claude_code_remaining_fixes_prompt.txt

Work in the `platform` repo and use the existing Gitea issues as the source of truth.

Repo:
- `yusiboyz/platform`

Primary tracking issue:
- `#1 Production Security and Readiness Remediation`

Current status from latest audit:
- Fixed: `#2` registration disable, frontend proxy auth, Trips share protection, Fitness authz repair, gateway cookie hardening, budget dependency fix
- Partial/Open: `#2`, `#5`, `#6`, `#7`, `#9`, `#10`

Your job:
- Read issue `#1` and child issues `#2` through `#10`
- Re-verify the repo state before changing anything
- Then fix the remaining open items in priority order
- Make code changes directly
- After each issue-sized change, verify it and post a concise Gitea comment with:
  - what changed
  - files touched
  - verification performed
  - what still remains, if anything
- Close only issues whose acceptance criteria are fully satisfied

Priority order:
1. `#6 Repository Hygiene: Remove Tracked Secrets and Runtime Databases`
2. `#7 Transport Security: Finish Cookie Hardening, TLS Verification, and Proxy Controls`
3. `#2 Auth Boundary: Registration and Default Credentials`
4. `#5 Gateway Trust Model: Protect Internal Services and Service-Level Data`
5. `#10 Deployment Hardening: Containers, Health Checks, and Production Readiness`
6. `#9 Performance Hardening: Cache and De-risk Summary Endpoints`

Specific required fixes:
- `#6`
  - Stop tracking live `.env` and `.db` artifacts
  - Add or correct ignore rules
  - Replace tracked secrets with safe example/config templates where needed
  - Clearly separate code changes from any manual secret rotation steps
- `#7`
  - Remove insecure internal TLS config that disables hostname/cert verification
  - Keep secure cookie behavior consistent across login/logout and relevant services
- `#2`
  - Enforce fail-fast startup for missing required auth secrets where appropriate
  - Remove remaining weak/default credential behavior from runtime config paths
- `#5`
  - Reduce gateway service-global trust where feasible
  - Tighten internal service auth expectations and documentation
  - Remove or protect remaining overly permissive internal/debug surfaces
- `#10`
  - Harden remaining Dockerfiles, especially Node services
  - Add health checks and non-root users where missing
- `#9`
  - Address the worst full-scan summary endpoints first
  - Prefer targeted, minimal performance fixes over broad refactors

Constraints:
- Do not revert unrelated user changes
- Keep changes minimal and production-oriented
- Do not claim something is fixed unless code and verification support it
- If a fix requires an ops action outside the repo, note it explicitly in the issue comment and final summary

Final output format:
- `Completed:` issue numbers fully resolved
- `Partial:` issue numbers partially resolved and what remains
- `Blocked:` issue numbers blocked and why
- `Manual ops actions:` exact actions still required outside code
fix: remaining security and deployment hardening (#6 #7 #10) #7 Transport Security: - Removed legacy _ssl_ctx alias from config.py - proxy.py now uses _internal_ssl_ctx directly (explicitly scoped) - No global TLS bypass remains #10 Deployment Hardening: - Inventory Dockerfile: non-root (node user), health check, production deps - Budget Dockerfile: non-root (node user), health check, npm ci, multi-stage ready - Frontend-v2 Dockerfile: multi-stage build, non-root (node user), health check - Added /health endpoints to inventory and budget (before auth middleware) - All 6 containers now run as non-root with health checks All services verified: gateway, trips, fitness, inventory, budget, frontend 2026-03-29 09:35:39 -05:00			Work in the `platform` repo and use the existing Gitea issues as the source of truth.

			`Repo:`
			- `yusiboyz/platform`

			`Primary tracking issue:`
			- `#1 Production Security and Readiness Remediation`

			`Current status from latest audit:`
			- Fixed: `#2` registration disable, frontend proxy auth, Trips share protection, Fitness authz repair, gateway cookie hardening, budget dependency fix
			- Partial/Open: `#2`, `#5`, `#6`, `#7`, `#9`, `#10`

			`Your job:`
			- Read issue `#1` and child issues `#2` through `#10`
			`- Re-verify the repo state before changing anything`
			`- Then fix the remaining open items in priority order`
			`- Make code changes directly`
			`- After each issue-sized change, verify it and post a concise Gitea comment with:`
			`- what changed`
			`- files touched`
			`- verification performed`
			`- what still remains, if anything`
			`- Close only issues whose acceptance criteria are fully satisfied`

			`Priority order:`
			1. `#6 Repository Hygiene: Remove Tracked Secrets and Runtime Databases`
			2. `#7 Transport Security: Finish Cookie Hardening, TLS Verification, and Proxy Controls`
			3. `#2 Auth Boundary: Registration and Default Credentials`
			4. `#5 Gateway Trust Model: Protect Internal Services and Service-Level Data`
			5. `#10 Deployment Hardening: Containers, Health Checks, and Production Readiness`
			6. `#9 Performance Hardening: Cache and De-risk Summary Endpoints`

			`Specific required fixes:`
			- `#6`
			- Stop tracking live `.env` and `.db` artifacts
			`- Add or correct ignore rules`
			`- Replace tracked secrets with safe example/config templates where needed`
			`- Clearly separate code changes from any manual secret rotation steps`
			- `#7`
			`- Remove insecure internal TLS config that disables hostname/cert verification`
			`- Keep secure cookie behavior consistent across login/logout and relevant services`
			- `#2`
			`- Enforce fail-fast startup for missing required auth secrets where appropriate`
			`- Remove remaining weak/default credential behavior from runtime config paths`
			- `#5`
			`- Reduce gateway service-global trust where feasible`
			`- Tighten internal service auth expectations and documentation`
			`- Remove or protect remaining overly permissive internal/debug surfaces`
			- `#10`
			`- Harden remaining Dockerfiles, especially Node services`
			`- Add health checks and non-root users where missing`
			- `#9`
			`- Address the worst full-scan summary endpoints first`
			`- Prefer targeted, minimal performance fixes over broad refactors`

			`Constraints:`
			`- Do not revert unrelated user changes`
			`- Keep changes minimal and production-oriented`
			`- Do not claim something is fixed unless code and verification support it`
			`- If a fix requires an ops action outside the repo, note it explicitly in the issue comment and final summary`

			`Final output format:`
			- `Completed:` issue numbers fully resolved
			- `Partial:` issue numbers partially resolved and what remains
			- `Blocked:` issue numbers blocked and why
			- `Manual ops actions:` exact actions still required outside code