jordan/stemedb
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4360a17dd3
stemedb/docs/demo/vulnbank/config/production.yaml
jordan b3e8a9a058 feat: Multi-application expansion with chaos testing and community UI 
Major additions:
- Community Next.js app (port 18187) for browsing claims with API docs
- stemedb-chaos crate: Fault injection, chaos testing, CRDT properties
- Latent ingestion system: Reddit/FDA ingesters with ADK-Go agents
- Disputed claims handling: Manual review workflows and validation
- Aphoria security scanner: New extractors (SQL injection, command
  injection, weak crypto, TLS version), policy-based ignores, UAT reports
- Docker infrastructure: Dockerfile, docker-compose.yml for full stack
- VulnBank demo: Intentionally vulnerable multi-language test corpus

SDK & API enhancements:
- Source registry handlers for tracking data provenance
- Metrics endpoint
- Skeptic filtering improvements

Code quality:
- Split 14 large files (>500 lines) into focused modules
- All files now under 500-line limit per project guidelines

Documentation:
- Chaos testing guide, circuit breakers, observability docs
- Phase 7 UAT documentation updates
- Martin Kleppmann technical writer agent

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-04 01:24:14 -07:00

56 lines
1.3 KiB
YAML
Raw Blame History

# VulnBank Production Configuration
# DO NOT USE IN PRODUCTION - Contains security vulnerabilities for testing
server:
host: 0.0.0.0
port: 8080
# BLOCK: Hardcoded database credentials in config file
database:
host: db.vulnbank.internal
port: 5432
name: vulnbank_prod
user: admin
password: super_secret_prod_password_123!
# BLOCK: Hardcoded database password (flat pattern)
database_password: production_db_password_2024
# BLOCK: Hardcoded API keys in config file
api:
stripe_secret_key: sk_live_51H7xyz123456789abcdef
sendgrid_api_key: SG.abcdefghijklmnopqrstuvwxyz123456
# BLOCK: TLS verification disabled (flat pattern for detection)
tls_verify: false
verify_certificates: false
tls:
min_version: "1.0" # TLS 1.0 is deprecated per RFC 8996
# BLOCK: CORS allows any origin (flat pattern)
cors_origins: "*"
allowed_origins: "*"
cors:
allow_credentials: true
# BLOCK: Rate limiting disabled (flat pattern)
rate_limiting: false
rate_limit_enabled: false
# Security settings (all misconfigured)
security:
# BLOCK: JWT audience validation disabled
validate_audience: false
jwt:
algorithms:
- HS256
- none # BLOCK: Algorithm 'none' allowed
# Weak session configuration
session:
secure: false
http_only: false
same_site: none
Reference in New Issue View Git Blame Copy Permalink