chore: bump botui submodule for theme manager fix

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

SECURITY_CHECKLIST.md

@@ -0,0 +1,156 @@
+# General Bots Security Checklist
+
+## Critical (P1) - Must Fix Immediately
+
+### Authentication & Authorization
+- [ ] **SecurityManager Integration** - Initialize in bootstrap
+- [ ] **CSRF Protection** - Enable for all state-changing endpoints
+- [ ] **Error Handling** - Replace all `unwrap()`/`expect()` calls
+- [ ] **Security Headers** - Apply to all HTTP routes
+
+### Data Protection
+- [ ] **TLS/MTLS** - Ensure certificates are generated and validated
+- [ ] **SafeCommand Usage** - Replace all `Command::new()` calls
+- [ ] **Error Sanitization** - Use `ErrorSanitizer` for all HTTP errors
+
+## High Priority (P2) - Fix Within 2 Weeks
+
+### Authentication
+- [ ] **Passkey Support** - Complete WebAuthn implementation
+- [ ] **MFA Enhancement** - Add backup codes and recovery flows
+- [ ] **API Key Management** - Implement rotation and expiration
+
+### Monitoring & Detection
+- [ ] **Security Monitoring** - Integrate `SecurityMonitor` with app events
+- [ ] **DLP Policies** - Configure default policies for PII/PCI/PHI
+- [ ] **Rate Limiting** - Apply consistent limits across all endpoints
+
+## Medium Priority (P3) - Fix Within 1 Month
+
+### Infrastructure
+- [ ] **Certificate Management** - Add expiration monitoring and auto-renewal
+- [ ] **Audit Logging** - Ensure comprehensive coverage
+- [ ] **Security Testing** - Create dedicated test suite
+
+### Compliance
+- [ ] **Security Documentation** - Update policies and procedures
+- [ ] **Compliance Mapping** - Map controls to SOC2/GDPR/ISO27001
+- [ ] **Evidence Collection** - Implement automated evidence gathering
+
+## Quick Wins (Can be done today)
+
+### Code Quality
+- [ ] Run `cargo clippy --workspace` and fix all warnings
+- [ ] Use `cargo audit` to check for vulnerable dependencies
+- [ ] Replace 10 `unwrap()` calls with proper error handling
+
+### Configuration
+- [ ] Check `.env` files for hardcoded secrets (move to `/tmp/`)
+- [ ] Verify `botserver-stack/conf/` permissions
+- [ ] Review `Cargo.toml` for unnecessary dependencies
+
+### Testing
+- [ ] Test authentication flows with invalid credentials
+- [ ] Verify CSRF tokens are required for POST/PUT/DELETE
+- [ ] Check security headers on main endpoints
+
+## Daily Security Tasks
+
+### Morning Check
+- [ ] Review `botserver.log` for security events
+- [ ] Check `cargo audit` for new vulnerabilities
+- [ ] Monitor failed login attempts
+- [ ] Verify certificate expiration dates
+
+### Ongoing Monitoring
+- [ ] Watch for unusual access patterns
+- [ ] Monitor DLP policy violations
+- [ ] Track security metric trends
+- [ ] Review audit logs for anomalies
+
+### Weekly Tasks
+- [ ] Run full security scan with protection tools
+- [ ] Review and rotate any expiring credentials
+- [ ] Update security dependencies
+- [ ] Backup security configurations
+
+## Emergency Response
+
+### If you suspect a breach:
+1. **Isolate** - Disconnect affected systems
+2. **Preserve** - Don't delete logs or evidence
+3. **Document** - Record all actions and observations
+4. **Escalate** - Contact security team immediately
+5. **Contain** - Implement temporary security measures
+6. **Investigate** - Determine scope and impact
+7. **Remediate** - Fix vulnerabilities and restore services
+8. **Learn** - Update procedures to prevent recurrence
+
+## Security Tools Commands
+
+### Dependency Scanning
+```bash
+cargo audit
+cargo deny check
+cargo geiger
+```
+
+### Code Analysis
+```bash
+cargo clippy --workspace -- -D warnings
+cargo fmt --check
+```
+
+### Security Testing
+```bash
+# Run security tests
+cargo test -p bottest --test security
+
+# Check for unsafe code
+cargo geiger --forbid
+
+# Audit dependencies
+cargo audit --deny warnings
+```
+
+### Protection Tools
+```bash
+# Security scanning
+curl -X POST http://localhost:9000/api/security/protection/scan
+
+# Get security report
+curl http://localhost:9000/api/security/protection/report
+
+# Check tool status
+curl http://localhost:9000/api/security/protection/status
+```
+
+## Common Security Issues to Watch For
+
+### 1. Hardcoded Secrets
+**Bad:** `password = "secret123"` in code
+**Good:** `password = env::var("DB_PASSWORD")?` from `/tmp/`
+
+### 2. Unsafe Command Execution
+**Bad:** `Command::new("rm").arg("-rf").arg(user_input)`
+**Good:** `SafeCommand::new("rm")?.arg("-rf")?.arg(sanitized_input)?`
+
+### 3. Missing Input Validation
+**Bad:** `format!("SELECT * FROM {}", user_table)`
+**Good:** `validate_table_name(&user_table)?; format!("SELECT * FROM {}", safe_table)`
+
+### 4. Information Disclosure
+**Bad:** `Json(json!({ "error": e.to_string() }))`
+**Good:** `let sanitized = log_and_sanitize(&e, "context", None); (StatusCode::INTERNAL_SERVER_ERROR, sanitized)`
+
+## Security Contact Information
+
+**Primary Contact:** security@pragmatismo.com.br  
+**Backup Contact:** Check `security.txt` at `/.well-known/security.txt`
+
+**Emergency Response:** Follow procedures in `botbook/src/12-auth/security-policy.md`
+
+---
+*Last Updated: 2026-02-22*  
+*Review Frequency: Weekly*  
+*Next Review: 2026-03-01*

botserver

@@ -1 +1 @@
-Subproject commit 764f05865348714911be3f2f8d2a3f8c693b20d3
+Subproject commit 0b1b17406db9d4cc91c1a29cf549398e72fd111a

botui

@@ -1 +1 @@
-Subproject commit 6afeeb311f0ed9be0a3058fe07f21e6a476bdf42
+Subproject commit 0c2dd80f30111ea4e74c751687faabb11eacbc12

security_audit.sh

@@ -0,0 +1,129 @@
+#!/bin/bash
+
+# General Bots Security Audit Script
+# This script helps identify critical security issues in the codebase
+
+set -e
+
+echo "🔒 General Bots Security Audit"
+echo "=============================="
+echo ""
+
+# Check for hardcoded secrets
+echo "1. Checking for hardcoded secrets..."
+if grep -r "password\s*=\s*\"" --include="*.rs" --include="*.toml" --include="*.json" . 2>/dev/null | grep -v "test" | grep -v "example" | head -10; then
+    echo "⚠️  WARNING: Found potential hardcoded passwords"
+else
+    echo "✅ No obvious hardcoded passwords found"
+fi
+
+echo ""
+
+# Check for unwrap/expect calls
+echo "2. Checking for unwrap/expect calls..."
+UNWRAP_COUNT=$(grep -r "\.unwrap()\|\.expect(" --include="*.rs" . 2>/dev/null | wc -l)
+if [ "$UNWRAP_COUNT" -gt 0 ]; then
+    echo "⚠️  WARNING: Found $UNWRAP_COUNT unwrap/expect calls"
+    echo "   Sample locations:"
+    grep -r "\.unwrap()\|\.expect(" --include="*.rs" . 2>/dev/null | head -5
+else
+    echo "✅ No unwrap/expect calls found"
+fi
+
+echo ""
+
+# Check for Command::new usage
+echo "3. Checking for unsafe command execution..."
+if grep -r "Command::new" --include="*.rs" . 2>/dev/null | grep -v "SafeCommand" | head -5; then
+    echo "⚠️  WARNING: Found potential unsafe command execution"
+    echo "   Should use SafeCommand instead"
+else
+    echo "✅ No unsafe Command::new calls found"
+fi
+
+echo ""
+
+# Check for SQL injection patterns
+echo "4. Checking for SQL injection patterns..."
+if grep -r "format!.*SELECT\|format!.*INSERT\|format!.*UPDATE\|format!.*DELETE" --include="*.rs" . 2>/dev/null | grep -v "sanitize" | head -5; then
+    echo "⚠️  WARNING: Found potential SQL injection patterns"
+    echo "   Should use sql_guard functions"
+else
+    echo "✅ No obvious SQL injection patterns found"
+fi
+
+echo ""
+
+# Check security headers in routes
+echo "5. Checking for security middleware usage..."
+if grep -r "security_headers_middleware\|csrf_middleware\|rate_limit_middleware" --include="*.rs" . 2>/dev/null | head -5; then
+    echo "✅ Security middleware found"
+else
+    echo "⚠️  WARNING: No security middleware found in routes"
+fi
+
+echo ""
+
+# Check for SecurityManager usage
+echo "6. Checking for SecurityManager initialization..."
+if grep -r "SecurityManager::new\|SecurityManager::initialize" --include="*.rs" . 2>/dev/null; then
+    echo "✅ SecurityManager usage found"
+else
+    echo "⚠️  WARNING: SecurityManager not initialized"
+fi
+
+echo ""
+
+# Check dependencies
+echo "7. Checking dependencies..."
+if command -v cargo-audit &> /dev/null; then
+    echo "Running cargo audit..."
+    cargo audit
+else
+    echo "⚠️  Install cargo-audit: cargo install cargo-audit"
+fi
+
+echo ""
+
+# Check for .env files in git
+echo "8. Checking for secrets in git..."
+if find . -name ".env" -type f | grep -v node_modules | grep -v target; then
+    echo "⚠️  WARNING: .env files found in repository"
+    echo "   Secrets should be in /tmp/ only"
+else
+    echo "✅ No .env files in repository"
+fi
+
+echo ""
+
+# Check file permissions
+echo "9. Checking critical file permissions..."
+if [ -f "botserver-stack/conf/vault/init.json" ]; then
+    PERMS=$(stat -c "%a" "botserver-stack/conf/vault/init.json")
+    if [ "$PERMS" -gt 600 ]; then
+        echo "⚠️  WARNING: Vault init file permissions too open: $PERMS"
+        echo "   Should be 600 or 400"
+    else
+        echo "✅ Vault init file permissions OK: $PERMS"
+    fi
+fi
+
+echo ""
+
+# Summary
+echo "📊 Security Audit Summary"
+echo "========================"
+echo ""
+echo "Critical Issues to Address:"
+echo "1. $UNWRAP_COUNT unwrap/expect calls need replacement"
+echo "2. SecurityManager initialization missing"
+echo "3. Security middleware may not be applied to all routes"
+echo ""
+echo "Next Steps:"
+echo "1. Review TASKS.md for detailed remediation plan"
+echo "2. Fix P1 issues first (SecurityManager, error handling)"
+echo "3. Run cargo clippy and fix all warnings"
+echo "4. Implement security testing"
+echo ""
+echo "For detailed tasks, see: TASKS.md"
+echo "For quick checklist, see: SECURITY_CHECKLIST.md"