# Implementation Progress Tracking execution of [07-improvement-plan.md](07-improvement-plan.md). Newest entries first within each phase. --- ## Phase 0 — Security Hardening Sprint ✅ DONE **Completed and deployed to production 2026-06-09** (deploy task 81, verified live). | Plan item | Status | Commit | |---|---|---| | 0.1 Fail-fast configuration (SEC-01, BE-15) | ✅ | `15ea1ef` | | 0.2 Login hardening: compare_digest + 5/min/IP rate limit (SEC-02, SEC-03) | ✅ | `b412370` | | 0.3 CORS pinned to prod domain + localhost dev (SEC-04) | ✅ | `b412370` | | 0.4 7-day tokens (was 30) + COOKIE_SECURE setting (SEC-05, SEC-08) | ✅ | `15ea1ef`, `b412370` | | 0.5 Security headers via Hono middleware (SEC-07, FE-08) | ✅ | `bebd7b5` | | 0.6 Paste-import 1 MB cap / proxy 502 / 401 loop guard (ARCH-05, FE-23, FE-22) | ✅ | `3a357e4`, `bebd7b5`, `ad29cce` | | 0.7 Housekeeping: dead AgentHomeClient removed, dev compose creds → .env, .env.example | ✅ | `4a758b2`, `15ea1ef` | **Production verification (2026-06-09):** - Health 200 after deploy; frontend+backend containers recreated, healthy - `X-Frame-Options: DENY`, `X-Content-Type-Options: nosniff`, `Referrer-Policy` live on prod responses - Login rate limit live: 6th rapid attempt → **429 with `Retry-After: 58`** - CORS live: `evil.example` origin gets no allow header; app origin allowed - Fail-fast config: behaviorally tested (rejects missing/default/weak secrets in 4/4 cases); prod booted with real Gitea-injected secrets **Incidents & discoveries during rollout:** - Deploy task 80 **failed** on a latent CI bug unrelated to Phase 0: unpinned corepack resolved pnpm 11, which hard-errors on unreviewed dependency build scripts (`ERR_PNPM_IGNORED_BUILDS`). Fixed in `d874cf5` by pinning `packageManager: pnpm@10.33.1` and completing the build-script review in `pnpm-workspace.yaml` (approve `@swc/core`, `esbuild`; ignore `@scarf/scarf`). A failed build never touches running containers — prod was unaffected. - The Gitea repo is a **pull-mirror** (no direct pushes). Deploys are triggered by pushing to GitHub and then running a mirror-sync via the Gitea API from the VPS (token via `gitea admin user generate-access-token`, POST `/repos/admin/wealthysmart/mirror-sync` from inside the container — port 3000 is not published on the host). - **Dev credential change:** dev no longer accepts `admin/admin`. The generated dev password lives in the gitignored `.env` (old file backed up as `.env.bak-phase0`). Prod credentials unchanged. - Two temporary `phase0-sync-*` Gitea tokens should be revoked in Gitea UI → Settings → Applications. **Corrections to the review docs found during implementation:** none beyond those already noted in [README.md](README.md). --- ## Phase 1 — Foundations: Tests, Migrations, Time 🔄 IN PROGRESS Started 2026-06-09. Scope per plan: pytest harness + CI gate (1.1), billing-cycle characterization tests resolving BE-06/BE-07 (1.2), Alembic adoption (1.3), datetime sweep (1.4), Decimal-equivalence baseline (1.5). _Entries added as work lands — see git history for detail._ --- ## Phase 2 — Backend Correctness & Robustness ⏳ NOT STARTED ## Phase 3 — Frontend Data Layer & Feedback ⏳ NOT STARTED ## Phase 4 — UX, Trust & Features ⏳ NOT STARTED