yusiboyz/platform
1
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases Wiki Activity
24 Commits 1 Branch 0 Tags
877021ff2054387bcf4ac9dc2263ccc338ec8c50
Commit Graph

5 Commits

Author SHA1 Message Date
Yusuf Suleman
877021ff20 fix: remaining code issues — TLS, CORS, disconnect safety, cleanup
Some checks failed
Security Checks / dockerfile-lint (push) Successful in 10s
Details
Security Checks / dependency-audit (push) Failing after 19m48s
Details
Security Checks / secret-scanning (push) Failing after 17m18s
Details 
1. Trips TLS: Removed all ssl CERT_NONE / check_hostname=False from
   5 external HTTPS call sites (OpenAI, Gemini, Google Places, Geocode).
   All external calls now use default TLS verification.

2. Internal CORS: Removed permissive cors() from inventory and budget.
   Both are internal services accessed only via gateway.

3. App visibility: Documented as cosmetic-only in layout.server.ts.
   Nav hiding is intentional UX, not access control.

4. Disconnect safety: Added confirm() dialog before service disconnect
   in Settings. Prevents accidental disconnects.

5. Inventory cleanup: Removed stale /test startup log message.
   Replaced with API key status indicator.

6. Frontend deps: 4 low-severity cookie vulnerabilities in @sveltejs/kit.
   Fix requires breaking downgrade to kit@0.0.30 — not safe. Documented.
 2026-03-29 15:38:42 -05:00
Yusuf Suleman
0ed8f1f83e fix: deployment hardening — non-root containers and health checks (#10) 
- Gateway, Trips, Fitness Dockerfiles: run as non-root (appuser)
- Added HEALTHCHECK to gateway, trips, fitness
- Used --chown=appuser on COPY for correct file permissions
- Created data dirs with proper ownership before USER switch
- Trips Dockerfile no longer copies whole context (only server.py)

Partial fix for #10 — Node services (inventory, budget, frontend) not yet hardened.
 2026-03-29 09:18:42 -05:00
Yusuf Suleman
79d2c3b4b6 fix: remove all default credentials (#2) 
- Gateway: admin user seeded from ADMIN_USERNAME/ADMIN_PASSWORD env vars
  (no more hardcoded admin/admin). Warns if not set.
- Trips: USERNAME/PASSWORD env vars no longer default to admin/admin.
  Warns if not set.
- Fitness: user seed requires USER{n}_USERNAME/PASSWORD env vars.
  No more "changeme" fallback. Skips seed if not set.
- /api/auth/register remains disabled (403)

Closes #2
 2026-03-29 09:10:44 -05:00
Yusuf Suleman
d700ba7569 fix(trips): enforce password protection on shared trips (#3) 
- handle_share_api now checks X-Share-Password header against bcrypt hash
  before returning trip data. Returns 401 with {protected: true} if password
  required but not provided/incorrect
- share_password now stored as bcrypt hash, not plaintext
- All plaintext password logging removed from handle_share_verify
- handle_share_verify uses bcrypt.checkpw instead of string equality
- Migration invalidates existing plaintext share passwords (< 50 chars)
- Removed dead hash_password function (used hashlib.sha256)
- Added bcrypt to trips Dockerfile

Closes #3
 2026-03-29 08:50:45 -05:00
Yusuf Suleman
d3e250e361 Initial commit: Second Brain Platform 
Complete platform with unified design system and real API integration.

Apps: Dashboard, Fitness, Budget, Inventory, Trips, Reader, Media, Settings
Infrastructure: SvelteKit + Python gateway + Docker Compose
 2026-03-28 23:20:40 -05:00