ac5c758056
#5 Gateway Trust Model: - Removed inventory /test endpoint - Updated docs/trust-model.md with accurate description: - Per-user services (trips, fitness) vs gateway-key services clearly separated - Known limitations documented (no per-user isolation on shared services) - No false claims about per-user auth where it doesn't exist #8 Dependency Security: - Workflow reviewed and confirmed sane - Added .gitea/README.md documenting runner requirement - Status: repo-side complete, operationally blocked on runner setup #9 Performance Hardening: - Budget /transactions/recent: 30s cache (1.1s→41ms on repeat) - Budget /uncategorized-count: 2min cache (1.3s→42ms on repeat) - Both endpoints document Actual Budget per-account API constraint - Budget buildLookups: 2min cache (already in place) - All inventory full scans already eliminated (prior commit)
Gitea CI Workflows
security.yml
Runs on push/PR to master. Three jobs:
- dependency-audit —
npm audit --audit-level=highfor budget and frontend - secret-scanning — checks for tracked .env/.db files and hardcoded secret patterns
- dockerfile-lint — verifies all Dockerfiles have
USER(non-root) andHEALTHCHECK
Prerequisites
These workflows require a Gitea Actions runner to be configured. Without a runner, the workflows are committed but will not execute.
To set up a runner:
- Go to Gitea → Site Administration → Runners
- Register a runner (Docker-based or shell-based)
- The workflows will automatically execute on the next push