Completed. Budget /transactions/recent cached 30s, /uncategorized-count cached 2min. Actual Budget per-account API constraint documented. All inventory full scans already eliminated. No…
Repo-side complete. Workflow reviewed and confirmed. Runner dependency documented in .gitea/README.md. Status: blocked on Gitea Actions runner infrastructure — not a code issue.
Completed. Removed /test endpoint from inventory. Trust model doc rewritten with accurate per-user vs gateway-key distinction, known limitations documented. No remaining debug surfaces.
Repo-side work complete. .gitea/workflows/security.yml covers dependency audit, secret scanning, Dockerfile lint. Remaining: configure a Gitea Actions runner to execute the workflow. This is…
Completed in 9e13984 — Inventory /issues and /needs-review-count use server-side NocoDB WHERE filters (no full scans). Budget buildLookups cached 2min. Budget summary cached 1min. Dashboard…
Completed in 7a7286a — SERVICE_LEVEL_AUTH renamed to GATEWAY_KEY_SERVICES. /debug-nocodb removed. NocoDB search sanitized (strips filter operators). Token validation uses protected endpoints…
Completed in 7c05ef1 + 9e13984 — _internal_ssl_ctx removed entirely. proxy.py uses plain urlopen() (all internal services are HTTP). ssl import removed from config.py. External calls (OpenAI,…
Fixed in 4ecd233 — Budget summary cached 1min. Dashboard cached 30s per user (2.1s→40ms). Inventory health endpoint added.
Fixed in 4ecd233 — Added .gitea/workflows/security.yml: dependency audit, secret scanning, Dockerfile lint. Requires Gitea Actions runner to execute.
Fixed in 4ecd233 — Token validation uses protected endpoints. Trust model documented in docs/trust-model.md. Unknown services rejected.