Harden security flows and fix frontend lint blockers

Author: owenisas

.github/workflows/deploy-admin-backend-aws.yml

@@ -156,15 +156,30 @@ jobs:
           print("✅ Admin route validation complete")
           EOF
 
+  secret-scan:
+    name: Secret Scan (Gitleaks)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ env.DEPLOY_REF }}
+
+      - name: Run gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
   quality-gate:
     name: Quality Gate
-    needs: [lint, test, validate-sam, validate-routes]
+    needs: [lint, test, validate-sam, validate-routes, secret-scan]
     runs-on: ubuntu-latest
     steps:
       - name: All checks passed
         run: |
           echo "## ✅ All Admin Backend Checks Passed" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
+          echo "- Secret scan: passed" >> $GITHUB_STEP_SUMMARY
           echo "Proceeding to deployment..." >> $GITHUB_STEP_SUMMARY
 
   deploy:

.github/workflows/deploy-admin-frontend-aws.yml

@@ -61,7 +61,28 @@ jobs:
 
       - name: Install dependencies
         working-directory: admin-frontend
-        run: npm install
+        run: npm ci
+
+      - name: Run npm audit
+        working-directory: admin-frontend
+        run: |
+          set +e
+          npm audit --audit-level=high --json > audit-report.json
+          STATUS=$?
+          set -e
+          if [ "$STATUS" -ne 0 ]; then
+            echo "::error::Security vulnerabilities found in admin frontend dependencies"
+            jq '.metadata.vulnerabilities' audit-report.json || true
+            exit "$STATUS"
+          fi
+
+      - name: Upload npm audit report
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: admin-frontend-audit-report
+          path: admin-frontend/audit-report.json
+          retention-days: 7
 
       - name: Lint
         working-directory: admin-frontend
@@ -78,7 +99,7 @@ jobs:
   deploy:
     name: Deploy Admin Frontend
     runs-on: ubuntu-latest
-    needs: lint-build
+    needs: [lint-build, secret-scan]
     environment: ${{ github.ref_name == 'prod' && 'prod' || 'dev' }}
     env:
       S3_BUCKET: ${{ vars.ADMIN_FRONTEND_S3_BUCKET }}
@@ -116,7 +137,7 @@ jobs:
 
       - name: Install dependencies
         working-directory: admin-frontend
-        run: npm install
+        run: npm ci
 
       - name: Build
         working-directory: admin-frontend
@@ -130,3 +151,17 @@ jobs:
       - name: Invalidate CloudFront
         run: |
           aws cloudfront create-invalidation --distribution-id "$CLOUDFRONT_DISTRIBUTION_ID" --paths "/*"
+
+  secret-scan:
+    name: Secret Scan (Gitleaks)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ env.DEPLOY_REF }}
+
+      - name: Run gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/deploy-backend-aws.yml

@@ -97,20 +97,71 @@ jobs:
           pip install pip-audit bandit
 
       - name: Run pip-audit (dependency vulnerabilities)
+        id: pip_audit
         working-directory: backend
         run: |
           # Audit declared requirements directly; avoid installing heavy runtime deps (e.g. manim)
           # that require OS libraries just to perform vulnerability checks.
+          set +e
           if grep -qE "^[a-zA-Z]" requirements.txt 2>/dev/null; then
-            pip-audit -r requirements.txt || echo "::warning::Security vulnerabilities found in dependencies"
+            pip-audit -r requirements.txt -f json -o pip-audit-report.json
+            STATUS=$?
           else
             echo "No external dependencies to audit"
+            printf '{"message":"No external dependencies to audit"}\n' > pip-audit-report.json
+            STATUS=0
+          fi
+          set -e
+          echo "status=$STATUS" >> "$GITHUB_OUTPUT"
+          if [ "$STATUS" -ne 0 ]; then
+            echo "::error::pip-audit detected vulnerabilities"
           fi
 
       - name: Run Bandit (security linter)
+        id: bandit_scan
         working-directory: backend
         run: |
-          bandit -r . -x ./tests -ll -ii --format github || echo "::warning::Potential security issues found"
+          set +e
+          bandit -r . -x ./tests -ll -ii -f json -o bandit-report.json
+          STATUS=$?
+          set -e
+          echo "status=$STATUS" >> "$GITHUB_OUTPUT"
+          if [ "$STATUS" -ne 0 ]; then
+            echo "::error::Bandit detected security findings"
+          fi
+
+      - name: Upload backend security reports
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: backend-security-reports
+          path: |
+            backend/pip-audit-report.json
+            backend/bandit-report.json
+          retention-days: 7
+
+      - name: Enforce security gate
+        run: |
+          if [ "${{ steps.pip_audit.outputs.status }}" != "0" ]; then
+            exit 1
+          fi
+          if [ "${{ steps.bandit_scan.outputs.status }}" != "0" ]; then
+            exit 1
+          fi
+
+  secret-scan:
+    name: Secret Scan (Gitleaks)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ env.DEPLOY_REF }}
+
+      - name: Run gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   test:
     name: Unit Tests
@@ -346,7 +397,7 @@ jobs:
 
   quality-gate:
     name: Quality Gate
-    needs: [lint, security, test, validate-sam, validate-routes]
+    needs: [lint, security, secret-scan, test, validate-sam, validate-routes]
     runs-on: ubuntu-latest
     steps:
       - name: All checks passed
@@ -357,6 +408,7 @@ jobs:
           echo "|-------|--------|" >> $GITHUB_STEP_SUMMARY
           echo "| Lint & Code Quality | ✅ Passed |" >> $GITHUB_STEP_SUMMARY
           echo "| Security Scan | ✅ Passed |" >> $GITHUB_STEP_SUMMARY
+          echo "| Secret Scan | ✅ Passed |" >> $GITHUB_STEP_SUMMARY
           echo "| Unit Tests | ✅ Passed |" >> $GITHUB_STEP_SUMMARY
           echo "| SAM Validation | ✅ Passed |" >> $GITHUB_STEP_SUMMARY
           echo "| Route Validation | ✅ Passed |" >> $GITHUB_STEP_SUMMARY
@@ -375,6 +427,10 @@ jobs:
       FIREBASE_PROJECT_ID: ${{ vars.BACKEND_FIREBASE_PROJECT_ID || 'fpai-cbcb2' }}
       OPENAI_MODEL: ${{ vars.BACKEND_OPENAI_MODEL || 'gpt-5.2' }}
       API_KEYS_SECRET_ID: ${{ vars.BACKEND_API_KEYS_SECRET_ID }}
+      ALLOWED_ORIGINS: ${{ vars.BACKEND_ALLOWED_ORIGINS || 'http://localhost:3000,http://localhost:5173,https://fpai.io,https://d1gyb6wodlq2q2.cloudfront.net' }}
+      ASSETS_ALLOWED_ORIGINS: ${{ vars.BACKEND_ASSETS_ALLOWED_ORIGINS || 'https://fpai.io,http://localhost:3000' }}
+      SHARE_PUBLIC_BASE_URL: ${{ vars.BACKEND_SHARE_PUBLIC_BASE_URL || 'https://fpai.io' }}
+      REQUIRE_BRAVE_API_KEY: ${{ vars.BACKEND_REQUIRE_BRAVE_API_KEY || 'true' }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -418,7 +474,9 @@ jobs:
           OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
           GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
           GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
+          BRAVE_API_KEY: ${{ secrets.BRAVE_API_KEY }}
           FIREBASE_SERVICE_ACCOUNT_JSON: ${{ secrets.FIREBASE_SERVICE_ACCOUNT_JSON }}
+          REQUIRE_BRAVE_API_KEY: ${{ env.REQUIRE_BRAVE_API_KEY }}
         run: |
           if [ -z "$OPENAI_API_KEY" ]; then
             echo "::error::Missing GitHub secret OPENAI_API_KEY"
@@ -433,6 +491,10 @@ jobs:
             echo "::error::Missing GitHub secret FIREBASE_SERVICE_ACCOUNT_JSON"
             exit 1
           fi
+          if [ "${REQUIRE_BRAVE_API_KEY}" != "false" ] && [ -z "$BRAVE_API_KEY" ]; then
+            echo "::error::Missing GitHub secret BRAVE_API_KEY"
+            exit 1
+          fi
 
           if [ "${{ env.ENVIRONMENT }}" = "prod" ]; then
             DEFAULT_SECRET_ID="fpai/api-keys"
@@ -457,8 +519,9 @@ jobs:
           UPDATED_SECRET=$(printf '%s' "$CURRENT_SECRET" \
             | jq --arg openai_key "$OPENAI_API_KEY" \
                  --arg gemini_key "$EFFECTIVE_GEMINI_API_KEY" \
+                 --arg brave_key "$BRAVE_API_KEY" \
                  --arg firebase_sa "$FIREBASE_SERVICE_ACCOUNT_JSON" \
-              '.OPENAI_API_KEY = $openai_key | .GEMINI_API_KEY = $gemini_key | .FIREBASE_SERVICE_ACCOUNT_JSON = $firebase_sa')
+              '.OPENAI_API_KEY = $openai_key | .GEMINI_API_KEY = $gemini_key | .BRAVE_API_KEY = $brave_key | .FIREBASE_SERVICE_ACCOUNT_JSON = $firebase_sa')
 
           if [ "$SECRET_EXISTS" = "true" ]; then
             aws secretsmanager put-secret-value \
@@ -470,7 +533,32 @@ jobs:
               --secret-string "$UPDATED_SECRET"
           fi
 
-          echo "✅ Updated OPENAI_API_KEY + GEMINI_API_KEY + FIREBASE_SERVICE_ACCOUNT_JSON in Secrets Manager ($SECRET_ID)"
+          echo "✅ Updated OPENAI_API_KEY + GEMINI_API_KEY + BRAVE_API_KEY + FIREBASE_SERVICE_ACCOUNT_JSON in Secrets Manager ($SECRET_ID)"
+
+      - name: Validate required Secrets Manager fields
+        env:
+          REQUIRE_BRAVE_API_KEY: ${{ env.REQUIRE_BRAVE_API_KEY }}
+        run: |
+          if [ "${{ env.ENVIRONMENT }}" = "prod" ]; then
+            DEFAULT_SECRET_ID="fpai/api-keys"
+          else
+            DEFAULT_SECRET_ID="fpai/api-keys-${{ env.ENVIRONMENT }}"
+          fi
+          SECRET_ID="${API_KEYS_SECRET_ID:-$DEFAULT_SECRET_ID}"
+          SECRET_JSON=$(aws secretsmanager get-secret-value \
+            --secret-id "$SECRET_ID" \
+            --query SecretString \
+            --output text)
+
+          echo "$SECRET_JSON" | jq -e '
+            ((.OPENAI_API_KEY // "") | length > 0) and
+            ((.GEMINI_API_KEY // "") | length > 0) and
+            ((.FIREBASE_SERVICE_ACCOUNT_JSON // "") | length > 0)
+          ' >/dev/null
+
+          if [ "${REQUIRE_BRAVE_API_KEY}" != "false" ]; then
+            echo "$SECRET_JSON" | jq -e '(.BRAVE_API_KEY // "") | length > 0' >/dev/null
+          fi
 
       - name: SAM Build
         working-directory: backend
@@ -486,6 +574,9 @@ jobs:
           fi
 
           SECRET_ID="${API_KEYS_SECRET_ID:-$DEFAULT_SECRET_ID}"
+          ALLOWED_ORIGINS_CLEAN=$(echo "${ALLOWED_ORIGINS}" | tr -d '[:space:]')
+          ASSETS_ALLOWED_ORIGINS_CLEAN=$(echo "${ASSETS_ALLOWED_ORIGINS}" | tr -d '[:space:]')
+          SHARE_PUBLIC_BASE_URL_CLEAN=$(echo "${SHARE_PUBLIC_BASE_URL}" | tr -d '[:space:]')
 
           if [ "${{ env.ENVIRONMENT }}" = "prod" ]; then
             BETA_GATE_ENABLED=true
@@ -500,7 +591,7 @@ jobs:
             --resolve-s3 \
             --resolve-image-repos \
             --capabilities CAPABILITY_IAM \
-            --parameter-overrides "Environment=${{ env.ENVIRONMENT }} OpenAIModel=${OPENAI_MODEL} FirebaseProjectId=${FIREBASE_PROJECT_ID} BetaGateEnabled=${BETA_GATE_ENABLED} EnableJobEventStreaming=true ApiKeysSecretId=${SECRET_ID}"
+            --parameter-overrides "Environment=${{ env.ENVIRONMENT }} OpenAIModel=${OPENAI_MODEL} FirebaseProjectId=${FIREBASE_PROJECT_ID} BetaGateEnabled=${BETA_GATE_ENABLED} EnableJobEventStreaming=true ApiKeysSecretId=${SECRET_ID} AllowedOrigins=${ALLOWED_ORIGINS_CLEAN} AssetsAllowedOrigins=${ASSETS_ALLOWED_ORIGINS_CLEAN} SharePublicBaseUrl=${SHARE_PUBLIC_BASE_URL_CLEAN}"
 
       - name: Get API Endpoint
         id: get-endpoint

.github/workflows/deploy-frontend-aws.yml

@@ -85,16 +85,43 @@ jobs:
       - name: Run npm audit
         working-directory: frontend
         run: |
-          npm audit --audit-level=high || {
-            echo "::warning::Security vulnerabilities found in dependencies"
-            npm audit --json > audit-report.json || true
-          }
+          set +e
+          npm audit --audit-level=high --json > audit-report.json
+          STATUS=$?
+          set -e
+          if [ "$STATUS" -ne 0 ]; then
+            echo "::error::Security vulnerabilities found in dependencies"
+            jq '.metadata.vulnerabilities' audit-report.json || true
+            exit "$STATUS"
+          fi
+
+      - name: Upload npm audit report
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: frontend-audit-report
+          path: frontend/audit-report.json
+          retention-days: 7
 
       - name: Check for outdated dependencies
         working-directory: frontend
         run: |
           npm outdated || echo "Some packages are outdated"
 
+  secret-scan:
+    name: Secret Scan (Gitleaks)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ env.DEPLOY_REF }}
+
+      - name: Run gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
   build-test:
     name: Build Verification
     runs-on: ubuntu-latest
@@ -265,7 +292,7 @@ jobs:
 
   quality-gate:
     name: Quality Gate
-    needs: [lint, security, build-test]
+    needs: [lint, security, secret-scan, build-test]
     runs-on: ubuntu-latest
     steps:
       - name: All checks passed
@@ -276,6 +303,7 @@ jobs:
           echo "|-------|--------|" >> $GITHUB_STEP_SUMMARY
           echo "| Lint & Code Quality | ✅ Passed |" >> $GITHUB_STEP_SUMMARY
           echo "| Security Audit | ✅ Passed |" >> $GITHUB_STEP_SUMMARY
+          echo "| Secret Scan | ✅ Passed |" >> $GITHUB_STEP_SUMMARY
           echo "| Build Verification | ✅ Passed |" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "Proceeding to deployment..." >> $GITHUB_STEP_SUMMARY