fix(security): 🛡️ harden management endpoints and fix secret scanner

[yacosta738]

This PR addresses two security-related issues:

1. Actuator Endpoint Exposure: The /management/info and /management/prometheus endpoints were previously configured with permitAll(), exposing internal metrics and build information to unauthorized users. These have been restricted to the ADMIN role.
2. Broken Secret Scanner: The scripts/check-secrets.sh script was failing to install gitleaks due to an incorrect architecture mapping and a missing checksum file. This has been fixed to ensure secret scanning is functional in the CI/CD pipeline.

All changes are well within the 50-line limit for Sentinel tasks. Verification was performed using make _verify-backend-check and make _verify-secrets.

---

PR created automatically by Jules for task 16328807985855626231 started by @yacosta738

[cloudflare-workers-and-pages]

Deploying cvix with    Cloudflare Pages

Latest commit:	b4978a9
Status:	✅  Deploy successful!
Preview URL:	https://be8283a1.cvix.pages.dev
Branch Preview URL:	https://fix-security-hardening-actua.cvix.pages.dev

View logs

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

• Security

  • Management endpoints now require authentication. Previously public endpoints (info and prometheus) are now restricted to improve security posture.

• Chores

  • Enhanced installation script with improved architecture compatibility and setup procedures.

Walkthrough

Gitleaks installation script enhanced with improved architecture mapping, checksum file handling, and directory initialization. Management endpoints (actuator/info, management/info, management/prometheus) restricted from public access, requiring authentication.

Changes

Cohort / File(s)	Summary
Gitleaks Installation Script scripts/check-secrets.sh	Updated architecture mapping (x86_64→x64), introduced CHECKSUMS_FILE variable for checksum verification, added INSTALL_DIR creation and executable permissions, appended success messaging.
Security Access Control server/modules/identity/.../SecurityConfiguration.kt	Removed public permitAll access from three management endpoints: actuator/info, management/info, and management/prometheus. All now require authentication.

Estimated Code Review Effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested Labels

security, backend

Poem

🔐 Gitleaks marches forth with corrected strides,
Secrets guarded, checksums verified with pride,
Management doors now locked behind auth's gate,
Tighter security—a fortress never too late! ✨

🚥 Pre-merge checks | ✅ 5 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Test Coverage	⚠️ Warning	Pull request introduced security-critical endpoint access control changes without integration tests verifying authorization rules and access restrictions.	Add integration tests to SecurityConfigurationIT.kt using WebTestClient to verify /management/info, /management/prometheus, and /actuator/** endpoint access control for authenticated and unauthenticated users.

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The pull request title follows Conventional Commits format with 'fix(security):' prefix and includes an emoji, clearly summarizing both security fixes in the changeset.
Description check	✅ Passed	The description is directly related to the changeset, clearly explaining both the actuator endpoint hardening and the gitleaks script fixes with context and verification details.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Clean Architecture Compliance	✅ Passed	Pull request maintains Clean Architecture principles with domain layer free of framework dependencies, application layer implementing CQRS pattern with proper handler dependencies, and infrastructure components correctly implementing domain interfaces.
Security Review	✅ Passed	SecurityConfiguration.kt properly restricts management endpoints to ADMIN role and enforces authentication; check-secrets.sh implements secure checksum verification with no hardcoded secrets.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/security-hardening-actuator-and-secret-scanner-16328807985855626231

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

✅ Contributor Report

User: @yacosta738
Status: Passed (12/13 metrics passed)

Metric	Description	Value	Threshold	Status
PR Merge Rate	PRs merged vs closed	89%	>= 30%	✅
Repo Quality	Repos with ≥100 stars	0	>= 0	✅
Positive Reactions	Positive reactions received	9	>= 1	✅
Negative Reactions	Negative reactions received	0	<= 5	✅
Account Age	GitHub account age	3029 days	>= 30 days	✅
Activity Consistency	Regular activity over time	108%	>= 0%	✅
Issue Engagement	Issues with community engagement	0	>= 0	✅
Code Reviews	Code reviews given to others	347	>= 0	✅
Merger Diversity	Unique maintainers who merged PRs	3	>= 0	✅
Repo History Merge Rate	Merge rate in this repo	0.9161676646706587	>= 0	✅
Repo History Min PRs	Previous PRs in this repo	175	>= 0	✅
Profile Completeness	Profile richness (bio, followers)	90	>= 0	✅
Suspicious Patterns	Spam-like activity detection	1	N/A	❌

---

_{Contributor Report evaluates based on public GitHub activity. Analysis period: 2025-02-12 to 2026-02-12}

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

scripts/check-secrets.sh (1)

29-39: 🛠️ Refactor suggestion | 🟠 Major

Downloaded artifacts are never cleaned up after installation.

The tarball, checksums file, and .sha256 file remain in the current working directory after installation completes. In CI pipelines this leaves unnecessary artifacts; in local runs it pollutes whatever directory the script is invoked from. Use a temporary directory and clean up on exit.

♻️ Proposed fix: use a temp directory with trap-based cleanup

+WORK_DIR="$(mktemp -d)"
+trap 'rm -rf "$WORK_DIR"' EXIT
+
 if ! command -v gitleaks >/dev/null 2>&1; then
   echo -e "${YELLOW}🔍 gitleaks not found, installing to $INSTALL_DIR...${RESET}"
-  curl -sSL -O "$TARBALL_URL"
-  curl -sSL -O "$CHECKSUMS_URL"
-  grep "$TARBALL" "$CHECKSUMS_FILE" > "${TARBALL}.sha256"
-  sha256sum -c "${TARBALL}.sha256"
-  tar -xzf "$TARBALL" gitleaks
+  curl -sSL -o "$WORK_DIR/$TARBALL" "$TARBALL_URL"
+  curl -sSL -o "$WORK_DIR/$CHECKSUMS_FILE" "$CHECKSUMS_URL"
+  grep -F "$TARBALL" "$WORK_DIR/$CHECKSUMS_FILE" > "$WORK_DIR/${TARBALL}.sha256"
+  ( cd "$WORK_DIR" && sha256sum -c "${TARBALL}.sha256" )
+  tar -xzf "$WORK_DIR/$TARBALL" -C "$WORK_DIR" gitleaks
+  mv "$WORK_DIR/gitleaks" "$INSTALL_DIR/"
-  mv gitleaks "$INSTALL_DIR/"
   chmod +x "$INSTALL_DIR/gitleaks"
   export PATH="$INSTALL_DIR:$PATH"
   echo -e "${GREEN}✅ gitleaks installed successfully!${RESET}"

Note the addition of -F to grep — the tarball filename contains dots which are regex wildcards. Using fixed-string matching is more precise.

🤖 Fix all issues with AI agents

In `@scripts/check-secrets.sh`:
- Line 33: The grep invocation that extracts the checksum uses pattern matching
and should use fixed-string mode to avoid interpreting dots or other
metacharacters in $TARBALL as regex; update the command that runs grep
"$TARBALL" "$CHECKSUMS_FILE" > "${TARBALL}.sha256" to use fixed-string matching
(e.g., add -F or --fixed-strings) so the tarball name is matched literally
against $CHECKSUMS_FILE.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Use grep -F for fixed-string matching.

The tarball name contains literal dots (e.g., gitleaks_8.30.0_linux_x64.tar.gz). Without -F, grep interprets those as regex wildcards matching any character. While unlikely to cause a false match in this checksums file, it's a correctness gap that's trivially fixed.

🐛 Proposed fix

-  grep "$TARBALL" "$CHECKSUMS_FILE" > "${TARBALL}.sha256"
+  grep -F "$TARBALL" "$CHECKSUMS_FILE" > "${TARBALL}.sha256"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	grep "$TARBALL" "$CHECKSUMS_FILE" > "${TARBALL}.sha256"
	grep -F "$TARBALL" "$CHECKSUMS_FILE" > "${TARBALL}.sha256"

🤖 Prompt for AI Agents

In `@scripts/check-secrets.sh` at line 33, The grep invocation that extracts the
checksum uses pattern matching and should use fixed-string mode to avoid
interpreting dots or other metacharacters in $TARBALL as regex; update the
command that runs grep "$TARBALL" "$CHECKSUMS_FILE" > "${TARBALL}.sha256" to use
fixed-string matching (e.g., add -F or --fixed-strings) so the tarball name is
matched literally against $CHECKSUMS_FILE.

[github-actions]

Test Results

109 files  ±0  109 suites  ±0   1m 19s ⏱️ -8s
560 tests ±0  560 ✅ ±0  0 💤 ±0  0 ❌ ±0 
564 runs  ±0  564 ✅ ±0  0 💤 ±0  0 ❌ ±0 

Results for commit b4978a9. ± Comparison against base commit 8a16b3f.