NMKR Studio Open-Source Process Documentation

Overview

This document outlines the process, decisions, and considerations involved in making NMKR Studio open-source. It provides transparency about what was included, what was excluded, and the security measures taken to protect sensitive infrastructure while maintaining the integrity of the codebase.

Date: October 9, 2025

Version: 1.0

Status: Initial Open-Source Release

1. General Considerations

1.1 Purpose of Open-Sourcing

The decision to open-source NMKR Studio was driven by:

  • Community Contribution: Enable developers to contribute improvements and features
  • Transparency: Demonstrate commitment to open development practices in the Cardano ecosystem
  • Education: Provide a reference implementation for NFT management platforms
  • Collaboration: Foster innovation through community collaboration
  • Trust: Build trust by allowing security audits and code review
  • Catalyst Milestone Requirement: Project 1000091, M5 Open Source NMKR Studio

1.2 Pre-Release Preparation

Before publication, the following steps were completed:

  1. Security Audit: Comprehensive scan of all files for sensitive data
  2. Credential Removal: All API keys, passwords, and secrets replaced with empty placeholders
  3. Git History Cleanup: Complete repository reinitialization to remove historical sensitive data
  4. Documentation Review: Creation of comprehensive documentation for contributors
  5. License Selection: Research and selection of appropriate open-source license

2. Scope of Open-Source Release

2.1 Components Included

The following components have been made open-source:

Core Application Components

- NMKR.Pro: Main Blazor-based user interface
  - All UI components and pages
  - Client-side logic and state management
  - Blazor components and layouts

- NMKR.Api: REST API implementation
  - All API endpoints (v1 and v2)
  - Controller logic and business rules
  - API validation and authentication framework
  - Rate limiting configuration

- NMKR.BackgroundService: Background processing service
  - Hosted services for blockchain operations
  - Minting and burning workflows
  - Transaction monitoring services
  - Address checking logic

- NMKR.CardanoCliApi: Cardano CLI wrapper API
  - Cardano CLI integration layer
  - Transaction building utilities
  - Blockchain interaction logic

Shared Libraries

- NMKR.Shared: Core shared functionality
  - Database models and context
  - Shared business logic
  - Utility functions
  - Blockchain-specific functions (Cardano, Solana, Aptos)
  - Configuration class structure

- NMKR.RazorSharedClassLibrary: Shared Blazor components
  - Reusable UI components
  - Modal windows and dialogs
  - Form components
  - Helper components

Supporting Components

- NMKR.SimpleExec: Command execution library
  - Process execution utilities
  - Simple-Exec integration (third-party library included)

2.2 Database Structure

- Complete Database Schema: The full MySQL database structure (`defaultdb.sql`) is included
  - All table definitions
  - Views and stored procedures
  - Relationships and indexes
  - Note: No actual data is included, only the schema

2.3 Configuration Templates

All configuration files are included as templates with empty values:

- `settings.yaml` (all services)

- `settings.preprod.yaml` (all services)

- `appsettings.json` (all services)

- `appsettings.Development.json` (all services)

These templates show the structure needed for configuration but contain no actual credentials.

3. Components and Information Excluded

3.1 Credentials and Secrets

The following sensitive information has been removed or replaced with placeholders:

Database Credentials

- MySQL connection strings

- PostgreSQL connection strings (DbSync)

- Database passwords and usernames

- Server hostnames and ports

External Service Credentials

- Blockfrost API: API keys for mainnet and testnet

- Koios API: Access credentials

- Maestro API: API keys for Cardano and Bitcoin

- Iagon Storage: API keys

- Helios RPC: API keys

- AWS Services: Email service credentials (SES)

- Redis: Server addresses and passwords

- RabbitMQ: Connection strings, usernames, and passwords

- Solana RPC: API endpoints with credentials

- Aptos API: Access credentials

Third-Party Services

- **Google reCAPTCHA**: Site keys and secrets

- **MessageBird**: Access keys for SMS services

- **Yota SDK**: SDK identifiers

- **Mailerlite**: API keys and group IDs

- **Rebex**: License keys

Security Keys

- RSA private keys (replaced with placeholder: `YOUR_RSA_PRIVATE_KEY_HERE`)

- Master password for encryption

- Two-factor authentication secrets

- JWT signing keys

3.2 Infrastructure Details

The following infrastructure information has been removed:

- Production server hostnames (DigitalOcean, AWS)

- Internal IP addresses

- SFTP server credentials

- Production deployment configurations

- Monitoring and telemetry endpoints

3.3 Business-Specific Data

- Customer data (none included in code)

- User transaction history (none included)

- API usage statistics (none included)

- Production metrics and analytics configurations

3.4 Why These Were Excluded

**Security**: Exposing production credentials would compromise the live NMKR Studio platform and potentially affect users.

**Privacy**: Customer and business data must remain confidential.

**Operational Integrity**: Production infrastructure details could be used for attacks or unauthorized access.

**Legal Compliance**: Certain third-party service credentials cannot be shared due to terms of service.

---

4. Security Considerations

4.1 Security Measures Taken

Pre-Publication Security Audit

A comprehensive security audit was performed including:

1. **Automated Scanning**: 940+ files scanned for credentials, secrets, and sensitive data

2. **Manual Review**: Critical files reviewed manually for context-specific security issues

3. **Pattern Matching**: Regular expressions used to detect:

   - API keys (various formats)

   - Passwords and secrets

   - Connection strings

   - Private keys and certificates

   - AWS access keys

   - Database credentials

Credential Sanitization

All configuration files were sanitized:

- YAML files: All credential values set to empty strings

- JSON files: All secret values removed

- Code: Hardcoded credentials replaced with placeholders or configuration references

- Comments: Sensitive information in comments removed
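The pattern-matching stage of the audit and the placeholder convention of the sanitization step, as an added example that is not NMKR's own audit tooling: a small scanner in Python run over constructed sample files. The detection rules, the sample paths and their contents are assumptions for illustration.

```python
import re

# Constructed sample files standing in for a repository snapshot part-way through
# sanitization. Paths and contents are invented; the second line of Keys.cs shows a
# value that has already been replaced by the documented placeholder.
SAMPLE_FILES = {
    "NMKR.Api/settings.yaml": (
        "ConnectionString: Server=db.internal;User=nmkr;Password=hunter2\n"
        "Redis:\n"
        "  Server: \n"
        "  Password: s3cr3t\n"
        "BlockfrostApikey: \n"
    ),
    "NMKR.Shared/Keys.cs": (
        'const string Rsa = "-----BEGIN RSA PRIVATE KEY-----";\n'
        'const string RsaSanitized = "YOUR_RSA_PRIVATE_KEY_HERE";\n'
    ),
    "deploy/aws.env": "AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP\n",
}

# Detection rules following the audit's categories: AWS access keys, private key blocks,
# passwords embedded in connection strings, and populated credential keys in YAML.
PATTERNS = [
    ("aws-access-key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("connection-string-password", re.compile(r"(?i)\b(?:password|pwd)\s*=\s*[^;\s]+")),
    ("populated-secret-key", re.compile(r"(?i)^\s*\w*(?:apikey|secret|password|token)\w*\s*:\s*\S")),
]

# Markers the sanitization step leaves behind on purpose; lines carrying them are not findings.
PLACEHOLDERS = ("YOUR_", "<your-")


def scan_text(path, text):
    """Return (path, line number, rule name) for every line that matches a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if any(marker in line for marker in PLACEHOLDERS):
            continue  # already replaced by a placeholder during sanitization
        for name, rx in PATTERNS:
            if rx.search(line):
                findings.append((path, lineno, name))
    return findings


def scan_files(files):
    """Scan a {path: content} mapping and return all findings sorted by path and line."""
    return sorted(f for path, text in files.items() for f in scan_text(path, text))
```

An empty result from `scan_files` is the condition the sanitization step aims for; any finding points at a line that still needs a placeholder or a configuration reference.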

Git History Cleanup

- Complete removal of `.git` directory

- Fresh `git init` to start with clean history

- No historical commits containing sensitive data

4.2 Security Best Practices for Contributors

Contributors should follow these security practices:

1. **Never Commit Credentials**: Use environment variables or secure configuration management

2. **Use Configuration Templates**: Copy the included `settings.yaml` files and fill in your own values; no separate `settings.yaml.template` is shipped, the existing files serve as the template

3. **Local Development**: Keep local configuration files out of git using `.gitignore`

4. **Secret Management**: Use secure vaults or environment-specific configuration

5. **API Keys**: Generate your own keys for external services (Blockfrost, Koios, etc.)

4.3 Remaining Security Considerations

API Endpoint Security

The code includes API authentication and authorization mechanisms:

- API key validation (`ApiKeyValidator.cs`)

- Rate limiting configuration

- IP-based restrictions

**Note**: These are frameworks only. Actual API keys must be generated and managed separately.

Database Security

The database schema is public, which means:

- Table structures are visible

- Relationships and indexes are known

- **Mitigation**: Use strong database credentials, network isolation, and access controls

Encryption Keys

References to encryption functionality exist in the code:

- Master password for encryption (must be provided via configuration)

- Policy key encryption/decryption

- **Mitigation**: Generate strong, unique encryption keys for your deployment

---

5. Configuration Requirements for Deployment

To deploy NMKR Studio, you must provide your own:

5.1 Required Services

1. **MySQL Server**: For main application database

2. **PostgreSQL Server**: For Cardano DbSync integration

3. **Redis Server**: For caching and session management

4. **RabbitMQ**: For message queuing

5. **Cardano Node**: For blockchain interaction

6. **IPFS Node**: For metadata storage

5.2 Required External Service Accounts

1. **Blockfrost**: Cardano blockchain API

2. **Koios**: Cardano blockchain API (alternative)

3. **Maestro**: Cardano infrastructure API

4. **AWS SES**: For email notifications

5. **Google reCAPTCHA**: For bot protection

5.3 Configuration Files to Populate

Each service requires a `settings.yaml` file with your credentials:

```yaml
ConnectionString: <your-mysql-connection-string>
Redis:
  Server: <your-redis-server>
  Password: <your-redis-password>
BlockfrostApikey: <your-blockfrost-key>
# ... etc: the remaining keys follow the same pattern
```

See `Readme.md` for detailed configuration instructions.
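A check for the two states these files go through, as an added example that is not part of the NMKR Studio code base: before publication every sensitive key must be empty or a placeholder, and before deployment every one must be filled in. It assumes the two-level key layout shown above, treats the listed key suffixes as sensitive, and uses constructed sample configs.

```python
import re

# Key suffixes treated as credential or infrastructure settings, chosen from the keys this
# document says were emptied. The suffix list itself is an assumption for this example.
SENSITIVE_KEY = re.compile(r"(?i)(connectionstring|apikey|password|secret|token|server|host)$")
# Placeholder forms used in this document: <your-...> in settings.yaml, YOUR_..._HERE in code.
PLACEHOLDER = re.compile(r"^(<your-[^>]*>|YOUR_[A-Z0-9_]+_HERE)$")

# Constructed samples: the template from the snippet above, and a half-populated deployment copy.
TEMPLATE = ("ConnectionString: <your-mysql-connection-string>\nRedis:\n"
            "  Server: <your-redis-server>\n  Password: <your-redis-password>\nBlockfrostApikey: \n")
PARTIAL_DEPLOY = ("ConnectionString: Server=db.local;User=nmkr;Password=CHANGED\nRedis:\n"
                  "  Server: redis.local\n  Password: <your-redis-password>\nBlockfrostApikey: \n")


def parse_flat_yaml(text):
    """Parse the two-level 'Key: value' layout of settings.yaml into {'Key' or 'Section.Key': value}.
    A key without a value is a section header only if the next line is indented; not a full parser."""
    lines = [ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
    result, section = {}, None
    for i, raw in enumerate(lines):
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if raw.startswith(" "):
            result[f"{section}.{key}"] = value
            continue
        if value == "" and i + 1 < len(lines) and lines[i + 1].startswith(" "):
            section = key
        else:
            section, result[key] = None, value
    return result


def is_unset(value):
    """True for an empty value or one of the documented placeholders."""
    return value == "" or PLACEHOLDER.match(value) is not None


def check_settings(text, deployed):
    """Return (key, reason) pairs. deployed=False validates a template to be published;
    deployed=True validates a config about to be used, where every sensitive key needs a real value."""
    problems = []
    for key, value in parse_flat_yaml(text).items():
        if not SENSITIVE_KEY.search(key.rsplit(".", 1)[-1]):
            continue
        if not deployed and not is_unset(value):
            problems.append((key, "real value in a template"))
        elif deployed and is_unset(value):
            problems.append((key, "not populated"))
    return problems
```

Running `check_settings` with `deployed=False` as a pre-commit step catches a real credential slipping into a template; with `deployed=True` at service start it catches a placeholder that was never replaced.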

---

6. Contribution Guidelines

6.1 What We Accept

- Bug fixes

- Feature enhancements

- Documentation improvements

- Performance optimizations

- Test coverage improvements

- Security vulnerability reports (via responsible disclosure)

6.2 What We Don't Accept

- Commits containing credentials or secrets

- Unreviewed third-party dependencies

- Changes that compromise security

- Undocumented breaking changes

6.3 Security Vulnerability Reporting

If you discover a security vulnerability:

1. **Do NOT** open a public issue

2. Contact us privately

3. Provide detailed information about the vulnerability

---

7. Legal and Licensing

7.1 License

See `LICENSE.md` for the specific open-source license terms.

7.2 Third-Party Dependencies

NMKR Studio uses various third-party libraries and dependencies. Each retains its original license. See individual package references in `.csproj` files.

8. Open-Source Process Timeline

1. **October 2, 2025**: Security audit initiated

2. **October 2-9, 2025**: All credentials removed and replaced with placeholders

3. **October 2-9, 2025**: Git history cleaned and repository reinitialized

4. **October 5-9, 2025**: Documentation created

5. **October 9, 2025**: Repository ready for publication

---

9. Contact and Support

For questions about the open-source process or security concerns:

phil@nmkr.io

---

**Document Version**: 1.0

**Last Updated**: October 9, 2025

**Maintained By**: NMKR Studio Team