This document outlines the security measures implemented to ensure safe sharing on GitHub.

The following files/directories contain sensitive data and are excluded from version control:

• ✅ .env
• ✅ .env.local
• ✅ .env.development.local
• ✅ .env.test.local
• ✅ .env.production.local

• ✅ cdk.out/ - Contains CloudFormation templates with AWS account IDs
• ✅ cdk-outputs.json - Contains sensitive resource IDs:
  • User Pool IDs
  • Identity Pool IDs
  • API Gateway URLs
  • S3 Bucket Names
  • AWS Account Numbers

• ✅ node_modules/
• ✅ dist/
• ✅ .next/
• ✅ Lambda build artifacts (lambda/*/dist/, lambda/*/node_modules/)

All source code uses environment variables instead of hardcoded values:

Frontend (frontend/src/config/aws-config.ts):

userPoolId: process.env.NEXT_PUBLIC_USER_POOL_ID || ''

Lambda Functions:

const DATA_TABLE_NAME = process.env.DATA_TABLE_NAME!
const DATA_BUCKET_NAME = process.env.DATA_BUCKET_NAME!

• ✅ CDK stack definitions (infra/lib/cortex-ai.ts)
• ✅ Lambda function source code
• ✅ Deployment scripts
• ✅ All TypeScript/JavaScript source files

1. Delete or ensure .gitignore excludes:

   rm -rf infra/cdk.out/
   rm -f infra/cdk-outputs.json
   rm -f frontend/.env.local
   rm -f query.js  # Temporary test file

2. Verify .gitignore is working:

   git status
   # Should NOT show any files from cdk.out/ or .env files

• AWS Account ID: 467793901514
• User Pool ID: us-east-1_Hl3Erc3Ls
• Identity Pool ID: us-east-1:32f28230-b710-4360-bed8-f9888a04de81
• API Gateway URL: https://uvcyk2ruih.execute-api.us-east-1.amazonaws.com/dev/
• User Pool Client ID: 4c1e85lccai5is4uo7umu4n90c

Status: ✅ All protected by .gitignore

Users cloning your repository will need to:

1. Deploy Infrastructure:

   cd infra
   npm install
   npm run deploy

2. Generate Frontend Config:

   npm run postdeploy

   This creates frontend/.env.local with the correct values.

3. Start Frontend:

   cd ../frontend
   npm install
   npm run dev

Before pushing to GitHub:

• Run git status to verify no .env* files are staged
• Verify cdk-outputs.json is not staged
• Verify cdk.out/ is not staged
• Check that .gitignore includes all sensitive patterns
• Ensure frontend/.env.local exists locally but is gitignored
• Review diff for any accidentally hardcoded credentials

Run these commands before committing:

# Check for accidentally staged sensitive files
git status | grep -E "(\.env|cdk-outputs|cdk\.out)"

# Search for potential hardcoded secrets in staged files
git diff --staged | grep -iE "(password|secret|api_key|token)" 

# Verify .gitignore is working
git check-ignore frontend/.env.local  # Should return the path
git check-ignore infra/cdk-outputs.json  # Should return the path

1. Add GitHub Secret Scanning: Enable secret scanning in repository settings
2. Branch Protection: Require PR reviews before merging to main
3. Pre-commit Hooks: Consider using tools like git-secrets or detect-secrets
4. Documentation: Keep this SECURITY.md file updated

If sensitive data is accidentally committed:

1. Immediately rotate credentials:

   • Delete and recreate Cognito User Pools
   • Rotate API keys
   • Update S3 bucket policies

2. Remove from Git history:

   git filter-branch --force --index-filter \
     "git rm --cached --ignore-unmatch path/to/sensitive/file" \
     --prune-empty --tag-name-filter cat -- --all

3. Force push (only if repository is private or just created):

   git push origin --force --all

For security concerns, please open a GitHub issue or contact the maintainer.

Last Updated: $(date) Reviewed By: Security Audit Script Status: ✅ Ready for GitHub