diff --git a/.github/allowed-workflow-secrets.txt b/.github/allowed-workflow-secrets.txt
new file mode 100644
index 0000000..199a713
--- /dev/null
+++ b/.github/allowed-workflow-secrets.txt
@@ -0,0 +1,7 @@
+CHITTYCONNECT_API_KEY
+GITHUB_TOKEN
+ORG_AUTOMATION_TOKEN
+CHITTY_GATEWAY_TOKEN
+CHITTY_AGENT_TOKEN
+OP_SERVICE_ACCOUNT_TOKEN
+CHITTYCONNECT_BROKER_TOKEN
diff --git a/.github/secret-catalog.json b/.github/secret-catalog.json
new file mode 100644
index 0000000..bb7b9c5
--- /dev/null
+++ b/.github/secret-catalog.json
@@ -0,0 +1,29 @@
+{
+ "vault": "ChittyOS",
+ "secrets": [
+ {
+ "name": "ORG_AUTOMATION_TOKEN",
+ "op_ref": "op://ChittyOS/GitHub Automation Token/token",
+ "rotation_days": 30,
+ "owner": "platform-security"
+ },
+ {
+ "name": "CHITTYCONNECT_BROKER_TOKEN",
+ "op_ref": "op://ChittyOS/ChittyConnect Broker Token/token",
+ "rotation_days": 30,
+ "owner": "platform-security"
+ },
+ {
+ "name": "CHITTY_GATEWAY_TOKEN",
+ "op_ref": "op://ChittyOS/ChittyGateway API Token/token",
+ "rotation_days": 30,
+ "owner": "platform-security"
+ },
+ {
+ "name": "CHITTY_AGENT_TOKEN",
+ "op_ref": "op://ChittyOS/ChittyAgent Orchestrator Token/token",
+ "rotation_days": 30,
+ "owner": "platform-security"
+ }
+ ]
+}
diff --git a/.github/workflows/adversarial-review.yml b/.github/workflows/adversarial-review.yml
new file mode 100644
index 0000000..76a3f7f
--- /dev/null
+++ b/.github/workflows/adversarial-review.yml
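Review bot: OP_SERVICE_ACCOUNT_TOKEN and CHITTYCONNECT_API_KEY are listed in .github/allowed-workflow-secrets.txt in this same commit but have no entry in this catalog, so if the rotation audit only enumerates catalog entries (the script that consumes the file is not in this diff), the service-account token that unlocks the vault itself is never checked for rotation. Either add entries for them with their `op_ref`, or record where those two are tracked so the gap is a decision rather than an omission. GITHUB_TOKEN is ephemeral and reasonably absent.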
@@ -0,0 +1,46 @@
+name: Adversarial Review Orchestrator
+
+on:
+ pull_request_target:
+ types: [opened, reopened, synchronize, ready_for_review]
+
+permissions:
+ contents: read
+ pull-requests: write
+ issues: write
+
+jobs:
+ orchestrate:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Request Reviewer Agents
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const reviewers = ["coderabbitai"];
+ try {
+ await github.rest.pulls.requestReviewers({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ pull_number: context.payload.pull_request.number,
+ reviewers
+ });
+ core.info(`Requested reviewers: ${reviewers.join(", ")}`);
+ } catch (error) {
+ core.warning(`Reviewer request failed: ${error.message}`);
+ }
+ - name: Trigger Bot Review Comments
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const lines = [
+ "@coderabbitai review",
+ "@copilot review",
+ "Adversarial review request: evaluate security, policy bypass paths, and regression risk."
+ ];
+ await github.rest.issues.createComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: context.payload.pull_request.number,
+ body: lines.join("\n")
+ });
diff --git a/.github/workflows/governance-gates.yml b/.github/workflows/governance-gates.yml
new file mode 100644
index 0000000..4c0f1be
--- /dev/null
+++ b/.github/workflows/governance-gates.yml
@@ -0,0 +1,11 @@
+name: Governance Gates
+
+on:
+ pull_request:
+ push:
+ branches: [ main ]
+
+jobs:
+ gates:
+ uses: ./.github/workflows/reusable-governance-gates.yml
+ secrets: inherit
diff --git a/.github/workflows/identity-context-onboarding.yml b/.github/workflows/identity-context-onboarding.yml
new file mode 100644
index 0000000..81e996c
--- /dev/null
+++ b/.github/workflows/identity-context-onboarding.yml
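Review bot: The job runs on `pull_request_target` with `pull-requests: write` and `issues: write`, so it executes with a write-capable token on pull requests from forks; that is acceptable here only because neither step checks out or executes PR-head content, and nothing in the file records that constraint. A comment under the trigger such as `# pull_request_target: runs with a write token on fork PRs — never add a checkout or execution of PR-head code to this job` would keep a later edit from turning it into a pwn-request. Separately, the second step posts a fresh comment carrying the bot trigger commands on every listed event including `synchronize`, so each push re-posts them; if that is not intended, gate the step with `if: github.event.action != 'synchronize'` or update the existing comment instead of creating one.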
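Review bot: `secrets: inherit` on the `gates` job forwards every repository and organization secret to reusable-governance-gates.yml, although the same commit introduces .github/allowed-workflow-secrets.txt to enumerate what workflows may use; passing the needed ones explicitly under `secrets:` keeps the reusable workflow within that list. Neither this workflow nor identity-context-onboarding.yml sets a top-level `permissions:` block, so both run with the repository's default token scope; `permissions: contents: read` at the top of each, the pattern adversarial-review.yml and onepassword-rotation-audit.yml already follow, would pin it. The reusable workflow itself is not in this diff, so what it actually consumes cannot be checked here.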
@@ -0,0 +1,17 @@
+name: Identity & Context Onboarding Gate
+
+on:
+ pull_request:
+ push:
+ branches: [ main ]
+
+jobs:
+ identity-onboarding:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Validate ChittyID Context Onboarding
+ shell: bash
+ run: |
+ set -euo pipefail
+ bash scripts/check-chitty-onboarding.sh .chittyconnect.yml
diff --git a/.github/workflows/onepassword-rotation-audit.yml b/.github/workflows/onepassword-rotation-audit.yml
new file mode 100644
index 0000000..55435a7
--- /dev/null
+++ b/.github/workflows/onepassword-rotation-audit.yml
@@ -0,0 +1,56 @@
+name: 1Password Rotation Audit
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: "25 3 * * *"
+
+permissions:
+ contents: read
+ issues: write
+
+jobs:
+ audit:
+ runs-on: ubuntu-latest
+ env:
+ GH_TOKEN: ${{ secrets.ORG_AUTOMATION_TOKEN }}
+ OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+ steps:
+ - uses: actions/checkout@v4
+ - name: Validate required secrets
+ shell: bash
+ run: |
+ set -euo pipefail
+ [[ -n "${GH_TOKEN:-}" ]] || { echo "Missing ORG_AUTOMATION_TOKEN"; exit 1; }
+ [[ -n "${OP_SERVICE_ACCOUNT_TOKEN:-}" ]] || { echo "Missing OP_SERVICE_ACCOUNT_TOKEN"; exit 1; }
+ - name: Install 1Password CLI
+ uses: 1password/install-cli-action@v1
+ - name: Run rotation audit
+ id: rotation
+ shell: bash
+ run: |
+ set -euo pipefail
+ mkdir -p reports/secret-rotation
+ if bash scripts/onepassword-rotation-audit.sh .github/secret-catalog.json reports/secret-rotation; then
+ echo "status=pass" >> "$GITHUB_OUTPUT"
+ else
+ echo "status=fail" >> "$GITHUB_OUTPUT"
+ fi
+ - name: Upload rotation report
+ uses: actions/upload-artifact@v4
+ with:
+ name: onepassword-rotation-report
+ path: reports/secret-rotation
+ - name: Open or update rotation issue on failure
+ if: ${{ steps.rotation.outputs.status == 'fail' }}
+ shell: bash
+ run: |
+ set -euo pipefail
+ title="[Security] 1Password rotation policy violations"
+ body="$(cat reports/secret-rotation/latest.md)"
+ existing="$(gh issue list --state open --search "\"${title}\" in:title" --json number,title --jq '.[] | select(.title=="'"${title}"'") | .number' | head -n1 || true)"
+ if [[ -n "${existing}" ]]; then
+ gh issue comment "${existing}" --body "${body}" >/dev/null
+ else
+ gh issue create --title "${title}" --body "${body}" >/dev/null
+ fi
diff --git a/.gitleaks.toml b/.gitleaks.toml
new file mode 100644
index 0000000..1d01f3e
--- /dev/null
+++ b/.gitleaks.toml
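Review bot: `GH_TOKEN` is set to `secrets.ORG_AUTOMATION_TOKEN` in the job-level `env:` under `audit:`, so the checkout, the 1Password CLI install and the audit script all see the org-wide token, although only the final `gh issue` step talks to GitHub and the job already declares `issues: write` for the built-in token. Move `GH_TOKEN` into the `env:` of the "Open or update rotation issue on failure" step and, unless cross-repository access is actually required, use `GH_TOKEN: ${{ github.token }}` there, which also makes the GH_TOKEN line in "Validate required secrets" unnecessary. Two smaller points: the `if … then/else` in "Run rotation audit" maps any non-zero exit, including a crash before `latest.md` is written, to `status=fail`, after which `cat reports/secret-rotation/latest.md` aborts the issue step under `set -e`, so a broken script never surfaces as an issue; and `|| true` on the `gh issue list` pipeline turns an auth or API error into "no existing issue", which then creates duplicates. The audit script and the report format are not in this diff, so whether the uploaded artifact and issue body contain only metadata (names, `op_ref`, ages) rather than values cannot be confirmed here; if the script ever prints values, both the artifact and the issue would expose them to anyone with read access.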
@@ -0,0 +1,12 @@
+title = "chittycommand-gitleaks-config"
+
+[allowlist]
+description = "Known test/example files with non-production credential-like strings"
+paths = [
+ '''_ext/chittyid/chittycontext\.config\.js''',
+ '''_ext/chittyid/monitoring/scripts/setup-monitoring\.sh''',
+ '''_ext/chittyid/test-security\.sh''',
+ '''_ext/chittyid/tests/integration/chittyrouter-gateway\.test\.js''',
+ '''_ext/chittyid/tests/penetration/bypass-attempts\.test\.js''',
+ '''_ext/chittyops/project-awareness/test/qa-integration-tests\.js''',
+]
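Review bot: The `paths` allowlist suppresses every finding in the six listed files, including any real credential added to them later, and test and setup scripts like `_ext/chittyid/test-security.sh` and `setup-monitoring.sh` are exactly the files that tend to accumulate tokens over time. Gitleaks also accepts `regexes` under `[allowlist]` for matching the specific placeholder values, and per-finding fingerprints in a `.gitleaksignore` file; either keeps new secrets in those files detectable while silencing the known fixtures. At minimum, extend `description` to say what kind of strings were reviewed and when, so the next person can tell whether the exception is still justified.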