Add manufacturability checking system with Docker integration

.env.example

@@ -71,3 +71,10 @@ DJANGO_ACCOUNT_ALLOW_REGISTRATION=True
 # ------------------------------------------------------------------------------
 # Uses PostgreSQL as broker by default (via DATABASE_URL)
 # Override if needed: CELERY_BROKER_URL=db+postgresql://user:password@localhost:5432/wafer_space
+
+# Manufacturability Checking
+# ------------------------------------------------------------------------------
+PRECHECK_DOCKER_IMAGE=ghcr.io/wafer-space/gf180mcu-precheck:latest
+PRECHECK_CONCURRENT_LIMIT=4
+PRECHECK_PER_USER_LIMIT=1
+PRECHECK_TIMEOUT_SECONDS=10800

.github/workflows/ci.yml

@@ -21,6 +21,19 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
+  gitleaks:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code Repository
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0  # Fetch all history for gitleaks to scan
+
+      - name: Run Gitleaks
+        uses: gacts/gitleaks@v1
+        # gacts/gitleaks is MIT licensed and requires no license key
+        # Alternative to proprietary gitleaks/gitleaks-action@v2
+
   linter:
     runs-on: ubuntu-latest
     steps:

.gitleaks.toml

@@ -0,0 +1,147 @@
+# Gitleaks configuration for wafer.space platform
+# Documentation: https://github.com/gitleaks/gitleaks/tree/master
+
+title = "Gitleaks configuration for wafer.space"
+
+# Allowlisting specific paths that should never be scanned
+[allowlist]
+description = "Allowlisted files and patterns"
+paths = [
+    '''\.env\.example$''',              # Template files are safe
+    '''\.env\.production\.template$''', # Production template is safe
+    '''\.env$''',                        # Local development .env file
+    '''docs/''',                         # Documentation files
+    '''\.venv/''',                       # Virtual environment
+    '''\.worktrees/''',                  # Git worktrees
+    '''node_modules/''',                 # Node modules
+    '''staticfiles/''',                  # Collected static files
+    '''__pycache__/''',                  # Python cache files
+    '''\.claude/agents/''',             # Claude agent documentation
+    '''config/settings/base\.py$''',    # Base settings with env() calls and doc URLs
+    '''config/settings/local\.py$''',   # Local development settings with dev defaults
+    '''config/settings/test\.py$''',    # Test settings with test defaults
+    '''\.github/workflows/ci\.yml$''',  # CI workflow has example connection strings
+    '''deployment/scripts/''',           # Deployment scripts that generate secrets (not contain them)
+    '''\.gitleaks\.toml$''',             # This config file contains example patterns
+    '''tests/''',                        # All test files (browser tests, unit tests with test fixtures)
+]
+
+# Common patterns for test files with fake credentials
+regexes = [
+    '''test_client_id''',
+    '''test_secret''',
+    '''testpass123''',
+    '''TEST_PASSWORD''',
+    '''fake_token''',
+    '''dummy_key''',
+    '''browser_test_''',
+    '''_REDACTED''',
+]
+
+# Custom rules for Django/OAuth specific secrets
+[[rules]]
+id = "django-secret-key"
+description = "Django SECRET_KEY in assignment"
+regex = '''(?i)SECRET_KEY\s*=\s*['"][^'"]{40,}['"]'''
+tags = ["django", "secret"]
+[rules.allowlist]
+regexes = [
+    '''env\(''',  # Allow env() calls - secrets loaded from environment
+    '''get_random_secret_key\(''',  # Allow Django's random secret key generator
+    '''startswith\(''',  # Allow string comparison checks (e.g., line.startswith('SECRET_KEY='))
+]
+
+[[rules]]
+id = "oauth-client-secret"
+description = "OAuth Client Secret in settings"
+regex = '''(?i)(client_secret|secret)\s*[:=]\s*['"][a-zA-Z0-9_\-]{20,}['"]'''
+tags = ["oauth", "secret"]
+[rules.allowlist]
+regexes = [
+    '''test_''',
+    '''fake_''',
+    '''dummy_''',
+    '''env\(''',  # Allow env() calls - secrets loaded from environment
+    '''browser_test_''',  # Browser test fixtures
+    '''REDACTED''',  # Placeholder values
+]
+
+[[rules]]
+id = "mailgun-api-key"
+description = "Mailgun API Key"
+regex = '''(?i)mailgun[_-]?api[_-]?key\s*[:=]\s*['"][a-z0-9]{32}['"]'''
+tags = ["mailgun", "api-key"]
+
+[[rules]]
+id = "database-password"
+description = "Database password in connection string"
+regex = '''postgres://[^:]+:([^@]{8,})@'''
+tags = ["database", "password"]
+[rules.allowlist]
+regexes = [
+    '''postgres://[^:]+:postgres@''',          # Allow literal 'postgres' password only
+    '''postgres:///''',                         # Allow no-password localhost connection
+    '''\$DB_PASSWORD''',                        # Allow shell variable substitution
+]
+
+[[rules]]
+id = "github-oauth-secret"
+description = "GitHub OAuth Client Secret"
+regex = '''(?i)github.*client[_-]?secret\s*[:=]\s*['"][a-f0-9]{40}['"]'''
+tags = ["github", "oauth"]
+
+[[rules]]
+id = "gitlab-oauth-secret"
+description = "GitLab OAuth Client Secret"
+regex = '''(?i)gitlab.*client[_-]?secret\s*[:=]\s*['"][a-f0-9]{64,}['"]'''
+tags = ["gitlab", "oauth"]
+
+[[rules]]
+id = "google-oauth-secret"
+description = "Google OAuth Client Secret"
+regex = '''(?i)google.*client[_-]?secret\s*[:=]\s*['"]GOCSPX-[a-zA-Z0-9_\-]{28}['"]'''
+tags = ["google", "oauth"]
+
+[[rules]]
+id = "discord-oauth-secret"
+description = "Discord OAuth Client Secret"
+regex = '''(?i)discord.*client[_-]?secret\s*[:=]\s*['"][a-zA-Z0-9_\-]{32}['"]'''
+tags = ["discord", "oauth"]
+
+[[rules]]
+id = "linkedin-oauth-secret"
+description = "LinkedIn OAuth Client Secret"
+regex = '''(?i)linkedin.*client[_-]?secret\s*[:=]\s*['"][a-zA-Z0-9]{16,}['"]'''
+tags = ["linkedin", "oauth"]
+
+[[rules]]
+id = "aws-access-key"
+description = "AWS Access Key ID"
+regex = '''(?i)aws[_-]?access[_-]?key[_-]?id\s*[:=]\s*['"]AKIA[0-9A-Z]{16}['"]'''
+tags = ["aws", "access-key"]
+
+[[rules]]
+id = "aws-secret-key"
+description = "AWS Secret Access Key"
+regex = '''(?i)aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*['"][a-zA-Z0-9/+=]{40}['"]'''
+tags = ["aws", "secret-key"]
+
+[[rules]]
+id = "private-key"
+description = "Private Key (RSA, SSH, etc.)"
+regex = '''-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----'''
+tags = ["private-key", "ssh"]
+
+[[rules]]
+id = "generic-api-key"
+description = "Generic API Key"
+regex = '''(?i)api[_-]?key\s*[:=]\s*['"][a-zA-Z0-9_\-]{20,}['"]'''
+tags = ["api-key"]
+[rules.allowlist]
+regexes = [
+    '''test_''',
+    '''fake_''',
+    '''dummy_''',
+    '''example''',
+    '''your-api-key-here''',
+]

Makefile

@@ -270,9 +270,20 @@ shell-plus: ## Open Django shell_plus (requires django-extensions)
 # ==================== Celery ====================
 
 .PHONY: celery
-celery: ## Start Celery worker
-	@echo "$(BLUE)Starting Celery worker...$(NC)"
-	@$(CELERY) -A config worker --loglevel=info
+celery: ## Start Celery worker (all queues: celery, manufacturability, referrals)
+	@echo "$(BLUE)Starting Celery worker (all queues)...$(NC)"
+	@$(CELERY) -A config worker -Q celery,manufacturability,referrals --loglevel=info --concurrency=1 --pool=solo
+
+.PHONY: celery-manufacturability
+celery-manufacturability: ## Start Celery worker for manufacturability queue only
+	@echo "$(BLUE)Starting Celery worker (manufacturability queue only)...$(NC)"
+	@echo "$(YELLOW)Note: This requires Docker access to run precheck containers$(NC)"
+	@$(CELERY) -A config worker -Q manufacturability --loglevel=info --concurrency=1 --pool=solo
+
+.PHONY: celery-referrals
+celery-referrals: ## Start Celery worker for referrals queue only
+	@echo "$(BLUE)Starting Celery worker (referrals queue only)...$(NC)"
+	@$(CELERY) -A config worker -Q referrals --loglevel=info --concurrency=1 --pool=solo
 
 .PHONY: celery-purge
 celery-purge: ## Purge all Celery tasks

config/settings/base.py

@@ -438,6 +438,16 @@
     },
 }
 
+# Precheck (Manufacturability Checking) configuration
+# See: Design document for manufacturability checking implementation
+PRECHECK_DOCKER_IMAGE = env(
+    "PRECHECK_DOCKER_IMAGE",
+    default="ghcr.io/wafer-space/gf180mcu-precheck:latest",
+)
+PRECHECK_CONCURRENT_LIMIT = env.int("PRECHECK_CONCURRENT_LIMIT", default=4)
+PRECHECK_PER_USER_LIMIT = env.int("PRECHECK_PER_USER_LIMIT", default=1)
+PRECHECK_TIMEOUT_SECONDS = env.int("PRECHECK_TIMEOUT_SECONDS", default=10800)  # 3 hours
+
 
 # Your stuff...
 # ------------------------------------------------------------------------------