stemedb/applications/aphoria/uat/citadel-scan-v1.md
jordan b3e8a9a058 feat: Multi-application expansion with chaos testing and community UI
Major additions:
- Community Next.js app (port 18187) for browsing claims with API docs
- stemedb-chaos crate: Fault injection, chaos testing, CRDT properties
- Latent ingestion system: Reddit/FDA ingesters with ADK-Go agents
- Disputed claims handling: Manual review workflows and validation
- Aphoria security scanner: New extractors (SQL injection, command
  injection, weak crypto, TLS version), policy-based ignores, UAT reports
- Docker infrastructure: Dockerfile, docker-compose.yml for full stack
- VulnBank demo: Intentionally vulnerable multi-language test corpus

SDK & API enhancements:
- Source registry handlers for tracking data provenance
- Metrics endpoint
- Skeptic filtering improvements

Code quality:
- Split 14 large files (>500 lines) into focused modules
- All files now under 500-line limit per project guidelines

Documentation:
- Chaos testing guide, circuit breakers, observability docs
- Phase 7 UAT documentation updates
- Martin Kleppmann technical writer agent

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-04 01:24:14 -07:00


Catching Hardcoded Secrets in a 50-Crate Rust Monorepo

Citadel is a production observability platform built on Rust. The codebase spans over 1,400 files across 50+ crates - authentication, ingestion pipelines, storage engines, CLI tools, and a Next.js frontend.

We pointed Aphoria at it.

The Scan

$ aphoria scan ./citadel

Scanning... 1,438 files
Extracted 1,259 claims
Detected 3 conflicts

  BLOCK  tools/citadel-cli/src/commands/agent.rs:903
         API key hardcoded in source
         ck_live_5ecb66c2_3iAiCOXmjLctkPWbz6Gytw

  BLOCK  crates/citadel-cli/src/commands/query.rs:736
         API key hardcoded in source
         ck_live_1234567890abcdef

  BLOCK  crates/citadel-agent/src/config.rs:101
         API key hardcoded in source
         ck_live_a1b2c3d4_xyzabc123

3 BLOCK, 0 FLAG, 0 PASS

Total time: 1.7 seconds.

What It Found

Three API keys embedded directly in source files. They were example keys in documentation and test code - the kind that get copy-pasted into real configs by tired developers at 2am.

Aphoria flagged them because they match production key patterns (ck_live_*). Even in examples, these create risk: they train developers to hardcode secrets, and sometimes example keys are real keys with the serial numbers filed off.

What It Checked

Aphoria scanned for conflicts against security standards including:

  • TLS certificate verification (OWASP)
  • JWT signature validation (RFC 7519)
  • Rate limiting configuration
  • CORS policies
  • Timeout settings
  • Hardcoded credentials

The Citadel team had their TLS, JWT, and rate limiting configured correctly. The only gaps were these three documentation examples.

The Fix

$ aphoria ack citadel-cli/src/commands/query.rs:736 \
    --reason "Example key for documentation"

Alternatively, replace the literals with environment-variable references and re-scan to verify that the findings clear.
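As an added example (not Aphoria's or Citadel's own code), a minimal Rust detector for the ck_live_ key pattern reported above, with an acknowledgement set standing in for aphoria ack, followed by the remediated loader that reads the key from the environment instead of source. The file path, key values and the CITADEL_API_KEY variable name are assumptions.

```rust
use std::collections::HashSet;
use std::env;

/// Prefix of production-style keys, taken from the scan output above.
const LIVE_PREFIX: &str = "ck_live_";

#[derive(Debug, PartialEq)]
pub struct Finding {
    pub file: String,
    pub line: usize, // 1-based, matching the `path:line` locations in the report
    pub key: String,
}

/// Scan one file's text for tokens that start with `ck_live_`.
/// `acked` holds `file:line` locations a reviewer has acknowledged
/// (the role `aphoria ack` plays); those lines are skipped.
pub fn scan_source(file: &str, src: &str, acked: &HashSet<String>) -> Vec<Finding> {
    let mut findings = Vec::new();
    for (idx, text) in src.lines().enumerate() {
        let line = idx + 1;
        if acked.contains(&format!("{file}:{line}")) {
            continue;
        }
        let mut rest = text;
        while let Some(pos) = rest.find(LIVE_PREFIX) {
            let tail = &rest[pos + LIVE_PREFIX.len()..];
            // Key bodies are ASCII alphanumerics/underscores, so char count == byte count.
            let len = tail.chars().take_while(|c| c.is_ascii_alphanumeric() || *c == '_').count();
            // Short tails such as the bare `ck_live_*` in prose are not keys.
            if len >= 8 {
                findings.push(Finding { file: file.into(), line, key: format!("{LIVE_PREFIX}{}", &tail[..len]) });
            }
            rest = &tail[len..];
        }
    }
    findings
}

/// Remediated loader: the key comes from the environment, never from source.
/// `CITADEL_API_KEY` is an assumed name; unset or empty values fail loudly at startup.
pub fn load_api_key() -> Result<String, String> {
    key_from_env_value(env::var("CITADEL_API_KEY").ok())
}

pub fn key_from_env_value(value: Option<String>) -> Result<String, String> {
    match value {
        Some(v) if !v.trim().is_empty() => Ok(v),
        _ => Err("CITADEL_API_KEY is not set".to_string()),
    }
}
```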