yusiboyz/platform
1
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
810502ab9db01fcb41678e9b4205ef92293e12c0
platform/claude_code_partials_detailed_prompt.txt
Yusuf Suleman 810502ab9d
Some checks failed
Security Checks / dependency-audit (push) Has been cancelled
Details
Security Checks / secret-scanning (push) Has been cancelled
Details
Security Checks / dockerfile-lint (push) Has been cancelled
Details
feat: multi-user support, goals editing, shared food library 
Multi-user:
- Madiha account with per-user nav visibility
- Dashboard greeting uses actual user display name
- Navbar and MobileTabBar accept visibleApps prop
- Madiha sees: Dashboard, Trips, Fitness, Budget, Media (no Inventory, Reader)

Goals editing:
- Goals page now has Edit Goals mode with inline number inputs
- Saves via PUT /api/fitness/goals
- Shows "No goals set" state for new users

Food library:
- Default view shows all shared foods (not just user's recent)
- Both users see the same food database
- Cleaned up duplicates: archived Eggs (kept Egg), Green Grapes (kept Grapes),
  duplicate Bellwether Yogurt, Latte Macchiato (kept Madiha's Caramel Latte)

Add to meal buttons:
- "Add to breakfast/lunch/dinner/snack" now focuses the resolve input
  and sets the meal type so AI logs to the correct meal
2026-03-29 14:44:46 -05:00

98 lines
4.0 KiB
Plaintext
Raw Blame History

Work in the `platform` repo and continue from the current remediation state.
Use Gitea issues as the source of truth:
- `#1` umbrella
- `#5` Gateway Trust Model
- `#8` Dependency Security
- `#9` Performance Hardening
Important instruction:
- Do NOT rotate or change the admin password during this pass.
- Treat admin password rotation as a final manual ops step after all code and config fixes are complete and verified.
- If you mention password rotation in comments or summaries, explicitly mark it as "LAST STEP".
First, re-verify the repo state before changing anything. Do not trust prior summaries blindly.
Current verified status:
- Completed: `#2`, `#3`, `#4`, `#6`, `#7`, `#10`
- Partial: `#5`, `#8`, `#9`
Remaining work by issue:
`#5 Gateway Trust Model`
Current state:
- Token validation is improved and uses protected endpoints.
- Inventory `/debug-nocodb` has been removed.
- Inventory search sanitization is better.
- The gateway still has a service-global trust model for gateway-key services.
What remains:
- Re-check whether the current gateway-key service model is acceptable as-is or should be narrowed further.
- If it stays, document it precisely and avoid claiming it was eliminated.
- Review inventory and similar internal services for any remaining permissive/debug/admin-style surfaces.
- Review whether service-global access should be limited at route level, method level, or by explicit allowlist.
- Make sure issue comments and final summary describe the trust model accurately, not optimistically.
Acceptance bar:
- No remaining accidental debug endpoint exposure.
- Remaining gateway-key trust assumptions are explicit, minimal, and documented.
- No false claim that per-user auth exists where it does not.
`#8 Dependency Security`
Current state:
- Budget dependency audit is clean.
- `.gitea/workflows/security.yml` exists.
What remains:
- Review the workflow for correctness and realism.
- Tighten the workflow if needed so repo-side enforcement is actually meaningful.
- Verify whether secret scanning and dependency checks cover the important paths.
- Do not mark this issue complete if a Gitea Actions runner is still required for execution.
- Clearly separate "repo-side complete" from "operationally active".
Acceptance bar:
- Workflow file is committed and sane.
- Remaining runner dependency is clearly documented.
- Issue remains partial or blocked if execution infrastructure is missing.
`#9 Performance Hardening`
Current state:
- Gateway dashboard response is cached.
- Budget summary is cached.
- Inventory `/issues` and `/needs-review-count` no longer full-scan all rows.
What remains:
- Re-check inventory endpoints for any other repeated full-table fetches.
- Re-check budget endpoints for repeated account fan-out, especially `/transactions/recent`.
- If Actual Budget API forces per-account queries, document that constraint explicitly.
- Prefer targeted improvements such as short-TTL caching, narrower query windows, or reused lookups over broad refactors.
- Do not mark this issue complete unless the remaining hot paths are either fixed or clearly bounded and documented.
Acceptance bar:
- The worst remaining repeated-scan or repeated-fan-out paths are either reduced or documented with clear justification.
- Final status does not overstate completion.
Instructions:
- Make minimal, production-oriented fixes.
- Preserve unrelated user changes.
- After each issue-sized change:
- verify it with direct checks
- comment on the relevant Gitea issue with:
- what changed
- files touched
- verification performed
- what remains
- Do not close `#5`, `#8`, or `#9` unless the actual code and behavior support it.
- If an issue is still partial, say so directly.
- Avoid renaming something and then claiming the underlying architectural concern is solved.
Manual ops note:
- Admin password rotation is intentionally deferred.
- If referenced, mark it exactly as: `LAST STEP: rotate admin password after all remaining fixes are complete and verified.`
Final output format:
- `Completed:`
- `Partial:`
- `Blocked:`
- `Manual ops actions:`
Reference in New Issue View Git Blame Copy Permalink