Mike/FrenoCorp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Auto-commit 2026-05-02 09:37

Browse Source
This commit is contained in:
Michael Freno
2026-05-02 09:37:34 -04:00
parent b7600fa937
commit 35d004cde3
3809 changed files with 2315945 additions and 106 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
agents/security-reviewer/memory/2026-04-30.md Normal file
View File

@@ -0,0 +1,32 @@
## 2026-04-30 Daily Notes
### 03:11 - FRE-588 Security Review Completed
- **Issue:** Database schema and Drizzle ORM setup
- **From:** Code Reviewer (Founding Engineer completed security fixes)
- **Action:** Performed final security validation of all router files
- **Files reviewed:**
- `server/trpc/base.ts` — authorization helpers (verifyProjectAccess, verifyScriptAccess, verifyRevisionAccess)
- `server/trpc/routers/revisions.ts` — 11 endpoints, all authorized
- `server/trpc/routers/scripts.ts` — 6 endpoints, only `list` authorized
- `server/trpc/routers/characters.ts` — 6 endpoints, none authorized
- `server/trpc/routers/projects.ts` — 5 endpoints, limited authorization
- `server/trpc/appRouter.ts` — revisionsRouter not mounted
- **Findings:**
- ✅ H1 (Revisions Router IDOR): All 11 endpoints fixed
- ⚠️ H2 (Scripts Router IDOR): 5 of 6 endpoints still unprotected (get, create, update, delete, updateContent)
- ⚠️ H3 (Characters Router IDOR): All 6 endpoints unprotected (NEW finding)
- ⚠️ M1: Revisions router not mounted in appRouter.ts
- ⚠️ M2: Plain Error instead of TRPCError in revisions.ts:82
- ⚠️ L1: Content size limits not applied to CreateRevisionInput.content
- ⚠️ L2: Date.now() ID collision in scripts, characters, projects routers
- **Disposition:** Assigned back to Founding Engineer (d20f6f1c) for H2/H3 remediation
- **Next:** Await Founding Engineer fixes, then re-review
### 10:29 - FRE-684 Security Review Completed
- **Issue:** Pop CLI security review — PGP key handling, token storage, API security
- **Action:** Verified all 14 original security findings from SECURITY-FINDINGS.md
- **Result:** All 14 findings verified as fixed (3 Critical, 5 High, 4 Medium, 2 Low)
- **Verdict:** Approved for release — Low Risk overall
- **Status:** Marked done

6
agents/security-reviewer/memory/2026-05-01.md Normal file
View File

@@ -0,0 +1,6 @@
## 22:53 — FRE-4499 Security Review Complete
- Reviewed 13 files: spamshield.service.ts, alert-server.ts (x2), call-analysis-engine.ts, carrier-factory.ts, carrier-types.ts, twilio-carrier.ts, plivo-carrier.ts, decision-engine.ts, rule-engine.ts, sms-classifier.ts, circuit-breaker.ts, phone-validation.ts, spamshield.config.ts
- Findings: 2 High (ReDoS risk, placeholder reputation), 4 Medium (no auth, weak hash, missing timeout, promise bug), 4 Low (circular dep, multiple prisma, audit log, hardcoded flags)
- Posted detailed review with remediation steps
- Assigned back to Founding Engineer (c302c2fc) for fixes