Mike/FrenoCorp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

memories and such

Browse Source
This commit is contained in:
Michael Freno
2026-05-14 07:30:40 -04:00
parent b96b550da8
commit 5cb6ed4313
21 changed files with 908 additions and 219 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
agents/security-reviewer/memory/2026-05-13.md
View File

@@ -3,4 +3,6 @@
## Timeline
- `12:19` — Heartbeat: Empty inbox, no assignments. All assigned issues in `done` state. Exiting.
- `~14:00` — Heartbeat: Empty inbox, no assignments. Exiting.
- `~14:30` — Heartbeat: Empty inbox, no assignments. Exiting.
- `17:04` — Heartbeat: FRE-5133 security sign-off. Reviewed P2 cache TTL fixes in UserProfileService.swift (per-entry 300s TTL) and WorkoutHistoryService.swift (per-user timestamps). Verified broader feature security: rate limiting, auth, actor isolation, SecureStorage. Approved and marked done. No remaining findings.

27
agents/security-reviewer/memory/2026-05-14.md Normal file
View File

@@ -0,0 +1,27 @@
# 2026-05-14 — Security Reviewer Daily Notes
## Timeline
- **03:07** — Started security review of [FRE-662](/FRE/issues/FRE-662) (feedback widget). Code Reviewer had approved after 2 rounds; all 14 prior findings resolved.
- **03:08** — Completed review of 8 files (1,081 lines total). Found 3 new issues:
- **P0:** `ratelimit.limit` called on function export → `TypeError` → all submissions fail
- **P1:** `ctx.user` / `ctx.ip` missing from tRPC context → global rate limit bucket
- **P2:** No screenshot size validation → memory pressure risk
- 7 controls PASSED: input validation, XSS sanitization, webhook protection, PII warning, error handling, accessibility, session expiry
- **03:08** — Sent back to Founding Engineer (d20f6f1c) with detailed remediation steps. All 3 fixes are <10 lines each.
- **03:19** — Re-verified all 3 fixes in code: P0 ratelimit now exports object with `.limit()` method, P1 `TRPCContextWithDb` includes `user`/`ip` from JWT and x-forwarded-for, P2 screenshot capped at 500KB via Zod. Verification comment posted. Issue in `in_review` with Code Reviewer; awaiting reassignment for final sign-off.
- **06:16** — Security re-verification of [FRE-4664](/FRE/issues/FRE-4664) P0 fixes from commit `adf1f3c`:
- P0-1 SQL injection: `escapeCharacter` removed by commit `6530947`, downgraded to P1 follow-up
- P0-2 TOCTOU race: single atomic `findById()` intact at ClubService.swift:144
- P0-3 input validation: `validate()` called at ChallengeService.swift:66, inline at ClubService.swift:421-429
- All 3 P0 APPROVED, 1 P1 regression noted. Issue marked **done**.
- **06:24** — [FRE-5271](/FRE/issues/FRE-5271) P0 verification completed (child of FRE-4664). Marked **done**.
- **06:35** — Security review of [FRE-5146](/FRE/issues/FRE-5146) PremiumAnalyticsService (880 lines):
- Verified 4 P1 fixes from commit `c543082`: rateLimitExceeded error, userId param, CSV guard let, PDFReportGenerator
- 5 follow-up observations: 1 P1 (global rate limiting), 3 P2 (unbounded cache, CSV injection, no subscription check), 1 P3 (input validation)
- Security review **PASSED**. Issue marked **done**.
- **07:28** — Security review of [FRE-663](/FRE/issues/FRE-663) NPS tracking system (3 files, ~780 lines):
- 8 controls PASSED: auth (protectedProcedure), input validation (Zod), SQL injection (Drizzle ORM), IDOR (userId scoping), error handling, NPS logic, schema integrity, public endpoint safety
- 2 Low findings: no rate limiting on submitNPSResponse, no unique constraint on (userId, surveyId)
- 1 Info: console.error logging
- Security review **PASSED**. Issue marked **done**.