21aa81d2b0
14-file blueprint including: - sources.yml with data source provenance - 12 golden contract tests with native-language search terms - 5-6 drift detection anchors - MCP Registry + npm package configs - Vercel deployment config (SMALL tier) - Security policies and issue templates Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1.3 KiB
1.3 KiB
Security Setup Guide (Internal)
Required Secrets
Configure these secrets in the GitHub repository settings:
| Secret | Purpose | Source |
|---|---|---|
NPM_TOKEN |
npm publishing with provenance | npm.js account (Ansvar org) |
VERCEL_TOKEN |
Vercel deployment | Vercel dashboard |
VERCEL_ORG_ID |
Vercel organization | Vercel dashboard |
VERCEL_PROJECT_ID |
Vercel project | Vercel dashboard |
MCP Registry Publishing
Registry publishing uses Azure Key Vault for signing:
- Vault:
kv-ansvar-dev - Key:
mcp-registry-signing-key - Algorithm: ECDSA P-384
- DNS Auth:
ansvar.euTXT record
To publish:
mcp-publisher login dns azure-key-vault \
--domain="ansvar.eu" \
--vault "kv-ansvar-dev" \
--key "mcp-registry-signing-key"
mcp-publisher publish
Branch Protection
Enable these rules on main:
- Require pull request reviews (1 reviewer)
- Require status checks to pass (ci, contract-tests)
- Require branches to be up to date
- Do not allow bypassing the above settings
Security Scanning
All 6 scanners are configured in .github/workflows/ci.yml:
- CodeQL (semantic SAST)
- Semgrep (pattern SAST)
- Trivy (dependency CVE)
- Gitleaks (secret detection)
- Socket Security (supply chain)
- OSSF Scorecard (security posture)