proof-of-work/ROADMAP.md
Keysat ef3d079ca2
Record first-class-set-metric convention + CSV round-trip backlog
Capture the ~17-touchpoint recipe for promoting a set metric to a column
(the watts precedent) so the next one doesn't need a repo-wide grep, and log
the pre-existing CSV export/import header-name asymmetry as backlog.
2026-06-16 14:07:03 -05:00


ROADMAP — Proof of Work

Longer-term backlog. Near-term state + next steps live in AGENTS.md → Current state.

AI quality

  • Tiered prompt formatting (also the immediate next step): JSON-Schema output enforcement via Ollama format and OpenAI response_format; pipe-separated library rows; XML-tagged prompt sections; Ollama-only few-shot example; stable prefix first for prompt-cache hits.
  • Keep MODEL_MENU / PRICES current as providers ship new models.

Security & hardening (from 2026-06-13 full-eval; full detail + file:line in EVALUATION.md)

  • Still open — verify on the box: whether the StartOS proxy forwards real client IPs to the app. The rate limiter now keys on the rightmost (trusted-proxy) X-Forwarded-For entry; if the proxy instead makes every client look like one IP, the per-IP cap collapses to a single global bucket. Confirm with live headers.
  • P3 hardening batch (remaining): CSP unsafe-eval vs comment, /api/health info disclosure, rate-limit map leak, configurable/shorter sessions (currently 30-day), no text max-length. Also unify the 3rd JSON-parse pattern in programs/[id]/days/[dayId]/start (try{json}catch{→{}}).
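An added example (not the app's own rate-limiter code) of the rightmost-trusted-hop rule described in the open item above, plus a small audit helper for the "confirm with live headers" step. It assumes a `trustedHops` count equal to the number of reverse proxies we control in front of the app; the `RequestSample` shape and the sample headers are constructed for the example.

```typescript
// Added example, not project code: pick the client IP from X-Forwarded-For by
// trusting only the rightmost `trustedHops` entries (one per proxy we control),
// and check captured traffic for the "every client looks like one IP" failure.

export interface RequestSample {
  // Constructed shape: TCP peer address plus the raw X-Forwarded-For header.
  remoteAddr: string;
  xff: string | null;
}

// Split a comma-separated XFF header into its entries, dropping blanks.
export function parseXff(header: string | null): string[] {
  if (!header) return [];
  return header
    .split(",")
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

// Each trusted proxy appends exactly one entry, so the real client address is
// the entry `trustedHops` from the right. Everything left of it was supplied by
// the client and must be ignored, which is what defeats XFF spoofing.
export function clientIp(sample: RequestSample, trustedHops: number): string {
  const chain = parseXff(sample.xff);
  if (trustedHops <= 0 || chain.length < trustedHops) {
    // Header absent or shorter than the trusted chain: do not trust any of it,
    // fall back to the TCP peer (which will be the proxy itself if it is not
    // forwarding client IPs, i.e. exactly the collapse case we want to detect).
    return sample.remoteAddr;
  }
  return chain[chain.length - trustedHops];
}

// Heuristic audit for the open item: given a batch of real requests captured
// on the box, if they all resolve to a single derived IP the per-IP limiter
// has collapsed into one global bucket. A batch of `minSamples` requests that
// genuinely came from one client would also trigger it, so read it as a flag
// to inspect the proxy config, not as proof.
export function perIpCollapseSuspected(
  samples: RequestSample[],
  trustedHops: number,
  minSamples = 20,
): boolean {
  if (samples.length < minSamples) return false;
  const distinct = new Set(samples.map((s) => clientIp(s, trustedHops)));
  return distinct.size === 1;
}

// Constructed capture: proxy at 10.0.0.2 not forwarding client IPs at all.
export const COLLAPSED_CAPTURE: RequestSample[] = Array.from({ length: 20 }, () => ({
  remoteAddr: "10.0.0.2",
  xff: null,
}));

// Constructed capture: proxy appends a distinct client IP on each request.
export const HEALTHY_CAPTURE: RequestSample[] = Array.from({ length: 20 }, (_, i) => ({
  remoteAddr: "10.0.0.2",
  xff: `198.51.100.${i + 1}`,
}));
```

Running `perIpCollapseSuspected` over a real capture from the StartOS box answers the open question directly: a `true` result means the limiter is keying on the proxy's address and the proxy needs to append `X-Forwarded-For` before this hardening counts.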

Done in 1.2.0:1:3: Next 14→15 / React 18→19 bump (1.2.0:1, closed RSC DoS / WS-upgrade SSRF / App Router XSS + middleware-bypass CVEs); iOS-Safari login first-tap retry (1.2.0:2); login timing oracle closed + exerciseId ownership enforced on all workout-write & program routes (1.2.0:3). Done in 1.1.0:9 (P2 batch): input-validation 500s → 400 (lib/http.ts readJsonBody + explicit guards); POST /api/auth rate-limited; XFF anti-spoof; container drops root via su-exec.

Packaging / distribution

  • Diagnose and fix the publish.sh Step-3 registry-register silent no-op.
  • Build for arm / additional arches once StartOS 0.4 supports them on the host.
  • Consider submission to the Start9 community registry (use the start9-spec-checker agent first). Blockers found 2026-06-13: non-SPDX "Proprietary" license, missing instructions.md, 404 packageRepo/upstreamRepo URLs, stale "0.3.5 data snapshot" install alert + long description; plus warnings (PNG vs SVG icon, migration-era README, no .github/workflows, generic docsUrls, Node 20 vs 22).

Product

  • Adherence tracking: compare logged workouts against the planned ProgramDay (the programDayId link already exists).
  • Per-user export/import polish and scheduled backups.
  • CSV export↔import round-trip: export writes setX-prefixed headers (setCalories/setWatts/setNotes) the importer doesn't read (it expects calories/watts/notes), so the app's own CSV export silently drops those on re-import (calories long-standing; watts since 1.2.0:4). Fix by aligning export header names with the parser, or adding the prefixed names as knownColumns aliases. (JSON account export/import round-trips fine.)
  • Charts/progress views over history (the data and 1RM estimates already exist).
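An added example (not the app's CSV code) of the second fix option for the round-trip item above: treating the `setX`-prefixed export headers as aliases of the names the parser reads. The column set, alias table, row shape and sample rows are constructed for the example; the real `knownColumns` list lives in the importer. The minimal CSV reader assumes comma-separated cells without quoting.

```typescript
// Added example, not project code: show the export/import header asymmetry
// (unknown headers silently dropped) and fix it with an alias map so the
// app's own export round-trips.

// Constructed stand-in for the importer's knownColumns.
const KNOWN_COLUMNS = new Set(["exercise", "reps", "calories", "watts", "notes"]);

// Prefixed names the export writes, mapped to the names the parser expects.
const HEADER_ALIASES: Record<string, string> = {
  setcalories: "calories",
  setwatts: "watts",
  setnotes: "notes",
};

// Normalize a header cell; with aliases off this is the current behaviour.
export function canonicalHeader(name: string, useAliases: boolean): string {
  const key = name.trim().toLowerCase();
  return useAliases ? (HEADER_ALIASES[key] ?? key) : key;
}

// Minimal CSV reader: comma-separated, no quoted fields (example assumption).
export function parseCsv(text: string, useAliases = true): Record<string, string>[] {
  const lines = text.split(/\r?\n/).filter((l) => l.trim() !== "");
  if (lines.length === 0) return [];
  const headers = lines[0].split(",").map((h) => canonicalHeader(h, useAliases));
  return lines.slice(1).map((line) => {
    const cells = line.split(",");
    const row: Record<string, string> = {};
    headers.forEach((h, i) => {
      // Headers not in the known set are ignored: this is what drops
      // setCalories/setWatts/setNotes on re-import when aliases are off.
      if (KNOWN_COLUMNS.has(h)) row[h] = (cells[i] ?? "").trim();
    });
    return row;
  });
}

export interface SetRow {
  exercise: string;
  reps: number;
  calories?: number;
  watts?: number;
  notes?: string;
}

// Mirrors the export side's prefixed header names.
export function exportCsv(rows: SetRow[]): string {
  const header = "exercise,reps,setCalories,setWatts,setNotes";
  const body = rows.map((r) =>
    [r.exercise, String(r.reps), r.calories ?? "", r.watts ?? "", r.notes ?? ""].join(","),
  );
  return [header, ...body].join("\n");
}

function optNum(v: string | undefined): number | undefined {
  if (v === undefined || v === "") return undefined;
  const n = Number(v);
  return Number.isFinite(n) ? n : undefined;
}

export function importCsv(text: string, useAliases = true): SetRow[] {
  return parseCsv(text, useAliases).map((r) => ({
    exercise: r.exercise ?? "",
    reps: optNum(r.reps) ?? 0,
    calories: optNum(r.calories),
    watts: optNum(r.watts),
    notes: r.notes === undefined || r.notes === "" ? undefined : r.notes,
  }));
}

// Constructed sample rows exercising every optional column.
export const SAMPLE_ROWS: SetRow[] = [
  { exercise: "Row", reps: 10, calories: 12, watts: 250, notes: "easy" },
  { exercise: "Bike", reps: 1, watts: 180 },
];
```

Importing `exportCsv(SAMPLE_ROWS)` with aliases off reproduces the bug (watts, calories and notes come back empty); with aliases on the same file round-trips. Aligning the export header names instead would remove the need for the alias table, but the alias route also keeps previously exported files importable.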

Hygiene

  • Delete the legacy start9/0.4/workout-log_x86_64.s9pk build artifact; drop unused bcryptjs from start9/0.4/package.json.
  • Revisit workout-planner/ scratch dir — remove if truly unused.