Keysat
988a3cca9a
Multi-user authorization hardening from a full security evaluation (EVALUATION.md):
- P0: /api/settings/{export,import}-db are now admin-only. Previously any signed-in user could download the whole instance DB (all bcrypt hashes + plaintext AI keys) or replace it wholesale. Per-user CSV export/import stays open.
- AI custom-URL providers (Ollama, OpenAI-compatible) are now admin-only, and every server fetch to a user-supplied URL passes through assertSafeProviderUrl (blocks link-local/cloud-metadata; private LAN allowed by design). Fixed-URL cloud providers stay per-user. Removed the dead legacy /api/ai/config route.
- Dev: fixed broken quick-start (added npm run create-admin; rewrote README; dropped dead CLAUDE_API_KEY) and the export-db 0-byte path resolution (resolveDatabasePath now matches Prisma).
ExVer bumped to 1.1.0:8 (no schema/data migration). Tests 197 pass, build green, tsc clean.
35 lines
2.6 KiB
Markdown
35 lines
2.6 KiB
Markdown
# ROADMAP — Proof of Work
|
|
|
|
Longer-term backlog. Near-term state + next steps live in `AGENTS.md` → Current state.
|
|
|
|
## AI quality
|
|
|
|
- Tiered prompt formatting (also the immediate next step): JSON-Schema output enforcement via Ollama `format` and OpenAI `response_format`; pipe-separated library rows; XML-tagged prompt sections; Ollama-only few-shot example; stable prefix first for prompt-cache hits.
|
|
- Keep `MODEL_MENU` / `PRICES` current as providers ship new models.
|
|
|
|
## Security & hardening (from 2026-06-13 full-eval; full detail + file:line in `EVALUATION.md`)
|
|
|
|
- **Next.js 14→15 major bump** (CVEs: RSC DoS, WS-upgrade SSRF, App Router XSS). Own tested change — breaking App Router/caching semantics, needs its own build + sideload verification.
|
|
- Input-validation 500s → should be 400: invalid `date`, malformed JSON body, negative pagination `offset` on `/api/workouts` (+ `import/exercises/seed`). One shared `try{json}→400` + Zod guard fixes the set.
|
|
- `POST /api/auth` has no rate limiting (the UI server-action is capped; the raw API isn't) → brute-forceable.
|
|
- Rate limiter trusts the spoofable leftmost `X-Forwarded-For` (`lib/rateLimit.ts`) — verify whether the StartOS proxy overwrites XFF on the live box.
|
|
- Container runs as **root** — add `USER nextjs` to `start9/0.4/Dockerfile`.
|
|
- P3 hardening batch: login timing oracle (dummy bcrypt on unknown email), CSP `unsafe-eval` vs comment, `/api/health` info disclosure, rate-limit map leak, `exerciseId` ownership unchecked on workout PATCH/sets POST, 30-day sessions, no text max-length.
|
|
|
|
## Packaging / distribution
|
|
|
|
- Diagnose and fix the `publish.sh` Step-3 registry-register silent no-op.
|
|
- Build for `arm` / additional arches once StartOS 0.4 supports them on the host.
|
|
- Consider submission to the Start9 community registry (use the start9-spec-checker agent first). Blockers found 2026-06-13: non-SPDX `"Proprietary"` license, missing `instructions.md`, 404 `packageRepo`/`upstreamRepo` URLs, stale "0.3.5 data snapshot" install alert + long description; plus warnings (PNG vs SVG icon, migration-era README, no `.github/workflows`, generic `docsUrls`, Node 20 vs 22).
|
|
|
|
## Product
|
|
|
|
- Adherence tracking: compare logged workouts against the planned `ProgramDay` (the `programDayId` link already exists).
|
|
- Per-user export/import polish and scheduled backups.
|
|
- Charts/progress views over history (the data and 1RM estimates already exist).
|
|
|
|
## Hygiene
|
|
|
|
- Delete the legacy `start9/0.4/workout-log_x86_64.s9pk` build artifact; drop unused `bcryptjs` from `start9/0.4/package.json`.
|
|
- Revisit `workout-planner/` scratch dir — remove if truly unused.
|