From maintainx-pack
Secures MaintainX API integrations using env vars/dotenv, git hooks/gitleaks for secret detection, and Zod input validation.
npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin maintainx-packThis skill is limited to using the following tools:
Secure your MaintainX integration with proper credential management, input validation, audit logging, and key rotation procedures.
Provides production deployment checklist for MaintainX integrations verifying security, resilience, data integrity, observability, and performance.
Applies Instantly.ai security best practices for API keys: scoped least-privilege permissions, secret management, rotation, webhook validation, and workspace auditing.
Guides Next.js Cache Components and Partial Prerendering (PPR): 'use cache' directives, cacheLife(), cacheTag(), revalidateTag() for caching, invalidation, static/dynamic optimization. Auto-activates on cacheComponents: true.
Share bugs, ideas, or general feedback.
Secure your MaintainX integration with proper credential management, input validation, audit logging, and key rotation procedures.
Never hardcode API keys. Use environment variables or a secret manager.
# .env (never committed to git)
MAINTAINX_API_KEY=mx-prod-key-here
# .gitignore
.env
.env.*
*.key
// src/config.ts - load and validate credentials
import 'dotenv/config';
const REQUIRED_VARS = ['MAINTAINX_API_KEY'] as const;
export function validateEnv() {
const missing = REQUIRED_VARS.filter((v) => !process.env[v]);
if (missing.length > 0) {
throw new Error(`Missing required env vars: ${missing.join(', ')}`);
}
}
validateEnv();
export const API_KEY = process.env.MAINTAINX_API_KEY!;
# Install pre-commit hook
cat > .git/hooks/pre-commit << 'HOOK'
#!/bin/bash
# Block commits containing API keys
if git diff --cached --diff-filter=ACMR | grep -qiE '(MAINTAINX_API_KEY|Bearer mx-)'; then
echo "ERROR: Potential MaintainX API key detected in staged files."
echo "Remove secrets before committing."
exit 1
fi
HOOK
chmod +x .git/hooks/pre-commit
Or use gitleaks:
npx gitleaks detect --source . --no-git
Validate all user input before sending to the MaintainX API:
// src/validation.ts
import { z } from 'zod';
const WorkOrderInput = z.object({
title: z.string().min(1).max(500),
description: z.string().max(5000).optional(),
priority: z.enum(['NONE', 'LOW', 'MEDIUM', 'HIGH']).default('NONE'),
status: z.enum(['OPEN', 'IN_PROGRESS', 'ON_HOLD', 'COMPLETED', 'CLOSED']).default('OPEN'),
assignees: z.array(z.object({
type: z.enum(['USER', 'TEAM']),
id: z.number().positive(),
})).optional(),
assetId: z.number().positive().optional(),
locationId: z.number().positive().optional(),
dueDate: z.string().datetime().optional(),
});
export function validateWorkOrder(input: unknown) {
return WorkOrderInput.parse(input);
}
// Usage
try {
const validated = validateWorkOrder(userInput);
await client.createWorkOrder(validated);
} catch (err) {
if (err instanceof z.ZodError) {
console.error('Validation failed:', err.issues);
}
}
// src/audit-logger.ts
interface AuditEntry {
timestamp: string;
action: string;
resource: string;
resourceId?: number;
userId: string;
ip?: string;
result: 'success' | 'failure';
details?: string;
}
class AuditLogger {
private entries: AuditEntry[] = [];
log(entry: Omit<AuditEntry, 'timestamp'>) {
const full: AuditEntry = { ...entry, timestamp: new Date().toISOString() };
this.entries.push(full);
// Structured JSON for log aggregation (ELK, CloudWatch, etc.)
console.log(JSON.stringify({ type: 'audit', ...full }));
}
}
export const audit = new AuditLogger();
// Usage in API wrapper
async function createWorkOrderAudited(client: MaintainXClient, input: any, userId: string) {
try {
const wo = await client.createWorkOrder(input);
audit.log({
action: 'workorder.create',
resource: 'workorder',
resourceId: wo.id,
userId,
result: 'success',
});
return wo;
} catch (err: any) {
audit.log({
action: 'workorder.create',
resource: 'workorder',
userId,
result: 'failure',
details: err.message,
});
throw err;
}
}
// scripts/rotate-key.ts
// Run quarterly: npx tsx scripts/rotate-key.ts
async function rotateApiKey() {
console.log('=== MaintainX API Key Rotation ===');
console.log('1. Go to https://app.getmaintainx.com > Settings > Integrations');
console.log('2. Click "Generate New Key"');
console.log('3. Update the key in your secret manager / .env');
console.log('4. Verify with: curl -s -o /dev/null -w "%{http_code}" \\');
console.log(' https://api.getmaintainx.com/v1/users?limit=1 \\');
console.log(' -H "Authorization: Bearer NEW_KEY"');
console.log('5. Revoke the old key in MaintainX Settings');
console.log('6. Update CI/CD secrets (GitHub Actions, GCP Secret Manager)');
console.log('');
console.log('Rotation schedule: every 90 days');
console.log('Next rotation due:', new Date(Date.now() + 90 * 86400000).toISOString().split('T')[0]);
}
rotateApiKey();
.env with API key, protected by .gitignore| Issue | Cause | Solution |
|---|---|---|
| Key leaked to git | Committed .env or hardcoded key | Rotate immediately, add pre-commit hook |
| Validation errors | Invalid user input | Use Zod schema to validate before API calls |
| Audit gaps | Missing log entries | Wrap all API calls with audit logger |
| Stale key | Key not rotated in > 90 days | Follow rotation procedure in Step 5 |
For production deployment, see maintainx-prod-checklist.
Middleware for Express API that validates and audits:
function secureEndpoint(schema: z.ZodSchema) {
return async (req: express.Request, res: express.Response, next: express.NextFunction) => {
try {
req.body = schema.parse(req.body);
audit.log({
action: req.method + ' ' + req.path,
resource: req.path,
userId: req.headers['x-user-id'] as string,
result: 'success',
});
next();
} catch (err) {
res.status(400).json({ error: 'Validation failed', details: (err as z.ZodError).issues });
}
};
}