Feature/security-system

.env

@@ -3,14 +3,38 @@ NODE_ENV=development
 PORT=3000
 
 # Database Configuration (Supabase PostgreSQL)
-DATABASE_URL=postgresql://postgres:your-password@db.your-project-ref.supabase.co:5432/postgres
+# DATABASE_URL=postgresql://username:password@host:port/database
+# Set your DATABASE_URL in a local, untracked .env file (e.g., .env.local)
 
-# Session Configuration
-SESSION_SECRET=dev-secret-key-change-in-production
+# Telegram Configuration (REQUIRED)
+TELEGRAM_BOT_TOKEN=your-telegram-bot-token-here
+# Set your admin Telegram ID in a local, untracked .env file (e.g., .env.local)
+ADMIN_TELEGRAM_ID=your-admin-telegram-id-here
+TELEGRAM_WEBHOOK_URL=your-telegram-webhook-url-here
+
+# Development Settings (Optional)
+SKIP_TELEGRAM_VALIDATION=false
+SKIP_RATE_LIMITING=false
+
+# Session Configuration (REQUIRED)
+# Generate with: node -e "console.log(require('crypto').randomBytes(64).toString('hex'))"
+# WARNING: Do NOT commit your real session secret to version control!
+SESSION_SECRET=your-session-secret-here
 
 # Frontend Configuration (VITE_ prefix required for client access)
 VITE_API_URL=http://localhost:3000/api
 VITE_WS_URL=ws://localhost:8080
 VITE_APP_NAME=WZ Tournament Platform
 VITE_APP_VERSION=1.0.0
-VITE_TELEGRAM_BOT_NAME=wz_tournament_bot
+VITE_TELEGRAM_BOT_NAME=wz_tournament_bot
+
+# Security Settings
+CORS_ORIGIN=http://localhost:5173
+BCRYPT_ROUNDS=12
+
+# Logging
+LOG_LEVEL=info
+LOG_FILE=./logs/app.log
+
+# Database Settings
+ENABLE_QUERY_LOGGING=false

.github/workflows/ci-cd.yml

@@ -15,14 +15,18 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Clean node_modules and lockfile
+        run: |
+          rm -rf node_modules package-lock.json
+
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
           node-version: '20'
           cache: 'npm'
 
       - name: Install dependencies
-        run: npm ci
+        run: npm install
 
       - name: Run ESLint
         run: npm run lint
@@ -42,14 +46,18 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Clean node_modules and lockfile
+        run: |
+          rm -rf node_modules package-lock.json
+
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
           node-version: '20'
           cache: 'npm'
 
       - name: Install dependencies
-        run: npm ci
+        run: npm install
 
       - name: Run unit tests
         run: npm run test
@@ -71,14 +79,18 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Clean node_modules and lockfile
+        run: |
+          rm -rf node_modules package-lock.json
+
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
           node-version: '20'
           cache: 'npm'
 
       - name: Install dependencies
-        run: npm ci
+        run: npm install
 
       - name: Build application
         run: npm run build
@@ -98,14 +110,18 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Clean node_modules and lockfile
+        run: |
+          rm -rf node_modules package-lock.json
+
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
           node-version: '20'
           cache: 'npm'
 
       - name: Install dependencies
-        run: npm ci
+        run: npm install
 
       - run: node -e "console.log(require('esbuild').version)"
 
@@ -119,7 +135,7 @@ jobs:
 
     environment:
       name: staging
-      url: https://staging.yourdomain.com
+      url: https://wz-tournament-staging.replit.app
 
     steps:
       - name: Checkout code
@@ -131,11 +147,29 @@ jobs:
           name: build-files
           path: dist/
 
+      - name: Clean node_modules and lockfile
+        run: |
+          rm -rf node_modules package-lock.json
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm install
+
       - name: Deploy to staging
+        env:
+          REPLIT_TOKEN: ${{ secrets.REPLIT_TOKEN }}
+          REPLIT_STAGING_URL: ${{ secrets.REPLIT_STAGING_URL }}
         run: |
           echo "Deploying to staging environment..."
-          # Add your deployment commands here
-          # Example: rsync, docker deploy, cloud provider CLI, etc.
+          curl -X POST "$REPLIT_STAGING_URL/api/deploy" \
+            -H "Authorization: Bearer $REPLIT_TOKEN" \
+            -H "Content-Type: application/json" \
+            -d '{"branch": "develop"}'
 
   deploy-production:
     name: Deploy to Production
@@ -145,7 +179,7 @@ jobs:
 
     environment:
       name: production
-      url: https://yourdomain.com
+      url: https://wz-tournament.replit.app
 
     steps:
       - name: Checkout code
@@ -157,16 +191,40 @@ jobs:
           name: build-files
           path: dist/
 
+      - name: Clean node_modules and lockfile
+        run: |
+          rm -rf node_modules package-lock.json
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm install
+
       - name: Deploy to production
+        env:
+          REPLIT_TOKEN: ${{ secrets.REPLIT_TOKEN }}
+          REPLIT_PRODUCTION_URL: ${{ secrets.REPLIT_PRODUCTION_URL }}
         run: |
           echo "Deploying to production environment..."
-          # Add your production deployment commands here
+          curl -X POST "$REPLIT_PRODUCTION_URL/api/deploy" \
+            -H "Authorization: Bearer $REPLIT_TOKEN" \
+            -H "Content-Type: application/json" \
+            -d '{"branch": "main"}'
 
       - name: Notify deployment
         if: success()
+        env:
+          TELEGRAM_BOT_TOKEN: ${{ secrets.TELEGRAM_BOT_TOKEN }}
+          TELEGRAM_CHAT_ID: ${{ secrets.TELEGRAM_CHAT_ID }}
         run: |
           echo "Production deployment successful!"
-          # Add notification logic (Slack, Discord, email, etc.)
+          curl -s -X POST "https://api.telegram.org/bot$TELEGRAM_BOT_TOKEN/sendMessage" \
+            -d chat_id="$TELEGRAM_CHAT_ID" \
+            -d text="🚀 Production deployment successful! WZ Tournament Platform is now live."
 
   database-migration:
     name: Database Migration
@@ -177,14 +235,18 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Clean node_modules and lockfile
+        run: |
+          rm -rf node_modules package-lock.json
+
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
           node-version: '20'
           cache: 'npm'
 
       - name: Install dependencies
-        run: npm ci
+        run: npm install
 
       - name: Run database migrations
         env:

.gitignore

@@ -3,4 +3,14 @@ dist
 .DS_Store
 server/public
 vite.config.ts.*
-*.tar.gz
+*.tar.gz
+
+# Environment files
+.env
+.env.local
+.env.production
+.env.staging
+
+# Logs
+logs/
+*.log

DEPLOYMENT.md

@@ -0,0 +1,89 @@
+# Deployment Guide
+
+## GitHub Secrets Configuration
+
+To enable CI/CD deployment, you need to configure the following secrets in your GitHub repository:
+
+### Required Secrets
+
+1. **DATABASE_URL** - PostgreSQL database connection string
+
+   ```
+   postgresql://username:password@host:port/database
+   ```
+
+2. **REPLIT_TOKEN** - Your Replit API token
+   - Get it from: https://replit.com/account
+   - Account → API Token
+
+3. **REPLIT_STAGING_URL** - URL of your Replit staging app
+
+   ```
+   https://wz-tournament-staging.replit.app
+   ```
+
+4. **REPLIT_PRODUCTION_URL** - URL of your Replit production app
+
+   ```
+   https://wz-tournament.replit.app
+   ```
+
+5. **TELEGRAM_BOT_TOKEN** - Bot token for deployment notifications
+   - Create bot via @BotFather on Telegram
+
+6. **TELEGRAM_CHAT_ID** - Chat ID for deployment notifications
+   - Get your chat ID from @userinfobot
+
+### How to Add Secrets
+
+1. Go to your GitHub repository
+2. Navigate to Settings → Secrets and variables → Actions
+3. Click "New repository secret"
+4. Add each secret with the exact name and value
+
+### Replit Setup
+
+1. Create two Replit projects:
+   - `wz-tournament-staging` (for develop branch)
+   - `wz-tournament` (for main branch)
+
+2. Connect your GitHub repository to both Replit projects:
+   - Go to your Replit project
+   - Click "Connect to GitHub"
+   - Select your repository
+
+3. Set environment variables in Replit:
+   - Go to your Replit project
+   - Click on "Secrets" tab
+   - Add the following secrets:
+     ```
+     NODE_ENV=production
+     DATABASE_URL=your-database-url
+     SESSION_SECRET=your-secret-key
+     TELEGRAM_BOT_TOKEN=your-bot-token
+     ADMIN_TELEGRAM_ID=your-telegram-id
+     TELEGRAM_WEBHOOK_URL=your-webhook-url
+     ```
+
+4. Configure auto-deployment:
+   - In Replit project settings
+   - Enable "Auto-deploy from GitHub"
+   - Set branch to `develop` for staging, `main` for production
+
+### Deployment Flow
+
+- **Staging**: Automatic deployment when pushing to `develop` branch
+- **Production**: Automatic deployment when pushing to `main` branch
+- **Database migrations**: Automatic on production deployments
+
+### Manual Deployment
+
+```bash
+# Deploy to staging
+git push origin develop
+
+# Deploy to production
+git checkout main
+git merge develop
+git push origin main
+```

audit-ci.json

@@ -2,8 +2,8 @@
   "moderate": true,
   "high": true,
   "critical": true,
-  "allowlist": [],
-  "skip-dev": false,
+  "allowlist": ["GHSA-67mh-4wv8-2f99"],
   "report-type": "summary",
-  "output-format": "text"
+  "output-format": "text",
+  "skip-dev": false
 }