Merge remote-tracking branch 'upstream/main'

Author: boffin-dmytro

.github/workflows/secret-scan.yml

@@ -18,6 +18,34 @@ jobs:
         with:
           fetch-depth: 0
 
-      - uses: gitleaks/gitleaks-action@v2
+      # gitleaks-action@v2 now requires a paid license key for GitHub org repos.
+      # Use the OSS CLI instead to keep secret scanning enabled without paid secrets.
+      - name: Install gitleaks (OSS)
+        run: |
+          set -euo pipefail
+          VERSION="8.28.0"
+          curl -sSL -o gitleaks.tgz "https://github.com/gitleaks/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_linux_x64.tar.gz"
+          tar -xzf gitleaks.tgz gitleaks
+          sudo mv gitleaks /usr/local/bin/gitleaks
+          gitleaks version
+
+      - name: Run gitleaks
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          gitleaks detect \
+            --redact \
+            --verbose \
+            --source . \
+            --report-format json \
+            --report-path gitleaks-report.json \
+            --exit-code 1
+
+      - name: Upload gitleaks report (always)
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: gitleaks-report
+          path: gitleaks-report.json
+        continue-on-error: true

.github/workflows/test-linux.yml

@@ -17,9 +17,17 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Docs Link Checks
+        run: bash tests/test-doc-links.sh
+
       - name: Integration Smoke
         run: bash tests/integration-test.sh
 
+      - name: Extension Audit
+        run: |
+          python3 scripts/audit-extensions.py --project-dir .
+          bash tests/test-extension-audit.sh
+
       - name: Phase C P1 Static Checks
         run: bash tests/test-phase-c-p1.sh
 
@@ -43,6 +51,9 @@ jobs:
       - name: Validate Env Tests
         run: bash tests/test-validate-env.sh
 
+      - name: Validate Simulation Summary Tests
+        run: bash tests/test-validate-sim-summary.sh
+
       - name: CPU-Only Path Tests
         run: bash tests/test-cpu-only-path.sh
 

.gitleaks.toml

@@ -0,0 +1,11 @@
+[[rules]]
+  id = "langfuse-project-public-key"
+  description = "Langfuse project public key"
+  regex = '''pk-lf-[0-9a-f]+'''
+  keywords = ["pk-lf-"]
+
+[[rules]]
+  id = "langfuse-project-secret-key"
+  description = "Langfuse project secret key"
+  regex = '''sk-lf-[0-9a-f]+'''
+  keywords = ["sk-lf-"]

.gitleaksignore

@@ -3,3 +3,53 @@
 # Get fingerprints from gitleaks output when a false positive is detected
 #
 # Example: abc123def456...
+
+# Test fixtures in privacy-shield PII scrubber tests (not real secrets)
+bc47367431025198fcbea19a54abcde8c30847fd:dream-server/extensions/services/privacy-shield/tests/test_pii_scrubber.py:generic-api-key:125
+bc47367431025198fcbea19a54abcde8c30847fd:dream-server/extensions/services/privacy-shield/tests/test_pii_scrubber.py:generic-api-key:131
+bc47367431025198fcbea19a54abcde8c30847fd:dream-server/extensions/services/privacy-shield/tests/test_pii_scrubber.py:generic-api-key:181
+
+# Documentation examples (placeholder API keys in curl commands)
+4ba4a3779264f44b247af06fbad391c1f4d38269:dream-server/extensions/services/litellm/README.md:curl-auth-header:89
+9a1e87ce94083fb9696ec1df6c926ec77397b38e:resources/dev/extensions-library/workflows/comfyui/README.md:curl-auth-header:32
+9a1e87ce94083fb9696ec1df6c926ec77397b38e:resources/dev/extensions-library/workflows/comfyui/README.md:curl-auth-header:64
+9a1e87ce94083fb9696ec1df6c926ec77397b38e:resources/dev/extensions-library/workflows/langflow/README.md:curl-auth-header:30
+9a1e87ce94083fb9696ec1df6c926ec77397b38e:resources/dev/extensions-library/workflows/flowise/README.md:curl-auth-header:30
+1f9e6dae1a91ff274dac2f580996ae9f8d60f414:resources/dev/extensions-library/workflows/flowise/README.md:curl-auth-header:30
+1f9e6dae1a91ff274dac2f580996ae9f8d60f414:resources/dev/extensions-library/workflows/comfyui/README.md:curl-auth-header:32
+1f9e6dae1a91ff274dac2f580996ae9f8d60f414:resources/dev/extensions-library/workflows/comfyui/README.md:curl-auth-header:64
+1f9e6dae1a91ff274dac2f580996ae9f8d60f414:resources/dev/extensions-library/workflows/langflow/README.md:curl-auth-header:30
+
+# Example code in privacy shield implementation (test patterns)
+9a1e87ce94083fb9696ec1df6c926ec77397b38e:resources/dev/extensions-library/services/privacy_shield/pii_scrubber.py:generic-api-key:149
+1f9e6dae1a91ff274dac2f580996ae9f8d60f414:resources/dev/extensions-library/services/privacy_shield/pii_scrubber.py:generic-api-key:149
+6a5047fd3f7cc0369416d14289740b8c3f02dd06:dream-server/privacy-shield-offline/pii_scrubber.py:generic-api-key:146
+6a5047fd3f7cc0369416d14289740b8c3f02dd06:dream-server/privacy-shield/pii_scrubber.py:generic-api-key:149
+
+# Security audit documentation (example vulnerabilities for demonstration)
+ce863df7a784f4d2406bf2c151e9c5c497b3d085:SECURITY_AUDIT.md:generic-api-key:31
+ce863df7a784f4d2406bf2c151e9c5c497b3d085:SECURITY_AUDIT.md:generic-api-key:32
+ce863df7a784f4d2406bf2c151e9c5c497b3d085:SECURITY_AUDIT.md:generic-api-key:59
+
+# Archive/cookbook examples (historical test code and documentation)
+b21a7e1cf78cb925a8b0fe2d3819890c8a0e5751:archive/cookbook/android-labs/cookbooks/agent-template-writing.md:generic-api-key:383
+b21a7e1cf78cb925a8b0fe2d3819890c8a0e5751:archive/cookbook/android-labs/products/privacy-shield/test_shield.py:generic-api-key:34
+b21a7e1cf78cb925a8b0fe2d3819890c8a0e5751:archive/cookbook/android-labs/products/privacy-shield/test_shield.py:generic-api-key:157
+b21a7e1cf78cb925a8b0fe2d3819890c8a0e5751:archive/cookbook/android-labs/products/privacy-shield/test_shield.py:jwt:63
+b21a7e1cf78cb925a8b0fe2d3819890c8a0e5751:archive/cookbook/android-labs/docs/LIVEKIT-DEPLOYMENT-GUIDE.md:curl-auth-header:373
+b21a7e1cf78cb925a8b0fe2d3819890c8a0e5751:archive/cookbook/voice-agent-framework/core/hvac-token-server.py:generic-api-key:19
+b21a7e1cf78cb925a8b0fe2d3819890c8a0e5751:archive/cookbook/voice-agent-framework/core/hvac-token-server.py:generic-api-key:20
+76fc9f43ea8612dd50344a53b69b43b7eb650e04:archive/cookbook/android-labs/docs/LIVEKIT-DEPLOYMENT-GUIDE.md:curl-auth-header:373
+76fc9f43ea8612dd50344a53b69b43b7eb650e04:archive/cookbook/android-labs/cookbooks/agent-template-writing.md:generic-api-key:383
+76fc9f43ea8612dd50344a53b69b43b7eb650e04:archive/cookbook/android-labs/products/privacy-shield/test_shield.py:generic-api-key:34
+76fc9f43ea8612dd50344a53b69b43b7eb650e04:archive/cookbook/android-labs/products/privacy-shield/test_shield.py:generic-api-key:157
+76fc9f43ea8612dd50344a53b69b43b7eb650e04:archive/cookbook/android-labs/products/privacy-shield/test_shield.py:jwt:63
+a3b26dbd450fd0dc5d0651ffa6f21fe20acb1195:archive/cookbook/voice-agent-framework/core/hvac-token-server.py:generic-api-key:19
+a3b26dbd450fd0dc5d0651ffa6f21fe20acb1195:archive/cookbook/voice-agent-framework/core/hvac-token-server.py:generic-api-key:20
+
+# Installer-generated placeholder values (replaced during installation)
+9539512e06bef98b9276e339ef3cb2d6273e8f1f:dream-server/installers/macos/lib/env-generator.sh:generic-api-key:80
+5c5151fe050ac570fb022ccb99d86bda93dfedb2:dream-server/installers/windows/lib/env-generator.ps1:generic-api-key:115
+
+# Configuration examples (default/placeholder values)
+48a1d87d3d155359fb23d7a65d1db55b036b7508:dream-server/config/searxng/settings.yml:generic-api-key:3