grant/recap-relay
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Mark three P2 hardening items done in Current state

Browse Source
This commit is contained in:
Keysat
2026-06-13 18:22:20 -05:00
parent 693d72431b
commit 3e33728013
1 changed files with 6 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
AGENTS.md
+6 -3
View File
@@ -152,10 +152,13 @@ All three P1 items are fixed and committed; suite is green at 57 tests (was 47).
### Known debt — P2 (accepted for now; fix opportunistically)
- Path traversal on internal-meetings `:id` (admin-gated): validate `^[A-Za-z0-9_-]+$` before `path.join``routes/internal-meetings.js:84,91,242` (`output-store.js:52` shows the pattern). *(security-auditor + exerciser)*
- Non-constant-time operator-key compare (`!==`) on `relay_cloud_operator_key``server/identity.js:43,84`; use `timingSafeEqual` like the admin path. *(evaluator + security-auditor)*
**Done 2026-06-13** (commits `cbd9748`/`da1bba2`/`693d724`; suite green at 60 tests):
- ✅ Path traversal on internal-meetings `:id` — centralized `meetingPath()` in `routes/internal-meetings.js` sanitizes to `[A-Za-z0-9_-]` (mirrors `output-store.js`); `saveMeeting`/`loadMeeting`/`deleteMeeting` all route through it. Test: `test/meeting-path.test.js`.
- ✅ Non-constant-time operator-key compare — `identity.js` now uses a `timingSafeEqual`-based `constantTimeEqual` in `resolveIdentity` + `verifyOperatorKey`.
- ✅ Malformed-body stack-trace leak — added a final error-handling middleware in `index.js` (JSON 400 for `entity.parse.failed`, 413 for too-large, generic 500 otherwise). Verified end-to-end: the exerciser's repro now returns `{"error":"invalid JSON body"}` with no stack.
Still open:
- In-memory webhook dedup Set lost on restart → double-credit/double-extend — `routes/credits.js:63`, `zaprite-webhook.js:27`; persist processed invoice/order ids. *(security-auditor)*
- Malformed JSON body → full Node stack trace (FS paths) — add an Express `entity.parse.failed` → JSON-400 handler. *(exerciser)*
- BTCPay declared `optional:false`/`kind:'running'` despite "optional" comments → StartOS won't start the relay without BTCPay co-installed — `startos/manifest/index.ts:38-49`, `startos/dependencies.ts`. Decide, then make manifest + dependencies + comment agree. *(start9-spec-checker)*
- No money-path unit tests (`commitCredit`/`refundCredit`/`applyTierPromotion`/`planBackend`/grant handlers) — why the P1 billing bug ships green. *(evaluator)*
- `routes/internal-meetings.js` is 2225 lines; extract the MD/HTML formatters + storage/backfill layer. *(evaluator)*