proof-of-work/ROADMAP.md
Keysat 4d1f9126b0
Update Current state: 1.2.0:3 built + sideloaded; record session patterns
Current state now reflects 1.2.0:3 (P3 hardening) built + sideloaded
(git f540a47, 221 tests). Add durable conventions for the three patterns
established this session: cross-user exerciseId ownership
(lib/exerciseOwnership), login timing-oracle avoidance
(verifyPasswordOrDummy), and the iOS-Safari auth-form retry
(lib/retryAction). ROADMAP: move the shipped P3 items (timing oracle,
exerciseId ownership) and the Next 15 bump into the Done lines.
2026-06-15 18:33:16 -05:00

# ROADMAP — Proof of Work
Longer-term backlog. Near-term state + next steps live in `AGENTS.md` → Current state.
## AI quality
- Tiered prompt formatting (also the immediate next step): JSON-Schema output enforcement via Ollama `format` and OpenAI `response_format`; pipe-separated library rows; XML-tagged prompt sections; Ollama-only few-shot example; stable prefix first for prompt-cache hits.
- Keep `MODEL_MENU` / `PRICES` current as providers ship new models.
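Worked example for the schema-enforcement item above (added here; not the project's prompt code). One JSON Schema feeds both providers: Ollama takes the schema object directly in `format`, OpenAI wraps it in `response_format` with `strict: true`. Field names follow the provider docs as I know them; re-check against the versions actually pinned. The `workoutSchema` shape, the model names and the two replies are constructed for the example, and the validator is a deliberate subset of JSON Schema (type, required, additionalProperties, items, maxLength, minimum/maximum), not a stand-in for a full library such as ajv. The point it makes is that provider-side enforcement does not remove the need to re-validate: the model's text is still untrusted input, and `maxLength` in the schema is the same cap the P3 "no text max-length" item wants on the write path.

```typescript
// Added example, not the project's own code. Hypothetical schema for a generated workout.
export const workoutSchema: any = {
  type: "object",
  properties: {
    name: { type: "string", maxLength: 80 },
    exercises: {
      type: "array",
      items: {
        type: "object",
        properties: {
          exerciseId: { type: "string", maxLength: 64 },
          sets: { type: "integer", minimum: 1, maximum: 20 },
        },
        required: ["exerciseId", "sets"],
        additionalProperties: false,
      },
    },
  },
  required: ["name", "exercises"],
  additionalProperties: false,
};

type ChatMessage = { role: string; content: string };

// Ollama /api/chat: `format` accepts the schema object itself (assumed: Ollama >= 0.5).
export function ollamaBody(model: string, messages: ChatMessage[]) {
  return { model, messages, format: workoutSchema, stream: false };
}

// OpenAI chat completions: `response_format` wraps the schema; `strict: true`
// asks the server to enforce it (assumed per current OpenAI docs).
export function openaiBody(model: string, messages: ChatMessage[]) {
  return {
    model,
    messages,
    response_format: {
      type: "json_schema",
      json_schema: { name: "workout", schema: workoutSchema, strict: true },
    },
  };
}

// Minimal validator covering only the keywords used in workoutSchema.
// Returns a list of "$.path: problem" strings; empty means valid.
export function validate(value: any, schema: any, path: string = "$"): string[] {
  const errs: string[] = [];
  if (schema.type === "object") {
    if (typeof value !== "object" || value === null || Array.isArray(value)) return [path + ": expected object"];
    const props = schema.properties || {};
    (schema.required || []).forEach((k: string) => { if (!(k in value)) errs.push(path + ": missing " + k); });
    Object.keys(value).forEach((k) => {
      if (k in props) errs.push(...validate(value[k], props[k], path + "." + k));
      else if (schema.additionalProperties === false) errs.push(path + ": unexpected property " + k);
    });
  } else if (schema.type === "array") {
    if (!Array.isArray(value)) return [path + ": expected array"];
    value.forEach((v: any, i: number) => { errs.push(...validate(v, schema.items, path + "[" + i + "]")); });
  } else if (schema.type === "string") {
    if (typeof value !== "string") return [path + ": expected string"];
    if (schema.maxLength !== undefined && value.length > schema.maxLength) errs.push(path + ": longer than " + schema.maxLength);
  } else if (schema.type === "integer") {
    if (typeof value !== "number" || !isFinite(value) || Math.floor(value) !== value) return [path + ": expected integer"];
    if (schema.minimum !== undefined && value < schema.minimum) errs.push(path + ": below " + schema.minimum);
    if (schema.maximum !== undefined && value > schema.maximum) errs.push(path + ": above " + schema.maximum);
  }
  return errs;
}

// Parse + validate a model reply in one place (one JSON-parse pattern, not three).
export function parseReply(text: string): { ok: boolean; value?: any; errors: string[] } {
  let parsed: any;
  try { parsed = JSON.parse(text); } catch (e) { return { ok: false, errors: ["$: reply is not JSON"] }; }
  const errors = validate(parsed, workoutSchema);
  return errors.length ? { ok: false, errors } : { ok: true, value: parsed, errors: [] };
}

// Constructed replies: one conforming, one with an over-long name, sets=0 and a stray field.
export const goodReply = JSON.stringify({ name: "Push A", exercises: [{ exerciseId: "bench-press", sets: 4 }] });
export const badReply = JSON.stringify({
  name: new Array(82).join("x"),
  exercises: [{ exerciseId: "squat", sets: 0, notes: "??" }],
});
```

Wire `parseReply` in at the single point where provider output enters the app; a reply that fails validation should be treated exactly like a malformed client request (400-class handling), not retried into the database.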
## Security & hardening (from 2026-06-13 full-eval; full detail + file:line in `EVALUATION.md`)
- **Still open — verify on the box:** whether the StartOS proxy forwards real client IPs to the app. The rate limiter now keys on the rightmost (trusted-proxy) `X-Forwarded-For` entry; if the proxy instead makes every client look like one IP, the per-IP cap collapses to a single global bucket. Confirm with live headers.
- P3 hardening batch (remaining): CSP `unsafe-eval` vs comment, `/api/health` info disclosure, rate-limit map leak, configurable/shorter sessions (currently 30-day), no text max-length. Also unify the 3rd JSON-parse pattern in `programs/[id]/days/[dayId]/start` (`try{json}catch{→{}}`).
- Done in 1.2.0:1 through 1.2.0:3: Next 14→15 / React 18→19 bump (1.2.0:1, closed RSC DoS / WS-upgrade SSRF / App Router XSS + middleware-bypass CVEs); iOS-Safari login first-tap retry (1.2.0:2); login timing oracle closed + `exerciseId` ownership enforced on all workout-write & program routes (1.2.0:3).
- Done in 1.1.0:9 (P2 batch): input-validation 500s → 400 (`lib/http.ts readJsonBody` + explicit guards); `POST /api/auth` rate-limited; XFF anti-spoof; container drops root via su-exec.
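Worked example for the open XFF item (added here; not the project's own rate limiter). It shows the key derivation the item describes, generalised to `trustedHops` proxies (1 for a single StartOS proxy that appends the client address), plus a fixed-window limiter that prunes stale buckets (the "rate-limit map leak" P3 item). The two constructed request sets show the failure mode: with a forwarding proxy, five distinct clients get five buckets; with a proxy that passes no header, all five collapse onto the proxy's own address and the cap becomes global. Addresses, the proxy hop count and the 3-per-window limit are assumptions for the example.

```typescript
// Added example, not the project's lib code.
export function clientIpFromXff(
  xff: string | null | undefined,
  socketAddr: string,
  trustedHops: number = 1,
): string {
  // No trusted proxy in front of the app: the header is attacker-controlled,
  // so the only trustworthy identity is the socket peer address.
  if (trustedHops < 1 || !xff) return socketAddr;
  const hops = xff.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
  // Each trusted proxy appends the address it accepted the connection from, so
  // the real client sits `trustedHops` entries from the right. Everything left
  // of that position was supplied by the client and may be spoofed.
  const idx = hops.length - trustedHops;
  return idx >= 0 ? hops[idx] : socketAddr;
}

interface Bucket { count: number; windowStart: number }

export class FixedWindowLimiter {
  private buckets: { [key: string]: Bucket } = {};
  constructor(private limit: number, private windowMs: number) {}

  // True when the request is within the cap for its key in the current window.
  allow(key: string, now: number): boolean {
    const b = this.buckets[key];
    if (!b || now - b.windowStart >= this.windowMs) {
      this.buckets[key] = { count: 1, windowStart: now };
      return true;
    }
    b.count += 1;
    return b.count <= this.limit;
  }

  // Evict expired buckets so the map cannot grow without bound; returns how many went.
  prune(now: number): number {
    let evicted = 0;
    Object.keys(this.buckets).forEach((key) => {
      if (now - this.buckets[key].windowStart >= this.windowMs) {
        delete this.buckets[key];
        evicted += 1;
      }
    });
    return evicted;
  }

  size(): number { return Object.keys(this.buckets).length; }
}

// Constructed traffic: five different real clients behind one proxy (10.0.0.2, assumed).
// `forwarded` models a proxy that appends the client IP after a client-supplied
// (spoofed) entry; `notForwarded` models a proxy that sends no header at all.
type Req = { xff: string | null; socket: string };
const PROXY = "10.0.0.2";
const CLIENTS = ["203.0.113.1", "203.0.113.2", "198.51.100.3", "198.51.100.4", "192.0.2.5"];
export const forwarded: Req[] = CLIENTS.map((c) => ({ xff: "1.2.3.4, " + c, socket: PROXY }));
export const notForwarded: Req[] = CLIENTS.map(() => ({ xff: null, socket: PROXY }));

// Run the limiter over a request set; report how many got through and how
// many distinct keys the limiter saw. distinctKeys === 1 for mixed traffic
// is the "single global bucket" symptom the roadmap item warns about.
export function simulate(reqs: Req[], limit: number = 3, trustedHops: number = 1): { allowed: number; distinctKeys: number } {
  const rl = new FixedWindowLimiter(limit, 60_000);
  const seen: { [ip: string]: true } = {};
  let allowed = 0;
  reqs.forEach((r) => {
    const key = clientIpFromXff(r.xff, r.socket, trustedHops);
    seen[key] = true;
    if (rl.allow(key, 1_000)) allowed += 1;
  });
  return { allowed, distinctKeys: Object.keys(seen).length };
}
```

To "confirm with live headers", log the raw `X-Forwarded-For` value and the socket peer address for a handful of requests from different networks; if the derived key equals the proxy's address for all of them, the limiter is running in the collapsed mode and the proxy config (not the app) needs the fix.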
## Packaging / distribution
- Diagnose and fix the `publish.sh` Step-3 registry-register silent no-op.
- Build for `arm` / additional arches once StartOS 0.4 supports them on the host.
- Consider submission to the Start9 community registry (use the start9-spec-checker agent first). Blockers found 2026-06-13: non-SPDX `"Proprietary"` license, missing `instructions.md`, 404 `packageRepo`/`upstreamRepo` URLs, stale "0.3.5 data snapshot" install alert + long description; plus warnings (PNG vs SVG icon, migration-era README, no `.github/workflows`, generic `docsUrls`, Node 20 vs 22).
## Product
- Adherence tracking: compare logged workouts against the planned `ProgramDay` (the `programDayId` link already exists).
- Per-user export/import polish and scheduled backups.
- Charts/progress views over history (the data and 1RM estimates already exist).
## Hygiene
- Delete the legacy `start9/0.4/workout-log_x86_64.s9pk` build artifact; drop unused `bcryptjs` from `start9/0.4/package.json`.
- Revisit `workout-planner/` scratch dir — remove if truly unused.