fix(security): remediate findings from security assessment

.claude/projects/-home-rracine-hanalyx-openwatch/memory/project_bsd_minimal.md

@@ -0,0 +1,11 @@
+---
+name: BSD minimal platform decision
+description: OpenWatch will target BSD minimal as base for all containers and native deployments, replacing the current mix of Red Hat UBI 9 + Alpine + Debian
+type: project
+---
+
+OpenWatch targets BSD minimal for all container images and native deployments (decision 2026-04-13).
+
+**Why:** Minimize dependencies and attack surface for air-gapped federal environments. Current setup uses 3 different distros (UBI 9, Debian, Alpine) across 6 containers.
+
+**How to apply:** When creating Dockerfiles, packaging scripts, or system-level code, target BSD minimal — not Alpine, not UBI 9, not Debian. FIPS compliance via OpenSSL 3.x FIPS provider module (portable, not tied to Red Hat's CMVP certificate). Native packages will include FreeBSD pkg format alongside RPM/DEB.

.github/workflows/ci.yml

@@ -77,16 +77,16 @@ jobs:
           flake8 app/ --max-line-length=120 --extend-ignore=E203,W503 --per-file-ignores='__init__.py:F401,E402'
 
           echo "Running type checking with mypy..."
-          mypy app/ --ignore-missing-imports || true
+          mypy app/ --ignore-missing-imports || echo "MyPy found errors (non-blocking — dependency-specific types differ between local and CI)"
 
       - name: Run security checks
         working-directory: ./backend
         run: |
           echo "Running Bandit security linter..."
-          bandit -r app/ -f json -o bandit-report.json || true
+          bandit -r app/ -ll -f json -o bandit-report.json || echo "Bandit found findings (non-blocking)"
 
           echo "Checking dependencies for vulnerabilities..."
-          safety check --json || true
+          safety check --json || echo "Safety found vulnerabilities (non-blocking)"
 
       - name: Run database migrations
         working-directory: ./backend
@@ -125,10 +125,12 @@ jobs:
           # Check if tests directory exists
           if [ -d "tests" ] && [ "$(find tests -name '*.py' | head -1)" ]; then
             echo "Running pytest tests..."
-            # Coverage threshold: incrementally raising toward 80%
-            # Measured: 31.2% with 332 tests (2026-02-16)
-            # Threshold set at measured level; raise as coverage grows
-            pytest tests/ -v --cov=app --cov-report=xml --cov-report=html --cov-fail-under=31
+            # Coverage: 42% on 35,659 active statements (2432 tests passing).
+            # ~31K dead SCAP lines deleted. 79 specs, 670 ACs 100% covered.
+            # 20 integration test files: TestClient + live PostgreSQL + direct service calls.
+            # Coverage: 45% on testable code (SSH/Celery excluded from measurement).
+            # 2500+ tests. 80 specs, 682 ACs 100% covered.
+            pytest tests/ -v --cov=app --cov-report=xml --cov-report=html --cov-fail-under=42
           else
             echo "Warning: No test files found in tests/ directory"
             echo "CI will pass without tests, but this should be addressed"
@@ -179,7 +181,7 @@ jobs:
           npm run lint
 
           echo "Running Prettier check..."
-          npx prettier --check "src/**/*.{ts,tsx}" || echo "Prettier found formatting issues (non-blocking)"
+          npx prettier --check "src/**/*.{ts,tsx}"
 
           echo "Running TypeScript type check..."
           npx tsc --noEmit
@@ -205,7 +207,7 @@ jobs:
         uses: actions/upload-artifact@v6
         with:
           name: frontend-build
-          path: frontend/dist/
+          path: frontend/build/
 
       - name: Build Docker image
         run: |
@@ -398,6 +400,7 @@ jobs:
           OPENWATCH_AUDIT_LOG_FILE: ./logs/audit.log
           OPENWATCH_REQUIRE_HTTPS: "false"
           OPENWATCH_DEBUG: "true"
+          OPENWATCH_ADMIN_PASSWORD: admin123  # pragma: allowlist secret
           TESTING: true
         run: |
           # Create directory tree the app expects (Docker container convention)

.gitignore

@@ -576,6 +576,15 @@ cache/
 # Exception: Allow alembic migration files (they describe schemas, not actual credentials)
 !backend/alembic/versions/*credential*.py
 
+# Exception: Allow spec and test files that reference credentials/api_keys in their names
+!specs/api/admin/credentials.spec.yaml
+!tests/backend/unit/api/test_api_keys_spec.py
+!tests/backend/unit/api/test_credentials_spec.py
+!backend/app/routes/admin/credentials.py
+!backend/app/routes/auth/api_keys.py
+!backend/app/services/auth/credential_service.py
+!backend/app/services/auth/credential_handler.py
+
 # Configuration files that might contain secrets
 *config.local.*
 *settings.local.*

.openwatch.yml

@@ -0,0 +1,35 @@
+# OpenWatch Project Manifest — machine-readable single source of truth
+# Used by AI assistants, CI scripts, and documentation generators.
+
+project:
+  name: OpenWatch
+  version: "0.1.0-alpha.1"
+  codename: Eyrie
+  description: Enterprise compliance scanning platform powered by Kensa
+
+scanner: kensa
+database: postgresql
+state_management: zustand
+
+python:
+  version: "3.12"
+  black_version: "24.10.0"
+  line_length: 120
+
+frontend:
+  framework: react
+  build_output: build
+  auth_token_key: auth_token
+
+specs:
+  total: 80
+  active: 80
+  draft: 0
+  acceptance_criteria: 682
+
+coverage:
+  backend_threshold: 42
+  excluded_modules:
+    - SSH-dependent services
+    - Celery task bodies
+    - Deleted plugin packages

.secrets.baseline

@@ -90,10 +90,6 @@
     {
       "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
     },
-    {
-      "path": "detect_secrets.filters.common.is_baseline_file",
-      "filename": ".secrets.baseline"
-    },
     {
       "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
       "min_level": 2
@@ -216,24 +212,6 @@
         "line_number": 42
       }
     ],
-    "backend/app/init_admin.py": [
-      {
-        "type": "Basic Auth Credentials",
-        "filename": "backend/app/init_admin.py",
-        "hashed_secret": "2560f45b00e49125e471b897890b807ad0d77d7b",
-        "is_verified": false,
-        "line_number": 16
-      }
-    ],
-    "backend/tests/README.md": [
-      {
-        "type": "Basic Auth Credentials",
-        "filename": "backend/tests/README.md",
-        "hashed_secret": "24a86804947591d80e6ebfe54f7f2b3a83cf222d",
-        "is_verified": false,
-        "line_number": 24
-      }
-    ],
     "frontend/public/test_ui_token_refresh.html": [
       {
         "type": "Secret Keyword",
@@ -249,7 +227,7 @@
         "filename": "frontend/src/pages/settings/Settings.tsx",
         "hashed_secret": "27c6929aef41ae2bcadac15ca6abcaff72cda9cd",
         "is_verified": false,
-        "line_number": 1194
+        "line_number": 1197
       }
     ],
     "packaging/bundle/create-prebuilt-images.sh": [
@@ -379,6 +357,29 @@
         "line_number": 417
       }
     ],
+    "specs/api/auth/api-keys.spec.yaml": [
+      {
+        "type": "Secret Keyword",
+        "filename": "specs/api/auth/api-keys.spec.yaml",
+        "hashed_secret": "859fc9033beea82428b34b8d1b883448b2007660",
+        "is_verified": false,
+        "line_number": 12
+      },
+      {
+        "type": "Secret Keyword",
+        "filename": "specs/api/auth/api-keys.spec.yaml",
+        "hashed_secret": "ff4733ee3d358e810f00f57e32cf7d5b06e81a10",
+        "is_verified": false,
+        "line_number": 28
+      },
+      {
+        "type": "Secret Keyword",
+        "filename": "specs/api/auth/api-keys.spec.yaml",
+        "hashed_secret": "f1a1d070b699e0258dc5ca08e4d6f28bde0e504f",
+        "is_verified": false,
+        "line_number": 33
+      }
+    ],
     "start-openwatch.sh": [
       {
         "type": "Basic Auth Credentials",
@@ -387,7 +388,137 @@
         "is_verified": false,
         "line_number": 167
       }
+    ],
+    "tests/backend/integration/test_api_coverage.py": [
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/backend/integration/test_api_coverage.py",
+        "hashed_secret": "a4b48a81cdab1e1a5dd37907d6c85ca1c61ddc7c",
+        "is_verified": false,
+        "line_number": 89
+      },
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/backend/integration/test_api_coverage.py",
+        "hashed_secret": "6eb67d95dba1a614971e31e78146d44bd4a3ada3",
+        "is_verified": false,
+        "line_number": 253
+      }
+    ],
+    "tests/backend/integration/test_coverage_push.py": [
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/backend/integration/test_coverage_push.py",
+        "hashed_secret": "6052acf657148ec39725c596e25bd0612fd301a6",
+        "is_verified": false,
+        "line_number": 478
+      }
+    ],
+    "tests/backend/integration/test_coverage_push2.py": [
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/backend/integration/test_coverage_push2.py",
+        "hashed_secret": "00e0f17d2234c3650b21f19f5b8588c253d53a26",
+        "is_verified": false,
+        "line_number": 43
+      },
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/backend/integration/test_coverage_push2.py",
+        "hashed_secret": "a8cd1d4b66d8e5dd2705c5d0cc94f3721948fb7a",
+        "is_verified": false,
+        "line_number": 51
+      }
+    ],
+    "tests/backend/integration/test_coverage_push5.py": [
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/backend/integration/test_coverage_push5.py",
+        "hashed_secret": "1ded3053d0363079a4e681a3b700435d6d880290",
+        "is_verified": false,
+        "line_number": 348
+      },
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/backend/integration/test_coverage_push5.py",
+        "hashed_secret": "a8cd1d4b66d8e5dd2705c5d0cc94f3721948fb7a",
+        "is_verified": false,
+        "line_number": 355
+      }
+    ],
+    "tests/backend/integration/test_coverage_push6.py": [
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/backend/integration/test_coverage_push6.py",
+        "hashed_secret": "c7d25755a1fe2f038cf3d286a139ed0bc0b3ea7f",
+        "is_verified": false,
+        "line_number": 176
+      },
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/backend/integration/test_coverage_push6.py",
+        "hashed_secret": "bc17d66449b630f5615c08b16f19cc7c5b61576c",
+        "is_verified": false,
+        "line_number": 193
+      },
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/backend/integration/test_coverage_push6.py",
+        "hashed_secret": "0c6ba03885f3aae765fbf20f07f514a44dbda30a",
+        "is_verified": false,
+        "line_number": 205
+      },
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/backend/integration/test_coverage_push6.py",
+        "hashed_secret": "a8cd1d4b66d8e5dd2705c5d0cc94f3721948fb7a",
+        "is_verified": false,
+        "line_number": 215
+      }
+    ],
+    "tests/backend/integration/test_health_integration.py": [
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/backend/integration/test_health_integration.py",
+        "hashed_secret": "d033e22ae348aeb5660fc2140aec35850c4da997",
+        "is_verified": false,
+        "line_number": 49
+      }
+    ],
+    "tests/backend/integration/test_hosts_deep.py": [
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/backend/integration/test_hosts_deep.py",
+        "hashed_secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
+        "is_verified": false,
+        "line_number": 149
+      }
+    ],
+    "tests/backend/integration/test_settings_deep.py": [
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/backend/integration/test_settings_deep.py",
+        "hashed_secret": "382caa7c44ee23ee25616f7e303af33c591efc3a",
+        "is_verified": false,
+        "line_number": 46
+      },
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/backend/integration/test_settings_deep.py",
+        "hashed_secret": "83e8dca5e8730480929f6e419014e78528bef66c",
+        "is_verified": false,
+        "line_number": 65
+      }
+    ],
+    "tests/backend/unit/test_app_coverage.py": [
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/backend/unit/test_app_coverage.py",
+        "hashed_secret": "e8662cfb96bd9c7fe84c31d76819ec3a92c80e63",
+        "is_verified": false,
+        "line_number": 110
+      }
     ]
   },
-  "generated_at": "2026-03-07T03:52:53Z"
+  "generated_at": "2026-03-26T00:33:16Z"
 }