yusiboyz/platform
1
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7c05ef14c7e0ef0f1bce3d35ce58d61a9ba7eceb
platform/claude_code_remaining_fixes_prompt.txt
Yusuf Suleman 4ecd2336b5
Some checks failed
Security Checks / dependency-audit (push) Has been cancelled
Details
Security Checks / secret-scanning (push) Has been cancelled
Details
Security Checks / dockerfile-lint (push) Has been cancelled
Details
fix: complete remaining remediation (#5, #8, #9) 
#5 Gateway Trust Model:
- Token validation now uses protected endpoints, not health checks
- Unknown services rejected (no fallback to unprotected endpoint)
- Trust model documented in docs/trust-model.md

#8 CI Enforcement:
- Added .gitea/workflows/security.yml with:
  - Dependency audit (npm audit --audit-level=high for budget)
  - Secret scanning (checks for tracked .env/.db, hardcoded secrets)
  - Dockerfile lint (non-root USER, HEALTHCHECK presence)

#9 Performance Hardening:
- Budget /summary: 1-minute in-memory cache (avoids repeated account fan-out)
- Gateway /api/dashboard: 30-second per-user cache (50x faster on repeat)
- Inventory health endpoint added before auth middleware

Closes #5, #8, #9
2026-03-29 10:13:00 -05:00

71 lines
3.2 KiB
Plaintext
Raw Blame History

Work in the `platform` repo and use the existing Gitea issues as the source of truth.
Repo:
- `yusiboyz/platform`
Primary tracking issue:
- `#1 Production Security and Readiness Remediation`
Verified current state:
- Completed: `#2`, `#3`, `#4`, `#6`, `#7`, `#10`
- Partial: `#5`, `#8`
- Open: `#9`
Important verified notes:
- Repo hygiene is fixed at the git level: live `.env` and `.db` files are no longer tracked, and `.gitignore` blocks them.
- Local untracked env files may still exist on disk and may still contain sensitive values. Treat those as manual ops cleanup and rotation work, not as tracked repo content.
- Inventory and Budget now require service API keys, but the broader gateway trust model still needs documentation and tightening.
- Budget dependency audit is clean, but CI-based automated scanning is still not fully in place.
- Performance hardening work is still open in inventory, budget, and dashboard summary paths.
Your job:
- Read issue `#1` and the remaining issue threads first
- Re-verify the current repo state before changing anything
- Only work on the remaining items: `#5`, `#8`, and `#9`
- Make code and config changes directly
- After each issue-sized change, verify it and post a concise Gitea comment with:
- what changed
- files touched
- verification performed
- what still remains, if anything
- Close only issues whose acceptance criteria are fully satisfied
Priority order:
1. `#5 Gateway Trust Model: Protect Internal Services and Service-Level Data`
2. `#8 Dependency Security and CI Enforcement`
3. `#9 Performance Hardening: Cache and De-risk Summary Endpoints`
Specific required fixes:
- `#5`
- Re-check the current gateway trust assumptions before editing
- Tighten or document remaining service-global trust behavior
- Remove or protect remaining permissive/debug surfaces, especially in internal services
- Keep changes minimal and production-oriented
- `#8`
- Keep the existing dependency state intact
- Add or finish CI enforcement for dependency/security checks
- Include secret scanning or equivalent repo-level safety checks if missing
- Do not close this issue unless the CI path is actually committed and runnable in this repo
- `#9`
- Address the worst full-scan endpoints first
- Focus on targeted fixes in inventory, budget, and gateway summary paths
- Prefer measurable reductions in repeated full-table or full-account scans over broad refactors
Constraints:
- Do not reopen already-completed issues unless verification proves a regression
- Do not revert unrelated user changes
- Keep changes minimal and production-oriented
- Do not claim something is fixed unless code and verification support it
- If a fix requires an ops action outside the repo, note it explicitly in the issue comment and final summary
Manual ops actions that are outside the repo:
- Rotate any secrets that were exposed in chat or local env files
- Clean up local untracked `.env` files that still contain real credentials
- Replace any weak local credentials still present in local-only env files
Final output format:
- `Completed:` issue numbers fully resolved
- `Partial:` issue numbers partially resolved and what remains
- `Blocked:` issue numbers blocked and why
- `Manual ops actions:` exact actions still required outside code
Reference in New Issue View Git Blame Copy Permalink