Ci/sast openapi terraform license checks #1010
Open
valoryyaa-byte wants to merge 4 commits into
…itleaks pre-push hook, and CONTRIBUTING docs
- Extend security-audit CI job to also run cargo-audit in services/api (previously only contracts/predict-iq was covered)
- Add p/nodejs to the Semgrep SAST ruleset alongside p/rust, p/typescript, p/javascript, and p/security-audit
- Add .githooks/pre-push that runs gitleaks protect --staged so secrets are caught locally before reaching CI; hook is opt-in via git config core.hooksPath .githooks
- Document all SAST tools, thresholds, and local setup in CONTRIBUTING.md
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…catch spec drift
- Add .github/workflows/openapi-validation.yml triggered on changes to openapi.yaml or API source/tests; runs Spectral OAS ruleset for structural validity and the contract test suite
- Rewrite tests/openapi_contract_test.rs:
  - Correct SPEC_ROUTES to match actual openapi.yaml paths (fixes stale /api/* entries that missed the /v1/ prefix; adds audit, dead-letter, blockchain replay, and requeue endpoints introduced since solutions-plug#400)
  - Add yaml_routes() parser that extracts (METHOD, path) pairs from openapi.yaml at test-time without extra dependencies
  - Add yaml_paths_match_spec_routes_no_missing: fails if openapi.yaml gains a route not in SPEC_ROUTES
  - Add spec_routes_no_stale_entries: fails if SPEC_ROUTES lists a route removed from openapi.yaml
  - Add every_route_has_operation_id and every_route_has_success_response checks to enforce spec completeness per the acceptance criteria
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
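A dependency-free, indentation-based route extractor plus the missing/stale comparison that this commit describes, written here as an added example (not the PR's own test code). The spec excerpt and the SPEC_ROUTES contents below are constructed; the real openapi.yaml and route list are not on the page.

```rust
use std::collections::BTreeSet;
/// Constructed spec excerpt (the PR's real openapi.yaml is not shown on the page).
pub const SAMPLE_SPEC: &str = "\
openapi: 3.0.3
paths:
  /v1/predict:
    parameters: []
    get:
      operationId: getPredict
    post:
      operationId: createPredict
  /v1/audit:
    get:
      operationId: listAudit
components: {}
";
/// Hand-maintained list in the style of SPEC_ROUTES; the stale /api/ entry is deliberate.
pub const SPEC_ROUTES: &[(&str, &str)] =
    &[("GET", "/v1/predict"), ("POST", "/v1/predict"), ("GET", "/api/audit")];
const HTTP_METHODS: [&str; 8] =
    ["get", "post", "put", "patch", "delete", "head", "options", "trace"];

/// Extract (METHOD, path) pairs from the `paths:` block by indentation alone:
/// 2-space keys starting with '/' are paths; 4-space keys naming an HTTP verb are operations.
pub fn yaml_routes(spec: &str) -> BTreeSet<(String, String)> {
    let mut routes = BTreeSet::new();
    let (mut in_paths, mut path) = (false, None::<String>);
    for line in spec.lines() {
        let body = line.trim_start();
        let indent = line.len() - body.len();
        let key = body.trim_end().trim_end_matches(':');
        match indent {
            0 => { in_paths = key == "paths"; path = None; } // new top-level block
            2 if in_paths && key.starts_with('/') => { path = Some(key.to_string()); }
            4 if in_paths && path.is_some() && HTTP_METHODS.contains(&key) => {
                routes.insert((key.to_uppercase(), path.clone().unwrap()));
            }
            _ => {} // deeper detail (operationId, responses, ...) is not needed here
        }
    }
    routes
}

/// Returns (routes in the YAML but absent from `listed`, routes in `listed` the YAML no longer defines).
pub fn diff_routes(spec: &str, listed: &[(&str, &str)]) -> (Vec<(String, String)>, Vec<(String, String)>) {
    let yaml = yaml_routes(spec);
    let listed: BTreeSet<_> = listed.iter().map(|(m, p)| (m.to_string(), p.to_string())).collect();
    (yaml.difference(&listed).cloned().collect(), listed.difference(&yaml).cloned().collect())
}
```

A non-empty first vector corresponds to the "no missing" failure and a non-empty second one to the "no stale entries" failure in the commit's test names.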
…nfrastructure PR changes
- New .github/workflows/terraform.yml triggered on PRs that touch infrastructure/terraform/**
- Jobs: terraform-fmt (fails fast on unformatted HCL), terraform-validate (init -backend=false + validate for dev/staging/production), terraform-plan (full plan per environment using AWS credentials from secrets)
- Plan output is posted as a PR comment (upserted on re-runs) and uploaded as a retained artifact so reviewers can inspect without running locally
- Handles the inconsistent env layout (dev.tfvars flat file vs staging/production/terraform.tfvars subdirectories) via a varfile-resolution step before the plan runs
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…e dependency licenses
- Add deny.toml (contracts workspace) and services/api/deny.toml with allow-lists for MIT, Apache-2.0, BSD-*, ISC, CC0-1.0, Zlib, 0BSD; explicitly deny GPL, AGPL, LGPL, OSL, and EUPL variants
- Add frontend/.license-checker.json and services/tts/.license-checker.json with the same allow-list for npm dependencies
- Add .github/workflows/license-check.yml with four jobs:
  - rust-licenses-contracts: cargo deny check licenses in contracts/predict-iq
  - rust-licenses-api: cargo deny check licenses in services/api
  - npm-licenses-frontend: license-checker --onlyAllow for frontend
  - npm-licenses-tts: license-checker --onlyAllow for services/tts
All four must pass before the all-license-checks-passed gate clears
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@valoryyaa-byte Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀