Files
WealthySmart/codebase-review/PROGRESS.md
2026-06-09 19:34:48 -06:00

3.2 KiB

Implementation Progress

Tracking execution of 07-improvement-plan.md. Newest entries first within each phase.


Phase 0 — Security Hardening Sprint DONE

Completed and deployed to production 2026-06-09 (deploy task 81, verified live).

Plan item Status Commit
0.1 Fail-fast configuration (SEC-01, BE-15) 15ea1ef
0.2 Login hardening: compare_digest + 5/min/IP rate limit (SEC-02, SEC-03) b412370
0.3 CORS pinned to prod domain + localhost dev (SEC-04) b412370
0.4 7-day tokens (was 30) + COOKIE_SECURE setting (SEC-05, SEC-08) 15ea1ef, b412370
0.5 Security headers via Hono middleware (SEC-07, FE-08) bebd7b5
0.6 Paste-import 1 MB cap / proxy 502 / 401 loop guard (ARCH-05, FE-23, FE-22) 3a357e4, bebd7b5, ad29cce
0.7 Housekeeping: dead AgentHomeClient removed, dev compose creds → .env, .env.example 4a758b2, 15ea1ef

Production verification (2026-06-09):

  • Health 200 after deploy; frontend+backend containers recreated, healthy
  • X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy live on prod responses
  • Login rate limit live: 6th rapid attempt → 429 with Retry-After: 58
  • CORS live: evil.example origin gets no allow header; app origin allowed
  • Fail-fast config: behaviorally tested (rejects missing/default/weak secrets in 4/4 cases); prod booted with real Gitea-injected secrets

Incidents & discoveries during rollout:

  • Deploy task 80 failed on a latent CI bug unrelated to Phase 0: unpinned corepack resolved pnpm 11, which hard-errors on unreviewed dependency build scripts (ERR_PNPM_IGNORED_BUILDS). Fixed in d874cf5 by pinning packageManager: pnpm@10.33.1 and completing the build-script review in pnpm-workspace.yaml (approve @swc/core, esbuild; ignore @scarf/scarf). A failed build never touches running containers — prod was unaffected.
  • The Gitea repo is a pull-mirror (no direct pushes). Deploys are triggered by pushing to GitHub and then running a mirror-sync via the Gitea API from the VPS (token via gitea admin user generate-access-token, POST /repos/admin/wealthysmart/mirror-sync from inside the container — port 3000 is not published on the host).
  • Dev credential change: dev no longer accepts admin/admin. The generated dev password lives in the gitignored .env (old file backed up as .env.bak-phase0). Prod credentials unchanged.
  • Two temporary phase0-sync-* Gitea tokens should be revoked in Gitea UI → Settings → Applications.

Corrections to the review docs found during implementation: none beyond those already noted in README.md.


Phase 1 — Foundations: Tests, Migrations, Time 🔄 IN PROGRESS

Started 2026-06-09. Scope per plan: pytest harness + CI gate (1.1), billing-cycle characterization tests resolving BE-06/BE-07 (1.2), Alembic adoption (1.3), datetime sweep (1.4), Decimal-equivalence baseline (1.5).

Entries added as work lands — see git history for detail.


Phase 2 — Backend Correctness & Robustness NOT STARTED

Phase 3 — Frontend Data Layer & Feedback NOT STARTED

Phase 4 — UX, Trust & Features NOT STARTED