877021ff20
1. Trips TLS: Removed all ssl CERT_NONE / check_hostname=False from 5 external HTTPS call sites (OpenAI, Gemini, Google Places, Geocode). All external calls now use default TLS verification. 2. Internal CORS: Removed permissive cors() from inventory and budget. Both are internal services accessed only via gateway. 3. App visibility: Documented as cosmetic-only in layout.server.ts. Nav hiding is intentional UX, not access control. 4. Disconnect safety: Added confirm() dialog before service disconnect in Settings. Prevents accidental disconnects. 5. Inventory cleanup: Removed stale /test startup log message. Replaced with API key status indicator. 6. Frontend deps: 4 low-severity cookie vulnerabilities in @sveltejs/kit. Fix requires breaking downgrade to kit@0.0.30 — not safe. Documented.
Gitea CI Workflows
security.yml
Runs on push/PR to master. Three jobs:
- dependency-audit —
npm audit --audit-level=highfor budget and frontend - secret-scanning — checks for tracked .env/.db files and hardcoded secret patterns
- dockerfile-lint — verifies all Dockerfiles have
USER(non-root) andHEALTHCHECK
Prerequisites
These workflows require a Gitea Actions runner to be configured. Without a runner, the workflows are committed but will not execute.
To set up a runner:
- Go to Gitea → Site Administration → Runners
- Register a runner (Docker-based or shell-based)
- The workflows will automatically execute on the next push