security: remove hardcoded VPS SSH credentials from committed files #3

Draft
Copilot wants to merge 46 commits into main from copilot/check-recent-project-changes

Copilot AI commented Feb 24, 2026

SSH password was hardcoded in plain text across four committed files (.github/copilot-instructions.md, SKILLS.md, deploy.sh). This replaces it with an environment-variable-based pattern and gitignores the intended local credentials file.

Changes

  • .gitignore — adds .copilot-credentials.md to prevent the local credentials file from ever being committed
  • .github/copilot-instructions.md — replaces hardcoded SSH command with a reference to .copilot-credentials.md in both the Infrastructure section and Critical Rules #10
  • deploy.sh — loads VPS_SSH_PASS from .env or the shell environment; uses SSHPASS env var + sshpass -e to avoid password exposure in process listings (ps aux); fails fast with a clear error if unset
  • SKILLS.md — updates SSH deployment examples to match the new pattern
  • .env.example — documents the VPS_SSH_PASS variable

```bash
# Before — password visible in process list
sshpass -p '#Crowlr@2023' ssh $SSH_OPTS "$SERVER" "..."

# After — password passed via env var, never in argv
export SSHPASS="$VPS_SSH_PASS"
sshpass -e ssh $SSH_OPTS "$SERVER" "..."
```

⚠️ The password existed in git history prior to this PR. Rotating the VPS SSH password is recommended to fully close the exposure.

Original prompt

continue

[Chronological Review: The conversation began with the user requesting a check on recent changes made to their projects, specifically regarding the creation of a credentials file and updates to documentation. The user then inquired about the usefulness of the Context Engine and MCP server, followed by questions about the options available when selecting CLOUD. The user expressed a desire to commit changes and delegate tasks to a cloud agent, and finally asked if the agent was actively working.]

[Intent Mapping:

  1. "check what was done and apply to your projects!" - User wants to verify recent changes and ensure they are applied.
  2. "does the Context engine or the MCP server is getting useful?" - User seeks feedback on the utility of their systems.
  3. "when I set CLOUD I only see Agent, Ask or plan, no more llm choice like 4.6!" - User is confused about the options available in the CLOUD setting.
  4. "Commit Changes and Delegate: 'Delegate to cloud agent'" - User wants to commit changes and delegate tasks.
  5. "are you working?" - User is checking on the agent's activity status.]

[Technical Inventory:

  • Tools/Commands: git commands for checking the status and ignoring files, cloud agent functionalities.
  • Files: .copilot-credentials.md, copilot-instructions.md, CLAUDE.md, README.md.
  • Concepts: Git version control, cloud agent delegation, context engine functionality.]

[Code Archaeology:

  • .copilot-credentials.md: Created to store sensitive information securely.
  • copilot-instructions.md: Updated to reference the new credentials file.
  • CLAUDE.md: Updated to include references to the credentials file.
  • README.md: Current file being edited by the user.]

[Progress Assessment:

  • Completed: Creation of .copilot-credentials.md and updates to copilot-instructions.md and CLAUDE.md.
  • Pending: User's inquiry about the cloud agent's functionality and the delegation of tasks.]

[Context Validation: All critical information regarding recent changes, user inquiries, and the current state of the project is captured.]

[Recent Commands Analysis:

  • Last Agent Commands: "Commit Changes and Delegate: 'Delegate to cloud agent'" - User requested to commit changes and delegate tasks.
  • Tool Results Summary: No specific results were returned from the last command as it was a user request.
  • Pre-Summary State: The agent was actively engaged in processing the user's request to commit changes and delegate tasks when the token budget was exceeded.
  • Operation Context: The user is focused on ensuring that recent changes are committed and tasks are delegated to a cloud agent for further processing.]
  1. Conversation Overview:
  • Primary Objectives:
    • "check what was done and apply to your projects!" - Verify recent changes.
    • "does the Context engine or the MCP server is getting useful?" - Assess the utility of systems.
    • "when I set CLOUD I only see Agent, Ask or plan, no more llm choice like 4.6!" - Clarify options in CLOUD settings.
    • "Commit Changes and Delegate: 'Delegate to cloud agent'" - Commit changes and delegate tasks.
    • "are you working?" - Check on agent's activity.
  • Session Context: The conversation flowed from checking recent project updates to inquiries about system functionality and committing changes.
  • User Intent Evolution: The user transitioned from verifying changes to seeking clarity on system options and delegating tasks.
  2. Technical Foundation:
  • Git: Version control system used for managing project files.
  • Cloud Agent: Functionality for delegating tasks to a cloud-based system.
  • Context Engine: A system the user is evaluating for its usefulness.
  3. Codebase Status:
  • .copilot-credentials.md:
    • Purpose: Store sensitive information securely.
    • Current State: Newly created.
    • Key Code Segments: Contains SSH passwords, MySQL root password, and deployment commands.
    • Dependencies: Related to copilot-instructions.md for referencing credentials.
  • copilot-instructions.md:
    • Purpose: Document architecture and rules.
    • Current State: Updated to reference .copilot-credentials.md.
    • Key Code Segments: Lines updated to indicate where credentials are stored.
  • CLAUDE.md:
    • Purpose: Quick reference to credentials.
    • Current State: Updated to include references to .copilot-credentials.md.
  4. Problem Resolution:
  • Issues Encountered: User confusion regarding the options available in the CLOUD setting.
  • Solutions Implemented: Updates made to documentation to clarify usage.
  • Debugging Context: Ongoing inquiries about system functionality.
  • Lessons Learned: Importance of clear documentation for user guidance.
  5. Progress Tracking:
  • Completed Tasks: Creation of .copilot-credentials.md and updates to related documentation.
  • Partially Complete Work: User's inquiry about cloud agent functionality and task delegation.
  • Validated Outcomes: Changes confirmed as committed and documented.
  6. Active Work State:
  • Current Focus: User was wo...

Created from VS Code.
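
The deploy.sh pattern described in the PR summary above (take VPS_SSH_PASS from the shell environment or .env, fail fast if it is unset, hand it to sshpass through SSHPASS), written out as an added example; it is not the project's deploy.sh and not part of the original comment. The function names, the choice to let the shell environment override .env, and parsing .env as data instead of sourcing it are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the project's deploy.sh. VPS_SSH_PASS, SSHPASS, SSH_OPTS
# and `sshpass -e` come from the PR text; the function names are hypothetical.

# Read one KEY=value entry from a dotenv file without `source`-ing it,
# so the file is treated as data and cannot run commands during a deploy.
read_env_value() {
  local key="$1" file="$2" line value=""
  [ -r "$file" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "$key="*) value=${line#*=} ;;   # last assignment wins; "# KEY=..." never matches
    esac
  done < "$file"
  # Strip one pair of surrounding quotes, if present.
  case "$value" in
    \"*\") value=${value#\"}; value=${value%\"} ;;
    \'*\') value=${value#\'}; value=${value%\'} ;;
  esac
  [ -n "$value" ] || return 1
  printf '%s' "$value"
}

# Assumed precedence: the shell environment wins over .env.
# Fails fast with a clear error when neither source provides a value.
resolve_vps_ssh_pass() {
  local file="${1:-.env}"
  if [ -n "${VPS_SSH_PASS:-}" ]; then
    printf '%s' "$VPS_SSH_PASS"
  elif ! read_env_value VPS_SSH_PASS "$file"; then
    echo "ERROR: VPS_SSH_PASS is not set (export it or add it to $file)" >&2
    return 1
  fi
}

# Run a remote command with the password in the child's environment only.
# argv stays "sshpass -e ssh ...", so `ps aux` never shows the secret, and
# the prefix assignment keeps SSHPASS out of the rest of the script.
remote() {
  local server="$1" pass
  shift
  pass="$(resolve_vps_ssh_pass)" || return 1
  SSHPASS="$pass" sshpass -e ssh ${SSH_OPTS:-} "$server" "$@"
}
```
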



…d 88->96 A+

- copilot-instructions: added Infrastructure section with full VPS layout, SSL cert,
  nginx proxy, sshpass SSH, gen-delta env var, deployment log, updated stats
  (25 vitest tests, ESLint flat config)
- SCORE.md: 96/100 A+ — ESLint +5, vitest +8, CI lint+test +2, VPS live
…P not connected

- save-learning: full arg parsing (-c category, -p project, --context), category validation
- delete-learning: by ID
- Solves the 'learnings silently skipped' problem when MCP server is unavailable
- Rule 11 updated: agents must use CLI fallback, never skip
- 6 session learnings saved via new CLI (sshpass, C++17 pinning, gen-delta env, heredoc, nginx, CLI pattern)
- 25/25 tests pass, clean build
…loyment

Published to npm: @compr/contextengine-mcp@1.15.0

Changes since v1.14.1:
- feat: CLI save-learning + delete-learning (terminal fallback when MCP unavailable)
- quality: ESLint typescript-eslint flat config (0 errors)
- quality: 25 vitest tests (search 11, activation 8, learnings 6)
- security: rate-limit, CORS whitelist, graceful shutdown, Helmet
- fix: gen-delta reads CONTEXTENGINE_DIST env var for VPS paths
- fix: npm audit — 0 vulnerabilities
- docs: copilot-instructions updated with VPS deployment details
- infra: CI lint+build+test pipeline (Node 18/20/22)
- Score: 96/100 A+
- .env.example: Documents all 6 env vars (client + server)
- .cursorrules: Multi-agent context (build/run, architecture, rules)
- deploy.sh: Full deploy script (npm publish + VPS server)
- SCORE.md: Updated to reflect 89% A grade
- Doc score: 30/30 (was 24/30)
- Infra score: 22/30 (was 18/30)
- server/src/stripe.ts: Checkout session creation, webhook handler, license provisioning, email delivery
- server/src/server.ts: Stripe webhook (raw body, before express.json), checkout endpoint, health shows stripeEnabled
- server/package.json: Added stripe@14, nodemailer@6 deps
- .env.example: Added STRIPE_*, SMTP_* env vars documentation

Webhook handles: checkout.session.completed (auto-seed license + email key),
customer.subscription.deleted (deactivate license), invoice.payment_failed (log warning).
Extends existing license if same email+plan, creates new otherwise.
Stripe mapping table tracks subscription→license relationship.

Plans: pro (/mo), team (/mo), enterprise (/mo) + annual variants.
Email: HTML template via Gandi SMTP (mail.gandi.net:465).
Graceful degradation: server works without STRIPE_SECRET_KEY (payment endpoints disabled).
Previously 'contextengine score' only printed to stdout — agents would see
the score but no file was committed. Now writes SCORE.md to each scored
project root by default. Use --no-save to skip.

Added generateProjectScoreMD() in agents.ts with category summary, detailed
check breakdown, and improvements section.
…ion inject, enforcement nudge

- 5 new CLI commands: save-session, load-session, list-sessions, end-session, import-learnings
- Non-interactive mode: --yes/-y flag + TTY detection for agent/CI automation
- Auto-session inject: loads most recent session (<72h) into search chunks on MCP startup
- Enforcement nudge: reminds agents to save session every 15 tool calls
- Nudge added to search_context + list_sources responses
- Fixed stale version string (v1.10.0 → v1.16.0) in list_sources
- Bumped package.json 1.15.1 → 1.16.0
- Build: 0 errors, Tests: 25/25 passed
- Docker scoring: check file content quality, not just existence
  - Stub Dockerfiles (<3 lines) get 1pt instead of 5
  - Empty docker-compose (no image:/build:) gets minimal credit
  - Vercel/Netlify/Render/Fly projects get full infra points
  - Prevents agents from creating dummy files to game the score
- Enforcement v2: escalating urgency + git status checks
  - 15 calls: gentle reminder nudge
  - 30 calls: 🚨 URGENT escalation
  - Every 2 min: checks git status across workspace, warns about uncommitted
  - Git check is time-cached to avoid hammering
- README: honest messaging about agent limitations
  - 'Not perfect but solves pain points and saves time'
  - 'Guardrails while we wait for agents to become smarter'
- Build: 0 errors, Tests: 25/25 passed
…atus bar

- @ContextEngine chat participant with /status, /commit, /search, /remind
- GitMonitor: periodic git status scanning across workspace folders
- StatusBar: persistent indicator (clean/warning/critical) with action tooltips
- Notifications: escalating warnings when uncommitted files exceed threshold
- Commands: commitAll, showStatus, endSession, search knowledge base
- ContextEngineClient: CLI delegation for search, sessions, end-session
- Direct git ops: scanGitStatus, gitCommitAll, gitPush to all remotes
- Compiles cleanly on TypeScript 5.4, targets VS Code ^1.93.0
- Also: published @compr/contextengine-mcp v1.16.0 to npm
- Azure DevOps org: FASTPROD → CSS
- Publisher: fastprod → css-llc
- Icon: brain + shield + gear + reminder bell (SVG + 256x256 PNG)
- Description rewritten: durable memory & enforcement, not just knowledge base
- Extension ID: css-llc.contextengine
…oring checklist

- New infoPanel.ts: InfoStatusBarController (ℹ️ icon, priority 49)
- WebView panel shows: live project status, 7-item monitoring checklist (FREE/PRO badges), end-of-session protocol, architecture explanation
- Wired into extension.ts: showInfo command, gitMonitor.onSnapshot → updateInfoPanel
- Published to VS Code Marketplace as css-llc.contextengine v0.2.0
- 14 files, 43.45 KB package
… VSCODE_EXTENSION_STEPS as complete

- copilot-instructions.md: version 1.15→1.16, added VS Code Extension section (architecture, features, publishing workflow)
- VSCODE_EXTENSION_STEPS.md: marked all steps ✅ PUBLISHED, updated with actual org name css-llc and gotchas
…LLS.md extension section

- copilot-instructions.md: CLI 10→15 subcommands, stats 8500→9400 LOC, 189→219 learnings, added VS Code Extension marketplace line
- SKILLS.md: added VS Code Extension section (marketplace publishing, VS Code API, git monitoring, info panel, chat participant, Azure DevOps)
- Session 18: 6 learnings saved, session context persisted
…flow

- LICENSE: AGPL-3.0 → BSL-1.1 (non-compete, converts to AGPL 2030)
- README: added VS Code Extension section, PRO features table, pricing CTA
- package.json: version 1.17.0, exclude test files from npm package
- CHANGELOG.md: full version history for npm and extension
- server: /contextengine/pricing route + static pricing page (dark theme, 3-tier)
- extension v0.3.0: PRO badges clickable → pricing, CTA box in info panel
- copilot-instructions: updated to v1.17.0 stats
- npm published v1.17.0, marketplace published v0.3.0
- VPS deployed: pricing page live at api.compr.ch/contextengine/pricing
- pricing.html: billing toggle (monthly/annual), checkout() JS POSTs to
  /contextengine/create-checkout-session and redirects to Stripe checkout URL
- success.html: post-checkout landing page with activation instructions
- server.ts: added /contextengine/success route
- VPS: ecosystem.config.cjs with STRIPE_SECRET_KEY (test key), stripeEnabled:true
- copilot-instructions.md: ecosystem.config.cjs, pricing JS, success page, file transfer workaround
- .gitignore: exclude *.vsix binaries
- CHANGELOG.md: updated with Stripe wiring details

Products/prices/webhook deferred to STRIPE-BACKEND project.
- listLearnings() and learningsToChunks() now accept projects[] param
- MCP: activeProjectNames populated from loadProjectDirs() during reindex
- CLI: cliListLearnings() and initEngine() scope by active project
- end-session: enhanced with learnings stats, doc freshness, sessions info
- 245 total -> ~234 visible per workspace (other project learnings hidden)
…pre-commit hook

- Pre-commit hook: warns about stale CE docs when code files staged (never blocks)
- /sync chat command: checks doc freshness per project (copilot-instructions, SKILLS, SCORE)
- contextengine.sync VS Code command: Output channel report with Open Chat action
- Doc staleness notifications: fires warning when code committed but CE docs not updated
- GitSnapshot extended with ceDocStatus[] for per-project doc tracking
- Philosophy: event-driven (hooks + scan triggers), not memory-driven
…l watcher, /sync, doc staleness, pre-commit hook)
FASTPROD and others added 15 commits February 23, 2026 12:02
…r.ch

- Post-commit hook now backgrounds pushes (no more terminal tool timeouts)
- PRO badges in info panel link to https://api.compr.ch/contextengine/pricing
…compliance

NEW: src/firewall.ts — ProtocolFirewall class
- Tracks 4 obligations: learnings saved, session saved, git status, doc freshness
- Wraps EVERY tool response (not just 2/17 like old nudge system)
- Escalation: silent → footer → header → DEGRADED (output truncation)
- At 40+ calls with score ≥50%: tool output truncated to 500 chars
- Exempt tools (save_learning, save_session, end_session) pass through
- Git/doc checks cached (60s/120s) to avoid hammering on every call

REPLACED: old maybeNudge system (toolCallCount, sessionSaved, checkGitStatus)
- Was only on search_context + list_sources (2 of 17 tools)
- Had zero consequences — informational text that agents ignored
- New firewall covers ALL 17 tools via respond() helper

This is the first MCP server that enforces agent behavior through
progressive response degradation.
…ure Helmet

- Moved inline <script> from pricing.html → pricing.js (external file)
- Added express.static route: /contextengine/static/ → public/
- Configured Helmet CSP: script-src 'self', style-src 'unsafe-inline',
  connect-src for Stripe checkout, frame-src for Stripe
- Removed inline onclick handlers, replaced with addEventListener
- Added Protocol Firewall to feature comparison table
- Deployed to VPS: server.js + pricing.html + pricing.js
- PM2 restarted, health OK, JS served at 200
- Protocol Firewall: progressive response degradation for agent compliance
- README: added firewall feature (IP-safe), 17 tools with Tier column, PRO URL fix
- Pricing page: updated hero text and Pro card for firewall messaging
- list_sources version string updated to v1.19.0
- copilot-instructions: firewall section, CSP fix docs, critical rule 9
- SKILLS.md: Protocol Firewall section, trade secret constraint
- .github/SKILLS.md: updated to v1.19.0, firewall + extension v0.4.1
…-tech explanation

- Removed git-centric hero (VS Code Source Control already does this)
- Protocol Firewall is now the centerpiece with plain-English explanation
- 'Speed camera for your AI agent' analogy for non-tech users
- Escalation flow visualization: Silent → Footer → Header → Truncated
- Git status demoted to compact one-liner with 'See Source Control' hint
- End-of-session protocol simplified to 4 steps, notes firewall enforces it
- Updated description and version in package.json
- Published to VS Code Marketplace
…ession

- autoImportFromSources() scans all discovered markdown docs and extracts rules
- Called during reindex() (MCP startup + file changes) and CLI end-session
- Dedup built-in — safe to call repeatedly, no duplicate learnings created
- Bumped to v1.19.1, published to npm
- Explicit table of what stays local vs what the server receives
- Clear statement: server NEVER receives project data, code, learnings
- Comparison to competitors (Copilot/Cursor send code, CE doesn't)
- Extension README links to full privacy details
12 files updated: package.json, extension, CLI, score reports,
server pages, skill metadata. Zero GitHub references remain.

Co-Authored-By: Claude <noreply@anthropic.com>
- Add .copilot-credentials.md to .gitignore (local credentials file never committed)
- Replace hardcoded SSH password in .github/copilot-instructions.md with reference to local credentials file
- Update deploy.sh to use VPS_SSH_PASS env var (loaded from .env or env), SSHPASS env var + sshpass -e to avoid exposing password in process listings
- Update SKILLS.md SSH examples to use SSHPASS env var pattern
- Add VPS_SSH_PASS to .env.example with documentation

Co-authored-by: FASTPROD <8733681+FASTPROD@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Review recent changes to projects and documentation" to "security: remove hardcoded VPS SSH credentials from committed files" Feb 24, 2026
Copilot AI requested a review from FASTPROD February 24, 2026 12:27
FASTPROD force-pushed the main branch 2 times, most recently from fd34794 to 263746f February 28, 2026 13:54