# Security Quick Reference Card

Quick reference for common security tasks in OpenRabbit development.

## ❌ Common Security Mistakes

### 1. Exposing Full Webhook Data
```yaml
# ❌ NEVER DO THIS
env:
  EVENT_DATA: ${{ toJSON(github.event) }}  # Exposes emails, tokens!
```

### 2. Unvalidated User Input
```python
# ❌ NEVER DO THIS
owner, repo = repo_string.split('/')  # No validation!
```

### 3. Hardcoded Secrets
```python
# ❌ NEVER DO THIS
api_key = "sk-1234567890abcdef"  # Hardcoded secret!
```

---

## ✅ Secure Patterns

### 1. Workflow Event Handling
```yaml
# ✅ Use minimal data extraction
run: |
  EVENT_DATA=$(cat <<EOF
  {
    "issue": {"number": ${{ github.event.issue.number }}},
    "comment": {"body": $(echo '${{ github.event.comment.body }}' | jq -Rs .)}
  }
  EOF
  )
  python utils/safe_dispatch.py issue_comment "$REPO" "$EVENT_DATA"
```

### 2. Repository Validation
```python
# ✅ Always validate
from utils.webhook_sanitizer import validate_repository_format

try:
    owner, repo = validate_repository_format(user_input)
except ValueError as e:
    logger.error(f"Invalid repository: {e}")
    return
```

### 3. Webhook Data Sanitization
```python
# ✅ Sanitize before logging
from utils.webhook_sanitizer import sanitize_webhook_data

sanitized = sanitize_webhook_data(event_data)
logger.info(f"Processing event: {sanitized}")
```

### 4. Secret Management
```python
# ✅ Use environment variables
import os

api_key = os.environ.get("OPENAI_API_KEY")
if not api_key:
    raise ValueError("OPENAI_API_KEY not set")
```

---

## 🔍 Pre-Commit Checks

Install once:
```bash
pip install pre-commit
pre-commit install
```

Run manually:
```bash
pre-commit run --all-files
```

Bypass (NOT recommended):
```bash
git commit --no-verify
```

---

## 🛠️ Quick Commands

### Test Security Utilities
```bash
cd tools/ai-review

# Test sanitization
python -c "from utils.webhook_sanitizer import sanitize_webhook_data; \
print(sanitize_webhook_data({'user': {'email': 'test@example.com'}}))"

# Test validation (should fail)
python -c "from utils.webhook_sanitizer import validate_repository_format; \
validate_repository_format('owner/repo; rm -rf /')"
```

### Validate Workflow Files
```bash
# Check for security issues
python tools/ai-review/security/validate_workflows.py .gitea/workflows/*.yml

# Validate YAML syntax
python -c "import yaml; yaml.safe_load(open('.gitea/workflows/ai-comment-reply.yml'))"
```

### Scan for Secrets
```bash
# Check specific file
python tools/ai-review/security/check_secrets.py path/to/file.py

# Scan all Python files
find . -name "*.py" -exec python tools/ai-review/security/check_secrets.py {} \;
```

---

## 📋 Security Checklist

Before committing:
- [ ] No hardcoded secrets in code
- [ ] All user inputs validated
- [ ] Webhook data sanitized before logging
- [ ] Repository format validated
- [ ] Pre-commit hooks pass
- [ ] No full webhook data in environment variables

Before deploying workflow changes:
- [ ] Workflow validated with `validate_workflows.py`
- [ ] YAML syntax valid
- [ ] Input validation present
- [ ] Minimal data extraction used
- [ ] SECURITY.md guidelines followed

---

## 📚 Full Documentation

- **Complete Guide**: `SECURITY.md`
- **Implementation Details**: `SECURITY_FIXES_SUMMARY.md`
- **Developer Guide**: `CLAUDE.md` (Security Best Practices section)

---

## 🚨 Security Issue Found?

1. **DO NOT** create a public issue
2. Review `SECURITY.md` for reporting process
3. Email security contact immediately

---

**Remember**: Security is everyone's responsibility!