Commit Graph

5 Commits

Author SHA1 Message Date
0ff6c74871 FRE-709: Document duplicate recovery wake - FRE-635 already recovered via FRE-708 2026-04-26 20:23:14 -04:00
754fce269f fix: implement critical security remediation for authentication and authorization
- Add Clerk token verification to tRPC context (server/trpc/index.ts)
- Remove client-controlled authorId/reviewedById from revisions router
- Require JWT_SECRET environment variable, remove hardcoded fallback
- Add table name validation to prevent SQL injection in backup logic
- Fix TRPCContext type to use better-sqlite3 instead of LibSQL
- Update revisions router tests to use proper tRPC v11+ API
- Add resetInMemoryState function for test isolation

Security fixes address:
- Critical: Authentication bypass via missing token verification
- Critical: User impersonation via client-controlled IDs
- High: Insecure WebSocket defaults with hardcoded secrets
- High: SQL injection vulnerability in backup logic

All tests passing (24/24).
2026-04-25 08:24:45 -04:00
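Three of the fixes this commit lists, as an added example that is not the project's own code: the secret must be present in the environment (no hardcoded fallback), the backup path accepts only allowlisted table names, and a revision's author is taken from the verified context rather than the request body. The table list, the env and input shapes, and the error strings are assumptions; the project's real code sits behind tRPC and Clerk, which this stand-alone version does not depend on.

```typescript
// Added example, not the project's code: three of the checks the commit lists,
// written over plain TypeScript with no tRPC dependency. The table allowlist,
// the env/input shapes and the error messages are assumed for illustration.

// 1. The signing secret must come from the environment. A hardcoded fallback
//    means every deployment that forgets the variable shares a public secret.
export function loadJwtSecret(env: Record<string, string | undefined>): string {
  const secret = env.JWT_SECRET;
  if (!secret || secret.length < 32) {
    throw new Error("JWT_SECRET must be set (at least 32 characters)");
  }
  return secret;
}

// 2. Backup code builds SQL with a table name. Identifiers cannot be bound as
//    parameters, so the only safe input is a name from a fixed allowlist
//    (assumed subset of the schema's tables).
const BACKUP_TABLES: ReadonlySet<string> = new Set([
  "users", "projects", "scripts", "characters", "scenes", "revisions",
]);

export function backupStatement(table: string): string {
  if (!BACKUP_TABLES.has(table)) {
    throw new Error(`refusing to back up unknown table: ${JSON.stringify(table)}`);
  }
  // Quoted identifier taken from the allowlist; nothing caller-controlled reaches the SQL.
  return `SELECT * FROM "${table}"`;
}

// 3. Who wrote a revision is decided by the verified session, never by a field
//    in the request body. Any client-supplied authorId is dropped.
export interface Context { userId: number | null }
export interface RevisionInput { scriptId: number; content: string; authorId?: number }
export interface RevisionRow { scriptId: number; content: string; authorId: number }

export function buildRevision(ctx: Context, input: RevisionInput): RevisionRow {
  if (ctx.userId === null) {
    throw new Error("UNAUTHORIZED: no verified user in context");
  }
  return { scriptId: input.scriptId, content: input.content, authorId: ctx.userId };
}
```

The allowlist is the whole defence in `backupStatement`: a prepared statement cannot parameterise an identifier, so validating against the schema's own table names is the check to look for in any backup or migration helper that splices a name into SQL.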
36f9b420f5 FRE-608: Add Turso database setup with Drizzle ORM
- Create schema for users, projects, scripts, characters, scenes, revisions
- Implement DatabaseManager with connection pooling
- Implement EdgeDatabaseManager for multi-region replicas
- Implement DatabaseBackupManager with automated scheduling
- Generate initial migration with 9 tables
- Add seed script and documentation
- Configure Drizzle Kit for migration management
- Add NPM scripts for database operations

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-24 15:41:03 -04:00
79d153f75a FRE-592: Fix remaining code review blockers and add tests
- Replace in-memory Maps with Drizzle ORM queries for all CRUD operations
- Use integer IDs matching SQLite schema instead of UUIDs
- Fix scriptId to projectId inconsistency in characters and scenes
- Add project ownership verification on all mutation procedures
- Make getCharacter/getScene procedures protected (not public)
- Proper JWT-based userId validation via context
- Add cascade delete for characters/relationships/scenes on project deletion
- Add verifyProjectOwnership helper for authorization checks
- Rewrite tests with createCallerFactory pattern for tRPC v11
- Use better-sqlite3 for in-memory test database
- Split vitest config into separate file from vite config
2026-04-24 08:31:42 -04:00
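The ownership verification and cascade delete this commit describes, as an added example that is not the project's code. An in-memory store stands in for the Drizzle queries, and the row shapes, error codes, the choice to answer NOT_FOUND for both missing and foreign projects, and the constructed sample data are assumptions.

```typescript
// Added example, not the project's code: a verifyProjectOwnership helper that
// every mutation calls first, plus a cascade delete. The store is an in-memory
// stand-in for the Drizzle/SQLite tables; shapes and error codes are assumed.
export interface Project { id: number; ownerId: number }
export interface Character { id: number; projectId: number }
export interface Scene { id: number; projectId: number }
export interface Store { projects: Project[]; characters: Character[]; scenes: Scene[] }
export interface Ctx { userId: number | null }

export class AppError extends Error {
  constructor(public code: "UNAUTHORIZED" | "NOT_FOUND", message: string) {
    super(message);
  }
}

// The project row says who owns it; the caller's identity comes from the
// verified context. Missing and foreign projects both answer NOT_FOUND so an
// attacker cannot enumerate which ids exist (assumed policy).
export function verifyProjectOwnership(db: Store, ctx: Ctx, projectId: number): Project {
  if (ctx.userId === null) throw new AppError("UNAUTHORIZED", "login required");
  const project = db.projects.find((p) => p.id === projectId);
  if (!project || project.ownerId !== ctx.userId) {
    throw new AppError("NOT_FOUND", "project not found");
  }
  return project;
}

// A protected mutation: the ownership check runs before any write.
export function createCharacter(db: Store, ctx: Ctx, projectId: number): Character {
  verifyProjectOwnership(db, ctx, projectId);
  const id = db.characters.reduce((max, c) => Math.max(max, c.id), 0) + 1;
  const character: Character = { id, projectId };
  db.characters.push(character);
  return character;
}

// Deleting a project removes its characters and scenes too, so no orphan rows
// remain that a later query could surface under another project id.
export function deleteProject(
  db: Store, ctx: Ctx, projectId: number,
): { characters: number; scenes: number } {
  verifyProjectOwnership(db, ctx, projectId);
  const characters = db.characters.filter((c) => c.projectId === projectId).length;
  const scenes = db.scenes.filter((s) => s.projectId === projectId).length;
  db.characters = db.characters.filter((c) => c.projectId !== projectId);
  db.scenes = db.scenes.filter((s) => s.projectId !== projectId);
  db.projects = db.projects.filter((p) => p.id !== projectId);
  return { characters, scenes };
}

// Constructed sample data: two owners, two projects, a few child rows.
export function sampleStore(): Store {
  return {
    projects: [{ id: 10, ownerId: 1 }, { id: 11, ownerId: 2 }],
    characters: [{ id: 1, projectId: 10 }, { id: 2, projectId: 11 }],
    scenes: [{ id: 1, projectId: 10 }],
  };
}
```

The point of the helper is that no mutation looks at a client-supplied owner id; the only inputs are the project id and the context the server populated after token verification.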
ef1b15c9ea FRE-600: Implement Phase 1 WebSocket + Yjs CRDT foundation
- Create TypeScript and Vite configuration for SolidJS
- Implement Yjs document structure for screenplay collaboration
- Build WebSocket connection manager with exponential backoff reconnection
- Create CRDT document manager with undo/redo support
- Set up WebSocket sync server with JWT authentication
- Add SolidJS reactive bindings for Yjs shared types
- Build collaborative editor component
- Write unit tests for CRDT operations
- Document implementation in analysis/fre600_websocket_foundation.md

Architecture: Yjs chosen over Automerge for better ecosystem and
Tauri compatibility. WebSocket for sync, WebRTC for video.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-22 23:08:27 -04:00
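JWT authentication at the WebSocket upgrade, as an added example that is not part of the project's sync server. It pins the algorithm to HS256, compares signatures in constant time, checks expiry, and ties the token to the document the socket is joining. The claim names (`sub`, `doc`, `exp`), the token-in-query-string transport and the signing helper used only to mint test tokens are assumptions.

```typescript
// Added example, not the project's code: HS256 JWT verification a Yjs sync
// server can run before accepting a WebSocket. Claim names, the query-string
// transport and the signing helper (for constructing tokens) are assumed.
import { createHmac, timingSafeEqual } from "node:crypto";

export interface SyncClaims { sub: string; doc: string; exp: number }

const b64url = (buf: Buffer): string => buf.toString("base64url");
const hmac = (secret: string, data: string): Buffer =>
  createHmac("sha256", secret).update(data).digest();

// Used here to construct sample tokens; in a real deployment the issuer signs.
export function signToken(secret: string, claims: SyncClaims): string {
  const header = b64url(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const payload = b64url(Buffer.from(JSON.stringify(claims)));
  const signingInput = `${header}.${payload}`;
  return `${signingInput}.${b64url(hmac(secret, signingInput))}`;
}

export function verifyToken(secret: string, token: string, nowSeconds: number): SyncClaims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;

  let hdr: { alg?: string };
  try { hdr = JSON.parse(Buffer.from(header, "base64url").toString("utf8")); } catch { return null; }
  // Pin the algorithm: the token must not choose it (alg=none, key confusion).
  if (hdr.alg !== "HS256") return null;

  const expected = hmac(secret, `${header}.${payload}`);
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;

  let claims: SyncClaims;
  try { claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8")); } catch { return null; }
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) return null;
  if (typeof claims.sub !== "string" || typeof claims.doc !== "string") return null;
  return { sub: claims.sub, doc: claims.doc, exp: claims.exp };
}

// Gate the upgrade request: the path names the document, the query carries the
// token, and the token must have been minted for that same document.
export function authorizeUpgrade(
  secret: string, requestUrl: string, nowSeconds: number,
): { userId: string; doc: string } | null {
  const url = new URL(requestUrl, "ws://localhost");
  const token = url.searchParams.get("token");
  const doc = url.pathname.replace(/^\//, "");
  if (!token) return null;
  const claims = verifyToken(secret, token, nowSeconds);
  if (!claims || claims.doc !== doc) return null;
  return { userId: claims.sub, doc: claims.doc };
}
```

The `doc` claim is what prevents a token issued for one screenplay from opening a socket on another; without it, any authenticated user could sync every document the server hosts.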