
Security: Prevent Fork-Based npm Publishes and Add CODEOWNERS#16

Merged
JeremyDev87 merged 2 commits into master from security/15 on Dec 17, 2025

Conversation

@JeremyDev87

Owner

Security: Prevent Fork-Based npm Publishes and Add CODEOWNERS

📋 Summary

Implements security measures to prevent unauthorized npm package publishing from forks and external contributors. Adds repository checks to canary/dev workflows and comprehensive CODEOWNERS rules for critical security-sensitive paths.

Closes #15

🎯 Problem

Security Risk

As an open source project, Codingbuddy was vulnerable to unauthorized npm package publishing:

  1. Fork-Based Attacks: External contributors could fork the repository, modify workflows, and trigger npm publishes from their forks
  2. No Code Review Requirements: Critical files (workflows, source code, AI rules) could be modified without owner review
  3. Automatic Publishing: dev and canary workflows published to npm without repository ownership verification

Threat Scenarios

  • Malicious code injection via PR → automatic npm publish
  • Workflow manipulation to exfiltrate secrets
  • Supply chain attacks through compromised dependencies

✨ Solution

1. Repository Ownership Checks

Added if conditions to canary and dev workflows to only allow publishing from the main repository:

jobs:
  publish-canary:
    if: github.repository == 'JeremyDev87/codingbuddy'
    # ... rest of job

  publish-dev:
    if: github.repository == 'JeremyDev87/codingbuddy'
    # ... rest of job

Impact: Prevents forks and external repositories from triggering npm publishes.

2. CODEOWNERS Configuration

Created comprehensive .github/CODEOWNERS file with detailed rules:

  • Default owner: @JeremyDev87 for all files
  • Critical paths requiring review:
    • .github/ - GitHub workflows (security-sensitive)
    • mcp-server/ - MCP Server source code
    • .ai-rules/ - AI rules (included in npm package)
    • scripts/ - Build/deployment scripts
    • package.json files - Package configuration

Impact: Ensures all critical changes require code owner approval before merge.

3. Workflow Naming Updates

Updated workflow names for consistency:

  • codebuddy-canary → codingbuddy-canary
  • codebuddy-dev → codingbuddy-dev
  • codebuddy-release → codingbuddy-release

📊 Files Changed

  • Modified Files (4):
    • .github/CODEOWNERS (+22 lines, -1 line)
    • .github/workflows/canary.yml (+2, -2)
    • .github/workflows/dev.yml (+2, -2)
    • .github/workflows/release.yml (+1, -1)

Total: 4 files changed, +28 insertions, -6 deletions

✅ Benefits

Security Improvements

| Risk | Before | After |
|---|---|---|
| Malicious code merge | High | Low (requires owner review) |
| Unauthorized npm publish | High | Low (restricted to owner branches) |
| Workflow manipulation | Medium | Low (CODEOWNERS protection) |

Key Protections

  1. Fork Protection: Prevents npm publishes from forked repositories
  2. Code Review: Requires owner approval for critical file changes
  3. Audit Trail: CODEOWNERS provides clear ownership and review requirements
  4. Defense in Depth: Multiple layers of security (workflow checks + CODEOWNERS)

🧪 Testing

  • Workflow syntax validated
  • CODEOWNERS syntax validated
  • Repository condition logic verified
  • Test: Fork push should NOT trigger npm publish (manual test)
  • Test: Main repo push should trigger npm publish (manual test)
  • Test: CODEOWNERS review requirement works (requires GitHub settings)

Issues

close #15
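A small checker, added here as an example and not part of this PR or the Codingbuddy project, that scans a workflow file for jobs running `npm publish` without the job-level `github.repository == 'JeremyDev87/codingbuddy'` guard this PR adds to the canary/dev workflows. The two sample workflows are constructed for the example, and the YAML splitting is a minimal indentation-based one rather than a full parser.

```python
import re

EXPECTED_REPO = "JeremyDev87/codingbuddy"  # repository the PR's workflows are restricted to
GUARD_RE = re.compile(r"^\s*if:.*github\.repository\s*==\s*['\"]" + re.escape(EXPECTED_REPO) + r"['\"]")
PUBLISH_RE = re.compile(r"\bnpm\s+publish\b")

def split_jobs(workflow_text):
    """Map job name -> its lines. Minimal splitter: 2-space indent, no YAML anchors."""
    jobs = {}
    in_jobs, current = False, None
    for line in workflow_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blanks and comments such as "# ... rest of job"
        indent = len(line) - len(line.lstrip())
        if indent == 0:  # a new top-level key: on:, jobs:, ...
            in_jobs, current = line.startswith("jobs:"), None
        elif in_jobs and indent == 2 and line.rstrip().endswith(":"):
            current = line.strip()[:-1]  # job name
            jobs[current] = []
        elif in_jobs and current is not None:
            jobs[current].append(line)
    return jobs

def unguarded_publish_jobs(workflow_text):
    """Jobs that run `npm publish` without a job-level (indent 4) repository guard.
    A step-level `if:` on some other step would not stop the publish step."""
    findings = []
    for name, lines in split_jobs(workflow_text).items():
        publishes = any(PUBLISH_RE.search(l) for l in lines)
        guarded = any(GUARD_RE.match(l) and len(l) - len(l.lstrip()) == 4 for l in lines)
        if publishes and not guarded:
            findings.append(name)
    return findings

# Constructed sample workflows (not the project's real files).
GUARDED_WORKFLOW = """\
on: [push]
jobs:
  publish-canary:
    if: github.repository == 'JeremyDev87/codingbuddy'
    steps:
      - run: npm publish --tag canary
"""
UNGUARDED_WORKFLOW = """\
on: [push]
jobs:
  build:
    steps:
      - run: npm test
  publish-dev:
    steps:
      - run: npm publish --tag dev
"""
```

Running `unguarded_publish_jobs` over each workflow in `.github/workflows/` from a pre-merge check flags any publish job that lost its guard.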

@JeremyDev87 JeremyDev87 self-assigned this Dec 17, 2025
- Add repository checks to canary/dev workflows
- Add detailed CODEOWNERS rules for security-critical paths
- Update workflow names: codebuddy-* → codingbuddy-*

Prevents unauthorized package publishes from forks.

close #15
- Update package names, CLI binary, and environment variables
- Update all documentation references
- Breaking: CLI command and env var changed
@JeremyDev87 JeremyDev87 marked this pull request as ready for review December 17, 2025 10:24
@JeremyDev87 JeremyDev87 merged commit de283fa into master Dec 17, 2025
2 checks passed
@JeremyDev87 JeremyDev87 deleted the security/15 branch December 21, 2025 15:31


Development

Successfully merging this pull request may close these issues.

Secure npm Publishing Workflow for Open Source Project
