playbooks

home / skills / jeremylongshore / claude-code-plugins-plus-skills / maintainx-security-basics

maintainx-security-basics skill

/plugins/saas-packs/maintainx-pack/skills/maintainx-security-basics

This skill helps secure MaintainX integrations by enforcing credential management, access controls, and security best practices across environments.

npx playbooks add skill jeremylongshore/claude-code-plugins-plus-skills --skill maintainx-security-basics

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
10.3 KB
---
name: maintainx-security-basics
description: |
  Configure MaintainX API security, credential management, and access control.
  Use when securing API keys, implementing access controls,
  or hardening your MaintainX integration.
  Trigger with phrases like "maintainx security", "maintainx api key security",
  "secure maintainx", "maintainx credentials", "maintainx access control".
allowed-tools: Read, Write, Edit, Bash(npm:*)
version: 1.0.0
license: MIT
author: Jeremy Longshore <[email protected]>
---

# MaintainX Security Basics

## Overview

Secure your MaintainX integration with proper credential management, access controls, and security best practices.

## Prerequisites

- MaintainX account with admin access
- Understanding of environment variables
- Familiarity with secret management concepts

## Security Checklist

- [ ] API keys stored in environment variables or secret manager
- [ ] No credentials in version control
- [ ] HTTPS enforced for all API calls
- [ ] API key rotation schedule established
- [ ] Least privilege principle applied
- [ ] Audit logging enabled
- [ ] Input validation implemented

## Instructions

### Step 1: Secure Credential Storage

```typescript
// NEVER do this:
// const API_KEY = 'mx_live_abc123...';  // Hardcoded - BAD!

// ALWAYS do this:
// src/config/secure-config.ts

import { SecretManagerServiceClient } from '@google-cloud/secret-manager';

interface SecureConfig {
  maintainxApiKey: string;
  maintainxOrgId?: string;
}

// Option 1: Environment variables (development)
function loadFromEnv(): SecureConfig {
  const apiKey = process.env.MAINTAINX_API_KEY;

  if (!apiKey) {
    throw new Error(
      'MAINTAINX_API_KEY not set. ' +
      'Set it as an environment variable or use a secret manager.'
    );
  }

  return {
    maintainxApiKey: apiKey,
    maintainxOrgId: process.env.MAINTAINX_ORG_ID,
  };
}

// Option 2: Google Cloud Secret Manager (production)
async function loadFromSecretManager(): Promise<SecureConfig> {
  const client = new SecretManagerServiceClient();
  const projectId = process.env.GCP_PROJECT_ID;

  const [apiKeyVersion] = await client.accessSecretVersion({
    name: `projects/${projectId}/secrets/maintainx-api-key/versions/latest`,
  });

  const apiKey = apiKeyVersion.payload?.data?.toString();
  if (!apiKey) {
    throw new Error('Failed to load API key from Secret Manager');
  }

  return { maintainxApiKey: apiKey };
}

// Option 3: HashiCorp Vault
async function loadFromVault(): Promise<SecureConfig> {
  const vault = require('node-vault')({
    apiVersion: 'v1',
    endpoint: process.env.VAULT_ADDR,
    token: process.env.VAULT_TOKEN,
  });

  const secret = await vault.read('secret/data/maintainx');
  return {
    maintainxApiKey: secret.data.data.api_key,
  };
}

// Load config based on environment
export async function loadSecureConfig(): Promise<SecureConfig> {
  const env = process.env.NODE_ENV || 'development';

  switch (env) {
    case 'production':
      return loadFromSecretManager();
    case 'staging':
      return loadFromVault();
    default:
      return loadFromEnv();
  }
}
```

### Step 2: Git Security Configuration

```gitignore
# .gitignore - ALWAYS include these

# Environment files
.env
.env.*
!.env.example

# API keys and secrets
*.key
*.pem
secrets/
credentials/

# IDE and local config
.idea/
.vscode/settings.json

# Log files that might contain sensitive data
*.log
logs/
```

```bash
# .env.example - Safe to commit as template
# Copy to .env and fill in values

# MaintainX API Configuration
MAINTAINX_API_KEY=your-api-key-here
MAINTAINX_ORG_ID=optional-org-id

# For secret managers (production)
GCP_PROJECT_ID=your-gcp-project
VAULT_ADDR=https://vault.example.com
```

### Step 3: Pre-commit Hook for Secrets Detection

```bash
#!/bin/bash
# .git/hooks/pre-commit

# Check for potential secrets
PATTERNS=(
  'MAINTAINX_API_KEY\s*=\s*["\x27][a-zA-Z0-9_-]{20,}'
  'mx_live_[a-zA-Z0-9]+'
  'mx_test_[a-zA-Z0-9]+'
  'Bearer\s+[a-zA-Z0-9_-]{20,}'
)

for pattern in "${PATTERNS[@]}"; do
  if git diff --cached | grep -qE "$pattern"; then
    echo "ERROR: Potential secret detected in commit!"
    echo "Pattern: $pattern"
    echo ""
    echo "Remove the secret and use environment variables instead."
    exit 1
  fi
done

echo "Pre-commit security check passed."
```

```bash
# Install the hook
chmod +x .git/hooks/pre-commit
```

### Step 4: Input Validation

```typescript
// src/security/validation.ts
import { z } from 'zod';

// Define schemas for MaintainX data
const WorkOrderInputSchema = z.object({
  title: z.string()
    .min(1, 'Title is required')
    .max(200, 'Title too long')
    .regex(/^[^<>]*$/, 'Invalid characters in title'),  // Prevent XSS
  description: z.string()
    .max(10000, 'Description too long')
    .optional(),
  priority: z.enum(['NONE', 'LOW', 'MEDIUM', 'HIGH']).optional(),
  assetId: z.string()
    .regex(/^[a-zA-Z0-9_-]+$/, 'Invalid asset ID format')
    .optional(),
  locationId: z.string()
    .regex(/^[a-zA-Z0-9_-]+$/, 'Invalid location ID format')
    .optional(),
  dueDate: z.string()
    .datetime()
    .optional(),
});

type WorkOrderInput = z.infer<typeof WorkOrderInputSchema>;

// Validate before API calls
function validateWorkOrderInput(input: unknown): WorkOrderInput {
  return WorkOrderInputSchema.parse(input);
}

// Sanitize output for logging (remove sensitive data)
function sanitizeForLogging(data: any): any {
  const sensitiveFields = ['apiKey', 'token', 'password', 'secret'];
  const sanitized = { ...data };

  for (const field of sensitiveFields) {
    if (sanitized[field]) {
      sanitized[field] = '[REDACTED]';
    }
  }

  return sanitized;
}

// Usage in client
class SecureMaintainXClient {
  async createWorkOrder(input: unknown) {
    // Validate input
    const validatedInput = validateWorkOrderInput(input);

    // Log sanitized data
    console.log('Creating work order:', sanitizeForLogging(validatedInput));

    // Make API call with validated data
    return this.client.createWorkOrder(validatedInput);
  }
}
```

### Step 5: Audit Logging

```typescript
// src/security/audit.ts

interface AuditEntry {
  timestamp: string;
  action: string;
  resource: string;
  resourceId?: string;
  userId?: string;
  ipAddress?: string;
  success: boolean;
  errorMessage?: string;
  requestData?: any;
}

class AuditLogger {
  private logs: AuditEntry[] = [];

  log(entry: Omit<AuditEntry, 'timestamp'>) {
    const fullEntry: AuditEntry = {
      ...entry,
      timestamp: new Date().toISOString(),
      requestData: entry.requestData
        ? sanitizeForLogging(entry.requestData)
        : undefined,
    };

    this.logs.push(fullEntry);

    // In production, send to logging service
    console.log(`[AUDIT] ${fullEntry.action} on ${fullEntry.resource}: ${fullEntry.success ? 'SUCCESS' : 'FAILED'}`);
  }

  // Get audit trail for a resource
  getAuditTrail(resourceId: string): AuditEntry[] {
    return this.logs.filter(l => l.resourceId === resourceId);
  }
}

const auditLogger = new AuditLogger();

// Audit-enabled client wrapper
class AuditedMaintainXClient {
  private client: MaintainXClient;
  private audit: AuditLogger;
  private userId?: string;

  constructor(client: MaintainXClient, userId?: string) {
    this.client = client;
    this.audit = auditLogger;
    this.userId = userId;
  }

  async createWorkOrder(data: any) {
    try {
      const result = await this.client.createWorkOrder(data);

      this.audit.log({
        action: 'CREATE',
        resource: 'WorkOrder',
        resourceId: result.id,
        userId: this.userId,
        success: true,
        requestData: data,
      });

      return result;
    } catch (error: any) {
      this.audit.log({
        action: 'CREATE',
        resource: 'WorkOrder',
        userId: this.userId,
        success: false,
        errorMessage: error.message,
        requestData: data,
      });

      throw error;
    }
  }
}
```

### Step 6: API Key Rotation

```typescript
// scripts/rotate-api-key.ts

async function rotateApiKey() {
  console.log('=== MaintainX API Key Rotation ===\n');

  // Step 1: Generate new key in MaintainX dashboard
  console.log('1. Generate new API key:');
  console.log('   - Go to Settings > Integrations');
  console.log('   - Click "New Key" > "Generate Key"');
  console.log('   - Copy the new key\n');

  // Step 2: Update secret manager
  console.log('2. Update secret manager:');
  console.log('   - GCP: gcloud secrets versions add maintainx-api-key --data-file=newkey.txt');
  console.log('   - Vault: vault kv put secret/maintainx api_key=NEW_KEY\n');

  // Step 3: Deploy with new key
  console.log('3. Deploy application with new key');
  console.log('   - kubectl rollout restart deployment/your-app');
  console.log('   - Or trigger CI/CD pipeline\n');

  // Step 4: Verify new key works
  console.log('4. Verify new key:');
  console.log('   - Run health check script');
  console.log('   - Monitor for authentication errors\n');

  // Step 5: Revoke old key
  console.log('5. Revoke old key (after verification):');
  console.log('   - Go to Settings > Integrations');
  console.log('   - Find old key and click "Revoke"\n');

  // Schedule reminder
  console.log('6. Schedule next rotation (recommended: every 90 days)');
}

rotateApiKey();
```

### Step 7: Network Security

```typescript
// Enforce HTTPS and configure timeouts
import https from 'https';

const secureAxiosConfig = {
  baseURL: 'https://api.getmaintainx.com/v1',  // Always HTTPS
  timeout: 30000,  // 30 second timeout
  httpsAgent: new https.Agent({
    rejectUnauthorized: true,  // Verify SSL certificates
    minVersion: 'TLSv1.2',     // Minimum TLS version
  }),
  headers: {
    'Content-Type': 'application/json',
    'User-Agent': 'YourApp/1.0.0',  // Identify your application
  },
};
```

## Output

- Secure credential storage configured
- Git hooks preventing secret commits
- Input validation implemented
- Audit logging enabled
- Key rotation procedure documented

## Security Checklist Verification

```bash
# Run security checks
npm audit                          # Check for vulnerable dependencies
git secrets --scan                 # Scan for secrets (if git-secrets installed)
npx eslint --rule 'no-hardcoded-credentials: error' src/
```

## Resources

- [MaintainX Security](https://www.getmaintainx.com/security)
- [OWASP API Security](https://owasp.org/API-Security/)
- [Google Cloud Secret Manager](https://cloud.google.com/secret-manager)

## Next Steps

For production deployment, see `maintainx-prod-checklist`.

Overview

This skill helps you secure a MaintainX integration by configuring API key handling, access controls, and operational safeguards. It guides credential storage, commit-time secret detection, input validation, audit logging, and key rotation. Follow the steps to reduce risk of credential leakage and to enforce least-privilege access for MaintainX API usage.

How this skill works

The skill inspects integration touchpoints and applies defensive patterns: it recommends secret managers or environment variables for credential storage, pre-commit hooks to block accidental commits, and validation schemas to prevent injection and malformed data. It also outlines audit logging wrappers and an operational key rotation process, plus network-level settings like enforced HTTPS and TLS configuration. These controls are practical to implement in CI/CD, local development, and production environments.

When to use it

  • When integrating MaintainX into applications or automation pipelines and you need to protect API keys.
  • Before committing code or secrets to a repo to prevent accidental leaks.
  • When implementing role-based access or least-privilege rules for MaintainX API calls.
  • To harden production deployments with secret managers, audit trails, and network security.
  • When establishing an organizational policy for API key rotation and credential lifecycle.

Best practices

  • Never hardcode API keys in source. Use environment variables or a secret manager (GCP Secret Manager, Vault).
  • Add pre-commit hooks and gitignore rules to block and exclude secrets from version control.
  • Validate and sanitize all inputs to MaintainX APIs to prevent XSS, injection, and malformed data.
  • Implement audit logging for create/update/delete actions and store minimal, redacted request data.
  • Rotate keys on a regular schedule (recommendation: every 90 days) and verify before revoking old keys.

Example use cases

  • A CI/CD pipeline retrieving MaintainX API keys from Secret Manager at deploy time and restarting services.
  • A backend service validating work order payloads with Zod before calling the MaintainX API and logging redacted audit entries.
  • A development team adding a pre-commit hook to reject commits that include MaintainX key patterns.
  • An ops team enforcing HTTPS, TLS 1.2+, and client timeouts for all outbound MaintainX API requests.
  • A security process that documents step-by-step API key rotation and revocation after verification.

FAQ

How should I store MaintainX API keys in production?

Use a managed secret store (e.g., Google Secret Manager or HashiCorp Vault) and inject keys at runtime rather than embedding them in code or config files.

What if a key is accidentally committed?

Immediately revoke the compromised key in the MaintainX dashboard, rotate to a new key, and update secrets in your secret manager and deployments.