Platform Security & Readiness Remediation — Final Status
=========================================================

Date: 2026-03-29
ISSUE TRACKER: Gitea yusiboyz/platform Issues #1–#10

COMPLETED ISSUES
================

#2 Auth Boundary: Registration and Default Credentials
- /api/auth/register disabled (403)
- Gateway admin seeded from ADMIN_USERNAME/ADMIN_PASSWORD env vars only
- Trips USERNAME/PASSWORD have no default fallback
- Fitness user seed requires env vars (no "changeme" default)
- All passwords use bcrypt

#3 Trips Sharing Security
- handle_share_api enforces password via X-Share-Password header + bcrypt
- share_password stored as bcrypt hash
- All plaintext password logging removed
- Existing plaintext passwords invalidated by migration
- Dead hash_password function removed

#4 Fitness Authorization
- All user_id query params enforced to authenticated user's own ID
- /api/users returns only current user
- Wildcard CORS removed

#5 Gateway Trust Model
- Inventory and budget require API keys (X-API-Key middleware)
- Token validation uses protected endpoints per service type
- /debug-nocodb removed from inventory
- /test removed from inventory
- NocoDB search filter sanitized (strips operator injection chars)
- SERVICE_LEVEL_AUTH renamed to GATEWAY_KEY_SERVICES
- Trust model documented in docs/trust-model.md
- Per-user vs gateway-key services clearly distinguished
- Known limitations documented (no per-user isolation on shared services)

#6 Repository Hygiene
- No .env or .db files tracked in git
- .gitignore covers: .env*, *.db*, services/**/.env, data/, test-results/
- .env.example updated with all current env vars (no secrets)

#7 Transport Security
- Gateway: _internal_ssl_ctx removed entirely (internal services use plain HTTP)
- Gateway: ssl import removed from config.py
- Gateway: proxy.py uses urlopen() without context parameter
- Gateway: logout cookie includes HttpOnly, Secure, SameSite=Lax
- Gateway: image proxy uses default TLS + domain allowlist + content-type validation
- Trips: all 5 CERT_NONE sites removed (OpenAI, Gemini, Google Places, Geocode)
- Inventory: permissive cors() removed
- Budget: permissive cors() removed

#9 Performance Hardening
- Inventory /issues: server-side NocoDB WHERE filter (no full scan)
- Inventory /needs-review-count: server-side filter + pageInfo.totalRows
- Budget /summary: 1-minute cache
- Budget /transactions/recent: 30-second cache
- Budget /uncategorized-count: 2-minute cache
- Budget buildLookups: 2-minute cache
- Gateway /api/dashboard: 30-second per-user cache
- Actual Budget per-account API constraint documented

#10 Deployment Hardening
- All 6 containers run as non-root (appuser/node)
- Health checks on gateway, trips, fitness, inventory, budget, frontend
- PYTHONUNBUFFERED=1 on all Python services
- Trips Dockerfile only copies server.py (not whole context)
- Frontend uses multi-stage build

PARTIAL ISSUES
==============

#8 Dependency Security
- Budget path-to-regexp vulnerability fixed
- .gitea/workflows/security.yml committed:
  - dependency-audit (npm audit for budget + frontend)
  - secret-scanning (tracked .env/.db, hardcoded patterns)
  - dockerfile-lint (USER instruction, HEALTHCHECK)
- Runner dependency documented in .gitea/README.md
- BLOCKED: requires a Gitea Actions runner to be configured operationally

OTHER FIXES (not tied to specific issues)
=========================================
- Disconnect confirmation dialog added to Settings
- App nav visibility documented as cosmetic-only
- Stale /test startup log removed from inventory
- Frontend cookie vulnerability (4 low-severity) documented as not safe to fix (requires a breaking @sveltejs/kit downgrade)

MANUAL OPS ACTIONS REQUIRED
===========================
1. Configure a Gitea Actions runner to activate CI workflows
2. Store admin password securely (set via ADMIN_PASSWORD env var)
3. Clean up local untracked .env files with real credentials if needed
4. Monitor @sveltejs/kit for a non-breaking cookie fix in future releases

ARCHITECTURE REFERENCE
======================
- Trust model: docs/trust-model.md
- CI workflows: .gitea/workflows/security.yml
- Runner setup: .gitea/README.md
- Design system: frontend-v2/DESIGN_SYSTEM.md
- Env var reference: .env.example
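As an added illustration of the #7 image-proxy item (default TLS, domain allowlist, content-type validation), not the gateway's own proxy.py: a hypothetical fetch routine in Python. The allowlist hosts, the size cap and the fake_opener helper are constructed for this example.

```python
from contextlib import nullcontext
from types import SimpleNamespace
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Constructed allowlist and limits; the gateway's real values are not on this page.
IMAGE_HOST_ALLOWLIST = frozenset({"images.example.com", "cdn.example.com"})
ALLOWED_IMAGE_TYPES = frozenset({"image/png", "image/jpeg", "image/gif", "image/webp"})
MAX_IMAGE_BYTES = 5 * 1024 * 1024


def is_allowed_image_url(url: str) -> bool:
    """Accept only https URLs whose hostname is exactly on the allowlist."""
    parsed = urlparse(url)
    host = parsed.hostname  # drops userinfo: images.example.com@evil.test -> evil.test
    # Exact match rather than suffix match, so images.example.com.evil.test is refused.
    return parsed.scheme == "https" and host is not None and host.lower() in IMAGE_HOST_ALLOWLIST


def image_mime_type(content_type):
    """Return the bare MIME type if it is an allowed image type, else None."""
    if not content_type:
        return None
    mime = content_type.split(";", 1)[0].strip().lower()
    return mime if mime in ALLOWED_IMAGE_TYPES else None


def fetch_image(url: str, opener=urlopen):
    """Fetch a proxied image; returns (mime, bytes) or raises ValueError on policy failure."""
    if not is_allowed_image_url(url):
        raise ValueError("host not in image allowlist")
    req = Request(url, headers={"User-Agent": "gateway-image-proxy"})
    # No context= argument: urlopen uses the default SSL context, which verifies the
    # certificate chain and hostname (unlike the CERT_NONE contexts this report removed).
    with opener(req, timeout=10) as resp:
        mime = image_mime_type(resp.headers.get("Content-Type"))
        if mime is None:
            raise ValueError("upstream did not return an allowed image content-type")
        data = resp.read(MAX_IMAGE_BYTES + 1)  # one byte past the cap detects oversize bodies
    if len(data) > MAX_IMAGE_BYTES:
        raise ValueError("image exceeds size limit")
    return mime, data


def fake_opener(content_type, body):
    """Constructed opener for offline use: ignores the request, yields a fixed response."""
    resp = SimpleNamespace(headers={"Content-Type": content_type},
                           read=lambda n=-1: body if n < 0 else body[:n])
    return lambda req, timeout=None: nullcontext(resp)
```

A real handler would map each ValueError to a 4xx response rather than proxying the upstream body.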