8 changes: 8 additions & 0 deletions .env.example
Expand Up @@ -2,5 +2,13 @@ GEMINI_MODEL_CHAT=gemini-2.5-flash
GEMINI_MODEL_DETECTION=gemini-2.5-flash
GEMINI_MODEL_EXTRACTION=gemini-2.5-flash
GEMINI_API_KEY=your_gemini_api_key_here
# PORTAL_SECRET_KEY signs every user session. It MUST be a strong, unique, secret
# value of >= 32 chars (the app refuses to start otherwise). Generate one with:
# python -c "import secrets; print(secrets.token_urlsafe(48))"
# Never commit the real value; keep it in your host's secret manager in production.
PORTAL_SECRET_KEY=replace_with_a_long_random_secret
SENTRY_DSN=your_sentry_dsn_here

# Set to 1 ONLY when running behind a trusted reverse proxy that sets X-Forwarded-For.
# Otherwise leave unset so clients cannot spoof their IP to bypass rate limiting.
TRUST_PROXY=0
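Review bot: The placeholder `PORTAL_SECRET_KEY=replace_with_a_long_random_secret` is 33 characters, so it already satisfies the ">= 32 chars" startup check described in the comment above it; an operator who copies `.env.example` to `.env` without editing gets a running app whose sessions are signed with a published, guessable key. Make the placeholder fail that check so the app refuses to start until a real value is set, e.g. `PORTAL_SECRET_KEY=CHANGE_ME`, or have the startup check additionally reject the example value verbatim. The `TRUST_PROXY` comment says to "leave unset" while the example line sets `TRUST_PROXY=0`; if unset and `0` are equivalent, say so, e.g. `# Unset or 0: the client socket address is used. Set to 1 ONLY behind a trusted reverse proxy that sets X-Forwarded-For.`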
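--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -0,0 +1,28 @@
+name: security
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  audit-and-test:
+    runs-on: ubuntu-latest
+    env:
+      # Tests run with a throwaway secret; never use this anywhere real.
+      PORTAL_SECRET_KEY: ci-unit-test-secret-key-0123456789abcdef0123456789
+      GEMINI_API_KEY: ci-test-key
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+          pip install pip-audit
+      - name: Dependency vulnerability scan
+        run: pip-audit -r requirements.txt
+      - name: Run tests
+        run: pytest -q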
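Review bot: The workflow sets no `permissions:`, so the job's `GITHUB_TOKEN` inherits the repository default, which may carry write scopes that an audit-and-test job never needs; add a top-level `permissions:` block after `name: security`, e.g. `permissions:` / `  contents: read`, so a malicious dependency pulled in by `pip install -r requirements.txt` or a compromised action cannot push or open pull requests with that token. The two actions are referenced by mutable tags (`actions/checkout@v4`, `actions/setup-python@v5`); pinning each to its full commit SHA with the tag in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, prevents a retagged release from changing what runs in CI. Running `pip-audit -r requirements.txt` before `pip install -r requirements.txt` would also fail the job before known-vulnerable packages are installed on the runner, though on an ephemeral runner that is a fail-fast improvement rather than a security boundary.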