From 955b1e86e59d5f60a887c2511e986e860b8d1527 Mon Sep 17 00:00:00 2001 From: Daniel Bedeleanu Date: Sat, 11 Apr 2026 19:37:16 +0300 Subject: [PATCH] security: harden gitignore and add config example files [v1.3.7] - Expanded .gitignore: root venv, npx_cache, AI metadata (.remember, .claude), data/ (SQLite DB), frontend/config/, frontend/public/icons/, certificates, docker-compose.override.yml - Removed backend/config/ldap_config.json from git tracking (contains real IPs/credentials) - Added backend/config/ldap_config.json.example with placeholder template - Updated backend/.env.example: added JWT_SECRET_KEY, ALLOWED_ORIGINS, DATA_DIR, LOGS_DIR --- .gitignore | 81 +++++++++++++++++++++++-- VERSION.json | 12 ++-- backend/.env.example | 28 +++++++-- backend/config/ldap_config.json | 1 - backend/config/ldap_config.json.example | 19 ++++++ 5 files changed, 124 insertions(+), 17 deletions(-) delete mode 100644 backend/config/ldap_config.json create mode 100644 backend/config/ldap_config.json.example diff --git a/.gitignore b/.gitignore index ff109556..a22a58ee 100644 --- a/.gitignore +++ b/.gitignore @@ -1,11 +1,80 @@ +# ============================================================ +# TFM aInventory — .gitignore +# ============================================================ + +# ── Python environments ────────────────────────────────────── +.venv/ backend/venv/ +**/__pycache__/ +*.pyc +*.pyo +*.pyd +*.egg-info/ +dist/ +build/ + +# ── Runtime data (databases, configs w/ secrets) ───────────── +data/ backend/data/ backend/logs/ -frontend/logs/ -__pycache__/ -*.pyc +# LDAP config contains real server IPs and credentials — never commit +# The active config is: backend/config/ldap_config.json (read by the app) +# Duplicate/orphan copies are also excluded: +backend/ldap_config.json +backend/config/ldap_config.json +backend/data/ldap_config.json +# Keep example files tracked: +!backend/config/ldap_config.json.example + +# ── Environment files (secrets) ────────────────────────────── .env -.DS_Store -aInventory-PROD* -aInventory-PROD*.zip +.env.* +!.env.example +backend/.env +backend/.env.* +!backend/.env.example +# Docker environment override file +docker-compose.override.yml +.env.docker + +# ── Application logs ───────────────────────────────────────── logs/ +frontend/logs/ + +# ── Frontend build artifacts ────────────────────────────────── +frontend/.next/ +frontend/out/ +frontend/build/ +frontend/node_modules/ + +# ── Frontend generated/runtime assets ──────────────────────── +# SSL certs and runtime configs (generated by start_server.sh) +frontend/config/ +# PWA icons generated at build time +frontend/public/icons/ + +# ── npm / npx caches ───────────────────────────────────────── +.npx_cache/ +scratch/npm_cache/ +*.log +npm-debug.log* +yarn-debug.log* +yarn-error.log* + +# ── Production bundles (generated by export_prod.sh) ───────── +aInventory-PROD*/ +aInventory-PROD*.zip + +# ── AI / IDE metadata ───────────────────────────────────────── +.remember/ +.claude/ + +# ── macOS system files ──────────────────────────────────────── +.DS_Store +**/.DS_Store + +# ── Certificates & keys ────────────────────────────────────── +*.pem +*.key +*.crt +*.cert diff --git a/VERSION.json b/VERSION.json index 900c90e5..19a45496 100644 --- a/VERSION.json +++ b/VERSION.json @@ -1,10 +1,10 @@ { - "version": "1.3.6", - "last_build": "2026-04-11-1714", - "commit": "ccc69d92", + "version": "1.3.7", + "last_build": "2026-04-11-1936", + "commit": "pending", "changelog": [ - "v1.3.5: Security audit complete. JWT Bearer auth (C-01), rate limiting (H-02), CORS config (M-01), and all code comments translated to English (STRICT ENGLISH POLICY)", - "v1.3.4: Created USER_GUIDE.md for end-users and integrated into export bundle", - "v1.3.3: Added comprehensive project README.md documenting all operational modes" + "v1.3.7: Security hardening — expanded .gitignore (venv, caches, ldap configs, AI metadata), removed backend/config/ldap_config.json from git tracking, added ldap_config.json.example and updated .env.example", + "v1.3.6: Scanner UI redesign (autonomous OCR, countdown), Item Type datalist, save-version automation", + "v1.3.5: Security audit complete. JWT Bearer auth (C-01), rate limiting (H-02), CORS config (M-01), and all code comments translated to English (STRICT ENGLISH POLICY)" ] } \ No newline at end of file diff --git a/backend/.env.example b/backend/.env.example index a2bc5730..e734ffd7 100644 --- a/backend/.env.example +++ b/backend/.env.example @@ -1,5 +1,25 @@ -# Google Gemini API Key -GEMINI_API_KEY=your_gemini_key_here +# ============================================================ +# TFM aInventory — Backend Environment Variables +# Copy this file to .env and fill in real values. +# NEVER commit the real .env file to Git! +# ============================================================ -# Anthropic Claude API Key -CLAUDE_API_KEY=your_claude_key_here +# --- AI API Keys --- +# Google Gemini API Key (required for AI label OCR onboarding) +GEMINI_API_KEY=your_gemini_api_key_here + +# --- Security --- +# JWT secret key — generate a strong random value for production: +# python3 -c "import secrets; print(secrets.token_urlsafe(64))" +# If not set, an ephemeral key is generated per-run (tokens invalidated on restart). +JWT_SECRET_KEY=change-me-generate-a-secure-random-value + +# --- CORS --- +# Comma-separated list of allowed frontend origins +# Example for LAN deployment: +# ALLOWED_ORIGINS=http://192.168.1.100:3000,https://192.168.1.100:3003 +ALLOWED_ORIGINS=http://localhost:3000,https://localhost:3003 + +# --- Data Paths (overridden by start_server.sh / docker-compose) --- +# DATA_DIR=/absolute/path/to/data +# LOGS_DIR=/absolute/path/to/logs diff --git a/backend/config/ldap_config.json b/backend/config/ldap_config.json deleted file mode 100644 index 85fb8642..00000000 --- a/backend/config/ldap_config.json +++ /dev/null @@ -1 +0,0 @@ -{"ldap_enabled": true, "server_uri": "ldap://192.168.84.107:3890", "base_dn": "dc=example,dc=com", "user_template": "cn={username},ou=people,dc=example,dc=com", "groups_dn": "ou=groups", "use_tls": false, "role_mappings": [{"group": "inventory_admins", "role": "admin"}, {"group": "inventory_users", "role": "user"}]} diff --git a/backend/config/ldap_config.json.example b/backend/config/ldap_config.json.example new file mode 100644 index 00000000..9977a9b4 --- /dev/null +++ b/backend/config/ldap_config.json.example @@ -0,0 +1,19 @@ +{ + "_comment": "Copy this file to ldap_config.json and fill in real values. NEVER commit ldap_config.json to Git.", + "ldap_enabled": false, + "server_uri": "ldap://YOUR_LDAP_SERVER_IP:389", + "base_dn": "dc=yourdomain,dc=com", + "user_template": "cn={username},ou=people,dc=yourdomain,dc=com", + "groups_dn": "ou=groups", + "use_tls": false, + "role_mappings": [ + { + "group": "inventory_admins", + "role": "admin" + }, + { + "group": "inventory_users", + "role": "user" + } + ] +}