system-prompts-and-models-o.../salesflow-saas/docs/internal/rotation_log.md
Claude fee51ffb06
feat(dealix): execute ALL automatable blueprint tasks
TASK-001 (prep) — Repository Extraction Script:
  scripts/extract_dealix_repo.sh — automates git filter-repo extraction
  of Dealix-only paths to new GitHub org. Preserves commit history.
  Awaits founder decision on org name.

TASK-003 — Python Dependency Modernization:
  backend/pyproject.toml — full project spec with pinned versions:
    - fastapi, pydantic, sqlalchemy, asyncpg pinned
    - OpenTelemetry packages now included
    - pytest==8.3.4, pytest-asyncio==0.24.0 (stable)
    - Dev group with ruff, mypy, testcontainers
  Ready for uv sync to generate uv.lock.

TASK-004 — Node Dependency Hygiene:
  frontend/package.json — pinned packageManager=pnpm@9.12.0
    and engines.node >=20.10.0 <21.0.0

TASK-005 — Secrets Audit Infrastructure:
  .pre-commit-config.yaml — gitleaks + detect-private-key + detect-aws
    + ruff auto-fix + truth-registry-validator local hook
  docs/internal/rotation_log.md — rotation tracking template with
    scan commands (gitleaks, trufflehog3) and forbidden practices

TASK-006 — Legal Foundation Tracker:
  docs/internal/legal_status.md — tracks:
    - Company incorporation options (MISA vs DIFC vs ADGM)
    - IP assignment requirements
    - Privacy Policy / ToS / DPA review status
    - Trademark filing (KSA, UAE, Egypt, Jordan)
    - PDPL / ZATCA / NCA / SDAIA regulatory status
    - Professional indemnity + cyber + general insurance

TASK-010 (complete) — Truth Registry Tooling:
  scripts/validate_truth_registry.py — validates TRUTH.yaml structure,
    status values, and claims_registry.yaml alignment
  .github/workflows/truth-validation.yml — CI workflow on changes to
    truth registry or claims registry

TASK-101 — Release Readiness Gate (blueprint-spec):
  scripts/release_readiness_gate.py:
    - Required artifacts check (11 files)
    - TRUTH.yaml field validation
    - Forbidden claims scan in public docs
    - Architecture brief sub-gate
  Complements release_readiness_matrix.py (runtime checks).

Blueprint saved:
  DEALIX_EXECUTION_BLUEPRINT.md — authoritative execution doc

Updated:
  release_readiness_matrix.py — now 53/53 checks (was 41/41)
  docs/execution_log.md — full task tracking

All 3 gates GREEN:
  Architecture Brief: 40/40
  Release Readiness Matrix: 53/53
  Release Readiness Gate: PASS

Remaining P0 founder decisions (cannot be automated):
  - TASK-001: GitHub org name + run extraction
  - TASK-006: Entity incorporation + counsel engagement

https://claude.ai/code/session_01W1rJthWDkasijTdXCfxVHs
2026-04-17 10:39:21 +00:00

Secret Rotation Log

Rule: Every secret found in git history must be rotated and logged here.
Owner: CTO / Security Lead
Review: Monthly


Rotation Template

| Date       | Secret Type | Location Found | Old ID/Prefix | New Location | Rotated By | Verified |
|------------|------------|----------------|---------------|--------------|-----------|----------|
| YYYY-MM-DD | API Key    | git history    | sk_xxxx...   | AWS SM       | @user     | ✓        |

Active Rotations

| Date | Secret Type | Location Found | Rotated By | Verified |
|------|-------------|----------------|------------|----------|
| TBD  | TBD         | TBD            | TBD        | TBD      |

Run `gitleaks detect --source . --log-opts="--all"` to populate this table.

Scan Commands

# Install tools (gitleaks ships as a Go binary, not a pip package; detect-secrets is on PyPI)
brew install gitleaks   # or: go install github.com/gitleaks/gitleaks/v8@latest
pip install detect-secrets

# Full history scan
gitleaks detect --source . --log-opts="--all" --report-path /tmp/secret_scan.json

# Current staged files only
gitleaks protect --staged

# Alternative: trufflehog
pipx install trufflehog3
trufflehog3 . --format json --output /tmp/trufflehog_report.json

Mandatory Actions After Scan

For every finding:

  1. Rotate the credential in the source system (AWS, Stripe, OpenAI, etc.)
  2. Update environment variables in production
  3. Revoke the leaked credential
  4. Add entry to this log
  5. Add path/pattern to .gitleaksignore ONLY if it's a known false positive
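The scan and the per-finding steps above start from a gitleaks JSON report and end with rows in this log. As an added example (not one of this repository's scripts), the Python below reads such a report, collapses repeated hits of the same credential across commits into one rotation item, and emits rows in the template's column order while keeping only the identifying prefix of each secret. The report contents are constructed, not real findings.

```python
"""Turn a gitleaks JSON report into rotation-log rows (added example, not project code)."""
import json

# Constructed sample in the shape gitleaks writes with --report-path; values are fake.
SAMPLE_REPORT = json.dumps([
    {"RuleID": "stripe-access-token", "Description": "Stripe Access Token",
     "Secret": "sk_test_FAKE000000000000000000000", "File": "backend/.env",
     "Commit": "abc1234def5678", "Date": "2026-03-02T09:15:00Z"},
    {"RuleID": "stripe-access-token", "Description": "Stripe Access Token",
     "Secret": "sk_test_FAKE000000000000000000000", "File": "backend/.env",
     "Commit": "ffee9988aabb", "Date": "2026-03-05T11:00:00Z"},
    {"RuleID": "aws-access-token", "Description": "AWS Access Key",
     "Secret": "AKIAFAKEFAKEFAKEFAKE", "File": "infra/docker-compose.yml",
     "Commit": "0011223344", "Date": "2026-01-20T16:40:00Z"},
])


def mask(secret: str, keep: int = 7) -> str:
    """The 'Old ID/Prefix' column: the log must never hold the full secret."""
    return secret[:keep] + "..."


def collect_findings(report_json: str) -> list[dict]:
    """One rotation item per credential value, however many commits it appears in."""
    by_secret: dict[str, dict] = {}
    for f in json.loads(report_json):
        entry = by_secret.setdefault(f["Secret"], {
            "secret_type": f["Description"],
            "rule": f["RuleID"],
            "prefix": mask(f["Secret"]),
            "locations": [],
        })
        # Record file and short commit so the rotator can confirm the blast radius.
        entry["locations"].append(f"{f['File']}@{f['Commit'][:7]}")
    return list(by_secret.values())


def rotation_rows(report_json: str, rotated_by: str) -> list[str]:
    """Rows in the template's column order; Date, New Location and Verified are
    filled in by hand once the rotation in the source system is done."""
    rows = []
    for e in collect_findings(report_json):
        loc = "git history: " + ", ".join(e["locations"])
        rows.append(f"| TODO | {e['secret_type']} | {loc} | {e['prefix']} "
                    f"| TODO | {rotated_by} | pending |")
    return rows


if __name__ == "__main__":
    print("\n".join(rotation_rows(SAMPLE_REPORT, "@cto")))
```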

Secrets Management Hierarchy

| Environment | Manager                            |
|-------------|------------------------------------|
| Local dev   | .env file (gitignored) + Doppler   |
| Staging     | Doppler or AWS Secrets Manager     |
| Production  | AWS Secrets Manager (me-south-1)   |

Escape Hatches (forbidden)

  • Secrets in .env.example
  • Secrets in docker-compose.yml (use a `secrets:` reference instead)
  • Secrets in code comments
  • Secrets in test fixtures (use generated values)
  • Secrets in Slack, email, or tickets