azaion/ui
1
0
Fork 0
mirror of https://github.com/azaion/ui.git synced 2026-06-21 08:01:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

[AZ-501] [AZ-502] Cycle 2 Step 14 security audit + inline fixes
ci/woodpecker/push/build-arm Pipeline failed
Details

Browse Source 
Security audit (5 phases) → reports under _docs/05_security/.

AZ-501 (F-SAST-1, HIGH): Externalize hardcoded Google Geocode key
from mission-planner/src/config.ts to VITE_GOOGLE_GEOCODE_KEY via
new GeocodeService.ts; fail-soft warn when unset; STC-SEC1D static
deny-list gate; +5 unit tests in tests/mission_planner_geocode.test.ts.

AZ-502 (F-DEP-1, HIGH): Force vite>=6.4.2 and postcss>=8.5.10 via
package.json overrides in both roots; clean reinstall clears all
bun audit advisories.

Test-spec sync (Step 12) + Update Docs (Step 13) deltas: AC-43, AC-44,
NFT-SEC-09b, FT-P-61, FT-N-17, ripple log, batch_12 report.

Pending user actions: revoke Google + OWM keys (AC-6 / AZ-499 AC-7).

229 PASS / 13 SKIP / 0 FAIL on static + fast suites.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-05-12 05:31:11 +03:00
parent b016fd8207
commit f7dd6c98d8
32 changed files with 1833 additions and 502 deletions
Download Patch File Download Diff File Expand all files Collapse all files
scripts/check-banned-deps.mjs
+2 -1
View File
@@ -199,7 +199,8 @@ function main() {
kind === 'legacy_integrations' ||
kind === 'concurrent_edit_patterns' ||
kind === 'alert_calls' ||
kind === 'owm_key_in_source'
kind === 'owm_key_in_source' ||
kind === 'google_key_in_source'
) {
hits = checkSourceTree(section, root, ['src', 'mission-planner'])
} else if (kind === 'destructive_surfaces') {
scripts/run-tests.sh
+10
View File
@@ -224,6 +224,15 @@ if [ "$RUN_STATIC" = "true" ]; then
node "$PROJECT_ROOT/scripts/check-banned-deps.mjs" --kind=owm_key_in_source
}
# AZ-501 — F-SAST-1 — defense-in-depth gate that the literal Google Geocode
# API key cannot reappear in src/ or mission-planner/. The user revokes the
# key out-of-band (AZ-501 AC-6); this static check guards against an
# accidental git-history-paste reintroducing the same string. Mirrors the
# STC-SEC1C pattern (literal-string scan across both source trees).
static_check_no_google_key_in_source() {
node "$PROJECT_ROOT/scripts/check-banned-deps.mjs" --kind=google_key_in_source
}
# Source-tree text search. Prefer ripgrep when available (much faster on
# large trees), fall back to POSIX grep -r so the CI runner doesn't need rg.
# Test files (*.test.{ts,tsx}, *.spec.{ts,tsx}) are EXCLUDED — production
@@ -567,6 +576,7 @@ if [ "$RUN_STATIC" = "true" ]; then
run_static "STC-RES10" "nginx prefix-strip on every /api/<S>/ route" "NFT-RES-LIM-10" "n/a" static_check_nginx_prefix_strip
run_static "STC-SEC1B" "no literal OWM key in dist/" "SEC-09" "63" static_check_no_owm_key_in_dist
run_static "STC-SEC1C" "no literal OWM key in src/ + mission-planner/" "SEC-09" "AZ-499" static_check_no_owm_key_in_source
run_static "STC-SEC1D" "no literal Google Geocode key in src/ + mission-planner/" "F-SAST-1" "AZ-501" static_check_no_google_key_in_source
if [ "$STATIC_FAIL" = "1" ]; then
echo "[run-tests] static profile FAILED — see $STATIC_REPORT"