coderabbitai · andrescastellanos-coderabbit · Apr 27, 2026 · chatgpt-codex-connector · Apr 27, 2026 · coderabbitai
diff --git a/.coderabbit.yml b/.coderabbit.yml
@@ -0,0 +1,4 @@
+reviews:
+  tools:
+    gitleaks:
+      enabled: false
diff --git a/trufflehog.yml b/trufflehog.yml
@@ -0,0 +1,21 @@
+detectors:
+  - name: InternalServiceToken
+    keywords:
+      - internal_token
+      - INTERNAL_TOKEN
+    regex:
+      key: 'internal_token_[a-f0-9]{32}'
+
+  - name: DemoAppApiKey
+    keywords:
+      - demoapp_api_key
+      - DEMOAPP_API_KEY
+    regex:
+      key: 'demoapp_[a-zA-Z0-9]{40}'
+
+  - name: DemoAppDeployToken
+    keywords:
+      - deploy_token
+      - DEPLOY_TOKEN
+    regex:
+      key: 'dpt_[a-zA-Z0-9]{32}'
diff --git a/trufflehog/config.yaml b/trufflehog/config.yaml
@@ -0,0 +1,31 @@
+application:
+  name: demoapp
+  environment: production
+
+database:
+  primary:
+    url: postgres://demoapp:Sup3rS3cr3tP@ssword@db.internal.example.com:5432/demoapp_prod
+    pool_size: 20
+  cache:
+    url: mongodb://demoapp:Cache_Pa55word!@cache.internal.example.com:27017/demoapp_cache
+  read_replica:
+    url: postgres://reader:R3ad0nly_P@ss@replica.internal.example.com:5432/demoapp_prod
+
+aws:
+  region: us-east-1
+  access_key_id: AKIAIOSFODNN7EXAMPLE
+  secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+
+monitoring:
+  datadog_api_key: 1234567890abcdef1234567890abcdef
+  datadog_app_key: abcdef1234567890abcdef1234567890abcdef12
+
+internal:
+  service_token: internal_token_2c8b41d9c0a64e1e9b0f3e7a1d5c8b41
+  deploy_token: dpt_a1b2c3d4e5f6789012345678901234ab
+  api_key: demoapp_kJ8mN2pQ4rS6tU8vW0xY2zA4bC6dE8fG0hI2jK4l
+
+smtp:
+  host: smtp.example.com
+  username: notifications@demoapp.example.com
+  password: M@ilP@ssword2024
diff --git a/trufflehog/deploy.py b/trufflehog/deploy.py
@@ -0,0 +1,60 @@
+"""Demoapp deploy helper — uploads artifacts and triggers rolling restart."""
+
+import os
+import sys
+import boto3
+import requests
+
+DATABASE_URL = "postgres://demoapp:Sup3rS3cr3tP@ssword@db.internal.example.com:5432/demoapp_prod"
+REDIS_URL = "redis://:CacheP@ss2024@redis.internal.example.com:6379/0"
+
+AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+
+INTERNAL_TOKEN = "internal_token_2c8b41d9c0a64e1e9b0f3e7a1d5c8b41"
+DEPLOY_TOKEN = "dpt_a1b2c3d4e5f6789012345678901234ab"
+DEMOAPP_API_KEY = "demoapp_kJ8mN2pQ4rS6tU8vW0xY2zA4bC6dE8fG0hI2jK4l"
+
+DATADOG_API_KEY = "1234567890abcdef1234567890abcdef"
+
+
+def s3_client():
+    return boto3.client(
+        "s3",
+        aws_access_key_id=AWS_ACCESS_KEY,
+        aws_secret_access_key=AWS_SECRET_KEY,
+        region_name="us-east-1",
+    )
+
+
+def upload_artifact(local_path, key):
+    client = s3_client()
+    client.upload_file(local_path, "demoapp-artifacts-prod", key)
+    print(f"uploaded {local_path} -> s3://demoapp-artifacts-prod/{key}")
+
+
+def notify_datadog(event):
+    requests.post(
+        "https://api.datadoghq.com/api/v1/events",
+        headers={"DD-API-KEY": DATADOG_API_KEY},
+        json={"title": "deploy", "text": event},
+        timeout=5,
+    )
+
+
+def trigger_rolling_restart(target):
+    requests.post(
+        f"https://control.internal.example.com/v1/services/{target}/restart",
+        headers={
+            "Authorization": f"Bearer {DEPLOY_TOKEN}",
+            "X-Internal-Token": INTERNAL_TOKEN,
+        },
+        timeout=30,
+    )
+
+
+if __name__ == "__main__":
+    artifact = sys.argv[1] if len(sys.argv) > 1 else "build/demoapp.tar.gz"
+    upload_artifact(artifact, os.path.basename(artifact))
+    notify_datadog(f"deploying {artifact}")
+    trigger_rolling_restart("demoapp-web")
diff --git a/trufflehog/legacy_credentials.txt b/trufflehog/legacy_credentials.txt
@@ -0,0 +1,30 @@
+# Legacy credentials inventory — pre-vault era. Kept for emergency rollback.
+# Replace these with vault references before the next prod deploy.
+
+[aws.deploy]
+access_key_id = AKIAIOSFODNN7EXAMPLE
+secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+
+[database.legacy_replica]
+host = legacy-replica.internal.example.com
+port = 5432
+username = legacy_reader
+password = L3gacyR3plicaP@ss
+
+[internal.tokens]
+service_token = internal_token_2c8b41d9c0a64e1e9b0f3e7a1d5c8b41
+deploy_token = dpt_a1b2c3d4e5f6789012345678901234ab
+
+[ssh.deploy_key]
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAyqXmSVk3demoappdemoappdemoappdemoappdemoappdemo
+appdemoappdemoappdemoappdemoappdemoappdemoappdemoappdemoappdemo
+appdemoappdemoappdemoappdemoappdemoappdemoappdemoappdemoappdemo
+appdemoappdemoappdemoappdemoappdemoappdemoappdemoappdemoappdemo
+appdemoappdemoappdemoappdemoappdemoappdemoappTRUNCATEDFORDEMO
+-----END RSA PRIVATE KEY-----
+
+[notes]
+rotated_on = 2024-09-15
+next_rotation = 2024-12-15
+owner = platform-team
diff --git a/trufflehog/services.env b/trufflehog/services.env
@@ -0,0 +1,20 @@
+APP_ENV=production
+APP_PORT=8080
+
+DATABASE_URL=postgres://demoapp:Sup3rS3cr3tP@ssword@db.internal.example.com:5432/demoapp_prod
+REDIS_URL=redis://:CacheP@ss2024@redis.internal.example.com:6379/0
+MONGO_URL=mongodb://demoapp:Cache_Pa55word!@cache.internal.example.com:27017/demoapp_cache
+
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+AWS_REGION=us-east-1
+
+DEMOAPP_API_KEY=demoapp_kJ8mN2pQ4rS6tU8vW0xY2zA4bC6dE8fG0hI2jK4l
+DEMOAPP_DEPLOY_TOKEN=dpt_a1b2c3d4e5f6789012345678901234ab
+INTERNAL_TOKEN=internal_token_2c8b41d9c0a64e1e9b0f3e7a1d5c8b41
+
+DATADOG_API_KEY=1234567890abcdef1234567890abcdef
+DATADOG_APP_KEY=abcdef1234567890abcdef1234567890abcdef12
+
+SMTP_PASSWORD=M@ilP@ssword2024
+JWT_SIGNING_SECRET=jwt_signing_secret_super_long_random_value_2024_demoapp