jordan/stemedb
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
e758f2ebfb
stemedb/applications/aphoria/uat/citadel-scan-v1.md
jordan b3e8a9a058 feat: Multi-application expansion with chaos testing and community UI 
Major additions:
- Community Next.js app (port 18187) for browsing claims with API docs
- stemedb-chaos crate: Fault injection, chaos testing, CRDT properties
- Latent ingestion system: Reddit/FDA ingesters with ADK-Go agents
- Disputed claims handling: Manual review workflows and validation
- Aphoria security scanner: New extractors (SQL injection, command
  injection, weak crypto, TLS version), policy-based ignores, UAT reports
- Docker infrastructure: Dockerfile, docker-compose.yml for full stack
- VulnBank demo: Intentionally vulnerable multi-language test corpus

SDK & API enhancements:
- Source registry handlers for tracking data provenance
- Metrics endpoint
- Skeptic filtering improvements

Code quality:
- Split 14 large files (>500 lines) into focused modules
- All files now under 500-line limit per project guidelines

Documentation:
- Chaos testing guide, circuit breakers, observability docs
- Phase 7 UAT documentation updates
- Martin Kleppmann technical writer agent

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-04 01:24:14 -07:00

60 lines
1.8 KiB
Markdown
Raw Blame History

# Catching Hardcoded Secrets in a 50-Crate Rust Monorepo
Citadel is a production observability platform built on Rust. The codebase spans over 1,400 files across 50+ crates - authentication, ingestion pipelines, storage engines, CLI tools, and a Next.js frontend.
We pointed Aphoria at it.
## The Scan
```
$ aphoria scan ./citadel
Scanning... 1,438 files
Extracted 1,259 claims
Detected 3 conflicts
BLOCK tools/citadel-cli/src/commands/agent.rs:903
API key hardcoded in source
ck_live_5ecb66c2_3iAiCOXmjLctkPWbz6Gytw
BLOCK crates/citadel-cli/src/commands/query.rs:736
API key hardcoded in source
ck_live_1234567890abcdef
BLOCK crates/citadel-agent/src/config.rs:101
API key hardcoded in source
ck_live_a1b2c3d4_xyzabc123
3 BLOCK, 0 FLAG, 0 PASS
```
Total time: 1.7 seconds.
## What It Found
Three API keys embedded directly in source files. They were example keys in documentation and test code - the kind that get copy-pasted into real configs by tired developers at 2am.
Aphoria flagged them because they match production key patterns (`ck_live_*`). Even in examples, these create risk: they train developers to hardcode secrets, and sometimes example keys are real keys with the serial numbers filed off.
## What It Checked
Aphoria scanned for conflicts against security standards including:
- TLS certificate verification (OWASP)
- JWT signature validation (RFC 7519)
- Rate limiting configuration
- CORS policies
- Timeout settings
- Hardcoded credentials
The Citadel team had their TLS, JWT, and rate limiting configured correctly. The only gaps were these three documentation examples.
## The Fix
```
$ aphoria ack citadel-cli/src/commands/query.rs:736 \
--reason "Example key for documentation"
```
Or replace with environment variable references and re-scan to verify.
Reference in New Issue View Git Blame Copy Permalink