feat: tasks app, security hardening, mobile fixes, iOS app shell
- Custom SQLite task manager replacing TickTick wrapper
- 73 tasks migrated from TickTick across 15 projects
- RRULE recurrence engine with lazy materialization
- Dashboard tasks widget (desktop sidebar + mobile card)
- Tasks page with project tabs, add/edit/complete/delete
- Security: locked ports to localhost, removed old containers
- Gitea Actions runner configured and all 3 CI jobs passing
- Fixed mobile overflow on dashboard cards
- iOS Capacitor app shell (Second Brain)
- Frontend/backend guide docs for adding new services
- TickTick Google Calendar sync re-authorized

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
104
remediation_final_status.txt
Normal file
@@ -0,0 +1,104 @@
Platform Security & Readiness Remediation — Final Status
=========================================================
Date: 2026-03-29

ISSUE TRACKER: Gitea yusiboyz/platform Issues #1–#10

COMPLETED ISSUES
================

#2 Auth Boundary: Registration and Default Credentials
- /api/auth/register disabled (403)
- Gateway admin seeded from ADMIN_USERNAME/ADMIN_PASSWORD env vars only
- Trips USERNAME/PASSWORD have no default fallback
- Fitness user seed requires env vars (no "changeme" default)
- All passwords use bcrypt

#3 Trips Sharing Security
- handle_share_api enforces password via X-Share-Password header + bcrypt
- share_password stored as bcrypt hash
- All plaintext password logging removed
- Existing plaintext passwords invalidated by migration
- Dead hash_password function removed

#4 Fitness Authorization
- All user_id query params enforced to authenticated user's own ID
- /api/users returns only current user
- Wildcard CORS removed

#5 Gateway Trust Model
- Inventory and budget require API keys (X-API-Key middleware)
- Token validation uses protected endpoints per service type
- /debug-nocodb removed from inventory
- /test removed from inventory
- NocoDB search filter sanitized (strips operator injection chars)
- SERVICE_LEVEL_AUTH renamed to GATEWAY_KEY_SERVICES
- Trust model documented in docs/trust-model.md
- Per-user vs gateway-key services clearly distinguished
- Known limitations documented (no per-user isolation on shared services)

#6 Repository Hygiene
- No .env or .db files tracked in git
- .gitignore covers: .env*, *.db*, services/**/.env, data/, test-results/
- .env.example updated with all current env vars (no secrets)

#7 Transport Security
- Gateway: _internal_ssl_ctx removed entirely (internal services use plain HTTP)
- Gateway: ssl import removed from config.py
- Gateway: proxy.py uses urlopen() without context parameter
- Gateway: logout cookie includes HttpOnly, Secure, SameSite=Lax
- Gateway: image proxy uses default TLS + domain allowlist + content-type validation
- Trips: all 5 CERT_NONE sites removed (OpenAI, Gemini, Google Places, Geocode)
- Inventory: permissive cors() removed
- Budget: permissive cors() removed

#9 Performance Hardening
- Inventory /issues: server-side NocoDB WHERE filter (no full scan)
- Inventory /needs-review-count: server-side filter + pageInfo.totalRows
- Budget /summary: 1-minute cache
- Budget /transactions/recent: 30-second cache
- Budget /uncategorized-count: 2-minute cache
- Budget buildLookups: 2-minute cache
- Gateway /api/dashboard: 30-second per-user cache
- Actual Budget per-account API constraint documented

#10 Deployment Hardening
- All 6 containers run as non-root (appuser/node)
- Health checks on gateway, trips, fitness, inventory, budget, frontend
- PYTHONUNBUFFERED=1 on all Python services
- Trips Dockerfile only copies server.py (not whole context)
- Frontend uses multi-stage build

PARTIAL ISSUES
==============

#8 Dependency Security
- Budget path-to-regexp vulnerability fixed
- .gitea/workflows/security.yml committed:
- dependency-audit (npm audit for budget + frontend)
- secret-scanning (tracked .env/.db, hardcoded patterns)
- dockerfile-lint (USER instruction, HEALTHCHECK)
- Runner dependency documented in .gitea/README.md
- BLOCKED: Requires Gitea Actions runner to be configured operationally

OTHER FIXES (not tied to specific issues)
- Disconnect confirmation dialog added to Settings
- App nav visibility documented as cosmetic-only
- Stale /test startup log removed from inventory
- Frontend cookie vulnerability (4 low-severity) documented as not safe to fix
(requires breaking @sveltejs/kit downgrade)

MANUAL OPS ACTIONS REQUIRED
============================
1. Configure a Gitea Actions runner to activate CI workflows
2. Store admin password securely (set via ADMIN_PASSWORD env var)
3. Clean up local untracked .env files with real credentials if needed
4. Monitor @sveltejs/kit for a non-breaking cookie fix in future releases

ARCHITECTURE REFERENCE
======================
- Trust model: docs/trust-model.md
- CI workflows: .gitea/workflows/security.yml
- Runner setup: .gitea/README.md
- Design system: frontend-v2/DESIGN_SYSTEM.md
- Env var reference: .env.example
