rhysmcneill
diff --git a/‎.dockerignore‎
Lines changed: 1 addition & 1 deletion b/‎.dockerignore‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.gitattributes‎
Lines changed: 1 addition & 0 deletions b/‎.gitattributes‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 1 deletion b/‎.gitignore‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.gitleaks.toml‎
Lines changed: 15 additions & 0 deletions b/‎.gitleaks.toml‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎.pre-commit-config.yaml‎
Lines changed: 14 additions & 0 deletions b/‎.pre-commit-config.yaml‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎internal/config/config.go‎
Lines changed: 44 additions & 21 deletions b/‎internal/config/config.go‎
Lines changed: 44 additions & 21 deletions
diff --git a/‎internal/database/audit.sql.go‎
Lines changed: 47 additions & 0 deletions b/‎internal/database/audit.sql.go‎
Lines changed: 47 additions & 0 deletions
diff --git a/‎internal/database/database.go‎
Lines changed: 4 additions & 0 deletions b/‎internal/database/database.go‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎internal/database/querier.go‎
Lines changed: 1 addition & 0 deletions b/‎internal/database/querier.go‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎internal/database/queries/audit.sql‎
Lines changed: 9 additions & 0 deletions b/‎internal/database/queries/audit.sql‎
Lines changed: 9 additions & 0 deletions
@@ -18,7 +18,7 @@ node_modules/
 vendor/
 
 # Docker secrets
-docker/secrets/*.txt
+docker/secrets/*
 
 # CSS output (generated file)
 web/static/css/output.css
 
@@ -0,0 +1 @@
+docker/secrets/** filter=git-crypt diff=git-crypt
@@ -25,7 +25,7 @@ tmp/
 .air.toml
 
 # Docker secrets
-docker/secrets/*.txt
+docker/secrets/
 
 # HMRC files
 docs/*.json
 
@@ -0,0 +1,15 @@
+title = "Dividr Gitleaks Config"
+
+[extend]
+useDefault = true
+
+# Block specific paths - these should NEVER contain secrets
+[[rules]]
+id = "block-secrets-folder"
+description = "Prevent committing docker/secrets/ directory"
+path = '''docker/secrets/'''
+
+[[rules]]
+id = "block-test-data"
+description = "Prevent committing test data with credentials"
+path = '''docs/.*\.json$'''
@@ -29,6 +29,20 @@ repos:
         pass_filenames: false
         files: \.go$
 
+      - id: block-secrets-folder
+        name: Block docker/secrets/ directory
+        entry: bash -c 'if git diff --cached --name-only | grep -q "^docker/secrets/"; then echo "ERROR - Files in docker/secrets/ should never be committed!"; exit 1; fi'
+        language: system
+        pass_filenames: false
+        always_run: true
+
+      - id: block-test-data
+        name: Block test data files
+        entry: bash -c 'if git diff --cached --name-only | grep -qE "^docs/.*\.json$"; then echo "ERROR - Test data files in docs/ should never be committed!"; exit 1; fi'
+        language: system
+        pass_filenames: false
+        always_run: true
+
   # General file quality
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v2.3.0
 
@@ -12,39 +12,41 @@ import (
 )
 
 type Config struct {
-	AppEnv           string
-	Port             string
-	DatabaseURL      string
-	LogLevel         string
-	DBMaxConns       int           // Default: 10
-	DBMinConns       int           // Default: 2
-	DBMaxConnIdle    time.Duration // Default: 30 minutes
-	HMRCRedirectURL  string
-	HMRCClientID     string
-	HMRCClientSecret string
+	AppEnv             string
+	Port               string
+	DatabaseURL        string
+	LogLevel           string
+	DBMaxConns         int           // Default: 10
+	DBMinConns         int           // Default: 2
+	DBMaxConnIdle      time.Duration // Default: 30 minutes
+	HMRCRedirectURL    string
+	HMRCClientID       string
+	HMRCClientSecret   string
+	TokenEncryptionKey string
 }
 
 func Load() *Config {
 	// Load .env file if it exists (silently fails if not found)
 	_ = godotenv.Load()
 
 	return &Config{
-		AppEnv:           getEnv("APP_ENV", "dev"),
-		Port:             getEnv("PORT", "8080"),
-		DatabaseURL:      buildDatabaseURL(),
-		LogLevel:         getEnv("LOG_LEVEL", "DEBUG"),
-		DBMaxConns:       getEnvInt("DB_MAX_CONNS", 10),
-		DBMinConns:       getEnvInt("DB_MIN_CONNS", 2),
-		DBMaxConnIdle:    getEnvDuration("DB_MAX_CONN_IDLE", 30*time.Minute),
-		HMRCRedirectURL:  getEnv("HMRC_REDIRECT_URL", "http://localhost:8080/auth/hmrc/callback"),
-		HMRCClientID:     getEnv("HMRC_CLIENT_ID", ""),
-		HMRCClientSecret: getHMRCCLientSecret(),
+		AppEnv:             getEnv("APP_ENV", "dev"),
+		Port:               getEnv("PORT", "8080"),
+		DatabaseURL:        buildDatabaseURL(),
+		LogLevel:           getEnv("LOG_LEVEL", "DEBUG"),
+		DBMaxConns:         getEnvInt("DB_MAX_CONNS", 10),
+		DBMinConns:         getEnvInt("DB_MIN_CONNS", 2),
+		DBMaxConnIdle:      getEnvDuration("DB_MAX_CONN_IDLE", 30*time.Minute),
+		HMRCRedirectURL:    getEnv("HMRC_REDIRECT_URL", "http://localhost:8080/auth/hmrc/callback"),
+		HMRCClientID:       getEnv("HMRC_CLIENT_ID", ""),
+		HMRCClientSecret:   getHMRCCLientSecret(),
+		TokenEncryptionKey: getCryptoKey(),
 	}
 }
 
 func getEnv(key, defaultValue string) string {
 	if value, exists := os.LookupEnv(key); exists {
-		return value
+		return strings.TrimSpace(value)
 	}
 	return defaultValue
 }
@@ -112,6 +114,27 @@ func getHMRCCLientSecret() string {
 	return getEnv("HMRC_CLIENT_SECRET", "")
 }
 
+func getCryptoKey() string {
+	// Try Docker secret first
+	secretPath := "/run/secrets/crypto_key"
+	if data, err := os.ReadFile(secretPath); err == nil {
+		return strings.TrimSpace(string(data))
+	}
+
+	// Try local file for development convenience
+	localSecretPath := "docker/secrets/.crypto_key"
+	if data, err := os.ReadFile(localSecretPath); err == nil {
+		return strings.TrimSpace(string(data))
+	}
+	cwd, _ := os.Getwd()
+	slog.Info("debug: attempting to load secret",
+		"current_dir", cwd,
+		"target_path", localSecretPath,
+	)
+	// Fallback to env var
+	return getEnv("TOKEN_ENCRYPTION_KEY", "")
+}
+
 // getEnvInt reads an integer from env or returns default
 func getEnvInt(key string, defaultVal int) int {
 	if v, exists := os.LookupEnv(key); exists {
 
@@ -28,6 +28,10 @@ func Connect(cfg *config.Config) (*Service, error) {
 		return nil, fmt.Errorf("unable to connect to database: %w", err)
 	}
 
+	pool.Config().MaxConns = int32(cfg.DBMaxConns)
+	pool.Config().MinConns = int32(cfg.DBMinConns)
+	pool.Config().MaxConnIdleTime = cfg.DBMaxConnIdle
+
 	// 2. Fast Ping to verify
 	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
 	defer cancel()
 
@@ -0,0 +1,9 @@
+-- name: CreateAuditEvent :one
+INSERT INTO audit_events (
+    user_id,
+    event_type,
+    ip_address,
+    details
+) VALUES (
+    $1, $2, $3, $4
+) RETURNING id, created_at;
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+docker/secrets/** filter=git-crypt diff=git-crypt`