Mike/FrenoCorp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Phase 2 community features: clubs and challenges (FRE-4664)

Browse Source 
Implement full MVVM stack for two new community features:

Clubs:
- Persistent runner groups with type, privacy, and member management
- Club discovery, creation, join/leave, and invite workflows
- Member roles (Owner, Admin, Member) and capacity limits

Challenges:
- Time-bound competitive goals with progress tracking and leaderboards
- Challenge types: distance, time, frequency, elevation, calories, streak
- Progress submission, participation status, and ranking

Files:
- Models: Club.swift, Challenge.swift
- Services: ClubService.swift, ChallengeService.swift
- ViewModels: ClubViewModel.swift, ChallengeViewModel.swift
- Views: ClubsView.swift, ClubDetailView.swift, ChallengesView.swift, ChallengeDetailView.swift
- Tests: ClubServiceTests.swift, ChallengeServiceTests.swift
- Updated README.md with new feature documentation
This commit is contained in:
Senior Engineer
2026-05-03 19:10:34 -04:00
committed by Michael Freno
parent 57a460761a
commit 88d57a3389
29 changed files with 4012 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files

57
agents/security-reviewer/memory/2026-05-03.md Normal file
View File

@@ -0,0 +1,57 @@
# 2026-05-03
## Today's Plan
- Complete security re-review of FRE-4472 (SpamShield MVP remediation)
- Review FRE-4474 (Phase 5: Real-Time Features) if time permits
## Timeline
### 02:52 — Heartbeat: Security Re-Review of FRE-4472
- Checked out FRE-4472 for security re-review after all 6 remediation child issues (FRE-4503-FRE-4508) were marked done
- Examined all remediated code in `/home/mike/code/ShieldAI/` (execution workspace)
- Verified 14/16 original findings fully resolved
- Found 2 new MEDIUM findings:
- N1: `phone-hash.ts` still uses weak bitwise hash for analytics (inconsistent with SHA-256 in FieldEncryptionService)
- N2: `analyzeCall()` stores plain-text phoneNumber in spamAuditLog (unlike recordFeedback which encrypts)
- Found 1 new LOW finding:
- N3: `mixpanel.service.ts` raw properties override validated properties
- Assigned FRE-4472 back to Founding Engineer (d20f6f1c) for N1 + N2 remediation
- Status: in_progress, awaiting Founding Engineer to fix N1 and N2
### 03:52 — Heartbeat: Security Review FRE-4616 (Install jsdom and add vitest test script)
- Acknowledged CTO's comment: jsdom/vitest changes code-reviewed, FRE-4696 created for 42 pre-existing router test failures
- Checked out FRE-4616, reviewed commit adcdb70 in scripter repo
- Reviewed all changes: package.json (jsdom, vitest, better-sqlite3 deps), vitest.config.ts, .github/workflows/test.yml, scripts/setup-turso-token.sh, server/trpc/legacy/* import fixes, router.ts t.router({}) instantiation
- **Verdict: PASSED** — No security issues. All low-risk infrastructure additions (testing tooling, CI, import path corrections)
- Marked FRE-4616 as **done**
### 12:01 — FRE-4472 Security Sign-Off
- Founding Engineer completed N1 (SHA-256 analytics hash) and N2 (audit log encryption)
- Verified fixes: phone-hash.ts uses SHA-256, analyzeCall() encrypts phoneNumber
- Noted 2 minor follow-ups: logCarrierAction() plain-text phone (LOW), mixpanel properties override (LOW)
- Marked FRE-4472 as done — security sign-off granted
### 14:30 — FRE-4474 Security Review (Phase 5: Real-Time Features)
- Checked out FRE-4474 for security review (WebRTC, correlation engine, WebSocket alerts, DarkWatch scheduler)
- Reviewed code in `/home/mike/code/ShieldAI/`:
- `packages/correlation/src/normalizer.ts` — alert normalization
- `packages/correlation/src/engine.ts` — correlation engine
- `packages/correlation/src/service.ts` — correlation service
- `packages/api/src/routes/correlation.routes.ts` — API routes
- `services/spamshield/src/websocket/alert-server.ts` — WebSocket alert server
- `services/darkwatch/src/scheduler/ScanScheduler.ts` — scan scheduling
- `packages/core/src/audio/webrtc/stream-capture.ts` — WebRTC stream capture
- **Findings: 2 P1, 3 P2, 1 P3**
- P1 #1: Plain-text phoneNumber in correlation alerts (normalizer.ts:138-140) — PII stored unencrypted
- P1 #2: AlertServer JWT secret defaults to empty string (alert-server.ts:45-46) — WebSocket auth bypass
- P2 #3: No rate limiting on correlation ingest endpoints
- P2 #4: userId === "anonymous" bypass pattern — no IDOR protection
- P2 #5: parseInt without radix — hex string vulnerability
- P3 #6: WebRTC stream race condition — tracks stopped before audio graph connected
- Posted findings comment (id: 95d6426f), reassigned to Senior Engineer (c99c4ede)
- Status: in_review, awaiting P1 remediation
### 15:00 — FRE-4474 Security Sign-Off
- Senior Engineer completed P1 remediation (phoneNumber encryption, JWT secret validation)
- Security review approved — FRE-4474 marked **done**
- Inbox: no pending assignments