- Comprehensive Workspace Audit - 2026-06-10.md
- C1-Secrets-Rotation-Checklist-2026-06-10.md
- Mistral-Outsource-Package-2026-06-10.md
- Workflow-Remediation-Plan-2026-06-10.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
| title | tags | created | status |
|---|---|---|---|
| Workflow Remediation Plan — 2026-06-10 Audit | | 2026-06-10 | draft |
# Workflow Remediation Plan — 2026-06-10 Audit

## Division of Labour
| Finding | Severity | Assignee | Rationale |
|---|---|---|---|
| C1 (secrets rotation) | Critical | Mistral → rotation doc (Haiku writes checklist) | Rotation is human action; doc is mechanical |
| C2 (LLM proxy auth) | Critical | Sonnet | Auth pattern integration needs codebase knowledge |
| H1 (bot claim URL) | High | Haiku | Mechanical serializer split — no domain logic |
| H2 (file ownership) | High | Sonnet | Needs to read ownership model from DB schema |
| H3 (oracle quoting) | High | Sonnet (grouped with H4+M3) | Same file, complex payment logic |
| H4 (UUID/JWT mismatch) | High | Sonnet (grouped with H3+M3) | Same file, identity normalization |
| M3 (permit relay) | Medium | Sonnet (grouped with H3+H4) | Same file, rate-limit implementation |
| M4 (debug panel) | Medium | Mistral | Simple role-gating change |
| M5 (scanner startup) | Medium | Mistral | One Go startup guard |
| M6 (lint errors) | Medium | Mistral | Auto-fix pass + manual cleanup |
| L1 (deployment defaults) | Low | Mistral | Replace hardcoded strings |
| L2 (MIME hardening) | Low | Mistral | Reuse existing magic-byte validator |
| M1 (ignoreBuildErrors) | Medium | Mistral | Config change + TS cleanup |
## Workflow Phase Design

### Phase 1 — Haiku (parallel)
Two agents run simultaneously:
H1-fix: `tenantBotService.ts`
- Create `toPublicBotList()`, identical to `toPublicBot()` but always returning `claimUrl: null`
- Replace usage in the list/map path with the new function
- Keep `toPublicBot()` for the dedicated claim-link endpoint
C1-doc: Write `C1-Secrets-Rotation-Checklist-2026-06-10.md`
- Rotation steps per category (env files, test fixtures, docs)
- History cleanup instructions (git filter-repo, coordinate clones)
- Prevention checklist (gitleaks hook, CI scan)
### Phase 2 — Sonnet (parallel, non-overlapping files)

Three agents run simultaneously:

C2-fix: `frontend/src/app/api/llm/route.ts` + `amanat-assist/llm-proxy/index.mjs`
- Add session/JWT auth check to the Next.js route (401 if not authenticated)
- Add 64KB body size guard to route
- Flip CORS default from wildcard to closed in proxy
- Add 256KB body cap to proxy
- Restrict provider to ALLOWED_PROVIDERS env var
- Redact error logging (status + truncated message only)
H2-fix: `backend/src/services/file/fileController.ts` + `fileRoutes.ts`
- Read ownership model from upload code to understand user → file path mapping
- Add ownership check before delete: file must belong to user or user must be admin
- Add ownership check before info: same rule
- Return 403 on unauthorized access
Payment-fix (H3 + H4 + M3 combined — single agent to avoid same-file conflicts):
- H3: Remove the `ORACLE_QUOTING_ENABLED` flag-gated fallback; always use the server-side oracle path; fail with 422 if the offer cannot be loaded
- H4: Replace raw `payment.buyerId !== userId.toString()` comparisons with a canonical helper that checks both the legacy ObjectId and the pgId UUID (3 sites in `requestNetworkRoutes.ts` + 3 in `paymentRoutes.ts`)
- M3: Add a buyer ownership check to the permit relay route; add an in-memory rate limiter (5 relay attempts/payment/minute)
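As an added example (not the project's own code) of the H4 canonical identity helper and the M3 ownership check plus in-memory relay limiter described above; the record field names, the 403/429 responses and the single-process `Map` store are assumptions.

```typescript
// Added example (not the project's code). Field names on the user and payment
// records, and the 403/429 status choices, are assumptions.
interface AuthenticatedUser { id: string; pgId?: string }      // assumed JWT subject shape
interface PaymentRecord { buyerId: string; buyerPgId?: string } // assumed stored payment shape

const OBJECT_ID_RE = /^[0-9a-f]{24}$/i;                          // legacy Mongo ObjectId
const UUID_RE = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i;  // Postgres pgId

/** Normalize an id for comparison; null when it is neither an ObjectId nor a UUID. */
function canonicalId(raw: unknown): string | null {
  if (typeof raw !== "string") return null;
  const s = raw.trim().toLowerCase();
  return OBJECT_ID_RE.test(s) || UUID_RE.test(s) ? s : null;
}

/** True only when the caller matches the buyer under either identity scheme; fails closed. */
function isPaymentBuyer(payment: PaymentRecord, user: AuthenticatedUser): boolean {
  const keep = (x: string | null): x is string => x !== null;
  const userIds = [user.id, user.pgId].map(canonicalId).filter(keep);
  const buyerIds = [payment.buyerId, payment.buyerPgId].map(canonicalId).filter(keep);
  return userIds.some((u) => buyerIds.includes(u));
}

/** Fixed-window in-memory limiter: at most `limit` hits per key per `windowMs`. */
class RelayRateLimiter {
  private hits = new Map<string, { count: number; windowStart: number }>();
  constructor(private limit = 5, private windowMs = 60_000) {}
  /** Records the attempt and returns true if it is within the limit. */
  allow(paymentId: string, now = Date.now()): boolean {
    const entry = this.hits.get(paymentId);
    if (!entry || now - entry.windowStart >= this.windowMs) {
      this.hits.set(paymentId, { count: 1, windowStart: now });
      return true;
    }
    if (entry.count >= this.limit) return false;
    entry.count += 1;
    return true;
  }
}

/** Guard for the permit relay route: ownership first, so non-buyers cannot burn the buyer's budget. */
function authorizeRelay(
  paymentId: string, payment: PaymentRecord, user: AuthenticatedUser,
  limiter: RelayRateLimiter, now = Date.now(),
): 200 | 403 | 429 {
  if (!isPaymentBuyer(payment, user)) return 403;
  return limiter.allow(paymentId, now) ? 200 : 429;
}
```

The `Map` store is per process; behind multiple replicas the limit is per replica, which is the trade-off a purely in-memory limiter accepts.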
### Phase 3 — Haiku (parallel verification)

- `cd backend && npx tsc --noEmit -p tsconfig.json` — report pass/fail + errors
- `cd scanner && go build ./...` — report pass/fail

### Phase 4 — Opus (final review)
Read all 6 changed files, assess:
- Is each fix correct and complete?
- Are there bypass vectors?
- Regressions in legitimate flows?
- TypeScript type safety?

Return a structured PASS/NEEDS_FIX verdict per file + overall READY/NEEDS_WORK.
## Findings NOT covered by this workflow (human action required)

- C1 rotation: The checklist is generated, but actual key rotation is a human action (BotFather, provider dashboards, re-deployment with new values, then git history rewrite after rotation confirmed).
- H5 dependencies: Upgrading lockfiles needs careful testing — a separate controlled branch is recommended.
- M2 browser tokens: Moving to httpOnly cookies is a large auth refactor — tracked as a separate initiative.
## Estimated output
- ~6 file edits across frontend, backend, amanat-assist
- 1 new doc (C1 rotation checklist)
- Typecheck passes expected (Opus review will catch regressions if any)
- Backend tsc was already passing before this workflow — must stay passing