fix(security): add .gitignore, remove PEM keys and debug endpoints from tracking

.gitignore

@@ -0,0 +1,96 @@
+# ============================================================
+# Siro Project - .gitignore
+# ============================================================
+
+# --- Environment & Secrets ---
+.env
+.env.*
+!.env.example
+**/*.env
+**/private_key.pem
+**/public_key.pem
+*.pem
+service-account.json
+**/service-account.json
+
+# --- IDE & OS ---
+.DS_Store
+Thumbs.db
+*.swp
+*.swo
+*~
+.vscode/
+.idea/
+*.iml
+.ruby-lsp/
+.kilo/
+
+# --- Build Artifacts ---
+node_modules/
+vendor/
+**/vendor/
+build/
+dist/
+*.js.map
+*.css.map
+
+# --- Flutter/Dart ---
+.dart_tool/
+.packages
+.pub-cache/
+pubspec.lock
+*.g.dart
+**/env.g.dart
+*.freezed.dart
+*.config.dart
+
+# --- Android ---
+*.apk
+*.aab
+*.dex
+*.class
+*.keystore
+local.properties
+android/.gradle/
+android/captures/
+
+# --- iOS ---
+*.ipa
+*.dSYM.zip
+*.dSYM
+Pods/
+DerivedData/
+*.xcworkspace
+xcuserdata/
+
+# --- Composer / PHP ---
+/composer.lock
+**/composer.lock
+
+# --- Logs ---
+*.log
+logs/
+**/logs/
+
+# --- Uploads ---
+uploads/
+**/uploads/
+portrate_captain_image/
+card_image/
+imageForUsingApp/
+new_driver_car/
+upload_audio/
+
+# --- Python ---
+__pycache__/
+*.pyc
+.venv/
+venv/
+
+# --- Firebase ---
+.google-services.json
+GoogleService-Info.plist
+
+# --- Audit/Scan Output ---
+semgrep_*.json
+nuclei_results.txt

backend/Admin/debug/.htaccess

@@ -1,10 +0,0 @@
-# 🔒 SECURITY: Block all access to debug files
-# This directory contains sensitive debugging scripts
-# DO NOT remove this file in production
-
-<RequireAll>
-    Require all denied
-</RequireAll>
-
-# Alternative for older Apache:
-# Deny from all

backend/Admin/debug/check_driver_phones.php

@@ -1,13 +0,0 @@
-<?php
-require_once 'connect.php';
-
-try {
-    $stmt = $con->query("SELECT phone FROM driver LIMIT 10");
-    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
-    foreach ($rows as $row) {
-        echo "Raw: " . $row['phone'] . " | Decrypted: " . $encryptionHelper->decryptData($row['phone']) . "\n";
-    }
-} catch (Exception $e) {
-    echo "An error occurred.";
-}
-?>

backend/Admin/debug/check_users_cols.php

@@ -1,11 +0,0 @@
-<?php
-require_once 'connect.php';
-
-try {
-    $stmt = $con->query("DESCRIBE users");
-    $cols = $stmt->fetchAll(PDO::FETCH_ASSOC);
-    echo json_encode($cols, JSON_PRETTY_PRINT);
-} catch (Exception $e) {
-    echo "An error occurred.";
-}
-?>

backend/Admin/debug/debug_phone.php

@@ -1,23 +0,0 @@
-<?php
-require_once __DIR__ . '/connect.php';
-
-$searchPhone = '0992952235';
-echo "Searching for: $searchPhone\n";
-
-$variants = [$searchPhone, '963' . substr($searchPhone, 1), '+963' . substr($searchPhone, 1)];
-
-foreach ($variants as $v) {
-    echo "Checking variant: $v\n";
-    $enc = $encryptionHelper->encryptData($v);
-    
-    $stmt = $con->prepare("SELECT id, phone, first_name FROM driver WHERE phone = ? OR phone = ?");
-    $stmt->execute([$v, $enc]);
-    $res = $stmt->fetch();
-    
-    if ($res) {
-        echo "FOUND! ID: {$res['id']}, Name: {$res['first_name']}, Phone in DB: {$res['phone']}\n";
-        exit;
-    }
-}
-
-echo "NOT FOUND in driver table.\n";

backend/Admin/debug/env_test.php

@@ -1,57 +0,0 @@
-<?php
-// env_test.php - أداة مخصصة لاختبار جميع متغيرات البيئة
-require_once __DIR__ . '/core/bootstrap.php'; // لتحميل الـ .env
-
-header('Content-Type: text/plain; charset=utf-8');
-
-echo "=== فحص متغيرات البيئة (Environment Variables) ===\n\n";
-
-$keysToCheck = [
-    'PASSENGER_SOCKET_URL',
-    'LOCATION_SOCKET_URL',
-    'INTERNAL_SOCKET_KEY_PATH',
-    'SECRET_KEY_PAY_PATH',
-    'SECRET_KEY_HMAC',
-    'allowed1',
-    'allowed2',
-    'passwordnewpassenger',
-    'FP_PEPPER'
-];
-
-foreach ($keysToCheck as $key) {
-    $val = getenv($key);
-    if ($val !== false && $val !== '') {
-        // إخفاء جزء من القيم الحساسة مثل كلمات المرور
-        if (strpos(strtolower($key), 'password') !== false || strpos(strtolower($key), 'secret') !== false || strpos(strtolower($key), 'hmac') !== false) {
-            $hiddenVal = substr($val, 0, 3) . '***' . substr($val, -3);
-            echo "[OK] $key = $hiddenVal\n";
-        } else {
-            echo "[OK] $key = $val\n";
-        }
-    } else {
-        echo "[ERROR] $key = (مفقود أو فارغ!)\n";
-    }
-}
-
-echo "\n\n=== فحص الملفات المباشرة ===\n\n";
-
-$filesToCheck = [
-    '/home/siro-api/.internal_socket_key',
-    '/home/siro-api/.secret_key_pay'
-];
-
-foreach ($filesToCheck as $file) {
-    if (file_exists($file)) {
-        $content = trim(file_get_contents($file));
-        if (!empty($content)) {
-            $hidden = substr($content, 0, 3) . '***' . substr($content, -3);
-            echo "[OK] File ($file) exists and has content: $hidden\n";
-        } else {
-            echo "[WARNING] File ($file) exists but is EMPTY!\n";
-        }
-    } else {
-        echo "[ERROR] File ($file) DOES NOT EXIST!\n";
-    }
-}
-
-echo "\n=== انتهى الفحص ===\n";

backend/Admin/debug/ggg.php

@@ -1,78 +0,0 @@
-<?php
-include 'connect.php';
-
-// نضمن أن الرد دائماً JSON
-header('Content-Type: application/json; charset=utf-8');
-
-// 1) قراءة الـ body كـ JSON (من Flutter)
-$raw  = file_get_contents('php://input');
-$data = json_decode($raw, true);
-
-if (!is_array($data)) {
-    // fallback لو أرسلت form-data أو x-www-form-urlencoded
-    $data = $_POST;
-}
-
-// 2) التحقق من رقم هاتف الأدمن المصرّح له
-
-// قراءة الأرقام المسموح لها من الـ ENV
-$phonesRaw = getenv('ADMIN_PHONE_NUMBERS') ?: '';
-$ALLOWED_TOOL_PHONES = array_values(
-    array_filter(
-        array_map(function ($p) {
-            // إزالة أي رموز غير رقمية (مسافات، +، - إلخ)
-            return preg_replace('/\D+/', '', $p);
-        }, explode(',', $phonesRaw))
-    )
-);
-
-// رقم الهاتف القادم من Flutter (parameter جديد)
-$adminPhoneParam = isset($data['admin_phone'])
-    ? preg_replace('/\D+/', '', $data['admin_phone'])
-    : '';
-
-// إذا لم يُرسل رقم أو لم يكن ضمن القائمة → منع الوصول
-if ($adminPhoneParam === '' || !in_array($adminPhoneParam, $ALLOWED_TOOL_PHONES, true)) {
-    http_response_code(403);
-    echo json_encode([
-        'status'  => 'error',
-        'message' => 'Access denied for this admin phone.',
-    ]);
-    exit;
-}
-
-// 3) التحقق من بقية المدخلات (action + text)
-$action = $data['action'] ?? '';
-$text   = trim($data['text'] ?? '');
-
-if ($text === '' || ($action !== 'encrypt' && $action !== 'decrypt')) {
-    http_response_code(400);
-    echo json_encode([
-        'status'  => 'error',
-        'message' => 'Invalid input: need action=encrypt|decrypt and non-empty text.',
-    ]);
-    exit;
-}
-
-// 4) تنفيذ التشفير / الفك
-try {
-   // require_once __DIR__ . '/encrypt_decrypt.php';
-
-    if ($action === 'encrypt') {
-        $result = $encryptionHelper->encryptData($text);
-    } else { // decrypt
-        $result = $encryptionHelper->decryptData($text);
-    }
-
-    echo json_encode([
-        'status' => 'success',
-        'action' => $action,
-        'result' => (string) $result,
-    ]);
-} catch (Exception $e) {
-    http_response_code(500);
-    echo json_encode([
-        'status'  => 'error',
-        'message' => 'Operation failed.',
-    ]);
-}

backend/Admin/debug/scratch_db_check.php

@@ -1,23 +0,0 @@
-<?php
-require_once 'connect.php';
-
-echo "--- ADMIN TABLE ---\n";
-try {
-    $stmt = $con->prepare("SELECT id, name, role FROM admin");
-    $stmt->execute();
-    $admins = $stmt->fetchAll(PDO::FETCH_ASSOC);
-    print_r($admins);
-} catch (Exception $e) {
-    echo "Error: " . $e->getMessage() . "\n";
-}
-
-echo "\n--- DATABASES ---\n";
-try {
-    $stmt = $con->prepare("SHOW DATABASES");
-    $stmt->execute();
-    $dbs = $stmt->fetchAll(PDO::FETCH_COLUMN);
-    print_r($dbs);
-} catch (Exception $e) {
-    echo "Error: " . $e->getMessage() . "\n";
-}
-?>

backend/Admin/debug/scratch_log_path.php

@@ -1,2 +0,0 @@
-<?php
-echo ini_get('error_log');

backend/Admin/debug/scratch_test_find.php

@@ -1,13 +0,0 @@
-<?php
-require_once __DIR__ . '/../core/bootstrap.php';
-require_once __DIR__ . '/../functions.php';
-
-$con = Database::get('main');
-$lat = 32.11171;
-$lng = 36.06737;
-$carType = 'Fixed Price';
-
-echo "Testing findBestDrivers...\n";
-$drivers = findBestDrivers($con, $lat, $lng, $carType);
-print_r($drivers);
-echo "Done.\n";

backend/Admin/debug/scratch_test_redis.php

@@ -1,10 +0,0 @@
-<?php
-require_once __DIR__ . '/../core/bootstrap.php';
-$redis = getRedis(); // or however it's connected in bootstrap
-if (!$redis) {
-    echo "No redis\n"; exit;
-}
-$redis->geoadd('geo:rides:waiting', 36.0, 32.0, 'test_ride');
-$res = $redis->georadius('geo:rides:waiting', 36.0, 32.0, 10, 'km', ['WITHDIST' => true]);
-print_r($res);
-echo json_encode($res) . "\n";

walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver/private_key.pem

@@ -1,15 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXwIBAAKBgQDOhVAdUyxFpVNSyjRndMWEPAN9vJEetMzLbjF9DTn2lPVuRj/M
-kwq9wCNhy+tdeX2lIn4K3EkONBvYJubBhxnYOoQuMchPW5vG7VnmpLjZ7TkpM2n9
-fcMu8u1GkLatLblDI4LTfvn3851+nhpnYlUVkjw5GAhH4XnEpveIjqDhzQIDAQAB
-AoGBALRcAvqJT8nHN7y+8QNFHNZ+XwIpc4egmJY1Ny0iJvPtZWaYHVG5PRE4Qu4+
-29+3oX5dYDx146tu4L5mQvLS3ULBsvxaUZt2lT/vxkQzI9pNfXw584WvIrbtxQod
-ILvBcnamwQa9hEOIFZVyZ/hzkzUcMO6cAXqvsfqqPgJhm7PBAkEA+xgE9CUOLDFl
-vLePQKGcHIUOsPLr16qNEgGhTW7Km3OMMqoB2f7t67xOHGqK6tnANRM4Sk6IModI
-wbZuVh4jMQJBANKOVmIdDLNffZVHp90SDRG7/YdK2R5ob361CIkcUzjh927Wfs5W
-A/WroB7eJ7pWiq2BMaj/xq65nYaCOldvaV0CQQDm12c+eY61DFjnDa6ykaEvCxi9
-jydJp+93vW3o/VFhZvJeZbO8EcX0MrNxJnY+gSBW6yuWDOrj4UH/bVO08pIRAkEA
-lH3TiBAqo9nlTEEjrnILi4VD0IVFx/8pGnf71A6I1qXuBVn6RfQ9iKWIIBzWccCU
-vrZNWn1AFntLD9CJ6p3k9QJBAMbSQ9CoXWlOLJRduV15ER1ZyE/inVd4jIvtjAgz
-b7QaM62Ecxl3D8EI/LTSZV9Oa8D/62cJeMsflVa7gpavL70=
------END RSA PRIVATE KEY-----

walletintaleq.intaleq.xyz/v2/main/ride/mtn/driver/public_key.pem

@@ -1,6 +0,0 @@
------BEGIN PUBLIC KEY-----
-MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDqBQZEJXWCQwPsPzBM70M3TjyU
-5vwCZWoEtUomR9Qu+dEQaa0Hniz6JY8+goCxfMYuZQw6+kimctA2KqzT2pCsJufN
-b92pSAMZgb0RSTl2y62oJkJd2WY7dj36AvPEyw6DxCFItvFOu7HGl3LlHQBriiw3
-jwtuS6DO7gbmAJPU8wIDAQAB
------END PUBLIC KEY-----

walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/private_key.pem

@@ -1,15 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXwIBAAKBgQDOhVAdUyxFpVNSyjRndMWEPAN9vJEetMzLbjF9DTn2lPVuRj/M
-kwq9wCNhy+tdeX2lIn4K3EkONBvYJubBhxnYOoQuMchPW5vG7VnmpLjZ7TkpM2n9
-fcMu8u1GkLatLblDI4LTfvn3851+nhpnYlUVkjw5GAhH4XnEpveIjqDhzQIDAQAB
-AoGBALRcAvqJT8nHN7y+8QNFHNZ+XwIpc4egmJY1Ny0iJvPtZWaYHVG5PRE4Qu4+
-29+3oX5dYDx146tu4L5mQvLS3ULBsvxaUZt2lT/vxkQzI9pNfXw584WvIrbtxQod
-ILvBcnamwQa9hEOIFZVyZ/hzkzUcMO6cAXqvsfqqPgJhm7PBAkEA+xgE9CUOLDFl
-vLePQKGcHIUOsPLr16qNEgGhTW7Km3OMMqoB2f7t67xOHGqK6tnANRM4Sk6IModI
-wbZuVh4jMQJBANKOVmIdDLNffZVHp90SDRG7/YdK2R5ob361CIkcUzjh927Wfs5W
-A/WroB7eJ7pWiq2BMaj/xq65nYaCOldvaV0CQQDm12c+eY61DFjnDa6ykaEvCxi9
-jydJp+93vW3o/VFhZvJeZbO8EcX0MrNxJnY+gSBW6yuWDOrj4UH/bVO08pIRAkEA
-lH3TiBAqo9nlTEEjrnILi4VD0IVFx/8pGnf71A6I1qXuBVn6RfQ9iKWIIBzWccCU
-vrZNWn1AFntLD9CJ6p3k9QJBAMbSQ9CoXWlOLJRduV15ER1ZyE/inVd4jIvtjAgz
-b7QaM62Ecxl3D8EI/LTSZV9Oa8D/62cJeMsflVa7gpavL70=
------END RSA PRIVATE KEY-----

walletintaleq.intaleq.xyz/v2/main/ride/mtn/passenger/public_key.pem

@@ -1,6 +0,0 @@
------BEGIN PUBLIC KEY-----
-MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDqBQZEJXWCQwPsPzBM70M3TjyU
-5vwCZWoEtUomR9Qu+dEQaa0Hniz6JY8+goCxfMYuZQw6+kimctA2KqzT2pCsJufN
-b92pSAMZgb0RSTl2y62oJkJd2WY7dj36AvPEyw6DxCFItvFOu7HGl3LlHQBriiw3
-jwtuS6DO7gbmAJPU8wIDAQAB
------END PUBLIC KEY-----