chore: format docs files
This commit is contained in:
54
docs/scratchpads/gateway-security-20260313.md
Normal file
54
docs/scratchpads/gateway-security-20260313.md
Normal file
@@ -0,0 +1,54 @@
|
||||
# Gateway Security Hardening Scratchpad
|
||||
|
||||
## Metadata
|
||||
|
||||
- Date: 2026-03-13
|
||||
- Worktree: `/home/jwoltje/src/mosaic-mono-v1-worktrees/sec-remediation`
|
||||
- Branch: `fix/gateway-security`
|
||||
- Scope: Finish 7 requested gateway security fixes without switching branches or worktrees
|
||||
- Related tracker: worker task only; `docs/TASKS.md` is orchestrator-owned and left unchanged
|
||||
- Budget assumption: no explicit token cap; keep scope limited to requested gateway/auth/validation hardening
|
||||
|
||||
## Objective
|
||||
|
||||
Complete the remaining gateway security hardening work:
|
||||
|
||||
1. Chat HTTP auth guard enforcement
|
||||
2. Chat WebSocket session validation
|
||||
3. Ownership checks on by-id CRUD routes
|
||||
4. Global validation pipe and DTO enforcement
|
||||
5. Rate limiting
|
||||
6. Helmet security headers
|
||||
7. Body limit and env validation
|
||||
|
||||
## Plan
|
||||
|
||||
1. Reconcile current worktree state against requested fixes.
|
||||
2. Patch or extend tests first for DTO/auth behavior mismatches.
|
||||
3. Implement minimal code changes to satisfy tests and requested behavior.
|
||||
4. Run targeted gateway tests.
|
||||
5. Run baseline gates: `pnpm typecheck`, `pnpm lint`.
|
||||
6. Perform manual code review and record findings.
|
||||
7. Commit, push branch, open PR, send OpenClaw event, remove worktree.
|
||||
|
||||
## Progress Log
|
||||
|
||||
### 2026-03-13T00:00 local
|
||||
|
||||
- Loaded required Mosaic/global/runtime instructions and applicable skills.
|
||||
- Confirmed active worktree is `sec-remediation` and branch is already dirty with prior session changes.
|
||||
- Identified remaining gaps: DTO validation mismatch and non-requested socket auth helper typing/behavior drift.
|
||||
|
||||
## TDD Notes
|
||||
|
||||
- Required: yes. This is security/auth/permission logic.
|
||||
- Approach: update targeted unit tests first, verify failure, then patch code minimally.
|
||||
|
||||
## Verification Log
|
||||
|
||||
- Pending.
|
||||
|
||||
## Risks / Blockers
|
||||
|
||||
- Repository instructions conflict on PR merge behavior; user explicitly instructed PR-only, no merge. Follow user instruction.
|
||||
- Existing worktree contains prior-session modifications; do not revert unrelated changes.
|
||||
Reference in New Issue
Block a user