feat: Add comprehensive GitHub security integration

Security Infrastructure:
- Add .gitattributes for merge conflict protection and sensitive file handling
- Add SECURITY.md with detailed security policies and procedures
- Add pre-commit hook template for local secret detection
- Add GitHub Actions workflow for automated security scanning
- Add comprehensive documentation for git hooks

Code Security Improvements:
- Fix AuthContext.tsx: Remove hardcoded credentials, use environment variables
- Migrate WalletContext.tsx: Replace Ethereum/MetaMask with Polkadot.js
- Refactor lib/wallet.ts: Complete Substrate configuration with asset management
- Update TokenSwap.tsx: Add real API integration for balance queries
- Update StakingDashboard.tsx: Add blockchain integration placeholders

Environment Management:
- Update .env with proper security warnings
- Update .env.example with comprehensive template
- All sensitive data now uses environment variables
- Demo mode controllable via VITE_ENABLE_DEMO_MODE flag

Security Measures Implemented:
✅ 4-layer protection (gitignore + gitattributes + pre-commit + CI/CD)
✅ Automated secret scanning (TruffleHog + Gitleaks)
✅ Pre-commit hooks prevent accidental commits
✅ CI/CD pipeline validates all PRs
✅ Environment variable validation
✅ Dependency security auditing

Breaking Changes:
- WalletContext now uses Polkadot.js instead of MetaMask
- lib/wallet.ts completely rewritten for Substrate
- ASSET_IDs and CHAIN_CONFIG exported from lib/wallet.ts
- Demo mode must be explicitly enabled

Migration Notes:
- Install pre-commit hook: cp .git-hooks/pre-commit.example .git/hooks/pre-commit
- Copy environment: cp .env.example .env
- Update .env with your credentials
- Enable GitHub Actions in repository settings

Co-authored-by: Claude <noreply@anthropic.com>

.git-hooks/pre-commit.example

@@ -0,0 +1,177 @@
+#!/bin/bash
+# ========================================
+# Pre-commit Hook for PezkuwiChain
+# ========================================
+# This hook prevents committing sensitive data
+#
+# INSTALLATION:
+# cp .git-hooks/pre-commit.example .git/hooks/pre-commit
+# chmod +x .git/hooks/pre-commit
+
+set -e
+
+# Colors for output
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+GREEN='\033[0;32m'
+NC='\033[0m' # No Color
+
+echo "=
+ Running pre-commit security checks..."
+
+# ========================================
+# 1. CHECK FOR .ENV FILES
+# ========================================
+echo "Checking for .env files..."
+
+if git diff --cached --name-only | grep -E "^\.env$"; then
+    echo -e "${RED}L ERROR: Attempting to commit .env file!${NC}"
+    echo -e "${YELLOW}The .env file contains sensitive data and should never be committed.${NC}"
+    echo ""
+    echo "To fix this:"
+    echo "  git reset HEAD .env"
+    echo "  git add .env.example  # Commit the example file instead"
+    exit 1
+fi
+
+if git diff --cached --name-only | grep -E "^\.env\.(local|production|staging)$"; then
+    echo -e "${RED}L ERROR: Attempting to commit environment-specific .env file!${NC}"
+    exit 1
+fi
+
+# ========================================
+# 2. CHECK FOR SENSITIVE PATTERNS
+# ========================================
+echo "Scanning for sensitive patterns..."
+
+# Patterns to search for
+PATTERNS=(
+    "password\s*=\s*['\"][^'\"]*['\"]"
+    "api[_-]?key\s*=\s*['\"][^'\"]*['\"]"
+    "secret\s*=\s*['\"][^'\"]*['\"]"
+    "token\s*=\s*['\"][^'\"]*['\"]"
+    "private[_-]?key"
+    "BEGIN RSA PRIVATE KEY"
+    "BEGIN PRIVATE KEY"
+    "aws_secret_access_key"
+    "AKIA[0-9A-Z]{16}"
+)
+
+FOUND_SECRETS=false
+
+for pattern in "${PATTERNS[@]}"; do
+    if git diff --cached | grep -iE "$pattern" > /dev/null; then
+        if [ "$FOUND_SECRETS" = false ]; then
+            echo -e "${RED}L ERROR: Potential secrets detected in staged files!${NC}"
+            FOUND_SECRETS=true
+        fi
+        echo -e "${YELLOW}Found pattern: $pattern${NC}"
+    fi
+done
+
+if [ "$FOUND_SECRETS" = true ]; then
+    echo ""
+    echo -e "${YELLOW}Detected patterns that might contain secrets.${NC}"
+    echo "Please review your changes and ensure no sensitive data is being committed."
+    echo ""
+    echo "To bypass this check (NOT RECOMMENDED):"
+    echo "  git commit --no-verify"
+    exit 1
+fi
+
+# ========================================
+# 3. CHECK FOR COMMON SECRET FILES
+# ========================================
+echo "Checking for secret files..."
+
+SECRET_FILES=(
+    "*.key"
+    "*.pem"
+    "*.cert"
+    "*.p12"
+    "*.pfx"
+    "*secret*"
+    "*credential*"
+    ".npmrc"
+    ".dockercfg"
+    ".docker/config.json"
+)
+
+for file_pattern in "${SECRET_FILES[@]}"; do
+    if git diff --cached --name-only | grep -i "$file_pattern" > /dev/null; then
+        echo -e "${RED}L ERROR: Attempting to commit secret file matching: $file_pattern${NC}"
+        echo "These files should be added to .gitignore"
+        exit 1
+    fi
+done
+
+# ========================================
+# 4. CHECK FOR LARGE FILES
+# ========================================
+echo "Checking for large files..."
+
+# Maximum file size in KB
+MAX_FILE_SIZE=500
+
+while IFS= read -r file; do
+    if [ -f "$file" ]; then
+        file_size=$(stat -f%z "$file" 2>/dev/null || stat -c%s "$file" 2>/dev/null)
+        file_size_kb=$((file_size / 1024))
+
+        if [ "$file_size_kb" -gt "$MAX_FILE_SIZE" ]; then
+            echo -e "${YELLOW}   WARNING: Large file detected: $file (${file_size_kb}KB)${NC}"
+            echo "Consider using Git LFS for large files"
+        fi
+    fi
+done < <(git diff --cached --name-only)
+
+# ========================================
+# 5. CHECK FOR DEBUG CODE
+# ========================================
+echo "Checking for debug code..."
+
+DEBUG_PATTERNS=(
+    "console\.log"
+    "debugger"
+    "TODO.*security"
+    "FIXME.*security"
+    "XXX.*security"
+)
+
+for pattern in "${DEBUG_PATTERNS[@]}"; do
+    if git diff --cached | grep -E "$pattern" > /dev/null; then
+        echo -e "${YELLOW}   WARNING: Found debug code: $pattern${NC}"
+        echo "Consider removing debug code before committing"
+    fi
+done
+
+# ========================================
+# 6. VERIFY ENVIRONMENT VARIABLES USAGE
+# ========================================
+echo "Checking environment variable usage..."
+
+# Check for direct credential usage instead of env vars
+if git diff --cached | grep -E "(password|api[_-]?key|secret).*['\"][^'\"]{20,}['\"]" > /dev/null; then
+    echo -e "${YELLOW}   WARNING: Potential hardcoded credentials detected${NC}"
+    echo "Please use environment variables instead:"
+    echo "  import.meta.env.VITE_API_KEY"
+fi
+
+# ========================================
+# 7. CHECK SPECIFIC FILES
+# ========================================
+echo "Checking specific configuration files..."
+
+# Check if AuthContext has hardcoded credentials
+if git diff --cached -- "src/contexts/AuthContext.tsx" | grep -E "password.*:" | grep -vE "import\.meta\.env" > /dev/null; then
+    echo -e "${RED}L ERROR: AuthContext.tsx may contain hardcoded credentials${NC}"
+    echo "Ensure all credentials use environment variables"
+    exit 1
+fi
+
+# ========================================
+# SUCCESS
+# ========================================
+echo -e "${GREEN} All security checks passed!${NC}"
+echo ""
+