nick-doc/09 - Audits/Workflow-Remediation-Plan-2026-06-10.md
Siavash Sameni c5fa6516e8 docs: add 2026-06-10 audit and remediation planning documents
- Comprehensive Workspace Audit - 2026-06-10.md
- C1-Secrets-Rotation-Checklist-2026-06-10.md
- Mistral-Outsource-Package-2026-06-10.md
- Workflow-Remediation-Plan-2026-06-10.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-10 10:09:29 +04:00


---
title: Workflow Remediation Plan — 2026-06-10 Audit
tags: [audit, workflow, plan, remediation]
created: 2026-06-10
status: draft
---
# Workflow Remediation Plan — 2026-06-10 Audit
## Division of Labour
| Finding | Severity | Assignee | Rationale |
|---|---|---|---|
| C1 (secrets rotation) | Critical | Mistral → rotation doc (Haiku writes checklist) | Rotation is human action; doc is mechanical |
| C2 (LLM proxy auth) | Critical | Sonnet | Auth pattern integration needs codebase knowledge |
| H1 (bot claim URL) | High | Haiku | Mechanical serializer split — no domain logic |
| H2 (file ownership) | High | Sonnet | Needs to read ownership model from DB schema |
| H3 (oracle quoting) | High | Sonnet (grouped with H4+M3) | Same file, complex payment logic |
| H4 (UUID/JWT mismatch) | High | Sonnet (grouped with H3+M3) | Same file, identity normalization |
| M3 (permit relay) | Medium | Sonnet (grouped with H3+H4) | Same file, rate-limit implementation |
| M4 (debug panel) | Medium | Mistral | Simple role-gating change |
| M5 (scanner startup) | Medium | Mistral | One Go startup guard |
| M6 (lint errors) | Medium | Mistral | Auto-fix pass + manual cleanup |
| L1 (deployment defaults) | Low | Mistral | Replace hardcoded strings |
| L2 (MIME hardening) | Low | Mistral | Reuse existing magic-byte validator |
| M1 (ignoreBuildErrors) | Medium | Mistral | Config change + TS cleanup |
## Workflow Phase Design
### Phase 1 — Haiku (parallel)
Two agents run simultaneously:
**H1-fix**: `tenantBotService.ts`
- Create `toPublicBotList()` — identical to `toPublicBot()` but always returns `claimUrl: null`
- Replace usage in the list/map path with the new function
- Keep `toPublicBot()` for the dedicated claim-link endpoint
**C1-doc**: Write `C1-Secrets-Rotation-Checklist-2026-06-10.md`
- Rotation steps per category (env files, test fixtures, docs)
- History cleanup instructions (git filter-repo, coordinate clones)
- Prevention checklist (gitleaks hook, CI scan)
### Phase 2 — Sonnet (parallel, non-overlapping files)
Three agents run simultaneously:
**C2-fix**: `frontend/src/app/api/llm/route.ts` + `amanat-assist/llm-proxy/index.mjs`
- Add session/JWT auth check to the Next.js route (401 if not authenticated)
- Add 64KB body size guard to route
- Flip CORS default from wildcard to closed in proxy
- Add 256KB body cap to proxy
- Restrict provider to ALLOWED_PROVIDERS env var
- Redact error logging (status + truncated message only)
**H2-fix**: `backend/src/services/file/fileController.ts` + `fileRoutes.ts`
- Read ownership model from upload code to understand user → file path mapping
- Add ownership check before delete: file must belong to user or user must be admin
- Add ownership check before info: same rule
- Return 403 on unauthorized access
**Payment-fix** (H3 + H4 + M3 combined — single agent to avoid same-file conflicts):
- H3: Remove `ORACLE_QUOTING_ENABLED` flag-gated fallback; always use server-side oracle path; fail 422 if offer not loadable
- H4: Replace raw `payment.buyerId !== userId.toString()` comparisons with canonical helper that checks both legacy ObjectId and pgId UUID (3 sites in `requestNetworkRoutes.ts` + 3 in `paymentRoutes.ts`)
- M3: Add buyer ownership check to permit relay route; add in-memory rate limiter (5 relay attempts/payment/minute)
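
The H4 canonical comparison and the M3 relay guard as one added example; this is not code from `requestNetworkRoutes.ts` or `paymentRoutes.ts`, and the `buyerPgId` field, the `AuthUser` shape and the `relayPermit` handler are assumptions for illustration. The limiter enforces the plan's 5 attempts per payment per minute.

```typescript
// Added example (not from requestNetworkRoutes.ts or paymentRoutes.ts): a canonical
// buyer-identity check covering legacy ObjectId and pgId UUID forms (H4), and a
// per-payment in-memory limiter for the permit relay route (M3). Field names assumed.

export interface PaymentRecord { id: string; buyerId: string; buyerPgId?: string }
export interface AuthUser { id: string; pgId?: string } // id: legacy ObjectId; pgId: UUID

const OBJECT_ID_RE = /^[0-9a-f]{24}$/i;
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Accept either id form, trimmed and lower-cased; anything else (empty string,
// "undefined", a stray object) normalises to null so it can never match by accident.
export function normalizeId(id: unknown): string | null {
  if (id === null || id === undefined) return null;
  const s = String(id).trim().toLowerCase();
  return OBJECT_ID_RE.test(s) || UUID_RE.test(s) ? s : null;
}

function idsOf(...raw: unknown[]): string[] {
  return raw.map(normalizeId).filter((x): x is string => x !== null);
}

// Replaces `payment.buyerId !== userId.toString()`: true when any identifier the
// payment carries for the buyer equals any identifier the session carries for the user.
export function isBuyer(payment: PaymentRecord, user: AuthUser): boolean {
  const paymentIds = new Set(idsOf(payment.buyerId, payment.buyerPgId));
  return idsOf(user.id, user.pgId).some((u) => paymentIds.has(u));
}

// Sliding-window counter keyed by payment id: at most `limit` admits per `windowMs`.
export class RelayRateLimiter {
  private readonly attempts = new Map<string, number[]>();
  private readonly limit: number;
  private readonly windowMs: number;

  constructor(limit = 5, windowMs = 60_000) {
    this.limit = limit;
    this.windowMs = windowMs;
  }

  tryAcquire(paymentId: string, now: number): boolean {
    const cutoff = now - this.windowMs;
    const recent = (this.attempts.get(paymentId) ?? []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.attempts.set(paymentId, recent);
      return false;
    }
    recent.push(now);
    this.attempts.set(paymentId, recent);
    return true;
  }

  // Drop idle keys so a long-running process does not keep one entry per payment forever.
  prune(now: number): void {
    const cutoff = now - this.windowMs;
    for (const [key, times] of this.attempts) {
      if (times.every((t) => t <= cutoff)) this.attempts.delete(key);
    }
  }

  get trackedPayments(): number {
    return this.attempts.size;
  }
}

// Ownership is checked before the limiter so a non-buyer cannot burn the buyer's quota.
export function relayPermit(
  payment: PaymentRecord | undefined,
  user: AuthUser,
  limiter: RelayRateLimiter,
  now: number
): number {
  if (payment === undefined) return 404;
  if (!isBuyer(payment, user)) return 403;
  if (!limiter.tryAcquire(payment.id, now)) return 429;
  return 202; // permit accepted for relay; the forwarding step is out of scope here
}
```

Two caveats a reviewer should carry into Phase 4: the comparison only matches ids that parse as ObjectId or UUID, so an unexpected id format fails closed rather than open; and an in-memory limiter is per process, so behind N replicas the effective ceiling is 5 × N per payment per minute unless the counter is moved to shared storage.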
### Phase 3 — Haiku (parallel verification)
- `cd backend && npx tsc --noEmit -p tsconfig.json` — report pass/fail + errors
- `cd scanner && go build ./...` — report pass/fail
### Phase 4 — Opus (final review)
Read all 6 changed files, assess:
- Is each fix correct and complete?
- Are there bypass vectors?
- Regressions in legitimate flows?
- TypeScript type safety?
Return a structured PASS/NEEDS_FIX verdict per file + overall READY/NEEDS_WORK.
## Findings NOT covered by this workflow (human action required)
- **C1 rotation**: The checklist is generated, but actual key rotation is a human action (BotFather, provider dashboards, re-deployment with new values, then git history rewrite after rotation confirmed).
- **H5 dependencies**: Upgrading lockfiles needs careful testing — a separate controlled branch is recommended.
- **M2 browser tokens**: Moving to httpOnly cookies is a large auth refactor — tracked as a separate initiative.
## Estimated output
- ~6 file edits across frontend, backend, amanat-assist
- 1 new doc (C1 rotation checklist)
- Typecheck expected to pass (Opus review will catch any regressions)
- Backend tsc was already passing before this workflow — must stay passing