grant/proof-of-work

Fork 0

Files

T

Keysat 3f22ef7600

CI / proof-of-work (Next.js app) (push) Has been cancelled

Details

CI / start9/0.4 (StartOS package code) (push) Has been cancelled

Details

v1.1.0:9 — P2 hardening: input-validation 400s, auth rate-limit, XFF anti-spoof, non-root container

P2 batch from the 2026-06-13 full-eval (EVALUATION.md / ROADMAP.md), reviewed by the reviewer agent. App-code + packaging only; no schema or data change, existing /data untouched.

Input validation: malformed JSON bodies, invalid date, and out-of-range or non-numeric pagination on /api/workouts now return 400 instead of 500. New lib/http.ts readJsonBody maps a bad body to a ZodError across the 11 CRUD routes whose catch maps ZodError to 400; me/import and admin/signups guard request.json() in an explicit try/catch.

Rate limiting: POST /api/auth now shares the UI login server action's per-IP 10-per-15min cap and returns 429 + Retry-After. clientIpFromHeaders reads the rightmost (trusted-proxy-appended) X-Forwarded-For entry instead of the spoofable leftmost.

Container: drops root. The entrypoint prepares /data as root, chowns it to nextjs, then exec su-exec nextjs:nodejs node server.js (su-exec added to the runner image). The container drop needs live sideload verification.

2026-06-13 00:03:47 -05:00

2.6 KiB

Raw Blame History

ROADMAP — Proof of Work

Longer-term backlog. Near-term state + next steps live in AGENTS.md → Current state.

AI quality

Tiered prompt formatting (also the immediate next step): JSON-Schema output enforcement via Ollama format and OpenAI response_format; pipe-separated library rows; XML-tagged prompt sections; Ollama-only few-shot example; stable prefix first for prompt-cache hits.
Keep MODEL_MENU / PRICES current as providers ship new models.

Security & hardening (from 2026-06-13 full-eval; full detail + file:line in `EVALUATION.md`)

Next.js 14→15 major bump (CVEs: RSC DoS, WS-upgrade SSRF, App Router XSS). Own tested change — breaking App Router/caching semantics, needs its own build + sideload verification.
Still open — verify on the box: whether the StartOS proxy forwards real client IPs to the app. The rate limiter now keys on the rightmost (trusted-proxy) X-Forwarded-For entry; if the proxy instead makes every client look like one IP, the per-IP cap collapses to a single global bucket. Confirm with live headers.
P3 hardening batch: login timing oracle (dummy bcrypt on unknown email), CSP unsafe-eval vs comment, /api/health info disclosure, rate-limit map leak, exerciseId ownership unchecked on workout PATCH/sets POST, 30-day sessions, no text max-length. Also unify the 3rd JSON-parse pattern in programs/[id]/days/[dayId]/start (try{json}catch{→{}}).

Done in 1.1.0:9 (P2 batch): input-validation 500s → 400 (lib/http.ts readJsonBody + explicit guards); POST /api/auth rate-limited; XFF anti-spoof; container drops root via su-exec.

Packaging / distribution

Diagnose and fix the publish.sh Step-3 registry-register silent no-op.
Build for arm / additional arches once StartOS 0.4 supports them on the host.
Consider submission to the Start9 community registry (use the start9-spec-checker agent first). Blockers found 2026-06-13: non-SPDX "Proprietary" license, missing instructions.md, 404 packageRepo/upstreamRepo URLs, stale "0.3.5 data snapshot" install alert + long description; plus warnings (PNG vs SVG icon, migration-era README, no .github/workflows, generic docsUrls, Node 20 vs 22).

Product

Adherence tracking: compare logged workouts against the planned ProgramDay (the programDayId link already exists).
Per-user export/import polish and scheduled backups.
Charts/progress views over history (the data and 1RM estimates already exist).

Hygiene

Delete the legacy start9/0.4/workout-log_x86_64.s9pk build artifact; drop unused bcryptjs from start9/0.4/package.json.
Revisit workout-planner/ scratch dir — remove if truly unused.

2.6 KiB Raw Blame History