Record registry-submission process + start-cli/prepare.sh; capture eval P2 backlog
Refresh AGENTS Current state for the full-eval session; document the email-based community-registry submission flow and the start-cli installer in the packaging guide; add a ROADMAP Security & hardening section so the eval P2s survive EVALUATION.md overwrites.
This commit is contained in:
Keysat
+36
-6
@@ -28,12 +28,18 @@ Longer-term backlog. Near-term state lives in `AGENTS.md` → Current state.
|
||||
|
||||
## Packaging & distribution
|
||||
|
||||
- Start9 Community Registry submission — a 2026-06-17 spec check found the wrapper passes the functional
|
||||
criteria (manifest, interfaces, health check, backup/restore, BTCPay dep, actions). Remaining gap before
|
||||
submission: add a `prepare.sh` to set up a clean Debian box for the first build (copy the one from
|
||||
`hello-world-startos`), then run the on-box manual verification (install / backup / restore / logs).
|
||||
Submission criteria themselves remain unpublished; reach out to Start9 when ready. (Icon-render and the
|
||||
source-available license are intentionally not treated as blockers.)
|
||||
- **Start9 Community Registry submission.** Mechanism (researched 2026-06-18): **email-based, not a PR or
|
||||
form.** Mail `submissions@start9labs.com` (the 0.3.5.x docs say `submissions@start9.com` — addresses are
|
||||
inconsistent) a link to the public wrapper repo (+ detailed README); both wrapper and upstream source must
|
||||
be public. Start9 snapshots the repo, **builds from source on a clean Debian box** (`prepare.sh` + `make`; a
|
||||
failed first build bounces the submission), installs + tests on real hardware (metadata, install/uninstall,
|
||||
interfaces, health, backup/restore, low-resource device), lands it in Community **Beta**, and promotes to
|
||||
production when you reply asking. Updates follow the same loop. `start-cli s9pk publish` is **self-hosted-registry
|
||||
only** — unrelated to community intake. `prepare.sh` shipped this session (`licensing-service-startos/prepare.sh`).
|
||||
**Clear with Start9 before submitting:** (1) is the custom source-available `LicenseRef-Keysat-1.0` acceptable
|
||||
(docs conflict: "source available" vs "Open Source License") — highest-leverage; a hard No blocks regardless of
|
||||
build-readiness; (2) does the 0.4.x build flow still invoke `prepare.sh` (a 0.3.5.x concept, absent from 0.4.x
|
||||
docs). Then the on-box manual verification. Functional criteria otherwise pass (2026-06-17 spec check).
|
||||
|
||||
## Operability & alerts
|
||||
|
||||
@@ -53,6 +59,30 @@ Longer-term backlog. Near-term state lives in `AGENTS.md` → Current state.
|
||||
The dormant `merchant_profiles.smtp_*` columns (migration 0020) are now dead weight — left in place (a removal
|
||||
migration isn't worth it) and flagged in `src/merchant_profiles.rs`.
|
||||
|
||||
## Security & hardening (2026-06-18 full-eval P2s; EVALUATION.md has full detail but is overwritten each run, so the durable list lives here)
|
||||
|
||||
- **X-Forwarded-For rate-limit bypass.** Login/recover/validate buckets key off the raw first XFF value
|
||||
(`api/auth.rs:137`, `api/recover.rs:65`, `api/admin.rs:63`, `api/validate.rs:95`); rotating XFF defeats the
|
||||
throttle. First confirm whether the StartOS front proxy overwrites XFF (decides real-world reachability), then
|
||||
derive client IP from the trusted-proxy connection with a peer-socket fallback.
|
||||
- **Dependency advisories** (mechanical, low-risk): bump `sqlx 0.7.4` → ≥0.8.1 (RUSTSEC-2024-0363),
|
||||
`rustls-webpki 0.101.7` → ≥0.103.13 (RUSTSEC-2026-0098/0099/0104), update start-sdk for the wrapper's
|
||||
`fast-xml-parser` (GHSA-5wm8-gmm8-39j9); re-run `cargo audit` / `npm audit`.
|
||||
- **Admin UI co-located with the public API** on the single `:8080` interface (`startos/interfaces.ts`) — operator
|
||||
can't network-isolate admin. Split the admin SPA + `/v1/admin/*` onto their own port/interface.
|
||||
- **Webhook-endpoint registration accepts `file://` / loopback URLs** (`webhooks.rs:106`, admin-gated) — add a
|
||||
scheme + host allowlist (reject non-http(s), loopback, link-local).
|
||||
- **Runtime-prepared SQL** in `db/repo.rs` + `subscriptions.rs` (no compile-time column check; this class already
|
||||
500'd every paid purchase once on `:52`) — migrate the money-path queries to compile-checked `sqlx::query!`.
|
||||
- **`rate_buckets` grows unbounded** (`rate_limit.rs:63`, one row per client IP on a public endpoint, no reaper) —
|
||||
add a reaper mirroring the session/redemption reapers in `main.rs`.
|
||||
- **No CI.** Stand up one job (`cargo test && cargo clippy && tsc --noEmit`, ideally `cargo fmt --check`); the suite
|
||||
is good but unenforced, so green depends on the operator remembering to run it before `publish.sh`.
|
||||
- Doc-drift P3 cluster (each one-liners, see EVALUATION.md): BUILDING.md Node 20→22 / Rust 1.75→1.88, broken docs
|
||||
`/changelog` footer link, README "Show credentials" → "Show admin API key", PORTING_SDK stale (Python/Go shipped;
|
||||
crate renamed), testing.md stale test counts, and the `unlimited_merchant_profiles` guide/code-comment ("still
|
||||
needs adding") vs AGENTS ("confirmed live") contradiction — resolve with a live `GET /v1/products/keysat/policies`.
|
||||
|
||||
## Licensing model
|
||||
|
||||
- Evaluate Elastic License v2 vs the current custom `LicenseRef-Keysat-1.0` (parked decision).
|
||||
|
||||
Reference in New Issue
Block a user