From 5e7bef1807a56ef59df3a0dc8563ac98144a7b19 Mon Sep 17 00:00:00 2001 From: Alexander Whitestone Date: Mon, 13 Apr 2026 21:28:39 +0000 Subject: [PATCH] =?UTF-8?q?fix(ci):=20remove=20issue=20template=20from=20w?= =?UTF-8?q?orkflows=20dir=20=E2=80=94=20not=20a=20workflow=20(#461)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../security/security_pr_checklist.yml | 99 ------------------- 1 file changed, 99 deletions(-) delete mode 100644 hermes-sovereign/security/security_pr_checklist.yml diff --git a/hermes-sovereign/security/security_pr_checklist.yml b/hermes-sovereign/security/security_pr_checklist.yml deleted file mode 100644 index 29ee9d15..00000000 --- a/hermes-sovereign/security/security_pr_checklist.yml +++ /dev/null @@ -1,99 +0,0 @@ -name: "🔒 Security PR Checklist" -description: "Use this when your PR touches authentication, file I/O, external API calls, or other sensitive paths." -title: "[Security Review]: " -labels: ["security", "needs-review"] -body: - - type: markdown - attributes: - value: | - ## Security Pre-Merge Review - Complete this checklist before requesting review on PRs that touch **authentication, file I/O, external API calls, or secrets handling**. - - - type: input - id: pr-link - attributes: - label: Pull Request - description: Link to the PR being reviewed - placeholder: "https://forge.alexanderwhitestone.com/Timmy_Foundation/hermes-agent/pulls/XXX" - validations: - required: true - - - type: dropdown - id: change-type - attributes: - label: Change Category - description: What kind of sensitive change does this PR make? - multiple: true - options: - - Authentication / Authorization - - File I/O (read/write/delete) - - External API calls (outbound HTTP/network) - - Secret / credential handling - - Command execution (subprocess/shell) - - Dependency addition or update - - Configuration changes - - CI/CD pipeline changes - validations: - required: true - - - type: checkboxes - id: secrets-checklist - attributes: - label: Secrets & Credentials - options: - - label: No secrets, API keys, or credentials are hardcoded - required: true - - label: All sensitive values are loaded from environment variables or a secrets manager - required: true - - label: Test fixtures use fake/placeholder values, not real credentials - required: true - - - type: checkboxes - id: input-validation-checklist - attributes: - label: Input Validation - options: - - label: All external input (user, API, file) is validated before use - required: true - - label: File paths are validated against path traversal (`../`, null bytes, absolute paths) - - label: URLs are validated for SSRF (blocked private/metadata IPs) - - label: Shell commands do not use `shell=True` with user-controlled input - - - type: checkboxes - id: auth-checklist - attributes: - label: Authentication & Authorization (if applicable) - options: - - label: Authentication tokens are not logged or exposed in error messages - - label: Authorization checks happen server-side, not just client-side - - label: Session tokens are properly scoped and have expiry - - - type: checkboxes - id: supply-chain-checklist - attributes: - label: Supply Chain - options: - - label: New dependencies are pinned to a specific version range - - label: Dependencies come from trusted sources (PyPI, npm, official repos) - - label: No `.pth` files or install hooks that execute arbitrary code - - label: "`pip-audit` passes (no known CVEs in added dependencies)" - - - type: textarea - id: threat-model - attributes: - label: Threat Model Notes - description: | - Briefly describe the attack surface this change introduces or modifies, and how it is mitigated. - placeholder: | - This PR adds a new outbound HTTP call to the OpenRouter API. - Mitigation: URL is hardcoded (no user input), response is parsed with strict schema validation. - - - type: textarea - id: testing - attributes: - label: Security Testing Done - description: What security testing did you perform? - placeholder: | - - Ran validate_security.py — all checks pass - - Tested path traversal attempts manually - - Verified no secrets in git diff