Pre-public readiness: audit, tests, warnings, and URL cleanup #37

Merged
ElMatiOfficial merged 7 commits into main from chore/pre-public-readiness
Apr 23, 2026

@ElMatiOfficial
Owner

Summary

Seven-commit branch to get the repo into a state where it can be flipped public without immediate regrets. Each commit is narrowly scoped — review them in order.

Commits

  1. chore: remove tracked node_modules — 25,290 files untracked from the index. History still contains the blobs (not destructive). Working-tree files are unchanged; npm ci from root continues to populate node_modules as expected.
  2. docs: replace placeholder intake addresses — SECURITY.md and CODE_OF_CONDUCT.md now point at GitHub Private Vulnerability Reporting instead of <your-domain>. No email to set up.
  3. fix(audit): override protobufjs to 7.5.5 — kills GHSA-xq3m-2v4x-88gg (the one remaining critical on main after firebase 12). Regenerated lockfile also picked up patched versions of seven other high-severity transitives; npm audit --audit-level=high now exits 0.
  4. feat(server): refuse to boot with DEMO_MODE=true in production — prevents the most likely copy-paste footgun (demo token bypass active in prod).
  5. test(server): credential round-trip + tamper detection + forgery — first tests in the repo, 6 cases covering issue/verify/tamper/forge/malformed/JWT token. Per CONTRIBUTING.md the signing layer is NOT mocked; real jose crypto is exercised.
  6. docs(readme): upgrade status to explicit not-for-production warning — GitHub alert block listing the specific production gaps (real IdP, KMS, JCS, revocation) plus the regulatory surface Apache-2.0's warranty disclaimer doesn't cover.
  7. docs: retarget repo URLs — points every reference at ElMatiOfficial/realh in preparation for the repo rename.

Test plan

  • CI test (server) passes — the new round-trip tests should run green.
  • CI lint passes — no new rule violations.
  • CI build (client) passes — no breakage from the lockfile regen.
  • CI npm audit (high+) goes green for the first time — this is the win.
  • CI gitleaks passes — node_modules removal reduces the scan surface.
  • CodeQL remains red until Code Scanning is enabled in repo Settings → Security (separate click).
  • After merge: rename repo human-poc → realh.

Not included in this PR

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com

ElMatiOfficial and others added 7 commits April 23, 2026 08:30

node_modules/ was committed in an early commit before .gitignore got
its current shape. It's since been re-ignored at the file level, but
the 25,290 tracked files keep showing up in every diff, gitleaks scan,
and CodeQL run — and they balloon the repo size before going public.

This removes them from the index (git rm --cached). The working-tree
files stay put; `npm ci` from the root will continue to populate
node_modules as expected. History still contains the blobs — that's
acceptable given we've already audited history for secrets and found
none, and rewriting history is a separate destructive operation.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

SECURITY.md and CODE_OF_CONDUCT.md both had `<your-domain>` placeholders
that would look unprofessional the moment the repo flipped public. For a
single-maintainer personal-account project, GitHub's built-in private
reporting (Security Advisories + Report content) is the right default:
nothing to set up, nothing to leak, visible to the maintainer only.

Left the door open for a dedicated email + PGP key to be added later
when the project scales beyond one maintainer.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

GHSA-xq3m-2v4x-88gg (arbitrary code execution) was the one remaining
critical finding on main after the firebase 12 bump — protobufjs is a
deep transitive dep via @firebase/firestore, so it can't be bumped
directly.

Added a root `overrides` entry pinning protobufjs to 7.5.5 (the first
patched release). A clean install was required to apply it; npm's
partial-lockfile modes silently dropped the override in this setup.

Side-effect: the lockfile regeneration picked up patched versions of
seven other transitives (rollup, node-forge, minimatch, picomatch,
flatted, fast-xml-parser, path-to-regexp), all of which were high
severity. `npm audit --audit-level=high` now exits 0 — CI 'audit' job
will go green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
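
A check for the failure mode the commit message above describes, where an install leaves a nested copy of the package below the override. This is an added example, not code from the repository; it assumes a lockfileVersion 2 or 3 `package-lock.json` (a `packages` map keyed by install path), and the sample lockfile and helper names are constructed.

```javascript
// Constructed sample in the shape of a lockfileVersion 3 package-lock.json.
// Paths and the 7.2.4 version are illustrative. In real use, load the file with
// JSON.parse(fs.readFileSync("package-lock.json", "utf8")).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-root", version: "0.0.0" },
    "node_modules/protobufjs": { version: "7.5.5" },
    "node_modules/@firebase/firestore/node_modules/protobufjs": { version: "7.2.4" },
    "node_modules/protobufjs-cli": { version: "1.1.1" }, // different package, must not match
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; the root entry "" -> null.
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Compares major.minor.patch numerically. Pre-release tags are ignored,
// so "7.5.5-beta.1" is treated as 7.5.5 (a simplification of full semver).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Returns every installed copy of `name` whose locked version is below `minVersion`.
function findBelowMinimum(lock, name, minVersion) {
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) => packageNameFromPath(path) === name && meta.version)
    .filter(([, meta]) => compareVersions(meta.version, minVersion) < 0)
    .map(([path, meta]) => ({ path, version: meta.version }));
}

const stale = findBelowMinimum(sampleLock, "protobufjs", "7.5.5");
console.log(stale.length === 0 ? "override applied everywhere" : stale);
```

A non-empty result means at least one copy in the tree did not pick up the override, even if the top-level copy did.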
DEMO_MODE defaults to true and enables a bearer-token bypass in the
authenticate middleware. Intentional for local dev, but a copy-paste
prod deployment that forgets to flip the flag would silently accept any
token starting with 'demo_' — effectively an open API.

Guard: if NODE_ENV=production and DEMO_MODE=true, print a fatal error
explaining which variable to change and exit(1) before the server
starts listening. Dev/demo deployments (NODE_ENV=development) still
boot in demo mode; production deployments with DEMO_MODE=false still
boot normally.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
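
The boot guard described in the commit message above, sketched as an added example that is not the repository's code. Function names are hypothetical, and the parsing rule is an assumption: because the message says DEMO_MODE defaults to true, anything other than an explicit `false` (including an unset variable) is treated as demo mode.

```javascript
// Assumption: demo mode is ON unless DEMO_MODE is explicitly "false".
// An unset or empty variable therefore counts as demo mode, matching the stated default.
function isDemoMode(env) {
  const raw = env.DEMO_MODE;
  if (raw === undefined || raw.trim() === "") return true;
  return raw.trim().toLowerCase() !== "false";
}

function isProduction(env) {
  return (env.NODE_ENV || "").trim().toLowerCase() === "production";
}

// Pure check: takes an environment object so it can be tested without touching process.env.
function checkBootConfig(env) {
  if (isProduction(env) && isDemoMode(env)) {
    const seen = env.DEMO_MODE === undefined
      ? "unset (defaults to true)"
      : JSON.stringify(env.DEMO_MODE);
    return {
      ok: false,
      message: "FATAL: NODE_ENV=production but DEMO_MODE is " + seen +
        ". Set DEMO_MODE=false before starting the server.",
    };
  }
  return { ok: true, message: null };
}

// Side-effecting wrapper: log the reason and exit(1) before the server starts listening.
function guardBoot(env, exit, log) {
  const result = checkBootConfig(env);
  if (!result.ok) {
    log(result.message);
    exit(1);
  }
  return result;
}

// Constructed environments covering the cases the commit message lists, plus the unset case.
const cases = [
  { NODE_ENV: "production", DEMO_MODE: "true" },
  { NODE_ENV: "production" },
  { NODE_ENV: "production", DEMO_MODE: "false" },
  { NODE_ENV: "development", DEMO_MODE: "true" },
];
for (const env of cases) console.log(JSON.stringify(env), "->", checkBootConfig(env).ok);
// In a server entry point: guardBoot(process.env, process.exit, console.error);
```

The second case is the one a literal `DEMO_MODE === "true"` comparison would miss: a production deployment that never sets the variable still runs with the default.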
First tests in the repo. Exercises the full sign-then-verify path with
the real jose crypto (mocking the signing layer is explicitly forbidden
in CONTRIBUTING.md), using a temp keys directory seeded via the
file-based keyManager.

Coverage:
- issue: shape of the emitted VC (id, issuer DID, type, proof)
- verify: an untouched credential round-trips to valid=true
- tamper: mutating credentialSubject.work.title flips to valid=false
- forge: a syntactically-valid but forged JWS flips to valid=false
- malformed: input without proof.jws is rejected with a specific error
- human token: 1-hour EdDSA JWT with the expected sub/iss/kid and exp-iat

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

The one-liner 'Status: Proof of concept' was easy to skim past. This
replaces it with a GitHub-flavored WARNING callout that enumerates the
specific production gaps (real IdP, KMS, JCS canonicalization,
revocation) and notes the regulatory surface that Apache-2.0's warranty
disclaimer does not address.

Intent: a deployer who reads the README and chooses to ship anyway
cannot claim ignorance about what's missing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Ahead of renaming the GitHub repo from 'human-poc' to 'realh' (dropping
the POC suffix since the code, README, and package name are all already
'RealH'), this updates every reference:

- README and CONTRIBUTING quickstart clone URLs (previously `<your-org>/realh.git` placeholders)
- SECURITY.md Private Vulnerability Reporting URL
- CODE_OF_CONDUCT.md PVR URL
- .github/ISSUE_TEMPLATE/config.yml Security Advisories + Discussions links

GitHub will keep a redirect from the old repo name, but baking the new
URL into the docs avoids future cleanup.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

@ElMatiOfficial ElMatiOfficial merged commit 21e186c into main Apr 23, 2026
5 of 6 checks passed
@ElMatiOfficial ElMatiOfficial deleted the chore/pre-public-readiness branch April 23, 2026 15:53