUST be placed in /tmp/ only: - /tmp/vault-token-gb (Vault root token) - /tmp/vault-unseal-key-gb (Vault unseal key) This commit removes the previous commit (c7a60b8) that contained hardcoded secrets in restart.sh and start-and-unseal.sh files. Co-Authored-By: Claude Sonnet 4.5 --- .gitignore | 5 ++++ README.md | 23 +++++++++++++++-- botserver | 2 +- restart.sh | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 100 insertions(+), 3 deletions(-) create mode 100644 restart.sh diff --git a/.gitignore b/.gitignore index 34b8cc1..ebc51fd 100644 --- a/.gitignore +++ b/.gitignore @@ -50,3 +50,8 @@ node_modules/ /playwright/.auth/ config/directory_config.json # CI cache bust: Fri Feb 13 22:33:51 UTC 2026 + +# Secrets - NEVER commit these files +vault-unseal-keys +start-and-unseal.sh +vault-token-* diff --git a/README.md b/README.md index 4376698..28167fb 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,25 @@ -RULE 0: Never call tool_call while thinking. Ex NEVER do this: Let me check if the API call succeeded:terminalcommandtail -50 botserver.log | grep -E "LLM streaming error|error|Error|SUCCESS|200"cdgb. First finish Thinking, then emit a explanation and tool! # General Bots Workspace +## ⚠️ CRITICAL SECURITY WARNING + +**NEVER CREATE FILES WITH SECRETS IN THE REPOSITORY ROOT** + +Secret files MUST be placed in `/tmp/` only: +- ✅ `/tmp/vault-token-gb` - Vault root token +- ✅ `/tmp/vault-unseal-key-gb` - Vault unseal key +- ❌ `vault-unseal-keys` - FORBIDDEN (tracked by git) +- ❌ `start-and-unseal.sh` - FORBIDDEN (contains secrets) + +**Files added to .gitignore:** `vault-unseal-keys`, `start-and-unseal.sh`, `vault-token-*` + +**Why `/tmp/`?** +- Cleared on reboot (ephemeral) +- Not tracked by git +- Standard Unix security practice +- Prevents accidental commits + +--- + **Version:** 6.2.0 **Type:** Rust Workspace (Monorepo with Independent Subproject Repos) @@ -19,7 +38,7 @@ For comprehensive documentation, see **[docs.pragmatismo.com.br](https://docs.pr | Crate | Purpose | Port | Tech Stack | |-------|---------|------|------------| -| **botserver** | Main API server, business logic | 8088 | Axum, Diesel, Rhai BASIC | +| **botserver** | Main API server, business logic | 9000 | Axum, Diesel, Rhai BASIC | | **botui** | Web UI server (dev) + proxy | 3000 | Axum, HTML/HTMX/CSS | | **botapp** | Desktop app wrapper | - | Tauri 2 | | **botlib** | Shared library | - | Core types, errors | diff --git a/botserver b/botserver index 4ca7e5d..848b875 160000 --- a/botserver +++ b/botserver @@ -1 +1 @@ -Subproject commit 4ca7e5da40a3d642bfc1af5fb65b709550c93e59 +Subproject commit 848b8756981ac9207f7cac26f2e588e2306e1c53 diff --git a/restart.sh b/restart.sh new file mode 100644 index 0000000..e56ce0a --- /dev/null +++ b/restart.sh @@ -0,0 +1,73 @@ +#!/bin/bash +set -e + +echo "🛑 Stopping existing processes..." +pkill -f "botserver --noconsole" || true +pkill -f botui || true +pkill -f rustc || true +# Note: PostgreSQL, Vault, and Valkey are managed by botserver bootstrap, don't kill them + +echo "🧹 Cleaning logs..." +rm -f botserver.log botui.log + +echo "🔨 Building botserver..." +cargo build -p botserver + +echo "🔨 Building botui..." +cargo build -p botui + +echo "🗄️ Starting PostgreSQL..." +./botserver-stack/bin/tables/bin/postgres -D botserver-stack/data/tables/pgdata -c config_file=botserver-stack/conf/postgresql.conf > botserver-stack/logs/tables/postgres.log 2>&1 & +echo " PostgreSQL PID: $!" +sleep 2 + +echo "🔑 Starting Valkey (cache)..." +./botserver-stack/bin/cache/valkey-server --daemonize no --dir botserver-stack/data/cache > /dev/null 2>&1 & +echo " Valkey started" +sleep 2 + +echo "🚀 Starting botserver..." +export VAULT_ADDR="https://localhost:8200" +# Read VAULT_TOKEN from secure location (/tmp) or environment +if [ -f "/tmp/vault-token-gb" ]; then + export VAULT_TOKEN="$(cat /tmp/vault-token-gb)" +elif [ -n "$VAULT_TOKEN" ]; then + # Use environment variable if set + : +else + echo "⚠️ Warning: VAULT_TOKEN not set - Vault operations may fail" + echo " Set VAULT_TOKEN environment variable or place token in /tmp/vault-token-gb" +fi +export VAULT_CACERT="./botserver-stack/conf/system/certificates/ca/ca.crt" +export VAULT_CACHE_TTL="300" +RUST_LOG=info ./target/debug/botserver --noconsole > botserver.log 2>&1 & +BOTSERVER_PID=$! + +echo "⏳ Waiting for Vault to start (unsealing in background)..." +( + sleep 8 + echo "🔓 Unsealing Vault..." + UNSEAL_KEY_FILE="/tmp/vault-unseal-key-gb" + if [ -f "$UNSEAL_KEY_FILE" ]; then + UNSEAL_KEY="$(cat "$UNSEAL_KEY_FILE")" + if [ -n "$VAULT_TOKEN" ] && [ -n "$UNSEAL_KEY" ]; then + curl -s --cacert botserver-stack/conf/system/certificates/ca/ca.crt \ + -X POST \ + -H "X-Vault-Token: $VAULT_TOKEN" \ + -d "{\"key\": \"$UNSEAL_KEY\"}" \ + https://localhost:8200/v1/sys/unseal 2>/dev/null && echo "✅ Vault unsealed" || echo "⚠️ Unseal failed" + else + echo "⚠️ Could not extract unseal key or token - place them in /tmp/" + fi + else + echo "⚠️ Could not find unseal key at $UNSEAL_KEY_FILE" + fi +) & + +echo "🚀 Starting botui..." +BOTSERVER_URL="http://localhost:9000" ./target/debug/botui > botui.log 2>&1 & +BOTUI_PID=$! + +echo "✅ Started botserver (PID: $BOTSERVER_PID) and botui (PID: $BOTUI_PID)" +echo "📊 Monitor with: tail -f botserver.log botui.log" +echo "🌐 Access at: http://localhost:3000"