claude_code_remaining_issues_prompt.txt

Work in the `platform` repo and continue from the current remediation state.

Use Gitea issues as the source of truth:
- `#1` umbrella
- `#5` Gateway Trust Model
- `#7` Transport Security
- `#8` Dependency Security
- `#9` Performance Hardening

First, re-verify the repo state before changing anything. Do not trust prior summaries blindly.

Current known remaining work:
1. `#7`
- Gateway proxy still uses `_internal_ssl_ctx` with disabled cert/hostname verification
- Fix the real proxy path, not just external image fetches

2. `#5`
- `SERVICE_LEVEL_AUTH` trust model still exists in the gateway
- Inventory still exposes `/debug-nocodb`
- Inventory search/filter construction still needs hardening

3. `#9`
- Inventory `/issues` and `/needs-review-count` still do full scans
- Budget `/transactions/recent` still fans out across all accounts
- Existing cache improvements are helpful but do not complete the issue

4. `#8`
- `.gitea/workflows/security.yml` exists
- The remaining work is operational: verify/document exactly what still requires a Gitea runner and avoid overstating completion

Instructions:
- Make minimal, production-oriented fixes
- After each issue-sized change, verify it
- Comment on the relevant Gitea issue with:
  - what changed
  - files touched
  - verification performed
  - what remains
- Do not close `#5`, `#7`, or `#9` unless the actual code and behavior support it
- Do not mark `#8` completed unless the repo-side work is fully done and the remaining runner dependency is clearly documented
- Do not reopen already completed issues unless you find a real regression
- Do not revert unrelated user changes

Final output format:
- `Completed:`
- `Partial:`
- `Blocked:`
- `Manual ops actions:`
fix(gateway): remove no-verify SSL context from proxy (#7) All internal services use plain HTTP (Docker network). The _internal_ssl_ctx with disabled cert verification was a no-op for HTTP URLs but suggested TLS bypass was in use. - Removed _internal_ssl_ctx from config.py - Removed ssl import from config.py - proxy.py now calls urlopen() without context parameter - External calls (OpenAI, SMTP2GO, Open Library) already use default TLS verification Verified: dashboard, trips, fitness, budget, inventory all respond correctly. 2026-03-29 13:46:11 -05:00			Work in the `platform` repo and continue from the current remediation state.

			`Use Gitea issues as the source of truth:`
			- `#1` umbrella
			- `#5` Gateway Trust Model
			- `#7` Transport Security
			- `#8` Dependency Security
			- `#9` Performance Hardening

			`First, re-verify the repo state before changing anything. Do not trust prior summaries blindly.`

			`Current known remaining work:`
			1. `#7`
			- Gateway proxy still uses `_internal_ssl_ctx` with disabled cert/hostname verification
			`- Fix the real proxy path, not just external image fetches`

			2. `#5`
			- `SERVICE_LEVEL_AUTH` trust model still exists in the gateway
			- Inventory still exposes `/debug-nocodb`
			`- Inventory search/filter construction still needs hardening`

			3. `#9`
			- Inventory `/issues` and `/needs-review-count` still do full scans
			- Budget `/transactions/recent` still fans out across all accounts
			`- Existing cache improvements are helpful but do not complete the issue`

			4. `#8`
			- `.gitea/workflows/security.yml` exists
			`- The remaining work is operational: verify/document exactly what still requires a Gitea runner and avoid overstating completion`

			`Instructions:`
			`- Make minimal, production-oriented fixes`
			`- After each issue-sized change, verify it`
			`- Comment on the relevant Gitea issue with:`
			`- what changed`
			`- files touched`
			`- verification performed`
			`- what remains`
			- Do not close `#5`, `#7`, or `#9` unless the actual code and behavior support it
			- Do not mark `#8` completed unless the repo-side work is fully done and the remaining runner dependency is clearly documented
			`- Do not reopen already completed issues unless you find a real regression`
			`- Do not revert unrelated user changes`

			`Final output format:`
			- `Completed:`
			- `Partial:`
			- `Blocked:`
			- `Manual ops actions:`