You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
37 lines
1.3 KiB
37 lines
1.3 KiB
--- |
|
description: Aturan keamanan wajib — credential, SSH, secret management |
|
globs: ["**/*"] |
|
alwaysApply: true |
|
--- |
|
|
|
# Security Rules |
|
|
|
## Larangan Mutlak |
|
|
|
- ❌ JANGAN commit file `.env` ke repository |
|
- ❌ JANGAN commit password, API key, token, atau private key |
|
- ❌ JANGAN tampilkan nilai secret di output, log, atau response API |
|
- ❌ JANGAN hardcode credential di code PHP atau PowerShell |
|
- ❌ JANGAN overwrite `.env` di server saat deploy — `.env` berisi credentials production |
|
|
|
## Lokasi Secret yang Benar |
|
|
|
| Secret | Lokasi | |
|
|--------|--------| |
|
| App credentials | `/opt/stacks/geonet-console/.env` di server 10.100.1.24 | |
|
| LDAP bind password | `.env` server (tidak di repo) | |
|
| QNAP OSS secret key | `.env` server (tidak di repo) | |
|
| SSH private key | `~/.ssh/` di laptop developer | |
|
| MikroTik RSA key | `~/.ssh/id_rsa_mikrotik` | |
|
|
|
## SSH Rules |
|
|
|
- SSH commands ke server **wajib minta persetujuan user** sebelum dijalankan |
|
- Jangan auto-run SSH command yang bersifat destructive |
|
- SSH key: `id_ed25519` untuk server Linux, `id_rsa_mikrotik` untuk MikroTik |
|
|
|
## Untuk AI Agent |
|
|
|
- Jika diminta buat credential baru → catat lokasi penyimpanan di `docs/environment.md` (bukan nilainya) |
|
- Jika ditemukan token di code → laporkan ke user, jangan commit |
|
- Jika perlu generate APP_KEY → instruksikan user run `php artisan key:generate` di server
|
|
|