Keysat
ef3d079ca2
Capture the ~17-touchpoint recipe for promoting a set metric to a column (the watts precedent) so the next one doesn't need a repo-wide grep, and log the pre-existing CSV export/import header-name asymmetry as backlog.
35 lines
3.1 KiB
Markdown
35 lines
3.1 KiB
Markdown
# ROADMAP — Proof of Work
|
||
|
||
Longer-term backlog. Near-term state + next steps live in `AGENTS.md` → Current state.
|
||
|
||
## AI quality
|
||
|
||
- Tiered prompt formatting (also the immediate next step): JSON-Schema output enforcement via Ollama `format` and OpenAI `response_format`; pipe-separated library rows; XML-tagged prompt sections; Ollama-only few-shot example; stable prefix first for prompt-cache hits.
|
||
- Keep `MODEL_MENU` / `PRICES` current as providers ship new models.
|
||
|
||
## Security & hardening (from 2026-06-13 full-eval; full detail + file:line in `EVALUATION.md`)
|
||
|
||
- **Still open — verify on the box:** whether the StartOS proxy forwards real client IPs to the app. The rate limiter now keys on the rightmost (trusted-proxy) `X-Forwarded-For` entry; if the proxy instead makes every client look like one IP, the per-IP cap collapses to a single global bucket. Confirm with live headers.
|
||
- P3 hardening batch (remaining): CSP `unsafe-eval` vs comment, `/api/health` info disclosure, rate-limit map leak, configurable/shorter sessions (currently 30-day), no text max-length. Also unify the 3rd JSON-parse pattern in `programs/[id]/days/[dayId]/start` (`try{json}catch{→{}}`).
|
||
|
||
Done in 1.2.0:1–:3: Next 14→15 / React 18→19 bump (1.2.0:1, closed RSC DoS / WS-upgrade SSRF / App Router XSS + middleware-bypass CVEs); iOS-Safari login first-tap retry (1.2.0:2); login timing oracle closed + `exerciseId` ownership enforced on all workout-write & program routes (1.2.0:3).
|
||
Done in 1.1.0:9 (P2 batch): input-validation 500s → 400 (`lib/http.ts readJsonBody` + explicit guards); `POST /api/auth` rate-limited; XFF anti-spoof; container drops root via su-exec.
|
||
|
||
## Packaging / distribution
|
||
|
||
- Diagnose and fix the `publish.sh` Step-3 registry-register silent no-op.
|
||
- Build for `arm` / additional arches once StartOS 0.4 supports them on the host.
|
||
- Consider submission to the Start9 community registry (use the start9-spec-checker agent first). Blockers found 2026-06-13: non-SPDX `"Proprietary"` license, missing `instructions.md`, 404 `packageRepo`/`upstreamRepo` URLs, stale "0.3.5 data snapshot" install alert + long description; plus warnings (PNG vs SVG icon, migration-era README, no `.github/workflows`, generic `docsUrls`, Node 20 vs 22).
|
||
|
||
## Product
|
||
|
||
- Adherence tracking: compare logged workouts against the planned `ProgramDay` (the `programDayId` link already exists).
|
||
- Per-user export/import polish and scheduled backups.
|
||
- CSV export↔import round-trip: export writes `setX`-prefixed headers (`setCalories`/`setWatts`/`setNotes`) the importer doesn't read (it expects `calories`/`watts`/`notes`), so the app's own CSV export silently drops those on re-import (calories long-standing; watts since 1.2.0:4). Fix by aligning export header names with the parser, or adding the prefixed names as `knownColumns` aliases. (JSON account export/import round-trips fine.)
|
||
- Charts/progress views over history (the data and 1RM estimates already exist).
|
||
|
||
## Hygiene
|
||
|
||
- Delete the legacy `start9/0.4/workout-log_x86_64.s9pk` build artifact; drop unused `bcryptjs` from `start9/0.4/package.json`.
|
||
- Revisit `workout-planner/` scratch dir — remove if truly unused.
|