Update Current state: 1.1.0:9 built + sideloaded
@@ -98,13 +98,13 @@ Canonical publish path for this project: `~/.proof-of-work/publish.sh` (builds,
## Current state
Latest version is **1.1.0:9** (P2 hardening batch, on `master`). **1.1.0:8** was the last build+sideload confirmed booting; **:9 is being built + sideloaded this session** — the container privilege-drop is only *verified* once that boot succeeds and the app writes `/data` as uid 1001. Registry empty, **publishing parked** (sideload-only via `make install`).
Latest version is **1.1.0:9** — **built + sideloaded** to the StartOS box (2026-06-13, on `master`). The container privilege-drop is *verified* only once a clean boot is confirmed in StartOS → Logs (entrypoint logs `launching ... as nextjs`, app writes `/data` as uid 1001 with no permission errors). Registry empty, **publishing parked** (sideload-only via `make install`).
Working: workout logging, programs (manual + AI), multi-user, curated library, full AI subsystem (5 providers, multi-config, background generation, history detail, cost/duration, Ollama auto-detect, infinite-scroll exercise history).
Done this session (P2 batch from `EVALUATION.md`, reviewed by the reviewer agent): malformed bodies / invalid `date` / out-of-range pagination now **400 not 500** (new `lib/http.ts readJsonBody` across 11 CRUD routes; explicit guard on `me/import` + `admin/signups`); **`POST /api/auth` rate-limited** (shares the UI `login:${ip}` 10/15min bucket; 429+Retry-After); rate-limiter **XFF anti-spoof** (rightmost entry); **container drops root** via su-exec. Tests **209 pass**, build + tsc + lint clean.
In progress: **build + sideload of 1.1.0:9** (`make x86` → `make install` from `start9/0.4/`), then verify it boots + writes `/data` as non-root.
In progress: none. Pending on-box check: confirm 1.1.0:9 boots clean and the Node server writes `/data` as non-root (StartOS → Logs).
Next steps (priority order):
1. **Next.js 14→15 major bump** (the remaining P1 — CVEs) as its own tested change — planned next; the login server action already uses async `cookies()/headers()`, easing the migration.
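Review bot: the pending on-box verification is now described twice with different acceptance criteria and sits outside the prioritized list. The new "Current state" line gates the privilege-drop claim on the entrypoint log `launching ... as nextjs` plus `/data` writes as uid 1001 with no permission errors, while the new "In progress: none. Pending on-box check: ..." line only says "boots clean and ... writes `/data` as non-root". Suggest keeping the concrete checks (the log line, the uid, the absence of permission errors) in one place and listing the check as item 0 of "Next steps" ahead of the Next.js 15 bump; as written, "In progress: none" reads as nothing outstanding, even though the status still says the privilege drop is not yet verified.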