grant/proof-of-work
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
988a3cca9a2b5a3f1ae9e3b02202b3340e80659e
proof-of-work/ROADMAP.md
T
Keysat 988a3cca9a
CI / proof-of-work (Next.js app) (push) Has been cancelled
Details
CI / start9/0.4 (StartOS package code) (push) Has been cancelled
Details
v1.1.0:8 — admin-gate whole-DB routes + AI custom-URL providers; SSRF guard 
Multi-user authorization hardening from a full security evaluation (EVALUATION.md):

- P0: /api/settings/{export,import}-db are now admin-only. Previously any signed-in user could download the whole instance DB (all bcrypt hashes + plaintext AI keys) or replace it wholesale. Per-user CSV export/import stays open.

- AI custom-URL providers (Ollama, OpenAI-compatible) are now admin-only, and every server fetch to a user-supplied URL passes through assertSafeProviderUrl (blocks link-local/cloud-metadata; private LAN allowed by design). Fixed-URL cloud providers stay per-user. Removed the dead legacy /api/ai/config route.

- Dev: fixed broken quick-start (added npm run create-admin; rewrote README; dropped dead CLAUDE_API_KEY) and the export-db 0-byte path resolution (resolveDatabasePath now matches Prisma).

ExVer bumped to 1.1.0:8 (no schema/data migration). Tests 197 pass, build green, tsc clean.
2026-06-12 23:15:09 -05:00

2.6 KiB
Raw Blame History

ROADMAP — Proof of Work

Longer-term backlog. Near-term state + next steps live in AGENTS.md → Current state.

AI quality

  • Tiered prompt formatting (also the immediate next step): JSON-Schema output enforcement via Ollama format and OpenAI response_format; pipe-separated library rows; XML-tagged prompt sections; Ollama-only few-shot example; stable prefix first for prompt-cache hits.
  • Keep MODEL_MENU / PRICES current as providers ship new models.

Security & hardening (from 2026-06-13 full-eval; full detail + file:line in EVALUATION.md)

  • Next.js 14→15 major bump (CVEs: RSC DoS, WS-upgrade SSRF, App Router XSS). Own tested change — breaking App Router/caching semantics, needs its own build + sideload verification.
  • Input-validation 500s → should be 400: invalid date, malformed JSON body, negative pagination offset on /api/workouts (+ import/exercises/seed). One shared try{json}→400 + Zod guard fixes the set.
  • POST /api/auth has no rate limiting (the UI server-action is capped; the raw API isn't) → brute-forceable.
  • Rate limiter trusts the spoofable leftmost X-Forwarded-For (lib/rateLimit.ts) — verify whether the StartOS proxy overwrites XFF on the live box.
  • Container runs as root — add USER nextjs to start9/0.4/Dockerfile.
  • P3 hardening batch: login timing oracle (dummy bcrypt on unknown email), CSP unsafe-eval vs comment, /api/health info disclosure, rate-limit map leak, exerciseId ownership unchecked on workout PATCH/sets POST, 30-day sessions, no text max-length.

Packaging / distribution

  • Diagnose and fix the publish.sh Step-3 registry-register silent no-op.
  • Build for arm / additional arches once StartOS 0.4 supports them on the host.
  • Consider submission to the Start9 community registry (use the start9-spec-checker agent first). Blockers found 2026-06-13: non-SPDX "Proprietary" license, missing instructions.md, 404 packageRepo/upstreamRepo URLs, stale "0.3.5 data snapshot" install alert + long description; plus warnings (PNG vs SVG icon, migration-era README, no .github/workflows, generic docsUrls, Node 20 vs 22).

Product

  • Adherence tracking: compare logged workouts against the planned ProgramDay (the programDayId link already exists).
  • Per-user export/import polish and scheduled backups.
  • Charts/progress views over history (the data and 1RM estimates already exist).

Hygiene

  • Delete the legacy start9/0.4/workout-log_x86_64.s9pk build artifact; drop unused bcryptjs from start9/0.4/package.json.
  • Revisit workout-planner/ scratch dir — remove if truly unused.
Reference in New Issue View Git Blame Copy Permalink