- Comprehensive Workspace Audit - 2026-06-10.md - C1-Secrets-Rotation-Checklist-2026-06-10.md - Mistral-Outsource-Package-2026-06-10.md - Workflow-Remediation-Plan-2026-06-10.md Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
89 lines
4.4 KiB
Markdown
---
title: Workflow Remediation Plan — 2026-06-10 Audit
tags: [audit, workflow, plan, remediation]
created: 2026-06-10
status: draft
---

# Workflow Remediation Plan — 2026-06-10 Audit

## Division of Labour

| Finding | Severity | Assignee | Rationale |
|---|---|---|---|
| C1 (secrets rotation) | Critical | Haiku (checklist doc); rotation itself is human | Rotation is human action; doc is mechanical |
| C2 (LLM proxy auth) | Critical | Sonnet | Auth pattern integration needs codebase knowledge |
| H1 (bot claim URL) | High | Haiku | Mechanical serializer split — no domain logic |
| H2 (file ownership) | High | Sonnet | Needs to read ownership model from DB schema |
| H3 (oracle quoting) | High | Sonnet (grouped with H4+M3) | Same file, complex payment logic |
| H4 (UUID/JWT mismatch) | High | Sonnet (grouped with H3+M3) | Same file, identity normalization |
| M1 (ignoreBuildErrors) | Medium | Mistral | Config change + TS cleanup |
| M3 (permit relay) | Medium | Sonnet (grouped with H3+H4) | Same file, rate-limit implementation |
| M4 (debug panel) | Medium | Mistral | Simple role-gating change |
| M5 (scanner startup) | Medium | Mistral | One Go startup guard |
| M6 (lint errors) | Medium | Mistral | Auto-fix pass + manual cleanup |
| L1 (deployment defaults) | Low | Mistral | Replace hardcoded strings |
| L2 (MIME hardening) | Low | Mistral | Reuse existing magic-byte validator |

Rows assigned to Mistral are not part of the phases below; only the Haiku and Sonnet work is sequenced here.

## Workflow Phase Design

### Phase 1 — Haiku (parallel)

Two agents run simultaneously:

**H1-fix**: `tenantBotService.ts`

- Create `toPublicBotList()` — identical to `toPublicBot()` but always returns `claimUrl: null`
- Replace usage in the list/map path with the new function
- Keep `toPublicBot()` for the dedicated claim-link endpoint

**C1-doc**: Write `C1-Secrets-Rotation-Checklist-2026-06-10.md`

- Rotation steps per category (env files, test fixtures, docs)
- History cleanup instructions (git filter-repo, coordinate clones)
- Prevention checklist (gitleaks hook, CI scan)

### Phase 2 — Sonnet (parallel, non-overlapping files)

Three agents run simultaneously:

**C2-fix**: `frontend/src/app/api/llm/route.ts` + `amanat-assist/llm-proxy/index.mjs`

- Add session/JWT auth check to the Next.js route (401 if not authenticated)
- Add 64KB body size guard to route
- Flip CORS default from wildcard to closed in proxy
- Add 256KB body cap to proxy
- Restrict provider to ALLOWED_PROVIDERS env var
- Redact error logging (status + truncated message only)

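Added example of the C2 guards as pure functions, so the decision logic can be unit-tested apart from the Next.js and proxy plumbing. This is not the project's `route.ts` or `index.mjs`; the `GuardInput`/`GuardConfig` field names, the env-list parsing, the status codes and the sample config are assumptions. Two caveats it encodes that the bullet list above does not spell out: `Content-Length` is advisory, so the cap must also be enforced on the bytes actually read, and CORS with an empty allowlist must emit no `Access-Control-Allow-Origin` at all rather than echoing the request origin:

```typescript
interface GuardConfig {
  allowedOrigins: string[];     // empty = CORS closed (the new default)
  allowedProviders: string[];   // parsed from ALLOWED_PROVIDERS
  maxBodyBytes: number;         // 64 KiB for the route, 256 KiB for the proxy
}

interface GuardInput {
  authenticated: boolean;       // outcome of the session/JWT check
  origin: string | null;        // Origin header, if present
  contentLength: number | null; // parsed Content-Length; null if absent or invalid
  provider: string | null;      // requested provider name
}

interface GuardDecision {
  status: number;               // 200 = proceed; otherwise respond with this code
  reason: string;
  corsOrigin: string | null;    // Access-Control-Allow-Origin value, or omit the header
}

// Comma-separated env list; blanks are dropped, so an unset or empty
// ALLOWED_PROVIDERS yields a deny-all list instead of allow-all.
function parseEnvList(value: string | undefined): string[] {
  return (value ?? "").split(",").map((s) => s.trim()).filter((s) => s.length > 0);
}

// Exact-match allowlist: never echo an arbitrary origin and never fall back to "*".
function corsOriginFor(origin: string | null, allowed: string[]): string | null {
  if (origin === null) return null;
  return allowed.includes(origin) ? origin : null;
}

function evaluateLlmRequest(input: GuardInput, cfg: GuardConfig): GuardDecision {
  const corsOrigin = corsOriginFor(input.origin, cfg.allowedOrigins);
  // Auth first: unauthenticated callers must not even get the body read.
  if (!input.authenticated) return { status: 401, reason: "not authenticated", corsOrigin };
  // A missing or oversized declared length is rejected up front; the real cap
  // is still enforced while reading (see readBodyWithLimit).
  if (input.contentLength === null || input.contentLength > cfg.maxBodyBytes) {
    return { status: 413, reason: "body too large or length unknown", corsOrigin };
  }
  if (input.provider === null || !cfg.allowedProviders.includes(input.provider)) {
    return { status: 400, reason: "provider not allowed", corsOrigin };
  }
  return { status: 200, reason: "ok", corsOrigin };
}

// Cap on bytes actually received, independent of the header. Shown over a sync
// iterable for simplicity; a real request body is an async stream, same logic.
function readBodyWithLimit(chunks: Iterable<Uint8Array>, limit: number): Uint8Array | null {
  const parts: Uint8Array[] = [];
  let total = 0;
  for (const chunk of chunks) {
    total += chunk.length;
    if (total > limit) return null; // caller answers 413 and stops reading
    parts.push(chunk);
  }
  const out = new Uint8Array(total);
  let offset = 0;
  for (const p of parts) { out.set(p, offset); offset += p.length; }
  return out;
}

// Log line with status and a truncated single-line message only: no upstream
// response bodies, no request payloads, no headers.
function redactError(status: number, message: string, maxLen: number = 120): string {
  const oneLine = message.replace(/\s+/g, " ").trim();
  const shown = oneLine.length > maxLen ? `${oneLine.slice(0, maxLen)}...` : oneLine;
  return `upstream error status=${status} message="${shown}"`;
}

// Constructed configuration for illustration; values are not the deployment's.
const EXAMPLE_CONFIG: GuardConfig = {
  allowedOrigins: parseEnvList("https://app.example.invalid"),
  allowedProviders: parseEnvList("openai, anthropic"),
  maxBodyBytes: 64 * 1024,
};
```

The same `evaluateLlmRequest()` serves both files with different `GuardConfig` values (64 KiB cap for the route, 256 KiB for the proxy); the proxy additionally sets `allowedOrigins` to the parsed env list, which defaults to empty and therefore closed.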
**H2-fix**: `backend/src/services/file/fileController.ts` + `fileRoutes.ts`

- Read ownership model from upload code to understand user → file path mapping
- Add ownership check before delete: file must belong to user or user must be admin
- Add ownership check before info: same rule
- Return 403 on unauthorized access

**Payment-fix** (H3 + H4 + M3 combined — single agent to avoid same-file conflicts):

- H3: Remove `ORACLE_QUOTING_ENABLED` flag-gated fallback; always use server-side oracle path; fail 422 if offer not loadable
- H4: Replace raw `payment.buyerId !== userId.toString()` comparisons with canonical helper that checks both legacy ObjectId and pgId UUID (3 sites in `requestNetworkRoutes.ts` + 3 in `paymentRoutes.ts`)
- M3: Add buyer ownership check to permit relay route; add in-memory rate limiter (5 relay attempts/payment/minute)

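Added example covering the H4 canonical identity helper, the owner-or-admin rule from H2-fix, and the M3 ownership check plus per-payment limiter. This is illustration, not the project's `paymentRoutes.ts`, `requestNetworkRoutes.ts` or `fileController.ts`; the `CallerIdentity` shape (which identifiers the JWT carries), the `Payment` record, the limiter API and the sample identifiers are assumptions. The helper normalises case and whitespace and refuses to match anything that is neither a 24-hex ObjectId nor a UUID, so two malformed values never compare equal; the limiter is a sliding window keyed by payment id with an injectable clock:

```typescript
// Assumed caller identity from JWT claims: legacy Mongo ObjectId, Postgres
// UUID, or both, plus an admin flag.
interface CallerIdentity {
  legacyId: string | null;
  pgId: string | null;
  isAdmin: boolean;
}

interface Payment { id: string; buyerId: string; } // buyerId may be either id form

const OBJECT_ID_RE = /^[0-9a-f]{24}$/;
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;

// Canonical form: trimmed, lower-cased, and only accepted if it looks like an
// ObjectId or a UUID; garbage canonicalises to null and so never matches.
function canonicalId(raw: string | null | undefined): string | null {
  if (raw === null || raw === undefined) return null;
  const v = raw.trim().toLowerCase();
  return OBJECT_ID_RE.test(v) || UUID_RE.test(v) ? v : null;
}

// One replacement for every `payment.buyerId !== userId.toString()` site.
function isSameUser(caller: CallerIdentity, storedId: string | null | undefined): boolean {
  const stored = canonicalId(storedId);
  if (stored === null) return false;
  return stored === canonicalId(caller.legacyId) || stored === canonicalId(caller.pgId);
}

interface AccessResult { allowed: boolean; status: 200 | 403; }

// Owner-or-admin rule for file delete/info.
function checkOwnership(caller: CallerIdentity, ownerId: string | null | undefined): AccessResult {
  if (caller.isAdmin || isSameUser(caller, ownerId)) return { allowed: true, status: 200 };
  return { allowed: false, status: 403 };
}

// Sliding-window limiter keyed per payment. In-memory means per process: with
// N replicas the effective limit is N times this unless the store is shared.
class PerKeyRateLimiter {
  private readonly limit: number;
  private readonly windowMs: number;
  private readonly hits: Map<string, number[]> = new Map();

  constructor(limit: number, windowMs: number) {
    this.limit = limit;
    this.windowMs = windowMs;
  }

  // Records and allows the attempt if fewer than `limit` attempts fall inside
  // the trailing window; denied attempts are not recorded.
  tryAcquire(key: string, now: number = Date.now()): boolean {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(key) ?? []).filter((t) => t > cutoff);
    const allowed = recent.length < this.limit;
    if (allowed) recent.push(now);
    this.hits.set(key, recent);
    return allowed;
  }

  // Drop keys with no attempts in the window so memory stays bounded.
  prune(now: number = Date.now()): void {
    const cutoff = now - this.windowMs;
    for (const [key, times] of this.hits) {
      if (times.every((t) => t <= cutoff)) this.hits.delete(key);
    }
  }

  size(): number { return this.hits.size; }
}

// Permit relay: ownership before rate limiting, so a stranger hammering the
// route cannot exhaust the real buyer's relay budget.
function authorizePermitRelay(
  caller: CallerIdentity, payment: Payment, limiter: PerKeyRateLimiter, now: number = Date.now(),
): 200 | 403 | 429 {
  if (!isSameUser(caller, payment.buyerId)) return 403;
  if (!limiter.tryAcquire(payment.id, now)) return 429;
  return 200;
}

// Constructed sample identifiers for illustration only.
const SAMPLE_CALLER: CallerIdentity = {
  legacyId: "5f1d7f3e2c4b1a0987654321",
  pgId: "3F2504E0-4F89-11D3-9A0C-0305E82C3301",
  isAdmin: false,
};
const SAMPLE_PAYMENT: Payment = { id: "pay_1", buyerId: "3f2504e0-4f89-11d3-9a0c-0305e82c3301" };
```

Whether an admin may relay a permit on a buyer's behalf is a product decision the plan does not state; the example keeps the relay buyer-only and applies the admin bypass only to the file ownership rule.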
### Phase 3 — Haiku (parallel verification)

- `cd backend && npx tsc --noEmit -p tsconfig.json` — report pass/fail + errors
- `cd scanner && go build ./...` — report pass/fail

Neither command covers `frontend/src/app/api/llm/route.ts` or `amanat-assist/llm-proxy/index.mjs`; those two files are checked only by the Phase 4 review.

### Phase 4 — Opus (final review)

Read every file changed in Phases 1 and 2 and assess:

- Is each fix correct and complete?
- Are there bypass vectors?
- Regressions in legitimate flows?
- TypeScript type safety?

Return a structured PASS/NEEDS_FIX verdict per file + overall READY/NEEDS_WORK.

## Findings NOT covered by this workflow (human action required)

- **C1 rotation**: The checklist is generated, but the actual key rotation is a human action (BotFather, provider dashboards, redeployment with the new values, then the git history rewrite once rotation is confirmed). Rotate first: a history rewrite does not invalidate keys that have already been copied.
- **H5 dependencies**: Upgrading lockfiles needs careful testing; do it on a separate, controlled branch.
- **M2 browser tokens**: Moving to httpOnly cookies is a large auth refactor, tracked as a separate initiative.

## Estimated output

- 7 file edits across frontend, backend and amanat-assist (the files named in Phases 1 and 2)
- 1 new doc (C1 rotation checklist)
- Typecheck is expected to pass; the Opus review is the backstop for logic regressions that `tsc` cannot see
- Backend `tsc` was already passing before this workflow and must stay passing