From a851de0f9442d475872170b138bb8821ce13933b Mon Sep 17 00:00:00 2001
From: Leo
Date: Wed, 11 Mar 2026 20:18:27 +0100
Subject: [PATCH] fix(security): add disclaimers to sample code and scaffolding templates
- payment_processor.py: add disclaimer header + replace realistic-looking keys with EXAMPLE_NOT_REAL
- project_scaffolder.py: add SCAFFOLDING PLACEHOLDER comments to generated secrets
- pipeline_orchestrator.py: no change needed (compile() used for syntax validation only)
---
 .../scripts/project_scaffolder.py | 4 ++--
 .../sample_codebase/src/payment_processor.py | 15 +++++++++++----
 2 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/engineering-team/senior-fullstack/scripts/project_scaffolder.py b/engineering-team/senior-fullstack/scripts/project_scaffolder.py
index 1a102e1..b5d483e 100755
--- a/engineering-team/senior-fullstack/scripts/project_scaffolder.py
+++ b/engineering-team/senior-fullstack/scripts/project_scaffolder.py
@@ -271,7 +271,7 @@ from typing import List
 class Settings(BaseSettings):
 DATABASE_URL: str = "postgresql://user:pass@localhost:5432/db"
 ALLOWED_ORIGINS: List[str] = ["http://localhost:3000", "http://localhost:5173"]
- SECRET_KEY: str = "change-me-in-production"
+ SECRET_KEY: str = "change-me-in-production" # ⚠️ SCAFFOLDING PLACEHOLDER — replace before deployment
 class Config:
 env_file = ".env"
@@ -627,7 +627,7 @@ export default config;
 module.exports = { reactStrictMode: true };
 ''',
 ".env.example": '''DATABASE_URL="postgresql://user:password@localhost:5432/dbname"
-SECRET_KEY="your-secret-here"
+SECRET_KEY="your-secret-here" # ⚠️ SCAFFOLDING PLACEHOLDER — replace before deployment
 ''',
 ".gitignore": '''node_modules/
 .next/
diff --git a/engineering/tech-debt-tracker/assets/sample_codebase/src/payment_processor.py b/engineering/tech-debt-tracker/assets/sample_codebase/src/payment_processor.py
index 010b8b8..db2d0bc 100644
--- a/engineering/tech-debt-tracker/assets/sample_codebase/src/payment_processor.py
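Review bot: The appended `# ⚠️ SCAFFOLDING PLACEHOLDER` comment on the `SECRET_KEY` line changes nothing about what a generated app does with it: `Settings` still starts up with `"change-me-in-production"` whenever the variable is unset, so a deployment that forgets the `.env` entry silently runs with a publicly known secret. Since this is a pydantic `BaseSettings` template, the safer scaffold output is a required field, `SECRET_KEY: str  # set via environment or .env; intentionally no default`, so startup fails loudly, or a validator that rejects the placeholder value. The template string and the `Settings` class begin before the hunk, so I can't see whether a dev-only default is supplied elsewhere.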
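Review bot: The inline `# ⚠️ SCAFFOLDING PLACEHOLDER …` appended to `SECRET_KEY="your-secret-here"` in the generated `.env.example` sits on the value line, and not every dotenv consumer parses trailing comments — `docker run --env-file`, for one, reads everything after `=` verbatim — so someone who copies the file to `.env` unedited may get the comment (and the quotes) inside the secret. A comment on its own line is handled identically by every loader: put `# ⚠️ SCAFFOLDING PLACEHOLDER — replace before deployment` above the entry and leave `SECRET_KEY="your-secret-here"` alone. The `.env.example` template continues past the hunk on both sides.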
+++ b/engineering/tech-debt-tracker/assets/sample_codebase/src/payment_processor.py
@@ -1,5 +1,11 @@
 """
-Payment processing module - contains various technical debt examples
+Payment processing module - contains various technical debt examples.
+
+⚠️ DISCLAIMER: This is an INTENTIONAL example of bad code patterns for
+tech debt detection training. The hardcoded credentials, missing error
+handling, and other issues are deliberate anti-patterns used by the
+tech-debt-tracker skill to demonstrate detection capabilities.
+DO NOT use this code in production.
 """
 import json
@@ -13,9 +19,10 @@ class PaymentProcessor:
 def __init__(self):
 # TODO: These should come from environment or config
- self.stripe_key = "sk_test_1234567890"
- self.paypal_key = "paypal_secret_key_here"
- self.square_key = "square_api_key"
+ # ⚠️ INTENTIONAL BAD PATTERN — hardcoded keys for tech debt detection demo
+ self.stripe_key = "sk_test_EXAMPLE_NOT_REAL"
+ self.paypal_key = "paypal_EXAMPLE_NOT_REAL"
+ self.square_key = "square_EXAMPLE_NOT_REAL"
 def process_payment(self, amount, currency, payment_method, customer_data, billing_address, shipping_address, items, discount_code, tax_rate, processing_fee, metadata):
 """
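Review bot: The new placeholder values should be checked against the tech-debt-tracker's own credential detector before merging, because this fixture exists to trigger that finding and the hunk changes exactly the strings it would match: if detection keys on value shape (e.g. Stripe's `sk_test_` followed by a long alphanumeric run) rather than on the `_key = "…"` assignment, `sk_test_EXAMPLE_NOT_REAL` may no longer register as a hit. Conversely, if the repo runs a generic secret scanner in CI, these lines can still be flagged; prefer a path-scoped allowlist for `assets/sample_codebase/` over inline suppression markers, which would also hide the lines from the demo. A small test asserting the tracker still reports three hardcoded credentials in this file would pin both concerns. `process_payment`'s body continues outside the hunk.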