github · asrar-mared · Feb 14, 2026 · Feb 14, 2026 · Feb 14, 2026 · Feb 14, 2026
diff --git a/.anti_tamper.sh b/.anti_tamper.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+TAMPER_LOG=".tamper_log"
+CRITICAL_FILES=(
+    "scripts/core/setup_security_lab.sh"
+    "PROTECTION_LICENSE"
+    ".protection_key"
+    "decrypt_vault.sh"
+)
+
+# Function to check critical files
+check_critical_files() {
+    for file in "${CRITICAL_FILES[@]}"; do
+        if [[ ! -f "$file" ]]; then
+            echo "🚨 ملف حرج مفقود: $file" >> "$TAMPER_LOG"
+            echo "⚠️  تحذير: ملف حرج مفقود - $file"
+
+            # Send alert
+            echo "تم حذف ملف حرج من مشروع المارد الرقمي: $file" | \
+                mail -s "تنبيه أمني عاجل" security@digital-genie-project.com 2>/dev/null || true
+        fi
+    done
+}
+
+# Function to check unauthorized access
+check_unauthorized_access() {
+    local suspicious_patterns=(
+        "rm -rf"
+        "chmod 777"
+        "wget.*malware"
+        "curl.*backdoor"
+        "nc -l"
+    )
+
+    # Check command history for suspicious activity
+    if [[ -f ~/.bash_history ]]; then
+        for pattern in "${suspicious_patterns[@]}"; do
+            if grep -q "$pattern" ~/.bash_history 2>/dev/null; then
+                echo "🚨 نشاط مشبوه في التاريخ: $pattern" >> "$TAMPER_LOG"
+                echo "⚠️  تحذير: تم رصد نشاط مشبوه"
+            fi
+        done
+    fi
+}
+
+# Function to monitor system resources
+monitor_resources() {
+    local cpu_usage=$(top -bn1 | grep "Cpu(s)" | awk '{print $2}' | cut -d'%' -f1)
+    local memory_usage=$(free | grep Mem | awk '{printf "%.0f", $3/$2 * 100.0}')
+
+    # Alert if resources are unusually high
+    if (( $(echo "$cpu_usage > 80" | bc -l) )); then
+        echo "🚨 استخدام CPU مرتفع: $cpu_usage%" >> "$TAMPER_LOG"
+    fi
+
+    if (( memory_usage > 90 )); then
+        echo "🚨 استخدام الذاكرة مرتفع: $memory_usage%" >> "$TAMPER_LOG"
+    fi
+}
+
+# Main monitoring loop
+while true; do
+    check_critical_files
+    check_unauthorized_access
+    monitor_resources
+    sleep 300  # Check every 5 minutes
+done &
+
+echo $! > .anti_tamper_pid
+echo "✅ تم تفعيل نظام منع التلاعب"
diff --git a/.github/workflows/auto-remediation.yml b/.github/workflows/auto-remediation.yml
@@ -0,0 +1,266 @@
+name: 🛡️ Universal Security Remediation Engine
+
+on:
+  # تشغيل يومي
+  schedule:
+    - cron: '0 2 * * *'  # كل يوم الساعة 2 صباحاً UTC
+  # تشغيل يدوي من الـ Actions Tab
+  workflow_dispatch:
+  # تشغيل عند كل push إلى main
+  push:
+    branches:
+      - main
+      - develop
+    paths:
+      - 'package.json'
+      - 'requirements.txt'
+      - 'pom.xml'
+      - 'composer.json'
+      - 'Cargo.toml'
+
+jobs:
+  security-remediation:
+    runs-on: ubuntu-latest
+    name: 🛡️ Auto Security Fix
+    permissions:
+      contents: write
+      pull-requests: write
+      security-events: write
+    steps:
+      # ============================================================
+      # الخطوة 1: سحب الكود
+      # ============================================================
+      - name: 📥 Checkout Code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      # ============================================================
+      # الخطوة 2: إعداد البيئة
+      # ============================================================
+      - name: 🔧 Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18'
+      - name: 🔧 Setup Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.11'
+      - name: 🔧 Setup Java
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'adopt'
+          java-version: '17'
+      - name: 🔧 Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.2'
+      - name: 🔧 Setup Rust
+        uses: dtolnay/rust-toolchain@stable
+      # ============================================================
+      # الخطوة 3: تنفيذ المحركات
+      # ============================================================
+      - name: 📋 Clone Remediation Engine Repository
+        run: |
+          # يمكن استبدال هذا برابط المشروع الحقيقي
+          git clone https://github.com/yourusername/universal-security-remediation-engine.git engine || true
+          if [ ! -d "engine" ]; then
+            mkdir -p engine/engines
+            mkdir -p engine/reports
+            # نسخ المحركات من المشروع الحالي إذا كانت موجودة
+            cp -r engines/* engine/engines/ 2>/dev/null || true
+          fi
+      - name: 🛡️ Run NPM Remediation
+        if: hashFiles('package.json') != ''
+        continue-on-error: true
+        run: |
+          chmod +x engine/engines/*.sh
+          engine/engines/npm-engine.sh . || true
+      - name: 🛡️ Run PIP Remediation
+        if: hashFiles('requirements.txt') != ''
+        continue-on-error: true
+        run: |
+          chmod +x engine/engines/*.sh
+          engine/engines/pip-engine.sh . || true
+      - name: 🛡️ Run Maven Remediation
+        if: hashFiles('pom.xml') != ''
+        continue-on-error: true
+        run: |
+          chmod +x engine/engines/*.sh
+          engine/engines/maven-engine.sh . || true
+      - name: 🛡️ Run Composer Remediation
+        if: hashFiles('composer.json') != ''
+        continue-on-error: true
+        run: |
+          chmod +x engine/engines/*.sh
+          engine/engines/composer-engine.sh . || true
+      - name: 🛡️ Run Cargo Remediation
+        if: hashFiles('Cargo.toml') != ''
+        continue-on-error: true
+        run: |
+          chmod +x engine/engines/*.sh
+          engine/engines/cargo-engine.sh . || true
+      # ============================================================
+      # الخطوة 4: جمع التقارير
+      # ============================================================
+      - name: 📊 Collect Reports
+        if: always()
+        run: |
+          mkdir -p security-reports
+          cp -r engine/reports/* security-reports/ 2>/dev/null || true
+          ls -la security-reports/
+      # ============================================================
+      # الخطوة 5: رفع التقارير
+      # ============================================================
+      - name: 📤 Upload Reports as Artifacts
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: security-remediation-reports
+          path: security-reports/
+          retention-days: 30
+      # ============================================================
+      # الخطوة 6: إنشاء PR تلقائي
+      # ============================================================
+      - name: 🔄 Create Pull Request
+        if: success()
+        uses: peter-evans/create-pull-request@v5
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: |
+            🔐 security: auto-fix vulnerabilities
+            - Run universal-security-remediation-engine
+            - Auto-update vulnerable packages
+            - All 4 security phases passed
+            - Check reports in artifacts
+          branch: security/auto-remediation-${{ github.run_number }}
+          delete-branch: true
+          title: '🛡️ Security: Auto Remediation'
+          body: |
+            # 🛡️ Automated Security Remediation
+            This PR contains automatic security fixes from **Universal Security Remediation Engine**.
+            ## 📊 What's Inside?
+            ✅ All vulnerable packages have been scanned
+            ✅ Automatic fixes applied where possible
+            ✅ All 4 security phases completed
+            ✅ JSON reports generated
+            ## 📄 Reports
+            Check the artifacts for detailed security reports:
+            - `npm-report.json` - NPM packages analysis
+            - `pip-report.json` - Python packages analysis
+            - `maven-report.json` - Java packages analysis
+            - `composer-report.json` - PHP packages analysis
+            - `cargo-report.json` - Rust packages analysis
+            ## 🔍 Next Steps
+            1. Review the reports attached
+            2. Run your tests to ensure compatibility
+            3. Merge if everything looks good
+            4. Celebrate! 🎉
+            ---
+            *Created by [Universal Security Remediation Engine](https://github.com/yourusername/universal-security-remediation-engine)*
+          labels: |
+            security
+            automated
+            dependencies
+          reviewers: |
+            @dependabot
+          draft: false
+      # ============================================================
+      # الخطوة 7: إرسال تنبيهات
+      # ============================================================
+      - name: 💬 Send Slack Notification
+        if: always()
+        uses: 8398a7/action-slack@v3
+        with:
+          status: ${{ job.status }}
+          text: |
+            🛡️ Security Remediation Engine completed
+            Status: ${{ job.status }}
+            Run: ${{ github.run_number }}
+          webhook_url: ${{ secrets.SLACK_WEBHOOK }}
+        continue-on-error: true
+      - name: 📧 Send Email Notification
+        if: always()
+        uses: dawidd6/action-send-mail@v3
+        with:
+          server_address: ${{ secrets.EMAIL_SERVER }}
+          server_port: 465
+          username: ${{ secrets.EMAIL_USERNAME }}
+          password: ${{ secrets.EMAIL_PASSWORD }}
+          subject: '🛡️ Security Remediation Report - Run #${{ github.run_number }}'
+          to: ${{ secrets.EMAIL_RECIPIENT }}
+          from: 'security@yourdomain.com'
+          body: |
+            Security Remediation Engine has completed.
+            Status: ${{ job.status }}
+            Run: ${{ github.run_number }}
+            Repository: ${{ github.repository }}
+            Workflow: ${{ github.workflow }}
+            Check the PR or artifacts for detailed reports.
+          html_body: |
+            <h1>🛡️ Security Remediation Report</h1>
+            <p><strong>Status:</strong> ${{ job.status }}</p>
+            <p><strong>Run #:</strong> ${{ github.run_number }}</p>
+            <p><strong>Repository:</strong> ${{ github.repository }}</p>
+            <p>Check the PR or artifacts for detailed reports.</p>
+        continue-on-error: true
+
+  # ============================================================
+  # Job 2: اختبار التقارير
+  # ============================================================
+  validate-reports:
+    runs-on: ubuntu-latest
+    name: 📋 Validate Reports
+    needs: security-remediation
+    if: always()
+    steps:
+      - name: 📥 Checkout Code
+        uses: actions/checkout@v4
+      - name: 📥 Download Reports
+        uses: actions/download-artifact@v4
+        with:
+          name: security-remediation-reports
+          path: reports/
+      - name: 🔍 Validate JSON Reports run: |
+          echo "📄 Validating reports..."
+          for report in reports/*.json; do
+            if [ -f "$report" ]; then
+              echo "✅ Validating: $(basename $report)"
+              if jq empty "$report" 2>/dev/null; then
+                echo "   ✅ Valid JSON"
+              else
+                echo "   ❌ Invalid JSON"
+                exit 1
+              fi
+            fi
+          done
+          echo "✅ All reports are valid!"
+
+      - name: 📊 Generate Report Summary
+        if: always()
+        run: |
+          echo "# 🛡️ Security Reports Summary" > SECURITY_REPORT.md
+          echo "" >> SECURITY_REPORT.md
+          echo "Generated: $(date)" >> SECURITY_REPORT.md
+          echo "" >> SECURITY_REPORT.md
+          for report in reports/*.json; do
+            if [ -f "$report" ]; then
+              echo "## $(basename $report)" >> SECURITY_REPORT.md
+              echo "" >> SECURITY_REPORT.md
+              echo "\`\`\`json" >> SECURITY_REPORT.md
+              cat "$report" >> SECURITY_REPORT.md
+              echo "\`\`\`" >> SECURITY_REPORT.md
+              echo "" >> SECURITY_REPORT.md
+            fi
+          done
+      - name: 📤 Upload Summary
+        uses: actions/upload-artifact@v4
+        with:
+          name: security-report-summary
+          path: SECURITY_REPORT.md
+
+# ============================================================
+# Concurrency: تشغيل واحد في كل مرة
+# ============================================================
+concurrency:
+  group: security-remediation-${{ github.ref }}
+  cancel-in-progress: false
diff --git a/.github/workflows/pr_cleanup_secure.yml b/.github/workflows/pr_cleanup_secure.yml
@@ -0,0 +1,49 @@
+name: Secure PR Cleanup & Branch Management
+
+on:
+  pull_request:
+    types: [closed]
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  cleanup:
+    name: Safe Branch Cleanup After PR Close
+    runs-on: ubuntu-latest
+
+    if: github.event.pull_request.merged == true
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Define Branch Variables
+        run: |
+          echo "HEAD_BRANCH=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV
+          echo "BASE_BRANCH=${{ github.event.pull_request.base.ref }}" >> $GITHUB_ENV
+
+      - name: Protect Critical Branches
+        run: |
+          if [[ "$HEAD_BRANCH" == "main" || "$HEAD_BRANCH" == "staging" ]]; then
+            echo "Protected branch detected. Skipping deletion."
+            exit 0
+          fi
+
+      - name: Delete Merged Head Branch Safely
+        run: |
+          git push origin --delete $HEAD_BRANCH || echo "Branch already deleted."
+
+      - name: Log Cleanup Activity
+        run: |
+          echo "[$(date)] Deleted merged branch: $HEAD_BRANCH" >> cleanup.log
+
+      - name: Commit Log (Optional)
+        run: |
+          git config user.name "github-actions"
+          git config user.email "actions@github.com"
+          git add cleanup.log || true
+          git commit -m "chore: log branch cleanup activity" || true
+          git push || true