Yusuf Suleman
ac5c758056
fix: complete remaining partial issues (#5, #8, #9)
Security Checks / dependency-audit (push) Has been cancelled
Security Checks / secret-scanning (push) Has been cancelled
Security Checks / dockerfile-lint (push) Has been cancelled
#5 Gateway Trust Model:
- Removed inventory /test endpoint
- Updated docs/trust-model.md with accurate description:
  - Per-user services (trips, fitness) vs gateway-key services clearly separated
  - Known limitations documented (no per-user isolation on shared services)
  - No false claims about per-user auth where it doesn't exist
#8 Dependency Security:
- Workflow reviewed and confirmed sane
- Added .gitea/README.md documenting runner requirement
- Status: repo-side complete, operationally blocked on runner setup
#9 Performance Hardening:
- Budget /transactions/recent: 30s cache (1.1s→41ms on repeat)
- Budget /uncategorized-count: 2min cache (1.3s→42ms on repeat)
- Both endpoints document Actual Budget per-account API constraint
- Budget buildLookups: 2min cache (already in place)
- All inventory full scans already eliminated (prior commit)
2026-03-29 15:17:28 -05:00
Yusuf Suleman
9e13984b05
fix: performance hardening — eliminate full table scans (#9)
Inventory:
- /issues: replaced full scan + client filter with NocoDB server-side
WHERE filter (Received eq Issues/Issue). Single query, ~200 rows max.
- /needs-review-count: replaced full scan with server-side WHERE +
limit=1 + pageInfo.totalRows. Returns count without fetching data.
Budget:
- buildLookups(): added 2-minute cache for payee/account/category maps.
Eliminates 3 API calls per request for repeated queries.
- /summary cache (added earlier): 1-minute TTL still active.
Files: services/inventory/server.js, services/budget/server.js
2026-03-29 13:50:07 -05:00
Yusuf Suleman
4ecd2336b5
fix: complete remaining remediation (#5, #8, #9)
#5 Gateway Trust Model:
- Token validation now uses protected endpoints, not health checks
- Unknown services rejected (no fallback to unprotected endpoint)
- Trust model documented in docs/trust-model.md
#8 CI Enforcement:
- Added .gitea/workflows/security.yml with:
  - Dependency audit (npm audit --audit-level=high for budget)
  - Secret scanning (checks for tracked .env/.db, hardcoded secrets)
  - Dockerfile lint (non-root USER, HEALTHCHECK presence)
#9 Performance Hardening:
- Budget /summary: 1-minute in-memory cache (avoids repeated account fan-out)
- Gateway /api/dashboard: 30-second per-user cache (50x faster on repeat)
- Inventory health endpoint added before auth middleware
Closes #5, #8, #9
2026-03-29 10:13:00 -05:00
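The commits above and further down the log describe several in-memory TTL caches in the Node services (the 1-minute /summary cache, the 2-minute buildLookups cache, and a 30-second per-user cache on /api/dashboard). The following is an added example, not code from this repository, of the keyed TTL cache pattern they describe. Names such as createTtlCache, perUserKey and demoDashboardCache are assumptions for illustration; the clock is injectable so expiry can be exercised without waiting. The security-relevant detail is the cache key: a per-user response must be keyed by the authenticated user and not by the URL alone, otherwise one user's dashboard is served to the next caller.

```javascript
// Added example (not the project's own code). Keyed TTL cache with an
// injectable clock, bounded size, and a per-user key helper.
function createTtlCache({ ttlMs, now = Date.now, maxEntries = 1000 }) {
  const entries = new Map(); // key -> { value, expiresAt }

  function get(key) {
    const e = entries.get(key);
    if (!e) return undefined;
    if (e.expiresAt <= now()) {
      entries.delete(key); // lazy expiry on read
      return undefined;
    }
    return e.value;
  }

  function set(key, value) {
    if (!entries.has(key) && entries.size >= maxEntries) {
      // Map preserves insertion order: evict the oldest entry so an
      // attacker enumerating keys cannot grow memory without bound.
      entries.delete(entries.keys().next().value);
    }
    entries.set(key, { value, expiresAt: now() + ttlMs });
  }

  // Return the cached value or run the (synchronous) loader and cache it.
  function getOrSet(key, loader) {
    const hit = get(key);
    if (hit !== undefined) return hit;
    const value = loader();
    set(key, value);
    return value;
  }

  return { get, set, getOrSet, size: () => entries.size };
}

// Per-user responses must carry the user identity in the key. Refuse to
// cache at all if no user id is available rather than fall back to the path.
function perUserKey(userId, path) {
  if (!userId) throw new Error("refusing to cache a per-user response without a user id");
  return `${userId}\u0000${path}`; // NUL separator avoids "ali" + "ce/x" ambiguity
}

// Walk through the 30-second per-user dashboard scenario with a fake clock
// and a counting loader standing in for the upstream fan-out.
function demoDashboardCache() {
  let t = 0;
  const cache = createTtlCache({ ttlMs: 30000, now: () => t });
  let upstreamCalls = 0;
  const load = (user) => () => { upstreamCalls += 1; return { user, widgets: 3 }; };

  const a1 = cache.getOrSet(perUserKey("alice", "/api/dashboard"), load("alice")); // miss
  const a2 = cache.getOrSet(perUserKey("alice", "/api/dashboard"), load("alice")); // hit
  const b1 = cache.getOrSet(perUserKey("bob", "/api/dashboard"), load("bob"));     // miss: other user
  t = 30001; // past the TTL
  const a3 = cache.getOrSet(perUserKey("alice", "/api/dashboard"), load("alice")); // expired, reload

  return {
    upstreamCalls,                 // 3: alice, bob, alice again after expiry
    servedFromCache: a1 === a2,    // second call returned the same object
    bobIsolated: b1.user === "bob",
    refreshedAfterTtl: a3 !== a1,
  };
}
```

A 30-second window is short enough that a revoked session still sees stale data for at most that long, but the cache must be invalidated explicitly on logout or permission change if that matters for the application; the example does not do that.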
Yusuf Suleman
72747668f9
fix: remaining security and deployment hardening (#6, #7, #10)
#7 Transport Security:
- Removed legacy _ssl_ctx alias from config.py
- proxy.py now uses _internal_ssl_ctx directly (explicitly scoped)
- No global TLS bypass remains
#10 Deployment Hardening:
- Inventory Dockerfile: non-root (node user), health check, production deps
- Budget Dockerfile: non-root (node user), health check, npm ci, multi-stage ready
- Frontend-v2 Dockerfile: multi-stage build, non-root (node user), health check
- Added /health endpoints to inventory and budget (before auth middleware)
- All 6 containers now run as non-root with health checks
All services verified: gateway, trips, fitness, inventory, budget, frontend
2026-03-29 09:35:39 -05:00
Yusuf Suleman
fcb9383623
fix(gateway): enforce API key auth on inventory and budget services (#5)
- Added X-API-Key middleware to inventory-service and budget-service
- Services reject all requests without valid API key (401)
- Gateway proxy injects service API keys for inventory and budget
- Dashboard widget fetchers inject API keys
- Generated unique API keys per service, stored in .env
- Added SERVICE_API_KEY env var to docker-compose for both services
Partial fix for #5 — internal services now require auth.
Remaining: document trust model, validate service token semantics.
2026-03-29 09:06:41 -05:00
Yusuf Suleman
d3e250e361
Initial commit: Second Brain Platform
Complete platform with unified design system and real API integration.
Apps: Dashboard, Fitness, Budget, Inventory, Trips, Reader, Media, Settings
Infrastructure: SvelteKit + Python gateway + Docker Compose
2026-03-28 23:20:40 -05:00