Work in the `platform` repo and continue from the current remediation state.

Use Gitea issues as the source of truth:
- `#1` umbrella
- `#5` Gateway Trust Model
- `#8` Dependency Security
- `#9` Performance Hardening

Important instructions:
- Do NOT rotate or change the admin password during this pass.
- Treat admin password rotation as a final manual ops step after all code and config fixes are complete and verified.
- If you mention password rotation in comments or summaries, explicitly mark it as "LAST STEP".

First, re-verify the repo state before changing anything. Do not trust prior summaries blindly.

Current verified status:
- Completed: `#2`, `#3`, `#4`, `#6`, `#7`, `#10`
- Partial: `#5`, `#8`, `#9`

Remaining work by issue:

`#5 Gateway Trust Model`

Current state:
- Token validation is improved and uses protected endpoints.
- Inventory `/debug-nocodb` has been removed.
- Inventory search sanitization is better.
- The gateway still has a service-global trust model for gateway-key services.

What remains:
- Re-check whether the current gateway-key service model is acceptable as-is or should be narrowed further.
- If it stays, document it precisely and avoid claiming it was eliminated.
- Review inventory and similar internal services for any remaining permissive/debug/admin-style surfaces.
- Review whether service-global access should be limited at route level, method level, or by explicit allowlist.
- Make sure issue comments and the final summary describe the trust model accurately, not optimistically.

Acceptance bar:
- No remaining accidental debug endpoint exposure.
- Remaining gateway-key trust assumptions are explicit, minimal, and documented.
- No false claim that per-user auth exists where it does not.

`#8 Dependency Security`

Current state:
- Budget dependency audit is clean.
- `.gitea/workflows/security.yml` exists.

What remains:
- Review the workflow for correctness and realism.
- Tighten the workflow if needed so repo-side enforcement is actually meaningful.
- Verify whether secret scanning and dependency checks cover the important paths.
- Do not mark this issue complete if a Gitea Actions runner is still required for execution.
- Clearly separate "repo-side complete" from "operationally active".

Acceptance bar:
- Workflow file is committed and sane.
- Remaining runner dependency is clearly documented.
- Issue remains partial or blocked if execution infrastructure is missing.

`#9 Performance Hardening`

Current state:
- Gateway dashboard response is cached.
- Budget summary is cached.
- Inventory `/issues` and `/needs-review-count` no longer full-scan all rows.

What remains:
- Re-check inventory endpoints for any other repeated full-table fetches.
- Re-check budget endpoints for repeated account fan-out, especially `/transactions/recent`.
- If the Actual Budget API forces per-account queries, document that constraint explicitly.
- Prefer targeted improvements such as short-TTL caching, narrower query windows, or reused lookups over broad refactors.
- Do not mark this issue complete unless the remaining hot paths are either fixed or clearly bounded and documented.

Acceptance bar:
- The worst remaining repeated-scan or repeated-fan-out paths are either reduced or documented with clear justification.
- Final status does not overstate completion.

Instructions:
- Make minimal, production-oriented fixes.
- Preserve unrelated user changes.
- After each issue-sized change:
  - verify it with direct checks
  - comment on the relevant Gitea issue with:
    - what changed
    - files touched
    - verification performed
    - what remains
- Do not close `#5`, `#8`, or `#9` unless the actual code and behavior support it.
- If an issue is still partial, say so directly.
- Avoid renaming something and then claiming the underlying architectural concern is solved.

Manual ops note:
- Admin password rotation is intentionally deferred.
- If referenced, mark it exactly as: `LAST STEP: rotate admin password after all remaining fixes are complete and verified.`

Final output format:
- `Completed:`
- `Partial:`
- `Blocked:`
- `Manual ops actions:`
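The `#5` item about limiting service-global access at route level, method level, or by explicit allowlist is the kind of narrowing that is easiest to review when it is written down as data. The following is an added illustration of a deny-by-default allowlist for gateway-key callers; it is not code from the `platform` repo, and the service names, key strings, route patterns and the debug/admin path heuristic are constructed placeholders.

```python
"""Explicit per-service allowlist for gateway-key callers.

Added illustration for the #5 trust-model review; not the platform repo's own
code. Service names, routes and the key->service mapping are constructed
placeholders, not values taken from the repo.
"""
import hmac
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed: which service each gateway key identifies. In a deployment the
# keys come from config/secret storage; these are placeholder strings.
GATEWAY_KEYS = {
    "placeholder-key-inventory": "inventory",
    "placeholder-key-budget": "budget",
}

# Explicit allowlist: service -> set of (METHOD, route regex). Anything not
# listed is denied, so a newly added route is closed by default.
ALLOWLIST = {
    "inventory": {
        ("GET", r"^/issues$"),
        ("GET", r"^/needs-review-count$"),
        ("GET", r"^/items/[0-9]+$"),
    },
    "budget": {
        ("GET", r"^/summary$"),
        ("GET", r"^/transactions/recent$"),
    },
}

# Constructed heuristic for the review step: path segments that look like
# debug/admin/internal surfaces get flagged if they are not allowlisted.
SUSPICIOUS_PATH = re.compile(r"/(debug|admin|internal|dev)(?:[-_/]|$)", re.IGNORECASE)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    service: Optional[str]
    reason: str


def identify_service(presented_key: str) -> Optional[str]:
    """Map a presented key to a service using constant-time comparison."""
    for known_key, service in GATEWAY_KEYS.items():
        if hmac.compare_digest(presented_key.encode(), known_key.encode()):
            return service
    return None


def authorize(presented_key: str, method: str, path: str) -> Decision:
    """Deny-by-default: the key must map to a service, and (method, path) must
    match one of that service's allowlisted routes."""
    service = identify_service(presented_key)
    if service is None:
        return Decision(False, None, "unknown gateway key")
    for allowed_method, pattern in ALLOWLIST.get(service, ()):
        if method.upper() == allowed_method and re.match(pattern, path):
            return Decision(True, service, "allowlisted route")
    return Decision(False, service, f"{method} {path} not allowlisted for {service}")


def find_unlisted_suspicious_routes(registered_routes: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Review helper: given the routes a service actually registers, return
    those that look like debug/admin surfaces and appear in no allowlist."""
    listed = {pattern for routes in ALLOWLIST.values() for _, pattern in routes}
    findings = []
    for method, path in registered_routes:
        if SUSPICIOUS_PATH.search(path) and not any(re.match(p, path) for p in listed):
            findings.append((method, path))
    return findings


if __name__ == "__main__":
    print(authorize("placeholder-key-inventory", "GET", "/issues"))
    print(authorize("placeholder-key-inventory", "DELETE", "/issues"))
    print(authorize("placeholder-key-budget", "GET", "/issues"))
    print(find_unlisted_suspicious_routes([("GET", "/issues"), ("GET", "/debug-nocodb")]))
```

The point of keeping the allowlist as a plain table is that the issue comment for `#5` can quote it verbatim: what a gateway key can reach is then a documented, reviewable fact rather than a claim. `find_unlisted_suspicious_routes` is the check to run against each internal service's registered routes when looking for leftover debug/admin-style surfaces like the removed `/debug-nocodb`.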
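For the `#9` item on repeated account fan-out in `/transactions/recent`, the preferred targeted fix is a short-TTL cache in front of the fan-out rather than a refactor of the budget service. The following is an added illustration, not code from the `platform` repo or the Actual Budget API: the backend class is a constructed stand-in that only answers per account and counts its calls, so the effect of the cache is measurable, and the clock is injected so expiry can be exercised without sleeping.

```python
"""Short-TTL cache in front of a per-account fan-out.

Added illustration for the #9 budget fan-out item; not the platform repo's
code. FakeBudgetBackend is a constructed stand-in for an API that forces
per-account queries; it records how many such calls it receives.
"""
import time
from typing import Callable, Dict, List, Tuple


class FakeBudgetBackend:
    """Constructed stand-in: transactions can only be fetched per account."""

    def __init__(self, accounts: Dict[str, List[dict]]):
        self._accounts = accounts
        self.calls = 0  # number of per-account requests made so far

    def list_accounts(self) -> List[str]:
        return list(self._accounts)

    def transactions(self, account_id: str) -> List[dict]:
        self.calls += 1
        return list(self._accounts[account_id])


class TTLCache:
    """Minimal keyed cache with a monotonic clock injected for testability."""

    def __init__(self, ttl_seconds: float, clock: Callable[[], float] = time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._entries: Dict[str, Tuple[float, object]] = {}

    def get_or_compute(self, key: str, compute: Callable[[], object]) -> object:
        now = self.clock()
        hit = self._entries.get(key)
        if hit is not None and now - hit[0] < self.ttl:
            return hit[1]  # fresh entry: no fan-out this request
        value = compute()
        self._entries[key] = (now, value)
        return value


def recent_transactions(backend, cache: TTLCache, limit: int = 5) -> List[dict]:
    """Fan out across all accounts once per TTL window instead of once per request.

    The backend constraint (per-account queries only) is left as-is; the cache
    bounds how often that constraint is paid for.
    """
    def fetch_all() -> List[dict]:
        merged: List[dict] = []
        for account_id in backend.list_accounts():
            merged.extend(backend.transactions(account_id))
        merged.sort(key=lambda t: t["date"], reverse=True)
        return merged

    merged = cache.get_or_compute("transactions:all", fetch_all)
    return merged[:limit]


if __name__ == "__main__":
    backend = FakeBudgetBackend({
        "checking": [{"date": "2024-01-02", "amount": -12.5}],
        "savings": [{"date": "2024-01-03", "amount": 100.0}],
        "credit": [],
    })
    cache = TTLCache(ttl_seconds=30.0)
    for _ in range(10):
        recent_transactions(backend, cache)
    print(f"per-account calls after 10 requests: {backend.calls}")  # 3, not 30
```

With a 30 second TTL the per-account cost is paid at most once per window regardless of request rate, which is the "clearly bounded and documented" outcome the acceptance bar asks for when the underlying API cannot be changed. The TTL value and cache key are choices to record in the `#9` issue comment alongside the per-account constraint itself.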