fix(ci): Sync canonical security artifacts

2026-03-28 17:42:37 +01:00
parent b681e0e03b
commit 9ac140049c
4 changed files with 55 additions and 41 deletions
--- a/README.md
+++ b/README.md
@@ -647,8 +647,8 @@ We officially thank the following contributors for their help in making this rep
 - [@zinzied](https://github.com/zinzied)
 - [@ssumanbiswas](https://github.com/ssumanbiswas)
 - [@Dokhacgiakhoa](https://github.com/Dokhacgiakhoa)
- [@IanJ332](https://github.com/IanJ332)
 - [@sx4im](https://github.com/sx4im)
+- [@IanJ332](https://github.com/IanJ332)
 - [@maxdml](https://github.com/maxdml)
 - [@skyruh](https://github.com/skyruh)
 - [@Champbreed](https://github.com/Champbreed)
@@ -671,18 +671,18 @@ We officially thank the following contributors for their help in making this rep
 - [@HuynhNhatKhanh](https://github.com/HuynhNhatKhanh)
 - [@taksrules](https://github.com/taksrules)
 - [@liyin2015](https://github.com/liyin2015)
+- [@krabat-l](https://github.com/krabat-l)
 - [@fullstackcrew-alpha](https://github.com/fullstackcrew-alpha)
- [@arathiesh](https://github.com/arathiesh)
 - [@fernandezbaptiste](https://github.com/fernandezbaptiste)
 - [@Gizzant](https://github.com/Gizzant)
 - [@JayeHarrill](https://github.com/JayeHarrill)
+- [@AssassinMaeve](https://github.com/AssassinMaeve)
+- [@Musayrlsms](https://github.com/Musayrlsms)
+- [@arathiesh](https://github.com/arathiesh)
 - [@Tiger-Foxx](https://github.com/Tiger-Foxx)
 - [@RamonRiosJr](https://github.com/RamonRiosJr)
- [@Musayrlsms](https://github.com/Musayrlsms)
- [@AssassinMaeve](https://github.com/AssassinMaeve)
- [@Wolfe-Jam](https://github.com/Wolfe-Jam)
+- [@vuth-dogo](https://github.com/vuth-dogo)
 - [@Wittlesus](https://github.com/Wittlesus)
- [@PabloASMD](https://github.com/PabloASMD)
 - [@wahidzzz](https://github.com/wahidzzz)
 - [@Vonfry](https://github.com/Vonfry)
 - [@vprudnikoff](https://github.com/vprudnikoff)
@@ -695,7 +695,6 @@ We officially thank the following contributors for their help in making this rep
 - [@TomGranot](https://github.com/TomGranot)
 - [@terryspitz](https://github.com/terryspitz)
 - [@Onsraa](https://github.com/Onsraa)
- [@ProgramadorBrasil](https://github.com/ProgramadorBrasil)
 - [@SebConejo](https://github.com/SebConejo)
 - [@SuperJMN](https://github.com/SuperJMN)
 - [@Enreign](https://github.com/Enreign)
@@ -705,7 +704,9 @@ We officially thank the following contributors for their help in making this rep
 - [@shubhamdevx](https://github.com/shubhamdevx)
 - [@ronanguilloux](https://github.com/ronanguilloux)
 - [@sraphaz](https://github.com/sraphaz)
- [@vuth-dogo](https://github.com/vuth-dogo)
+- [@ProgramadorBrasil](https://github.com/ProgramadorBrasil)
+- [@PabloASMD](https://github.com/PabloASMD)
+- [@yubing744](https://github.com/yubing744)
 - [@yang1002378395-cmyk](https://github.com/yang1002378395-cmyk)
 - [@viliawang-pm](https://github.com/viliawang-pm)
 - [@uucz](https://github.com/uucz)
@@ -731,6 +732,7 @@ We officially thank the following contributors for their help in making this rep
 - [@amalsam](https://github.com/amalsam)
 - [@ziuus](https://github.com/ziuus)
 - [@Cerdore](https://github.com/Cerdore)
+- [@Wolfe-Jam](https://github.com/Wolfe-Jam)
 - [@qcwssss](https://github.com/qcwssss)
 - [@rcigor](https://github.com/rcigor)
 - [@hvasconcelos](https://github.com/hvasconcelos)
@@ -757,7 +759,6 @@ We officially thank the following contributors for their help in making this rep
 - [@ALEKGG1](https://github.com/ALEKGG1)
 - [@8144225309](https://github.com/8144225309)
 - [@1bcMax](https://github.com/1bcMax)
- [@yubing744](https://github.com/yubing744)
 - [@olgasafonova](https://github.com/olgasafonova)
 - [@sharmanilay](https://github.com/sharmanilay)
 - [@KhaiTrang1995](https://github.com/KhaiTrang1995)
@@ -781,6 +782,7 @@ We officially thank the following contributors for their help in making this rep
 - [@kage-art](https://github.com/kage-art)
 - [@whatiskadudoing](https://github.com/whatiskadudoing)
 - [@jonathimer](https://github.com/jonathimer)
+- [@Jonohobs](https://github.com/Jonohobs)
 - [@JaskiratAnand](https://github.com/JaskiratAnand)
 - [@jamescha-earley](https://github.com/jamescha-earley)

--- a/skills/claude-monitor/scripts/api_bench.py
+++ b/skills/claude-monitor/scripts/api_bench.py
@@ -34,6 +34,17 @@ ENDPOINTS = [
 ]


+def create_tls_context():
+    """Cria contexto TLS restringindo conexoes a TLS 1.2+."""
+    context = ssl.create_default_context()
+    if hasattr(ssl, "TLSVersion"):
+        context.minimum_version = ssl.TLSVersion.TLSv1_2
+    else:
+        context.options |= getattr(ssl, "OP_NO_TLSv1", 0)
+        context.options |= getattr(ssl, "OP_NO_TLSv1_1", 0)
+    return context
+
+
 def test_tcp_latency(host, port, timeout=5):
    """Testa latência TCP para um host:port."""
    try:
@@ -49,7 +60,7 @@ def test_tcp_latency(host, port, timeout=5):
 def test_tls_handshake(host, port=443, timeout=5):
    """Testa tempo do handshake TLS."""
    try:
-        context = ssl.create_default_context()
+        context = create_tls_context()
        start = time.time()
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as ssock:
--- a/skills/whatsapp-cloud-api/scripts/send_test_message.py
+++ b/skills/whatsapp-cloud-api/scripts/send_test_message.py
@@ -28,11 +28,21 @@ except ImportError:
 GRAPH_API = "https://graph.facebook.com/v21.0"


-def _mask_secret(value: str) -> str:
-    """Return a masked version of a secret for safe logging."""
-    if not value or len(value) < 8:
-        return "***masked***"
-    return f"{value[:6]}...masked"
+def _redact_json(value):
+    """Recursively redact common secret-bearing keys before logging JSON."""
+    sensitive_keys = {"authorization", "token", "access_token", "app_secret", "secret"}
+
+    if isinstance(value, dict):
+        redacted = {}
+        for key, item in value.items():
+            if key.lower() in sensitive_keys:
+                redacted[key] = "***redacted***"
+            else:
+                redacted[key] = _redact_json(item)
+        return redacted
+    if isinstance(value, list):
+        return [_redact_json(item) for item in value]
+    return value


 def send_test(to: str, message: str) -> None:
@@ -84,11 +94,7 @@ def send_test(to: str, message: str) -> None:

        print()
        print("Full response:")
-        # Mask token in response output to prevent credential leakage
-        response_str = json.dumps(data, indent=2)
-        if token and token in response_str:
-            response_str = response_str.replace(token, _mask_secret(token))
-        print(response_str)
+        print(json.dumps(_redact_json(data), indent=2))

    except httpx.ConnectError:
        print("Error: Connection failed. Check your internet connection.")
@@ -96,10 +102,8 @@ def send_test(to: str, message: str) -> None:
    except httpx.TimeoutException:
        print("Error: Request timed out.")
        sys.exit(1)
-    except Exception as e:
-        # Mask token in error output to prevent credential leakage
-        safe_err = str(e).replace(token, _mask_secret(token)) if token else str(e)
-        print(f"Error: {safe_err}")
+    except Exception as exc:
+        print(f"Error: unexpected {exc.__class__.__name__} while sending the test message.")
        sys.exit(1)


--- a/skills/whatsapp-cloud-api/scripts/validate_config.py
+++ b/skills/whatsapp-cloud-api/scripts/validate_config.py
@@ -47,11 +47,14 @@ def check_env_vars() -> tuple[bool, list[str]]:
    return len(missing) == 0, missing


-def _mask_secret(value: str) -> str:
-    """Return a masked version of a secret for safe logging."""
-    if not value or len(value) < 8:
-        return "***masked***"
-    return f"{value[:6]}...masked"
+def _format_api_failure(response: httpx.Response) -> str:
+    """Return a sanitized API failure message without echoing sensitive payloads."""
+    try:
+        error = response.json().get("error", {})
+    except ValueError:
+        error = {}
+    error_code = error.get("code", "?")
+    return f"API request failed (status {response.status_code}, code {error_code})."


 def test_api_connection() -> tuple[bool, str]:
@@ -76,17 +79,14 @@ def test_api_connection() -> tuple[bool, str]:
                f"  Quality: {data.get('quality_rating', 'N/A')}"
            )
        else:
-            error = response.json().get("error", {})
-            return False, f"API Error {error.get('code', '?')}: {error.get('message', 'Unknown')}"
+            return False, _format_api_failure(response)

    except httpx.ConnectError:
        return False, "Connection failed. Check your internet connection."
    except httpx.TimeoutException:
        return False, "Request timed out after 10 seconds."
-    except Exception as e:
-        # Mask token in error output to prevent credential leakage
-        safe_err = str(e).replace(token, _mask_secret(token)) if token else str(e)
-        return False, f"Unexpected error: {safe_err}"
+    except Exception as exc:
+        return False, f"Unexpected {exc.__class__.__name__} while contacting the Graph API."


 def test_waba_access() -> tuple[bool, str]:
@@ -106,13 +106,10 @@ def test_waba_access() -> tuple[bool, str]:
            count = len(data.get("data", []))
            return True, f"WABA accessible. {count} phone number(s) found."
        else:
-            error = response.json().get("error", {})
-            return False, f"API Error {error.get('code', '?')}: {error.get('message', 'Unknown')}"
+            return False, _format_api_failure(response)

-    except Exception as e:
-        # Mask token in error output to prevent credential leakage
-        safe_err = str(e).replace(token, _mask_secret(token)) if token else str(e)
-        return False, f"Error: {safe_err}"
+    except Exception as exc:
+        return False, f"Unexpected {exc.__class__.__name__} while checking WABA access."


 def main():