Mosas2000 · Mosas2000 · Mar 11, 2026 · Mar 9, 2026 · Mar 9, 2026 · Mar 9, 2026
@@ -1,13 +1,16 @@
 # TipStream Root Environment Variables
 # Copy this file to .env and fill in real values.
+#
+# These variables are used by scripts/test-contract.cjs and any future
+# deployment automation.  The .env file is listed in .gitignore.
 
-# Mnemonic for test scripts (scripts/test-contract.cjs)
-# NEVER use a real wallet mnemonic here.
-MNEMONIC=your_test_mnemonic_here
+# Deployer / sender mnemonic (24-word BIP-39 phrase).
+# Keep this in a password manager; paste here only when deploying.
+MNEMONIC="<YOUR DEPLOYER MNEMONIC HERE>"
 
-# Recipient address for test-contract.cjs  (required)
+# Recipient address for test-contract.cjs (required).
 # Must be a valid SP... mainnet address and different from the sender.
-RECIPIENT=SP_YOUR_TEST_RECIPIENT_ADDRESS
+RECIPIENT="<SP ADDRESS OF TEST RECIPIENT>"
 
 # Tip amount in microSTX (default: 1000, minimum: 1000 = 0.001 STX)
 AMOUNT=1000
@@ -18,3 +21,9 @@ MESSAGE=On-chain test tip
 # Set to 1 to build the transaction without broadcasting.
 # Useful for verifying post-conditions and transaction size.
 DRY_RUN=0
+
+# Network override for the frontend build (mainnet | testnet | devnet).
+VITE_NETWORK=mainnet
+
+# Application URL used for social sharing metadata.
+VITE_APP_URL=https://tipstream-silk.vercel.app
@@ -0,0 +1,16 @@
+# Code owners for TipStream
+# These users are automatically requested for review on PRs
+# that touch the specified paths.
+
+# Default owner for all files
+* @Mosas2000
+
+# Security-sensitive paths require explicit review
+.gitignore @Mosas2000
+.gitleaks.toml @Mosas2000
+.env.example @Mosas2000
+settings/ @Mosas2000
+scripts/ @Mosas2000
+SECURITY.md @Mosas2000
+contracts/ @Mosas2000
+.github/workflows/ @Mosas2000
@@ -0,0 +1,38 @@
+---
+name: Bug Report
+about: Report a bug in TipStream
+labels: bug
+---
+
+## Description
+
+<!-- A clear description of the bug. -->
+
+## Steps to Reproduce
+
+1.
+2.
+3.
+
+## Expected Behavior
+
+<!-- What should have happened. -->
+
+## Actual Behavior
+
+<!-- What happened instead. -->
+
+## Environment
+
+- Browser:
+- Wallet: (Leather / Xverse / other)
+- Network: (mainnet / testnet / devnet)
+- OS:
+
+## Screenshots
+
+<!-- If applicable. -->
+
+## Additional Context
+
+<!-- Any other relevant information. -->
@@ -0,0 +1,21 @@
+---
+name: Feature Request
+about: Suggest a new feature or improvement
+labels: enhancement
+---
+
+## Problem
+
+<!-- What problem does this feature solve? -->
+
+## Proposed Solution
+
+<!-- Describe your proposed approach. -->
+
+## Alternatives Considered
+
+<!-- Any alternative solutions or workarounds. -->
+
+## Additional Context
+
+<!-- Screenshots, links, or related issues. -->
@@ -0,0 +1,24 @@
+---
+name: Security Vulnerability
+about: Report a security issue (prefer private disclosure)
+labels: security
+---
+
+> If this is a sensitive vulnerability, please do **not** open a public
+> issue.  Follow the private disclosure process in [SECURITY.md](../../SECURITY.md).
+
+## Description
+
+<!-- Describe the vulnerability. -->
+
+## Impact
+
+<!-- Who is affected and what could an attacker do? -->
+
+## Reproduction
+
+<!-- Steps or proof-of-concept to demonstrate the issue. -->
+
+## Suggested Fix
+
+<!-- If you have one. -->
@@ -0,0 +1,32 @@
+## Summary
+
+<!-- Brief description of what this PR does. -->
+
+## Related Issue
+
+<!-- Link to the GitHub issue: Closes #NNN -->
+
+## Changes
+
+<!-- List the key changes made in this PR. -->
+
+-
+
+## Testing
+
+<!-- How were these changes tested? -->
+
+- [ ] Contract tests pass (`npm test`)
+- [ ] Frontend builds without errors (`cd frontend && npm run build`)
+- [ ] Linting passes (`cd frontend && npm run lint`)
+- [ ] Manual testing (describe below)
+
+## Deployment Notes
+
+<!-- Any special steps needed after merging? Leave blank if none. -->
+
+## Security Checklist
+
+- [ ] No secrets or mnemonics are included in this PR.
+- [ ] Post conditions are set to `Deny` on any new contract calls.
+- [ ] Environment variables are documented in `.env.example` if added.
@@ -0,0 +1,33 @@
+name: Secret Scanning
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  gitleaks:
+    name: Detect leaked secrets
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: gitleaks/gitleaks-action@v2
+        with:
+          config-path: .gitleaks.toml
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  verify:
+    name: Verify credential exclusion
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run secret verification checks
+        run: ./scripts/verify-no-secrets.sh
@@ -18,13 +18,23 @@ npm-debug.log*
 coverage/
 *.info
 
-# Clarinet
-**/settings/Mainnet.toml
-**/settings/Testnet.toml
-settings/Mainnet.toml
+# Clarinet session artifacts
 history.txt
 costs-reports.json
 
+# Network credentials — mainnet and testnet hold real or funded keys
+settings/Mainnet.toml
+settings/Testnet.toml
+**/settings/Mainnet.toml
+**/settings/Testnet.toml
+
+# Catch any stray key/mnemonic exports
+*.pem
+*.key
+*.p12
+**/secrets/
+*.secret
+
 # OS files
 .DS_Store
 Thumbs.db
@@ -34,4 +44,7 @@ Thumbs.db
 .idea/
 *.swp
 *.swo
-settings/Testnet.toml
+
+# Hosting platform local state
+.vercel/
+.netlify/
@@ -0,0 +1,52 @@
+# Gitleaks configuration for TipStream
+# Detects accidentally committed secrets such as mnemonics or private keys.
+# Run locally:  gitleaks detect --source . --config .gitleaks.toml
+# CI:           integrate via GitHub Actions or pre-commit hook.
+
+title = "TipStream secret scanning rules"
+
+# BIP-39 mnemonic phrases (12 or 24 words separated by spaces)
+[[rules]]
+id = "bip39-mnemonic"
+description = "Potential BIP-39 mnemonic phrase"
+regex = '''(?i)mnemonic\s*=\s*"[a-z ]{20,}"'''
+tags = ["key", "mnemonic"]
+
+[[rules.allowlist]]
+paths = [
+    '''settings/Devnet\.toml''',
+    '''settings/.*\.example''',
+]
+
+# Stacks private key (64-hex + 01 suffix)
+[[rules]]
+id = "stacks-private-key"
+description = "Stacks private key"
+regex = '''(?i)(secret_key|private_key|senderKey)\s*[:=]\s*["\']?[0-9a-f]{64,66}["\']?'''
+tags = ["key", "private-key"]
+
+[[rules.allowlist]]
+paths = [
+    '''settings/Devnet\.toml''',
+]
+
+# Generic high-entropy secrets
+[[rules]]
+id = "generic-secret"
+description = "Hardcoded secret or API key assignment"
+regex = '''(?i)(api_key|apikey|secret|token|password)\s*[:=]\s*["'][A-Za-z0-9/+=]{16,}["']'''
+tags = ["key", "generic"]
+
+[[rules.allowlist]]
+paths = [
+    '''\.env\.example''',
+    '''settings/.*\.example''',
+]
+
+[allowlist]
+paths = [
+    '''node_modules/''',
+    '''frontend/dist/''',
+    '''.cache/''',
+    '''\.gitleaks\.toml''',
+]