feat(security): Production security hardening (Issue #197) - Rebased

.env.example

@@ -0,0 +1,181 @@
+# SolFoundry environment configuration
+# Copy to .env: cp .env.example .env
+# 
+# IMPORTANT: Never commit .env files with real secrets!
+# All secrets should be set via secure environment variables in production.
+
+# =============================================================================
+# ENVIRONMENT CONFIGURATION
+# =============================================================================
+
+# Environment: development, staging, production
+ENV=development
+
+# Force HTTPS redirect (set to true in production)
+FORCE_HTTPS=true
+
+# =============================================================================
+# DATABASE CONFIGURATION
+# =============================================================================
+
+# PostgreSQL connection
+# Format: postgresql+asyncpg://user:password@host:port/database
+POSTGRES_USER=solfoundry
+POSTGRES_PASSWORD=CHANGE_ME_USE_STRONG_PASSWORD
+POSTGRES_DB=solfoundry
+POSTGRES_PORT=5432
+
+# Full database URL (overrides individual settings)
+DATABASE_URL=postgresql+asyncpg://solfoundry:CHANGE_ME_USE_STRONG_PASSWORD@postgres:5432/solfoundry
+
+# Connection pool settings
+DB_POOL_SIZE=5
+DB_POOL_MAX_OVERFLOW=10
+DB_POOL_TIMEOUT=30
+
+# =============================================================================
+# REDIS CONFIGURATION
+# =============================================================================
+
+REDIS_PORT=6379
+REDIS_URL=redis://redis:6379/0
+
+# =============================================================================
+# APPLICATION SECURITY
+# =============================================================================
+
+# Backend port
+BACKEND_PORT=8000
+
+# JWT Secret Key (REQUIRED in production)
+# Generate with: python -c "import secrets; print(secrets.token_urlsafe(32))"
+JWT_SECRET_KEY=CHANGE_ME_GENERATE_WITH_SECRETS_TOKEN_URLSAFE_32
+
+# General secret key for session/cookie signing
+SECRET_KEY=CHANGE_ME_GENERATE_WITH_SECRETS_TOKEN_URLSAFE_32
+
+# Token expiration
+ACCESS_TOKEN_EXPIRE_MINUTES=60
+REFRESH_TOKEN_EXPIRE_DAYS=7
+
+# =============================================================================
+# GITHUB INTEGRATION
+# =============================================================================
+
+# GitHub OAuth App credentials
+# Create at: https://github.com/settings/developers
+GITHUB_CLIENT_ID=your_github_client_id
+GITHUB_CLIENT_SECRET=your_github_client_secret
+
+# OAuth redirect URI (must match GitHub App settings)
+GITHUB_REDIRECT_URI=http://localhost:3000/auth/callback
+
+# GitHub Personal Access Token (for API access)
+GITHUB_TOKEN=
+
+# Webhook secret for GitHub webhooks
+# Generate with: python -c "import secrets; print(secrets.token_urlsafe(16))"
+GITHUB_WEBHOOK_SECRET=CHANGE_ME_GENERATE_WEBHOOK_SECRET
+
+# =============================================================================
+# SOLANA BLOCKCHAIN
+# =============================================================================
+
+# Solana RPC endpoint
+# Development: https://api.devnet.solana.com
+# Production: https://api.mainnet-beta.solana.com (or your RPC provider)
+SOLANA_RPC_URL=https://api.devnet.solana.com
+
+# Treasury wallet (DO NOT include private key here!)
+# Set via secure environment variable or secrets manager
+# TREASURY_PRIVATE_KEY should be set in production secrets
+
+# =============================================================================
+# CORS & SECURITY HEADERS
+# =============================================================================
+
+# Allowed CORS origins (comma-separated)
+# In production, list your actual domains
+ALLOWED_ORIGINS=https://solfoundry.org,https://www.solfoundry.org
+
+# In development, localhost origins are automatically added
+
+# CSP Report URI (optional)
+CSP_REPORT_URI=/api/csp-report
+
+# =============================================================================
+# RATE LIMITING
+# =============================================================================
+
+# Rate limits per minute per IP/user
+RATE_LIMIT_AUTH=5
+RATE_LIMIT_API=60
+RATE_LIMIT_WEBHOOKS=120
+
+# Maximum request payload size (bytes)
+MAX_PAYLOAD_SIZE=10485760
+
+# =============================================================================
+# BACKUP CONFIGURATION
+# =============================================================================
+
+# PostgreSQL backup settings
+BACKUP_ENABLED=true
+BACKUP_SCHEDULE=0 3 * * *
+BACKUP_RETENTION_DAYS=30
+BACKUP_S3_BUCKET=
+BACKUP_S3_PREFIX=solfoundry/
+
+# =============================================================================
+# MONITORING & LOGGING
+# =============================================================================
+
+# Log level: DEBUG, INFO, WARNING, ERROR, CRITICAL
+LOG_LEVEL=INFO
+
+# Sentry DSN (optional, for error tracking)
+# SENTRY_DSN=https://xxx@sentry.io/xxx
+
+# Health check URLs (set as GitHub repository variables)
+STAGING_HEALTH_URL=https://staging-api.solfoundry.org/health
+PRODUCTION_HEALTH_URL=https://api.solfoundry.org/health
+
+# =============================================================================
+# FRONTEND CONFIGURATION
+# =============================================================================
+
+FRONTEND_PORT=3000
+VITE_API_URL=http://localhost:8000
+
+# =============================================================================
+# DEVELOPMENT ONLY
+# =============================================================================
+
+# Skip authentication (development only!)
+# NEVER set to true in production
+AUTH_ENABLED=true
+
+# SQL echo for debugging
+SQL_ECHO=false
+
+# =============================================================================
+# SECURITY CHECKLIST FOR PRODUCTION
+# =============================================================================
+# 
+# Before deploying to production, ensure:
+# 
+# 1. [ ] All CHANGE_ME values are replaced with strong random values
+# 2. [ ] JWT_SECRET_KEY is at least 32 characters
+# 3. [ ] SECRET_KEY is at least 32 characters
+# 4. [ ] DATABASE_URL uses strong password
+# 5. [ ] GITHUB_CLIENT_SECRET is set
+# 6. [ ] GITHUB_WEBHOOK_SECRET is set
+# 7. [ ] SOLANA_RPC_URL points to mainnet or production RPC
+# 8. [ ] ALLOWED_ORIGINS lists only your production domains
+# 9. [ ] ENV=production
+# 10. [ ] FORCE_HTTPS=true
+# 11. [ ] AUTH_ENABLED=true (never false in production)
+# 12. [ ] Backup S3 bucket is configured
+# 13. [ ] All secrets are in secrets manager, not .env file
+# 
+# =============================================================================

.github/workflows/ci.yml

@@ -256,11 +256,44 @@ jobs:
         run: cargo fmt -- --check
         continue-on-error: true
 
+  # ==================== DOCKER BUILD + SMOKE TEST ====================
+  # Builds both images via compose, starts all 4 services, curls /health.
+  docker-build:
+    name: Docker Build & Smoke Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Validate Dockerfiles exist
+        run: |
+          test -f Dockerfile.backend  || { echo "Missing Dockerfile.backend"; exit 1; }
+          test -f Dockerfile.frontend || { echo "Missing Dockerfile.frontend"; exit 1; }
+      - name: Validate Docker Compose config
+        run: docker compose config --quiet
+      - name: Build and start all services
+        run: docker compose up -d --build --wait --wait-timeout 120
+      - name: Verify backend health
+        run: |
+          for i in $(seq 1 15); do
+            if curl -sf http://localhost:8000/health | grep -q ok; then
+              echo "Backend healthy"; exit 0
+            fi; sleep 5
+          done
+          docker compose logs backend; exit 1
+      - name: Verify all 4 services running
+        run: |
+          running=$(docker compose ps --status running --format json | grep -c '"Service"')
+          if [ "$running" -lt 4 ]; then
+            echo "Expected 4 services, got $running"; docker compose ps; exit 1
+          fi
+      - name: Tear down
+        if: always()
+        run: docker compose down -v
+
   # ==================== SUMMARY ====================
   ci-status:
     name: CI Status Summary
     runs-on: ubuntu-latest
-    needs: [backend-lint, backend-tests, frontend-lint, frontend-typecheck, frontend-tests, frontend-build, contracts-check, rust-lint]
+    needs: [backend-lint, backend-tests, frontend-lint, frontend-typecheck, frontend-tests, frontend-build, contracts-check, rust-lint, docker-build]
     if: always()
     steps:
       - name: Check CI Results
@@ -275,6 +308,7 @@ jobs:
           echo "| Frontend Type Check | ${{ needs.frontend-typecheck.result }} |" >> $GITHUB_STEP_SUMMARY
           echo "| Frontend Tests | ${{ needs.frontend-tests.result }} |" >> $GITHUB_STEP_SUMMARY
           echo "| Frontend Build | ${{ needs.frontend-build.result }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| Docker Build | ${{ needs.docker-build.result }} |" >> $GITHUB_STEP_SUMMARY
           echo "| Contracts Check | ${{ needs.contracts-check.result }} |" >> $GITHUB_STEP_SUMMARY
           echo "| Rust Lint | ${{ needs.rust-lint.result }} |" >> $GITHUB_STEP_SUMMARY