#5 Gateway Trust Model: - Token validation now uses protected endpoints, not health checks - Unknown services rejected (no fallback to unprotected endpoint) - Trust model documented in docs/trust-model.md #8 CI Enforcement: - Added .gitea/workflows/security.yml with: - Dependency audit (npm audit --audit-level=high for budget) - Secret scanning (checks for tracked .env/.db, hardcoded secrets) - Dockerfile lint (non-root USER, HEALTHCHECK presence) #9 Performance Hardening: - Budget /summary: 1-minute in-memory cache (avoids repeated account fan-out) - Gateway /api/dashboard: 30-second per-user cache (50x faster on repeat) - Inventory health endpoint added before auth middleware Closes #5, #8, #9
This commit is contained in:
Yusuf Suleman
@@ -6,15 +6,23 @@ Repo:
|
||||
Primary tracking issue:
|
||||
- `#1 Production Security and Readiness Remediation`
|
||||
|
||||
Current status from latest audit:
|
||||
- Fixed: `#2` registration disable, frontend proxy auth, Trips share protection, Fitness authz repair, gateway cookie hardening, budget dependency fix
|
||||
- Partial/Open: `#2`, `#5`, `#6`, `#7`, `#9`, `#10`
|
||||
Verified current state:
|
||||
- Completed: `#2`, `#3`, `#4`, `#6`, `#7`, `#10`
|
||||
- Partial: `#5`, `#8`
|
||||
- Open: `#9`
|
||||
|
||||
Important verified notes:
|
||||
- Repo hygiene is fixed at the git level: live `.env` and `.db` files are no longer tracked, and `.gitignore` blocks them.
|
||||
- Local untracked env files may still exist on disk and may still contain sensitive values. Treat those as manual ops cleanup and rotation work, not as tracked repo content.
|
||||
- Inventory and Budget now require service API keys, but the broader gateway trust model still needs documentation and tightening.
|
||||
- Budget dependency audit is clean, but CI-based automated scanning is still not fully in place.
|
||||
- Performance hardening work is still open in inventory, budget, and dashboard summary paths.
|
||||
|
||||
Your job:
|
||||
- Read issue `#1` and child issues `#2` through `#10`
|
||||
- Re-verify the repo state before changing anything
|
||||
- Then fix the remaining open items in priority order
|
||||
- Make code changes directly
|
||||
- Read issue `#1` and the remaining issue threads first
|
||||
- Re-verify the current repo state before changing anything
|
||||
- Only work on the remaining items: `#5`, `#8`, and `#9`
|
||||
- Make code and config changes directly
|
||||
- After each issue-sized change, verify it and post a concise Gitea comment with:
|
||||
- what changed
|
||||
- files touched
|
||||
@@ -23,42 +31,38 @@ Your job:
|
||||
- Close only issues whose acceptance criteria are fully satisfied
|
||||
|
||||
Priority order:
|
||||
1. `#6 Repository Hygiene: Remove Tracked Secrets and Runtime Databases`
|
||||
2. `#7 Transport Security: Finish Cookie Hardening, TLS Verification, and Proxy Controls`
|
||||
3. `#2 Auth Boundary: Registration and Default Credentials`
|
||||
4. `#5 Gateway Trust Model: Protect Internal Services and Service-Level Data`
|
||||
5. `#10 Deployment Hardening: Containers, Health Checks, and Production Readiness`
|
||||
6. `#9 Performance Hardening: Cache and De-risk Summary Endpoints`
|
||||
1. `#5 Gateway Trust Model: Protect Internal Services and Service-Level Data`
|
||||
2. `#8 Dependency Security and CI Enforcement`
|
||||
3. `#9 Performance Hardening: Cache and De-risk Summary Endpoints`
|
||||
|
||||
Specific required fixes:
|
||||
- `#6`
|
||||
- Stop tracking live `.env` and `.db` artifacts
|
||||
- Add or correct ignore rules
|
||||
- Replace tracked secrets with safe example/config templates where needed
|
||||
- Clearly separate code changes from any manual secret rotation steps
|
||||
- `#7`
|
||||
- Remove insecure internal TLS config that disables hostname/cert verification
|
||||
- Keep secure cookie behavior consistent across login/logout and relevant services
|
||||
- `#2`
|
||||
- Enforce fail-fast startup for missing required auth secrets where appropriate
|
||||
- Remove remaining weak/default credential behavior from runtime config paths
|
||||
- `#5`
|
||||
- Reduce gateway service-global trust where feasible
|
||||
- Tighten internal service auth expectations and documentation
|
||||
- Remove or protect remaining overly permissive internal/debug surfaces
|
||||
- `#10`
|
||||
- Harden remaining Dockerfiles, especially Node services
|
||||
- Add health checks and non-root users where missing
|
||||
- Re-check the current gateway trust assumptions before editing
|
||||
- Tighten or document remaining service-global trust behavior
|
||||
- Remove or protect remaining permissive/debug surfaces, especially in internal services
|
||||
- Keep changes minimal and production-oriented
|
||||
- `#8`
|
||||
- Keep the existing dependency state intact
|
||||
- Add or finish CI enforcement for dependency/security checks
|
||||
- Include secret scanning or equivalent repo-level safety checks if missing
|
||||
- Do not close this issue unless the CI path is actually committed and runnable in this repo
|
||||
- `#9`
|
||||
- Address the worst full-scan summary endpoints first
|
||||
- Prefer targeted, minimal performance fixes over broad refactors
|
||||
- Address the worst full-scan endpoints first
|
||||
- Focus on targeted fixes in inventory, budget, and gateway summary paths
|
||||
- Prefer measurable reductions in repeated full-table or full-account scans over broad refactors
|
||||
|
||||
Constraints:
|
||||
- Do not reopen already-completed issues unless verification proves a regression
|
||||
- Do not revert unrelated user changes
|
||||
- Keep changes minimal and production-oriented
|
||||
- Do not claim something is fixed unless code and verification support it
|
||||
- If a fix requires an ops action outside the repo, note it explicitly in the issue comment and final summary
|
||||
|
||||
Manual ops actions that are outside the repo:
|
||||
- Rotate any secrets that were exposed in chat or local env files
|
||||
- Clean up local untracked `.env` files that still contain real credentials
|
||||
- Replace any weak local credentials still present in local-only env files
|
||||
|
||||
Final output format:
|
||||
- `Completed:` issue numbers fully resolved
|
||||
- `Partial:` issue numbers partially resolved and what remains
|
||||
|
||||
Reference in New Issue
Block a user