Security: harden API ingress and CI scanning

.env.example

@@ -18,3 +18,29 @@ PUBLIC_SAMPLE_DATA_PATH=fixtures/public_sample_data/continuity_v1.json
 # Per-user response generation throttle (POST /v0/responses).
 RESPONSE_RATE_LIMIT_WINDOW_SECONDS=60
 RESPONSE_RATE_LIMIT_MAX_REQUESTS=20
+# Hosted auth and webhook ingress throttles.
+MAGIC_LINK_START_RATE_LIMIT_WINDOW_SECONDS=300
+MAGIC_LINK_START_RATE_LIMIT_MAX_REQUESTS=5
+MAGIC_LINK_VERIFY_RATE_LIMIT_WINDOW_SECONDS=300
+MAGIC_LINK_VERIFY_RATE_LIMIT_MAX_REQUESTS=10
+TELEGRAM_WEBHOOK_RATE_LIMIT_WINDOW_SECONDS=60
+TELEGRAM_WEBHOOK_RATE_LIMIT_MAX_REQUESTS=120
+# Telegram transport defaults.
+TELEGRAM_LINK_TTL_SECONDS=600
+TELEGRAM_BOT_USERNAME=alicebot
+TELEGRAM_WEBHOOK_SECRET=
+TELEGRAM_BOT_TOKEN=
+# Browser security posture.
+CORS_ALLOWED_ORIGINS=http://localhost:3000,http://127.0.0.1:3000
+CORS_ALLOWED_METHODS=GET,POST,PUT,PATCH,DELETE,OPTIONS
+CORS_ALLOWED_HEADERS=Authorization,Content-Type,X-AliceBot-User-Id,X-Telegram-Bot-Api-Secret-Token
+CORS_ALLOW_CREDENTIALS=false
+CORS_PREFLIGHT_MAX_AGE_SECONDS=600
+SECURITY_HEADERS_ENABLED=true
+SECURITY_HEADERS_HSTS_MAX_AGE_SECONDS=31536000
+SECURITY_HEADERS_HSTS_INCLUDE_SUBDOMAINS=true
+# Proxy and ingress trust boundaries.
+TRUST_PROXY_HEADERS=false
+TRUSTED_PROXY_IPS=
+# Entrypoint abuse-control backend.
+ENTRYPOINT_RATE_LIMIT_BACKEND=redis

.github/dependabot.yml

@@ -0,0 +1,21 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: pip
+    directory: /
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: npm
+    directory: /packages/alice-core
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: npm
+    directory: /packages/alice-cli
+    schedule:
+      interval: weekly

.github/workflows/publish-npm.yml

@@ -7,11 +7,17 @@ on:
 
 permissions:
   contents: read
-  id-token: write
+
+concurrency:
+  group: publish-npm-${{ github.ref }}
+  cancel-in-progress: false
 
 jobs:
   publish-core:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -59,6 +65,9 @@ jobs:
   publish-cli:
     runs-on: ubuntu-latest
     needs: publish-core
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4

.github/workflows/security-scans.yml

@@ -0,0 +1,57 @@
+name: Security Scans
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: "23 3 * * 1"
+
+permissions:
+  contents: read
+
+jobs:
+  secrets:
+    name: Secrets Scan (Gitleaks)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  codeql:
+    name: CodeQL (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+          - python
+          - javascript
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@v3

apps/api/src/alicebot_api/config.py

@@ -52,6 +52,35 @@
 DEFAULT_HOSTED_ABUSE_BLOCK_THRESHOLD = 5
 DEFAULT_HOSTED_RATE_LIMITS_ENABLED_BY_DEFAULT = True
 DEFAULT_HOSTED_ABUSE_CONTROLS_ENABLED_BY_DEFAULT = True
+DEFAULT_MAGIC_LINK_START_RATE_LIMIT_WINDOW_SECONDS = 300
+DEFAULT_MAGIC_LINK_START_RATE_LIMIT_MAX_REQUESTS = 5
+DEFAULT_MAGIC_LINK_VERIFY_RATE_LIMIT_WINDOW_SECONDS = 300
+DEFAULT_MAGIC_LINK_VERIFY_RATE_LIMIT_MAX_REQUESTS = 10
+DEFAULT_TELEGRAM_WEBHOOK_RATE_LIMIT_WINDOW_SECONDS = 60
+DEFAULT_TELEGRAM_WEBHOOK_RATE_LIMIT_MAX_REQUESTS = 120
+DEFAULT_CORS_ALLOWED_ORIGINS: tuple[str, ...] = ()
+DEFAULT_CORS_ALLOWED_METHODS: tuple[str, ...] = (
+    "GET",
+    "POST",
+    "PUT",
+    "PATCH",
+    "DELETE",
+    "OPTIONS",
+)
+DEFAULT_CORS_ALLOWED_HEADERS: tuple[str, ...] = (
+    "Authorization",
+    "Content-Type",
+    "X-AliceBot-User-Id",
+    "X-Telegram-Bot-Api-Secret-Token",
+)
+DEFAULT_CORS_ALLOW_CREDENTIALS = False
+DEFAULT_CORS_PREFLIGHT_MAX_AGE_SECONDS = 600
+DEFAULT_SECURITY_HEADERS_ENABLED = True
+DEFAULT_SECURITY_HEADERS_HSTS_MAX_AGE_SECONDS = 31_536_000
+DEFAULT_SECURITY_HEADERS_HSTS_INCLUDE_SUBDOMAINS = True
+DEFAULT_TRUST_PROXY_HEADERS = False
+DEFAULT_TRUSTED_PROXY_IPS: tuple[str, ...] = ()
+DEFAULT_ENTRYPOINT_RATE_LIMIT_BACKEND = "redis"
 
 Environment = Mapping[str, str]
 
@@ -71,6 +100,31 @@ def _get_env_int(env: Environment, key: str, default: int) -> int:
         raise ValueError(f"{key} must be an integer") from exc
 
 
+def _get_env_csv(env: Environment, key: str, default: tuple[str, ...]) -> tuple[str, ...]:
+    raw_value = env.get(key)
+    if raw_value is None:
+        return default
+
+    return tuple(item.strip() for item in raw_value.split(",") if item.strip() != "")
+
+
+def _normalize_csv_tokens(
+    values: tuple[str, ...],
+    *,
+    uppercase: bool = False,
+) -> tuple[str, ...]:
+    normalized: list[str] = []
+    for value in values:
+        token = value.strip()
+        if token == "":
+            continue
+        if uppercase:
+            token = token.upper()
+        if token not in normalized:
+            normalized.append(token)
+    return tuple(normalized)
+
+
 @dataclass(frozen=True)
 class Settings:
     app_env: str = DEFAULT_APP_ENV
@@ -110,6 +164,31 @@ class Settings:
     hosted_abuse_block_threshold: int = DEFAULT_HOSTED_ABUSE_BLOCK_THRESHOLD
     hosted_rate_limits_enabled_by_default: bool = DEFAULT_HOSTED_RATE_LIMITS_ENABLED_BY_DEFAULT
     hosted_abuse_controls_enabled_by_default: bool = DEFAULT_HOSTED_ABUSE_CONTROLS_ENABLED_BY_DEFAULT
+    magic_link_start_rate_limit_window_seconds: int = (
+        DEFAULT_MAGIC_LINK_START_RATE_LIMIT_WINDOW_SECONDS
+    )
+    magic_link_start_rate_limit_max_requests: int = DEFAULT_MAGIC_LINK_START_RATE_LIMIT_MAX_REQUESTS
+    magic_link_verify_rate_limit_window_seconds: int = (
+        DEFAULT_MAGIC_LINK_VERIFY_RATE_LIMIT_WINDOW_SECONDS
+    )
+    magic_link_verify_rate_limit_max_requests: int = DEFAULT_MAGIC_LINK_VERIFY_RATE_LIMIT_MAX_REQUESTS
+    telegram_webhook_rate_limit_window_seconds: int = (
+        DEFAULT_TELEGRAM_WEBHOOK_RATE_LIMIT_WINDOW_SECONDS
+    )
+    telegram_webhook_rate_limit_max_requests: int = DEFAULT_TELEGRAM_WEBHOOK_RATE_LIMIT_MAX_REQUESTS
+    cors_allowed_origins: tuple[str, ...] = DEFAULT_CORS_ALLOWED_ORIGINS
+    cors_allowed_methods: tuple[str, ...] = DEFAULT_CORS_ALLOWED_METHODS
+    cors_allowed_headers: tuple[str, ...] = DEFAULT_CORS_ALLOWED_HEADERS
+    cors_allow_credentials: bool = DEFAULT_CORS_ALLOW_CREDENTIALS
+    cors_preflight_max_age_seconds: int = DEFAULT_CORS_PREFLIGHT_MAX_AGE_SECONDS
+    security_headers_enabled: bool = DEFAULT_SECURITY_HEADERS_ENABLED
+    security_headers_hsts_max_age_seconds: int = DEFAULT_SECURITY_HEADERS_HSTS_MAX_AGE_SECONDS
+    security_headers_hsts_include_subdomains: bool = (
+        DEFAULT_SECURITY_HEADERS_HSTS_INCLUDE_SUBDOMAINS
+    )
+    trust_proxy_headers: bool = DEFAULT_TRUST_PROXY_HEADERS
+    trusted_proxy_ips: tuple[str, ...] = DEFAULT_TRUSTED_PROXY_IPS
+    entrypoint_rate_limit_backend: str = DEFAULT_ENTRYPOINT_RATE_LIMIT_BACKEND
 
     @classmethod
     def from_env(cls, env: Environment | None = None) -> "Settings":
@@ -250,6 +329,88 @@ def from_env(cls, env: Environment | None = None) -> "Settings":
                 "true" if cls.hosted_abuse_controls_enabled_by_default else "false",
             ).strip().lower()
             in {"1", "true", "yes", "on"},
+            magic_link_start_rate_limit_window_seconds=_get_env_int(
+                current_env,
+                "MAGIC_LINK_START_RATE_LIMIT_WINDOW_SECONDS",
+                cls.magic_link_start_rate_limit_window_seconds,
+            ),
+            magic_link_start_rate_limit_max_requests=_get_env_int(
+                current_env,
+                "MAGIC_LINK_START_RATE_LIMIT_MAX_REQUESTS",
+                cls.magic_link_start_rate_limit_max_requests,
+            ),
+            magic_link_verify_rate_limit_window_seconds=_get_env_int(
+                current_env,
+                "MAGIC_LINK_VERIFY_RATE_LIMIT_WINDOW_SECONDS",
+                cls.magic_link_verify_rate_limit_window_seconds,
+            ),
+            magic_link_verify_rate_limit_max_requests=_get_env_int(
+                current_env,
+                "MAGIC_LINK_VERIFY_RATE_LIMIT_MAX_REQUESTS",
+                cls.magic_link_verify_rate_limit_max_requests,
+            ),
+            telegram_webhook_rate_limit_window_seconds=_get_env_int(
+                current_env,
+                "TELEGRAM_WEBHOOK_RATE_LIMIT_WINDOW_SECONDS",
+                cls.telegram_webhook_rate_limit_window_seconds,
+            ),
+            telegram_webhook_rate_limit_max_requests=_get_env_int(
+                current_env,
+                "TELEGRAM_WEBHOOK_RATE_LIMIT_MAX_REQUESTS",
+                cls.telegram_webhook_rate_limit_max_requests,
+            ),
+            cors_allowed_origins=_normalize_csv_tokens(
+                _get_env_csv(current_env, "CORS_ALLOWED_ORIGINS", cls.cors_allowed_origins),
+            ),
+            cors_allowed_methods=_normalize_csv_tokens(
+                _get_env_csv(current_env, "CORS_ALLOWED_METHODS", cls.cors_allowed_methods),
+                uppercase=True,
+            ),
+            cors_allowed_headers=_normalize_csv_tokens(
+                _get_env_csv(current_env, "CORS_ALLOWED_HEADERS", cls.cors_allowed_headers),
+            ),
+            cors_allow_credentials=_get_env_value(
+                current_env,
+                "CORS_ALLOW_CREDENTIALS",
+                "true" if cls.cors_allow_credentials else "false",
+            ).strip().lower()
+            in {"1", "true", "yes", "on"},
+            cors_preflight_max_age_seconds=_get_env_int(
+                current_env,
+                "CORS_PREFLIGHT_MAX_AGE_SECONDS",
+                cls.cors_preflight_max_age_seconds,
+            ),
+            security_headers_enabled=_get_env_value(
+                current_env,
+                "SECURITY_HEADERS_ENABLED",
+                "true" if cls.security_headers_enabled else "false",
+            ).strip().lower()
+            in {"1", "true", "yes", "on"},
+            security_headers_hsts_max_age_seconds=_get_env_int(
+                current_env,
+                "SECURITY_HEADERS_HSTS_MAX_AGE_SECONDS",
+                cls.security_headers_hsts_max_age_seconds,
+            ),
+            security_headers_hsts_include_subdomains=_get_env_value(
+                current_env,
+                "SECURITY_HEADERS_HSTS_INCLUDE_SUBDOMAINS",
+                "true" if cls.security_headers_hsts_include_subdomains else "false",
+            ).strip().lower()
+            in {"1", "true", "yes", "on"},
+            trust_proxy_headers=_get_env_value(
+                current_env,
+                "TRUST_PROXY_HEADERS",
+                "true" if cls.trust_proxy_headers else "false",
+            ).strip().lower()
+            in {"1", "true", "yes", "on"},
+            trusted_proxy_ips=_normalize_csv_tokens(
+                _get_env_csv(current_env, "TRUSTED_PROXY_IPS", cls.trusted_proxy_ips),
+            ),
+            entrypoint_rate_limit_backend=_get_env_value(
+                current_env,
+                "ENTRYPOINT_RATE_LIMIT_BACKEND",
+                cls.entrypoint_rate_limit_backend,
+            ).strip().lower(),
         )
         return _validate_settings(settings)
 
@@ -287,8 +448,34 @@ def _validate_settings(settings: Settings) -> Settings:
         raise ValueError("HOSTED_ABUSE_WINDOW_SECONDS must be a positive integer")
     if settings.hosted_abuse_block_threshold <= 0:
         raise ValueError("HOSTED_ABUSE_BLOCK_THRESHOLD must be a positive integer")
+    if settings.magic_link_start_rate_limit_window_seconds <= 0:
+        raise ValueError("MAGIC_LINK_START_RATE_LIMIT_WINDOW_SECONDS must be a positive integer")
+    if settings.magic_link_start_rate_limit_max_requests <= 0:
+        raise ValueError("MAGIC_LINK_START_RATE_LIMIT_MAX_REQUESTS must be a positive integer")
+    if settings.magic_link_verify_rate_limit_window_seconds <= 0:
+        raise ValueError("MAGIC_LINK_VERIFY_RATE_LIMIT_WINDOW_SECONDS must be a positive integer")
+    if settings.magic_link_verify_rate_limit_max_requests <= 0:
+        raise ValueError("MAGIC_LINK_VERIFY_RATE_LIMIT_MAX_REQUESTS must be a positive integer")
+    if settings.telegram_webhook_rate_limit_window_seconds <= 0:
+        raise ValueError("TELEGRAM_WEBHOOK_RATE_LIMIT_WINDOW_SECONDS must be a positive integer")
+    if settings.telegram_webhook_rate_limit_max_requests <= 0:
+        raise ValueError("TELEGRAM_WEBHOOK_RATE_LIMIT_MAX_REQUESTS must be a positive integer")
+    if settings.cors_preflight_max_age_seconds <= 0:
+        raise ValueError("CORS_PREFLIGHT_MAX_AGE_SECONDS must be a positive integer")
+    if len(settings.cors_allowed_methods) == 0:
+        raise ValueError("CORS_ALLOWED_METHODS must include at least one method")
+    if settings.security_headers_hsts_max_age_seconds <= 0:
+        raise ValueError("SECURITY_HEADERS_HSTS_MAX_AGE_SECONDS must be a positive integer")
+    if settings.entrypoint_rate_limit_backend not in {"redis", "memory"}:
+        raise ValueError("ENTRYPOINT_RATE_LIMIT_BACKEND must be either 'redis' or 'memory'")
+    if settings.trust_proxy_headers and len(settings.trusted_proxy_ips) == 0:
+        raise ValueError("TRUSTED_PROXY_IPS must include at least one IP when TRUST_PROXY_HEADERS is enabled")
 
     if settings.app_env not in {"development", "test"}:
+        if "*" in settings.cors_allowed_origins:
+            raise ValueError(
+                "CORS_ALLOWED_ORIGINS cannot include wildcard outside development/test environments"
+            )
         if settings.auth_user_id == "":
             raise ValueError(
                 "ALICEBOT_AUTH_USER_ID must be configured outside development/test environments"
@@ -303,6 +490,10 @@ def _validate_settings(settings: Settings) -> Settings:
             raise ValueError("S3_ACCESS_KEY must be overridden outside development/test environments")
         if settings.s3_secret_key == DEFAULT_S3_SECRET_KEY:
             raise ValueError("S3_SECRET_KEY must be overridden outside development/test environments")
+        if settings.telegram_webhook_secret == "":
+            raise ValueError(
+                "TELEGRAM_WEBHOOK_SECRET must be configured outside development/test environments"
+            )
 
     return settings