21aa81d2b0
14-file blueprint including: - sources.yml with data source provenance - 12 golden contract tests with native-language search terms - 5-6 drift detection anchors - MCP Registry + npm package configs - Vercel deployment config (SMALL tier) - Security policies and issue templates Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
50 lines
1.3 KiB
Markdown
50 lines
1.3 KiB
Markdown
# Security Setup Guide (Internal)
|
|
|
|
## Required Secrets
|
|
|
|
Configure these secrets in the GitHub repository settings:
|
|
|
|
| Secret | Purpose | Source |
|
|
|--------|---------|--------|
|
|
| `NPM_TOKEN` | npm publishing with provenance | npm.js account (Ansvar org) |
|
|
| `VERCEL_TOKEN` | Vercel deployment | Vercel dashboard |
|
|
| `VERCEL_ORG_ID` | Vercel organization | Vercel dashboard |
|
|
| `VERCEL_PROJECT_ID` | Vercel project | Vercel dashboard |
|
|
|
|
## MCP Registry Publishing
|
|
|
|
Registry publishing uses Azure Key Vault for signing:
|
|
|
|
- **Vault:** `kv-ansvar-dev`
|
|
- **Key:** `mcp-registry-signing-key`
|
|
- **Algorithm:** ECDSA P-384
|
|
- **DNS Auth:** `ansvar.eu` TXT record
|
|
|
|
To publish:
|
|
```bash
|
|
mcp-publisher login dns azure-key-vault \
|
|
--domain="ansvar.eu" \
|
|
--vault "kv-ansvar-dev" \
|
|
--key "mcp-registry-signing-key"
|
|
|
|
mcp-publisher publish
|
|
```
|
|
|
|
## Branch Protection
|
|
|
|
Enable these rules on `main`:
|
|
- Require pull request reviews (1 reviewer)
|
|
- Require status checks to pass (ci, contract-tests)
|
|
- Require branches to be up to date
|
|
- Do not allow bypassing the above settings
|
|
|
|
## Security Scanning
|
|
|
|
All 6 scanners are configured in `.github/workflows/ci.yml`:
|
|
- CodeQL (semantic SAST)
|
|
- Semgrep (pattern SAST)
|
|
- Trivy (dependency CVE)
|
|
- Gitleaks (secret detection)
|
|
- Socket Security (supply chain)
|
|
- OSSF Scorecard (security posture)
|