Merged
90 commits
d37a87e
fix: update upload-artifact-version to v4 and artifact name in scorec…
KambleSahil3 Jun 25, 2025
f5ce197
feat: otel and signoz implementation (#1297)
tipusinghaw Jun 27, 2025
fca8aba
feat: single sign on (#1305)
bhavanakarwade Jul 1, 2025
0ca57b2
feat/added org name for get all schema api's response
sujitaw Jul 11, 2025
8557feb
wip/fixed email not saving on verification request
sujitaw Jul 15, 2025
e5b3611
feat/added their label for connections to show in verification table
sujitaw Jul 15, 2025
2e4e6fd
Merge pull request #1314 from credebl/feat/include_org_name_in_all_sc…
sujitaw Jul 16, 2025
1cc84f0
Merge pull request #1367 from credebl/develop
shitrerohit Jul 22, 2025
9aa5c8f
fix/schema migration
sujitaw Jul 24, 2025
cb2a713
Merge pull request #1315 from credebl/fix/email_data_from_proofs_api
sujitaw Jul 24, 2025
97a2b7e
feat/updated connection for credentials with connection table
sujitaw Jul 24, 2025
38005c5
Merge pull request #1370 from credebl/feat/add_connection_label_to_cr…
sujitaw Jul 25, 2025
97af95a
Merge pull request #1373 from credebl/develop
sujitaw Jul 30, 2025
855603d
feat: refactor agent endpoint for token (#1375)
tipusinghaw Aug 5, 2025
255236a
refactor: changes agent endpoint (#1378)
tipusinghaw Aug 6, 2025
2593951
refactor: schema id in get schema (#1379)
tipusinghaw Aug 7, 2025
9deb93a
refactor: token API for tenant and create keypair (#1380)
tipusinghaw Aug 7, 2025
b45186f
feat: update workflow file to build and push multi-architecture Docke…
KambleSahil3 Aug 7, 2025
4481091
fix: DCO remediation ability (#1382)
GHkrishna Aug 7, 2025
732ac88
feat: added env key in sample and demo file (#1384)
tipusinghaw Aug 7, 2025
1fb387f
Merge pull request #1381 from credebl/develop
tipusinghaw Aug 7, 2025
ff3c273
fix: agent auth issue due to incorrect token (#1388)
GHkrishna Aug 12, 2025
4816fb6
fix/all schema api
sujitaw Aug 13, 2025
c023f07
Merge pull request #1389 from credebl/fix/all_schemas_selection
sujitaw Aug 13, 2025
addfec5
fix: taking variable value from env
bhavanakarwade Jul 16, 2025
804c0b9
wip: implemented fetch session details api
bhavanakarwade Jul 23, 2025
1a183c0
fix: added pnpm file
bhavanakarwade Jul 23, 2025
541f603
wip: fetch session details
bhavanakarwade Jul 24, 2025
ecfac3d
wip: fetch session details
bhavanakarwade Jul 24, 2025
ff8aef3
fix: encryption issues
bhavanakarwade Jul 25, 2025
b136932
fix:Added relation between session and account table
shitrerohit Jul 29, 2025
c4d66f2
wip: update session
bhavanakarwade Jul 29, 2025
1b4b699
fix: Flow modification in generate token using clientId and secret API
shitrerohit Jul 30, 2025
ddbfb57
feat: implemented destroy session functionality
bhavanakarwade Jul 31, 2025
97d8f79
fix:worked on generate client token API related workflow
shitrerohit Jul 31, 2025
b19ec58
account and session table related migration added
shitrerohit Jul 31, 2025
48ab913
fix:modification in session creation and account creation
shitrerohit Jul 31, 2025
9751adc
fix:modified the client login credential method response
shitrerohit Jul 31, 2025
c6b330b
fix:update fetch owner org details query
shitrerohit Jul 31, 2025
084a268
WIP:refresh token flow modification
shitrerohit Aug 4, 2025
d0a6267
fix: session id decoding issue
bhavanakarwade Aug 6, 2025
d616a85
fix:store correct account details issue
shitrerohit Aug 11, 2025
504e4c3
Merge pull request #1391 from credebl/develop
GHkrishna Aug 13, 2025
fe5fbad
Merge pull request #1320 from credebl/feat/database-strategy
shitrerohit Aug 18, 2025
79fa61f
fix/schema name save for connection and email
sujitaw Aug 19, 2025
b301496
Merge branch 'develop' of https://github.com/credebl/platform into fi…
sujitaw Aug 19, 2025
a2e2f4b
Merge pull request #1393 from credebl/develop
shitrerohit Aug 19, 2025
efd4276
fix/issues in the flow
sujitaw Aug 20, 2025
679cfcd
added missing constants file update
sujitaw Aug 21, 2025
3e00a4e
fix/resolved comments
sujitaw Aug 22, 2025
759dd3b
fix/change name in error for updateSchemaId
sujitaw Aug 22, 2025
fa7886f
Merge pull request #1395 from credebl/fix/schema_name_for_w3c_credent…
sujitaw Aug 22, 2025
89caf05
fix:changes in accept invitation url
shitrerohit Aug 24, 2025
92238cd
Merge pull request #1398 from credebl/fix/accept-invitation-issue
shitrerohit Aug 25, 2025
4189aa1
Merge pull request #1399 from credebl/develop
sujitaw Aug 25, 2025
ab9fb63
WIP:create account and session workflow modification
shitrerohit Aug 23, 2025
820863a
fix:add exp logic in jwt strategy
shitrerohit Aug 25, 2025
0012787
Merge pull request #1402 from credebl/fix/create-account-problem
shitrerohit Aug 25, 2025
d4c1523
fix: session logic for passkey flow (#1404)
pranalidhanavade Aug 26, 2025
79ada17
feat: Updated search parameter for Credentials and Verification api (…
sujitaw Aug 26, 2025
bdb89f2
fix: Issue for wallet creation with existing DID and Seed (#1394)
sujitaw Aug 26, 2025
b19590c
Third-Party DCO Remediation Commit for sujitaw <sujit.sutar@ayanworks…
sujitaw Aug 27, 2025
5e650c2
Third-Party DCO Remediation Commit for sujitaw <sujit.sutar@ayanworks…
sujitaw Aug 27, 2025
c4b4c7b
Merge pull request #1409 from credebl/fix/dco_fix_via_remediation
sujitaw Aug 27, 2025
f08f732
Merge pull request #1405 from credebl/develop
shitrerohit Aug 27, 2025
f93c933
fix:resolved user not found error on login
shitrerohit Aug 28, 2025
847e366
Merge pull request #1410 from credebl/fix/user-not-found-issue
shitrerohit Aug 28, 2025
90cf16a
fix/badge issuance error for non wallet issuance (#1411)
sujitaw Aug 29, 2025
2ca4baa
Third-Party DCO Remediation Commit for sujitaw <sujit.sutar@ayanworks…
sujitaw Aug 29, 2025
a6b69fd
Merge pull request #1414 from credebl/fix/dco_issue_through_remediation
sujitaw Aug 29, 2025
7600413
Merge pull request #1412 from credebl/develop
sujitaw Aug 29, 2025
19975c9
WIP:delete inactive sessions
shitrerohit Aug 28, 2025
bd4cc44
Added delete inactive session functionality during login
shitrerohit Aug 29, 2025
7f4071b
Added logs for delete inactive session
shitrerohit Aug 29, 2025
bf52105
Merge pull request #1415 from credebl/fix/inactive-session-deletion
shitrerohit Aug 29, 2025
c609bf1
Merge pull request #1416 from credebl/develop
shitrerohit Aug 30, 2025
055d9bb
feat/credo-spinup-script (#1417)
KambleSahil3 Sep 1, 2025
9a38856
Merge pull request #1419 from credebl/develop
KambleSahil3 Sep 1, 2025
3119cc7
fix/verify credentials api (#1420)
sujitaw Sep 1, 2025
2a446e6
Merge pull request #1421 from credebl/develop
sujitaw Sep 1, 2025
dc24f10
fix:sonar cloud related issues
shitrerohit Sep 2, 2025
803d7eb
Merge pull request #1422 from credebl/fix/resolve-sonar-cloud-issues
shitrerohit Sep 2, 2025
a91f3e6
fix:removed sonar cloud issue related changes
shitrerohit Sep 2, 2025
230dc9a
Merge pull request #1423 from credebl/fix/tracer-file-issue
shitrerohit Sep 2, 2025
18d1086
Merge pull request #1424 from credebl/develop
shitrerohit Sep 2, 2025
4703492
fix:sonar cloud issues
shitrerohit Sep 2, 2025
d748d20
Merge pull request #1425 from credebl/fix/sonar-cloud-issues
shitrerohit Sep 2, 2025
2571b42
Merge pull request #1426 from credebl/develop
shitrerohit Sep 2, 2025
c43f3c2
feat/credo-spinup-script (#1427)
KambleSahil3 Sep 8, 2025
00498a5
Merge pull request #1431 from credebl/develop
KambleSahil3 Sep 8, 2025
45 changes: 43 additions & 2 deletions .env.demo
Expand Up @@ -110,7 +110,7 @@ KEYCLOAK_MANAGEMENT_CLIENT_ID=adminClient
KEYCLOAK_MANAGEMENT_CLIENT_SECRET=
KEYCLOAK_REALM=credebl-platform

SCHEMA_FILE_SERVER_URL='https://schema.credebl.id/schemas/'
SCHEMA_FILE_SERVER_URL=
SCHEMA_FILE_SERVER_TOKEN=

GEO_LOCATION_MASTER_DATA_IMPORT_SCRIPT=/prisma/scripts/geo_location_data_import.sh
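Review bot: SCHEMA_FILE_SERVER_URL is left without a value in the demo file, and docker_start_agent.sh in this same PR writes a variable of that name into the agent config as schemaFileServerURL, so a demo brought up from this file unchanged has no schema server to point at. Either keep a usable demo value or add a comment on this line saying it must be set before the agent is provisioned.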
Expand Down Expand Up @@ -145,4 +145,45 @@ APP=api
#Schema-file-server
APP_PORT=4000
JWT_TOKEN_SECRET=
ISSUER=Credebl
ISSUER=Credebl

#Signoz and OTel
IS_ENABLE_OTEL=false
OTEL_SERVICE_NAME='CREDEBL-PLATFORM-SERVICE'
OTEL_SERVICE_VERSION='1.0.0'
OTEL_TRACES_OTLP_ENDPOINT='http://localhost:4318/v1/traces'
OTEL_LOGS_OTLP_ENDPOINT='http://localhost:4318/v1/logs'
OTEL_HEADERS_KEY=88ca6b1XXXXXXXXXXXXXXXXXXXXXXXXXXX
OTEL_LOGGER_NAME='credebl-platform-logger'
HOSTNAME='localhost'
SESSIONS_LIMIT=10
# SSO
APP_PROTOCOL=http
#To add more clients, simply copy the variable below and change the word 'CREDEBL' to your client's name.
CREDEBL_CLIENT_ALIAS=CREDEBL
CREDEBL_DOMAIN=http://localhost:3000
CREDEBL_KEYCLOAK_MANAGEMENT_CLIENT_ID= #Provide the value in its encrypted form using CRYPTO_PRIVATE_KEY.
CREDEBL_KEYCLOAK_MANAGEMENT_CLIENT_SECRET= #Provide the value in its encrypted form using CRYPTO_PRIVATE_KEY.
# To add more clients, simply add comma separated values of client names
SUPPORTED_SSO_CLIENTS=CREDEBL

# Key for agent base wallet
AGENT_API_KEY='supersecret-that-too-16chars'

# To add more client add the following variables for each additional client.
# Replace the `CLIENT-NAME` with the appropriate client name as added in `SUPPORTED_SSO_CLIENTS`
# Default client will not need the following details

# CLIENT-NAME_CLIENT_ALIAS=VERIFIER
# # Domain represents the redirection url once the client logs-in
# # TODO: Can be taken from keycloak instead
# CLIENT-NAME_DOMAIN=https://VERIFIER-domain.com
# # Encrypted client credentials using the `CRYPTO_PRIVATE_KEY`
# CLIENT-NAME_KEYCLOAK_MANAGEMENT_CLIENT_ID=
# CLIENT-NAME_KEYCLOAK_MANAGEMENT_CLIENT_SECRET=

# Sample values:
# VERIFIER_CLIENT_ALIAS=VERIFIER
# VERIFIER_DOMAIN=https://VERIFIER-domain.com
# VERIFIER_KEYCLOAK_MANAGEMENT_CLIENT_ID=encryptedKeyCloakClientId
# VERIFIER_KEYCLOAK_MANAGEMENT_CLIENT_SECRET=encryptedKeyCloakClientSecret
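Review bot: AGENT_API_KEY is committed with a usable-looking value ('supersecret-that-too-16chars'), so every deployment started from .env.demo without editing it shares the same agent key. Leave it empty like KEYCLOAK_MANAGEMENT_CLIENT_SECRET= and JWT_TOKEN_SECRET= above, and put any minimum-length requirement in the comment instead of in the value. OTEL_HEADERS_KEY=88ca6b1XXXX... also keeps what reads as the prefix of a real key; a fully neutral placeholder avoids the question of whether that key needs rotating.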
44 changes: 42 additions & 2 deletions .env.sample
Expand Up @@ -153,7 +153,7 @@ SCHEMA_FILE_SERVER_URL= // Please provide schema URL
SCHEMA_FILE_SERVER_TOKEN=xxxxxxxx // Please provide schema file server token for polygon

FILEUPLOAD_CACHE_TTL= //Provide file upload cache ttl

SESSIONS_LIMIT= //Provide limits of sessions
FIELD_UPLOAD_SIZE= //Provide field upload size

IS_ECOSYSTEM_ENABLE= //Set this flag to `true` to enable the ecosystem, or `false` to disable it.
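Review bot: SESSIONS_LIMIT has no stated scope or fallback. The comment "Provide limits of sessions" does not say whether the limit is per user or global, or what happens when the value is left empty as it is here, while .env.demo sets 10. State the scope and a recommended value in the comment, and make sure an empty value cannot be read as "no limit".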
Expand All @@ -166,4 +166,44 @@ ELK_PASSWORD=xxxxxx // ELK user password

ORGANIZATION=credebl
CONTEXT=platform
APP=api
APP=api

IS_ENABLE_OTEL=false # Flag to enable/disable OpenTelemetry (true = enabled, false = disabled)
OTEL_SERVICE_NAME='CREDEBL-PLATFORM-SERVICE' # Logical name of the service shown in observability tools (e.g., SigNoz)
OTEL_SERVICE_VERSION='1.0.0' # Version of the service; helps in tracking changes over time
OTEL_TRACES_OTLP_ENDPOINT='http://localhost:4318/v1/traces' # Endpoint where traces are exported (OTLP over HTTP)
OTEL_LOGS_OTLP_ENDPOINT='http://localhost:4318/v1/logs' # Endpoint where logs are exported (OTLP over HTTP)
OTEL_HEADERS_KEY=88ca6b1XXXXXXXXXXXXXXXXXXXXXXXXXXX # API key or token used for authenticating with the OTel collector (e.g., SigNoz)
OTEL_LOGGER_NAME='credebl-platform-logger' # Name of the logger used for OpenTelemetry log records
HOSTNAME='localhost' # Hostname or unique identifier for the service instance

# SSO
#To add more clients, simply copy the variable below and change the word 'CREDEBL' to your client's name.
CREDEBL_CLIENT_ALIAS=CREDEBL
CREDEBL_DOMAIN=http://localhost:3000
CREDEBL_KEYCLOAK_MANAGEMENT_CLIENT_ID= #Provide the value in its encrypted form using CRYPTO_PRIVATE_KEY.
CREDEBL_KEYCLOAK_MANAGEMENT_CLIENT_SECRET= #Provide the value in its encrypted form using CRYPTO_PRIVATE_KEY.
# To add more clients, simply add comma separated values of client names
SUPPORTED_SSO_CLIENTS=CREDEBL
APP_PROTOCOL=

# Key for agent base wallet
AGENT_API_KEY='supersecret-that-too-16chars'

# To add more client add the following variables for each additional client.
# Replace the `CLIENT-NAME` with the appropriate client name as added in `SUPPORTED_SSO_CLIENTS`
# Default client will not need the following details

# CLIENT-NAME_CLIENT_ALIAS=MYAPP
# # Domain represents the redirection url once the client logs-in
# # TODO: Can be taken from keycloak instead
# CLIENT-NAME_DOMAIN=https://myapp.com
# # Encrypted client credentials using the `CRYPTO_PRIVATE_KEY`
# CLIENT-NAME_KEYCLOAK_MANAGEMENT_CLIENT_ID=
# CLIENT-NAME_KEYCLOAK_MANAGEMENT_CLIENT_SECRET

# Sample values:
# VERIFIER_CLIENT_ALIAS=VERIFIER
# VERIFIER_DOMAIN=https://VERIFIER-domain.com
# VERIFIER_KEYCLOAK_MANAGEMENT_CLIENT_ID=encryptedKeyCloakClientId
# VERIFIER_KEYCLOAK_MANAGEMENT_CLIENT_SECRET=encryptedKeyCloakClientSecret
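Review bot: the trailing comments on CREDEBL_KEYCLOAK_MANAGEMENT_CLIENT_ID= and CREDEBL_KEYCLOAK_MANAGEMENT_CLIENT_SECRET= sit on the same line as an empty value, so any loader that does not strip inline comments will hand the text "#Provide the value in its encrypted form ..." to the decryption step as if it were the ciphertext. Move these comments to their own lines, and pick one comment style, since the new lines use # while the existing lines in this file use //. The commented template line CLIENT-NAME_KEYCLOAK_MANAGEMENT_CLIENT_SECRET is also missing its "=", unlike the same line in .env.demo, and AGENT_API_KEY carries the same committed default as in .env.demo.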
2 changes: 1 addition & 1 deletion .eslintrc.js
Expand Up @@ -101,4 +101,4 @@ module.exports = {
'prefer-template': 'error',
quotes: ['warn', 'single', { allowTemplateLiterals: true }]
}
};
};
3 changes: 3 additions & 0 deletions .github/dco.yml
@@ -0,0 +1,3 @@
allowRemediationCommits:
individual: true
thirdParty: true
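Review bot: thirdParty: true lets someone other than the commit author add the sign-off remediation on the author's behalf, which is a weaker attestation than the author's own Signed-off-by, and the commit list of this PR already shows it in use ("Third-Party DCO Remediation Commit for sujitaw ..."). If that is intended, document in the contributing guide who may file third-party remediations and on what authority; otherwise keep only individual: true.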
Comment on lines +1 to +3

💡 Verification agent

🧩 Analysis chain

Confirm DCO app supports these keys and that org repo has the app installed

The keys allowRemediationCommits.individual and .thirdParty look plausible but DCO config schemas vary by app. Please verify the GitHub App you use for DCO enforcement recognizes these options, otherwise the config will be ignored.

To validate quickly:

You can also confirm the exact config keys with a quick web check:


🏁 Script executed:

#!/bin/bash
# 1) Confirm the DCO app is installed on this repo (requires gh auth with repo scope)
OWNER_REPO="$(gh repo view --json nameWithOwner -q .nameWithOwner)"
echo "Repo: $OWNER_REPO"
echo "Installed GitHub Apps:"
gh api repos/$OWNER_REPO/installations | jq -r '.installations[].app_slug'

# 2) Open a throwaway PR from a fork without Signed-off-by to see if a remediation commit is offered/applied.
echo "Create a test PR from a fork lacking DCO sign-off and observe the bot behavior."

Length of output: 528


🌐 Web query:

What is the supported configuration schema for the GitHub DCO app (probot/dco)? Does it support allowRemediationCommits with individual and thirdParty flags in .github/dco.yml?

💡 Result:

Yes. The probot DCO app supports a .github/dco.yml schema that includes an allowRemediationCommits block with boolean flags individual and thirdParty. Example forms:

  • Enable individual remediation:
    allowRemediationCommits:
      individual: true

  • Enable third‑party remediation (requires individual: true):
    allowRemediationCommits:
      individual: true
      thirdParty: true

(Other options such as require: members: false are also supported.) [1][2]


Install or enable the GitHub DCO App
The keys allowRemediationCommits.individual and thirdParty are valid for the probot DCO schema, but the GH CLI call (gh api repos/credebl/platform/installations) returned 404, indicating the DCO app isn’t installed or authorized on this repo. Please install or enable the DCO GitHub App to enforce these settings.

🤖 Prompt for AI Agents
.github/dco.yml lines 1-3: The repository config references
allowRemediationCommits.individual and thirdParty for the DCO app but the DCO
GitHub App is not installed/authorized (GH API returned 404); install or enable
the GitHub DCO App for this repository/org via the GitHub Marketplace or org App
settings and authorize it for this repo so those settings take effect, or if you
don't intend to use the DCO app remove those keys from .github/dco.yml and
update the workflow/README to reflect the chosen enforcement method.

9 changes: 8 additions & 1 deletion .github/workflows/continuous-delivery.yml
Expand Up @@ -44,6 +44,12 @@ jobs:
id: get_tag
run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

Comment on lines +47 to +52

💡 Verification agent

🧩 Analysis chain

Pin Docker actions to commit SHAs

Pin setup-qemu and setup-buildx to full-length SHAs instead of floating major tags.

I can fetch and pin the current SHAs and open a follow-up patch; confirm if you want this done now.


🏁 Script executed:

#!/bin/bash
echo "setup-qemu-action v3 SHA:"
curl -s https://api.github.com/repos/docker/setup-qemu-action/git/refs/tags/v3 \
  | grep -m1 '"sha"' \
  | sed -E 's/.*"sha": "([^"]+)".*/\1/'

echo "setup-buildx-action v3 SHA:"
curl -s https://api.github.com/repos/docker/setup-buildx-action/git/refs/tags/v3 \
  | grep -m1 '"sha"' \
  | sed -E 's/.*"sha": "([^"]+)".*/\1/'

Length of output: 485


Pin Docker actions to exact SHAs

.github/workflows/continuous-delivery.yml
@@ -47,6 +47,6 @@

  • uses: docker/setup-qemu-action@v3
  • uses: docker/setup-buildx-action@v3
🤖 Prompt for AI Agents
.github/workflows/continuous-delivery.yml around lines 47 to 52: the workflow
references docker/setup-qemu-action@v3 and docker/setup-buildx-action@v3
(floating tags); update both uses to pinned commit SHAs to ensure reproducible
builds and supply the exact SHAs shown in the comment (replace
docker/setup-qemu-action@v3 with
docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 and replace
docker/setup-buildx-action@v3 with
docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435).

- name: Log in to GitHub Container Registry
uses: docker/login-action@v3
with:
Expand All @@ -57,6 +63,7 @@ jobs:
context: .
file: Dockerfiles/Dockerfile.${{ matrix.service }}
push: true
platforms: linux/amd64,linux/arm64
tags: |
${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.service }}:${{ env.TAG }}
${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.service }}:latest
${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.service }}:latest
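Review bot: with platforms: linux/amd64,linux/arm64 and push: true in the same step, the arm64 variant is built under the QEMU emulation added earlier in this file and published under both the version tag and :latest without any visible step that runs it first. Consider building and smoke-testing the arm64 image before the push, or moving the :latest tag to a later step that runs only after that check, so a broken emulated build cannot replace :latest for arm64 users.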
4 changes: 2 additions & 2 deletions .github/workflows/scorecard.yml
Expand Up @@ -59,9 +59,9 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
uses: actions/upload-artifact@v4

💡 Verification agent

🧩 Analysis chain

Pin upload-artifact to a commit SHA for Supply-Chain hardening

Use a full-length commit SHA instead of a floating tag to satisfy Scorecard’s Pinned-Dependencies check.

Would you like me to generate a PR-ready patch with the latest v4 commit SHA pinned? I can also add step-security/harden-runner for network egress locking.


🏁 Script executed:

#!/bin/bash
# Verify usage of floating tag for upload-artifact action
rg -nP "actions/upload-artifact@v4" -C3 .github/workflows/scorecard.yml || echo "No match found"

Length of output: 394


Pin upload-artifact action to a full commit SHA
In .github/workflows/scorecard.yml:62, replace

uses: actions/upload-artifact@v4

with a specific commit SHA (e.g. actions/upload-artifact@<full-commit-sha>) so OpenSSF Scorecard’s Pinned-Dependencies check passes.

🤖 Prompt for AI Agents
In .github/workflows/scorecard.yml around line 62, the workflow uses the
floating tag "actions/upload-artifact@v4"; replace this with the action pinned
to a full commit SHA (for example actions/upload-artifact@<full-commit-sha>) by
updating the uses line to reference the exact commit SHA for the upload-artifact
action to satisfy the OpenSSF Scorecard Pinned-Dependencies check.

with:
name: SARIF file
name: sarif-file
path: results.sarif
retention-days: 5
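Review bot: the upload-artifact line that this hunk replaces was already pinned to a full commit SHA with a version comment (actions/upload-artifact@97a0fba... # v3.pre.node20), so moving to @v4 drops a pin in the very workflow that scores pinning. Keep the same form for the new version, that is the v4 commit SHA followed by a "# v4.x.y" comment. The rename from "SARIF file" to "sarif-file" is fine on its own, but anything that downloads this artifact by name needs the new name.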

2 changes: 2 additions & 0 deletions Dockerfiles/Dockerfile.agent-provisioning
Expand Up @@ -9,6 +9,7 @@ RUN set -eux \
aws-cli \
docker \
docker-compose \
jq \
&& npm install -g pnpm --ignore-scripts \
&& export PATH=$PATH:/usr/lib/node_modules/pnpm/bin \
&& rm -rf /var/cache/apk/*
Expand Down Expand Up @@ -46,6 +47,7 @@ RUN set -eux \
aws-cli \
docker \
docker-compose \
jq \
&& npm install -g pnpm --ignore-scripts \
&& export PATH=$PATH:/usr/lib/node_modules/pnpm/bin \
&& rm -rf /var/cache/apk/*
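Review bot: jq is appended to two identical apk package lists (here and in the earlier hunk), so the tool set has to be kept in sync by hand in both RUN blocks. If only the final image runs the provisioning scripts that need jq, add it there only; otherwise hold the package list in one ARG and reference it from both blocks.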
18 changes: 11 additions & 7 deletions apps/agent-provisioning/AFJ/scripts/docker_start_agent.sh
Expand Up @@ -17,6 +17,13 @@ PROTOCOL=${12}
TENANT=${13}
AFJ_VERSION=${14}
INDY_LEDGER=${15}
INBOUND_ENDPOINT=${16}
SCHEMA_FILE_SERVER_URL=${17}
AGENT_API_KEY=${18}
ADMIN_PORT_FILE="$PWD/agent-provisioning/AFJ/port-file/last-admin-port.txt"
INBOUND_PORT_FILE="$PWD/agent-provisioning/AFJ/port-file/last-inbound-port.txt"
ADMIN_PORT=8001
INBOUND_PORT=9001

Comment on lines +20 to 27

💡 Verification agent

🧩 Analysis chain

AGENT_API_KEY added: ensure it’s used consistently

You accept AGENT_API_KEY but do not mask it in logs and do not validate presence.

Run-time check:


🏁 Script executed:

#!/bin/sh
if [ -z "$AGENT_API_KEY" ]; then echo "AGENT_API_KEY is empty"; exit 1; fi

Length of output: 79


Validate and mask AGENT_API_KEY

  • In apps/agent-provisioning/AFJ/scripts/docker_start_agent.sh, immediately after
    AGENT_API_KEY=${18} add a guard:
    if [ -z "$AGENT_API_KEY" ]; then
      echo "error: AGENT_API_KEY is required" >&2
      exit 1
    fi
  • Ensure no logs print the raw API key—mask it (e.g. echo "AGENT_API_KEY=****").
🧰 Tools
🪛 Shellcheck (0.10.0)

[warning] 20-20: INBOUND_ENDPOINT appears unused. Verify use (or export if used externally).

(SC2034)

🤖 Prompt for AI Agents
In apps/agent-provisioning/AFJ/scripts/docker_start_agent.sh around lines 20 to
27, after the AGENT_API_KEY=${18} assignment add a guard that exits with a
non-zero status and writes an error to stderr if AGENT_API_KEY is empty, and
change any subsequent logging so the raw key is never printed (log a masked
value like "AGENT_API_KEY=****" instead); implement the guard and replace or
wrap any echo/printf that would output the key with a masked string.

echo "AGENCY: $AGENCY"
echo "EXTERNAL_IP: $EXTERNAL_IP"
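Review bot: AGENT_API_KEY=${18} takes the secret as a positional command-line argument, which makes it readable to any local user through the process list for as long as the script runs, and adds an eighteenth unnamed position that is easy to shift by one. Pass the key through the environment or a file readable only by the provisioning user, and consider named options for the arguments added here (INBOUND_ENDPOINT, SCHEMA_FILE_SERVER_URL, AGENT_API_KEY).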
Expand All @@ -34,11 +41,6 @@ echo "TENANT: $TENANT"
echo "AFJ_VERSION: $AFJ_VERSION"
echo "INDY_LEDGER: $INDY_LEDGER"

ADMIN_PORT_FILE="$PWD/agent-provisioning/AFJ/port-file/last-admin-port.txt"
INBOUND_PORT_FILE="$PWD/agent-provisioning/AFJ/port-file/last-inbound-port.txt"
ADMIN_PORT=8001
INBOUND_PORT=9001

increment_port() {
local port="$1"
local lower_limit="$2"
Expand Down Expand Up @@ -144,7 +146,9 @@ cat <<EOF >${CONFIG_FILE}
],
"webhookUrl": "$WEBHOOK_HOST/wh/$AGENCY",
"adminPort": $ADMIN_PORT,
"tenancy": $TENANT
"tenancy": $TENANT,
"schemaFileServerURL": "$SCHEMA_FILE_SERVER_URL",
"apiKey": "$AGENT_API_KEY"
}
EOF
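Review bot: "apiKey": "$AGENT_API_KEY" and "schemaFileServerURL": "$SCHEMA_FILE_SERVER_URL" are interpolated into the JSON heredoc unescaped, so a value containing a double quote or backslash produces invalid JSON or extra keys in the agent config. jq is added to the image in this PR, so the file can be built with jq --arg instead of the heredoc. The config file now also holds the key in plain text; create it with a restrictive umask or chmod 600 it before writing.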

Expand Down Expand Up @@ -225,7 +229,7 @@ if [ $? -eq 0 ]; then
container_logs=$(docker logs $(docker ps -q --filter "name=${AGENCY}_${CONTAINER_NAME}"))

# Extract the token from the logs using sed
token=$(echo "$container_logs" | sed -nE 's/.*API Token: ([^ ]+).*/\1/p')
token=$(echo "$container_logs" | sed -nE 's/.*** API Key: ([^ ]+).*/\1/p')

# Print the extracted token
echo "Token: $token"
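Review bot: the token is recovered by scraping docker logs for "API Key:", which means the agent writes the key to its container log, where it persists in the log driver and in whatever collects those logs. Since the key is now supplied by the caller as AGENT_API_KEY in the first hunk of this file, use that variable directly, stop the agent from logging the key, and drop the echo "Token: $token" line so the value does not reach the provisioning output either.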
Comment on lines 231 to 235

🛠️ Refactor suggestion

Fix fragile token extraction

The sed regex with unescaped asterisks is unreliable. Extract by key name.

-token=$(echo "$container_logs" | sed -nE 's/.*** API Key: ([^ ]+).*/\1/p')
+token=$(printf "%s" "$container_logs" | awk -F'API Key: ' '/API Key:/ {print $2}' | awk '{print $1; exit}')

Also avoid echoing the token.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In apps/agent-provisioning/AFJ/scripts/docker_start_agent.sh around lines 231 to
235, the sed expression using unescaped asterisks is fragile and the script
prints the token to stdout; change extraction to reliably parse by the literal
key name and capture the following non-whitespace chunk (for example use grep
-oP 'API Key:\s*\K\S+' or awk -F'API Key: ' '{print $2}' | awk '{print $1}'),
assign that to the token variable, and remove the echo that prints the token so
it is not written to stdout or logs.
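
The extraction by literal key name and the masked logging that the comment above asks for, as an added example that is not code from the PR or from the reviewer. The function names `extract_api_key` and `mask_secret` are hypothetical, the log lines are constructed, and the only format assumption is a line containing `API Key: <value>`, as in the sed pattern in the diff.

```shell
#!/bin/sh
# Added example, not code from the PR. SAMPLE_LOGS is constructed; the only
# format assumption is a line containing "API Key: <value>".
SAMPLE_LOGS='2025-01-01T00:00:00Z INFO agent starting
2025-01-01T00:00:01Z INFO *** API Key: k3y-CONSTRUCTED-0001 ***
2025-01-01T00:00:02Z INFO admin API listening on 8001'

# Read log text on stdin and print the first value that follows the literal
# text "API Key: ". Exits 1 when no such value exists, so callers fail closed.
extract_api_key() {
  awk '
    {
      i = index($0, "API Key: ")        # literal search, no regex metacharacters
      if (i == 0) next
      rest = substr($0, i + length("API Key: "))
      split(rest, parts, /[ \t\r]/)     # the value ends at the first whitespace
      if (parts[1] != "") { print parts[1]; found = 1; exit }
    }
    END { exit(found ? 0 : 1) }
  '
}

# Print a log-safe form of a secret: only the last four characters, and only
# when the secret is long enough that four characters reveal little.
mask_secret() {
  secret=$1
  len=${#secret}
  if [ "$len" -lt 16 ]; then
    printf '****'
  else
    printf '****%s' "$(printf '%s' "$secret" | cut -c "$((len - 3))-")"
  fi
}

# Usage: fail when the key is absent, and log only the masked form.
key=$(printf '%s\n' "$SAMPLE_LOGS" | extract_api_key) || {
  echo "error: no API key found in agent logs" >&2
  exit 1
}
echo "agent key loaded: $(mask_secret "$key")"
```
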
