nick-doc/09 - Audits/Workflow-Remediation-Plan-2026-06-10.md
Siavash Sameni c5fa6516e8 docs: add 2026-06-10 audit and remediation planning documents
- Comprehensive Workspace Audit - 2026-06-10.md
- C1-Secrets-Rotation-Checklist-2026-06-10.md
- Mistral-Outsource-Package-2026-06-10.md
- Workflow-Remediation-Plan-2026-06-10.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-10 10:09:29 +04:00


---
title: Workflow Remediation Plan — 2026-06-10 Audit
tags:
  - audit
  - workflow
  - plan
  - remediation
created: 2026-06-10
status: draft
---

# Workflow Remediation Plan — 2026-06-10 Audit

## Division of Labour

| Finding | Severity | Assignee | Rationale |
|---|---|---|---|
| C1 (secrets rotation) | Critical | Mistral → rotation doc (Haiku writes checklist) | Rotation is human action; doc is mechanical |
| C2 (LLM proxy auth) | Critical | Sonnet | Auth pattern integration needs codebase knowledge |
| H1 (bot claim URL) | High | Haiku | Mechanical serializer split — no domain logic |
| H2 (file ownership) | High | Sonnet | Needs to read ownership model from DB schema |
| H3 (oracle quoting) | High | Sonnet (grouped with H4+M3) | Same file, complex payment logic |
| H4 (UUID/JWT mismatch) | High | Sonnet (grouped with H3+M3) | Same file, identity normalization |
| M3 (permit relay) | Medium | Sonnet (grouped with H3+H4) | Same file, rate-limit implementation |
| M4 (debug panel) | Medium | Mistral | Simple role-gating change |
| M5 (scanner startup) | Medium | Mistral | One Go startup guard |
| M6 (lint errors) | Medium | Mistral | Auto-fix pass + manual cleanup |
| L1 (deployment defaults) | Low | Mistral | Replace hardcoded strings |
| L2 (MIME hardening) | Low | Mistral | Reuse existing magic-byte validator |
| M1 (ignoreBuildErrors) | Medium | Mistral | Config change + TS cleanup |

## Workflow Phase Design

### Phase 1 — Haiku (parallel)

Two agents run simultaneously:

**H1-fix:** `tenantBotService.ts`

- Create `toPublicBotList()` — identical to `toPublicBot()` but always returns `claimUrl: null`
- Replace usage in the list/map path with the new function
- Keep `toPublicBot()` for the dedicated claim-link endpoint
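The serializer split described above, as an added example that is not the project's code: the `Bot` record shape, the `claimToken` field and the URL base are assumptions. The point worth seeing is that the list item type pins `claimUrl` to `null`, so the list path cannot carry a real claim link even if someone later copies the field through.

```typescript
// Added example, not code from the project: the H1 serializer split.
// The Bot record shape, the claim-token field and the URL base are assumptions.
interface Bot {
  id: string;
  tenantId: string;
  name: string;
  claimToken: string | null; // secret material; must never reach the list endpoint
  claimedAt: Date | null;
}

interface PublicBot {
  id: string;
  name: string;
  claimed: boolean;
  claimUrl: string | null;
}

// The list item type can only ever hold null in claimUrl, so a later change
// that copies the URL through into the list path fails to compile.
type PublicBotListItem = Omit<PublicBot, "claimUrl"> & { claimUrl: null };

const CLAIM_URL_BASE = "https://example.invalid/claim/"; // assumed placeholder

// Full projection: only for the dedicated claim-link endpoint, after authz.
function toPublicBot(bot: Bot): PublicBot {
  return {
    id: bot.id,
    name: bot.name,
    claimed: bot.claimedAt !== null,
    claimUrl:
      bot.claimToken !== null && bot.claimedAt === null
        ? CLAIM_URL_BASE + bot.claimToken
        : null,
  };
}

// List projection: same public fields, claimUrl pinned to null.
function toPublicBotList(bot: Bot): PublicBotListItem {
  const full = toPublicBot(bot);
  return { id: full.id, name: full.name, claimed: full.claimed, claimUrl: null };
}

function listBots(bots: Bot[]): PublicBotListItem[] {
  return bots.map(toPublicBotList);
}

// Regression check: the serialized list must not contain any claim token.
function listLeaksClaimToken(bots: Bot[]): boolean {
  const json = JSON.stringify(listBots(bots));
  return bots.some((b) => b.claimToken !== null && json.includes(b.claimToken));
}
```

`listLeaksClaimToken` is the kind of assertion to keep in the service's test suite so the list/map path cannot regress silently.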

**C1-doc:** write `C1-Secrets-Rotation-Checklist-2026-06-10.md`

- Rotation steps per category (env files, test fixtures, docs)
- History cleanup instructions (`git filter-repo`, coordinate clones)
- Prevention checklist (gitleaks hook, CI scan)

### Phase 2 — Sonnet (parallel, non-overlapping files)

Three agents run simultaneously:

**C2-fix:** `frontend/src/app/api/llm/route.ts` + `amanat-assist/llm-proxy/index.mjs`

- Add session/JWT auth check to the Next.js route (401 if not authenticated)
- Add 64KB body size guard to route
- Flip CORS default from wildcard to closed in proxy
- Add 256KB body cap to proxy
- Restrict provider to `ALLOWED_PROVIDERS` env var
- Redact error logging (status + truncated message only)
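The C2 guards as an added example (not the project's route or proxy code): the checks are written over a plain request model so they can be unit-tested without Next.js or the proxy runtime. The `ALLOWED_ORIGINS` variable name, the `sessionUser` field (the result of the upstream session/JWT check), and the 413/400 status choices are assumptions; the two body limits and `ALLOWED_PROVIDERS` are from the plan.

```typescript
// Added example, not the project's code: C2 guards as a pipeline of pure checks.
// ALLOWED_ORIGINS, the request model and the 413/400 codes are assumptions.
interface ProxyRequest {
  origin: string | null;       // Origin header, if present
  sessionUser: string | null;  // set by the session/JWT check upstream; null = unauthenticated
  provider: string;            // requested upstream LLM provider
  body: Uint8Array;
}

interface ProxyResponse {
  status: number;
  headers: Record<string, string>;
  body: string;
}

const ROUTE_BODY_LIMIT = 64 * 1024;  // Next.js route cap from the plan
const PROXY_BODY_LIMIT = 256 * 1024; // proxy cap from the plan

// Parse a comma-separated allow list; unset or empty means closed, never wildcard.
function parseAllowList(raw: string | undefined): Set<string> {
  return new Set((raw ?? "").split(",").map((s) => s.trim()).filter((s) => s.length > 0));
}

// CORS decision: echo only an explicitly listed Origin; otherwise emit no CORS headers.
function corsHeaders(origin: string | null, allowedOrigins: Set<string>): Record<string, string> {
  if (origin !== null && allowedOrigins.has(origin)) {
    return { "Access-Control-Allow-Origin": origin, Vary: "Origin" };
  }
  return {};
}

// Error redaction: upstream status plus a truncated one-line message, never the raw body.
function redactError(status: number, message: string, max = 120): string {
  const oneLine = message.replace(/\s+/g, " ").trim();
  const clipped = oneLine.length > max ? oneLine.slice(0, max) + "..." : oneLine;
  return `upstream ${status}: ${clipped}`;
}

// Order matters: authenticate, then size, then provider; CORS headers on every reply.
function handleProxy(
  req: ProxyRequest,
  env: Record<string, string | undefined>,
  bodyLimit: number,
): ProxyResponse {
  const allowedOrigins = parseAllowList(env.ALLOWED_ORIGINS);     // assumed variable name
  const allowedProviders = parseAllowList(env.ALLOWED_PROVIDERS); // named in the plan
  const cors = corsHeaders(req.origin, allowedOrigins);
  if (req.sessionUser === null) {
    return { status: 401, headers: cors, body: "unauthenticated" };
  }
  if (req.body.byteLength > bodyLimit) {
    return { status: 413, headers: cors, body: "payload too large" };
  }
  if (!allowedProviders.has(req.provider)) {
    return { status: 400, headers: cors, body: "provider not allowed" };
  }
  // Forward to the provider here. On upstream failure the reply would be
  // { status: 502, headers: cors, body: redactError(upstreamStatus, upstreamText) }.
  return { status: 200, headers: cors, body: "ok" };
}
```

Checking the body length before parsing (rather than after `JSON.parse`) is what makes the cap useful; and because an unset `ALLOWED_ORIGINS` yields an empty set, a deployment that forgets the variable is closed rather than wide open.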

**H2-fix:** `backend/src/services/file/fileController.ts` + `fileRoutes.ts`

- Read ownership model from upload code to understand user → file path mapping
- Add ownership check before delete: file must belong to user or user must be admin
- Add ownership check before info: same rule
- Return 403 on unauthorized access

**Payment-fix** (H3 + H4 + M3 combined — single agent to avoid same-file conflicts):

- H3: Remove `ORACLE_QUOTING_ENABLED` flag-gated fallback; always use server-side oracle path; fail 422 if offer not loadable
- H4: Replace raw `payment.buyerId !== userId.toString()` comparisons with canonical helper that checks both legacy ObjectId and pgId UUID (3 sites in `requestNetworkRoutes.ts` + 3 in `paymentRoutes.ts`)
- M3: Add buyer ownership check to permit relay route; add in-memory rate limiter (5 relay attempts/payment/minute)
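The H4 canonical identity helper and the M3 relay guard as one added example (not the project's payment code). The user and payment shapes, the field names `legacyId` and `pgId`, the injectable clock and the 429 status are assumptions; the 5 attempts per payment per minute figure is from the plan.

```typescript
// Added example, not the project's code: H4 canonical buyer check + M3 relay rate limiter.
// User/payment shapes, legacyId/pgId names, the clock injection and the 429 code are assumptions.
interface AuthUser {
  legacyId: string | null; // legacy Mongo ObjectId carried in the JWT
  pgId: string | null;     // Postgres UUID carried in the JWT
}

interface Payment {
  id: string;
  buyerId: string; // may hold either identifier form, any letter case
}

const OBJECT_ID_RE = /^[0-9a-f]{24}$/i;
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Canonical lowercase form of an identifier, or null if it is neither a
// 24-hex ObjectId nor a UUID, so malformed or empty values never compare equal.
function canonicalId(raw: string | null | undefined): string | null {
  if (raw === null || raw === undefined) return null;
  const s = raw.trim().toLowerCase();
  return OBJECT_ID_RE.test(s) || UUID_RE.test(s) ? s : null;
}

// H4: true iff the stored buyerId matches either identity the caller holds.
// Replaces the raw `payment.buyerId !== userId.toString()` comparisons.
function isBuyer(payment: Payment, user: AuthUser): boolean {
  const stored = canonicalId(payment.buyerId);
  if (stored === null) return false;
  return stored === canonicalId(user.legacyId) || stored === canonicalId(user.pgId);
}

// M3: sliding-window limiter keyed by payment id, 5 attempts per minute by default.
class RelayRateLimiter {
  private readonly attempts: Map<string, number[]> = new Map();
  private readonly limit: number;
  private readonly windowMs: number;
  private readonly now: () => number;

  constructor(limit = 5, windowMs = 60000, now: () => number = Date.now) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
  }

  // Records the attempt and returns true if it is within the limit.
  tryAcquire(paymentId: string): boolean {
    const t = this.now();
    const recent = (this.attempts.get(paymentId) ?? []).filter((ts) => t - ts < this.windowMs);
    if (recent.length >= this.limit) {
      this.attempts.set(paymentId, recent);
      return false;
    }
    recent.push(t);
    this.attempts.set(paymentId, recent);
    return true;
  }
}

// Relay route guard: ownership first (403), then the per-payment limit (429).
// Checking ownership first means a non-buyer cannot consume the buyer's quota.
function relayPermitGuard(payment: Payment, user: AuthUser, limiter: RelayRateLimiter): number {
  if (!isBuyer(payment, user)) return 403;
  if (!limiter.tryAcquire(payment.id)) return 429;
  return 200;
}
```

The in-memory limiter is per process: with several backend instances the effective limit is 5 per instance unless the counters move to a shared store, which is worth noting in the M3 review.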

### Phase 3 — Haiku (parallel verification)

- `cd backend && npx tsc --noEmit -p tsconfig.json` — report pass/fail + errors
- `cd scanner && go build ./...` — report pass/fail

### Phase 4 — Opus (final review)

Read all 6 changed files, assess:

- Is each fix correct and complete?
- Are there bypass vectors?
- Regressions in legitimate flows?
- TypeScript type safety?

Return a structured PASS/NEEDS_FIX verdict per file + overall READY/NEEDS_WORK.

## Findings NOT covered by this workflow (human action required)

- C1 rotation: The checklist is generated, but actual key rotation is a human action (BotFather, provider dashboards, re-deployment with new values, then git history rewrite after rotation confirmed).
- H5 dependencies: Upgrading lockfiles needs careful testing — separate controlled branch recommended.
- M2 browser tokens: Moving to httpOnly cookies is a large auth refactor — tracked as a separate initiative.

## Estimated output

- ~6 file edits across frontend, backend, amanat-assist
- 1 new doc (C1 rotation checklist)
- Typecheck passes expected (Opus review will catch regressions if any)
- Backend `tsc` was already passing before this workflow — must stay passing