Harden security
This commit is contained in:
@@ -1,36 +0,0 @@
|
||||
# Feature Plan: Canonical Conversation Events (Append-Only Timeline)
|
||||
|
||||
## Goal
|
||||
Introduce a canonical append-only event log for conversations so adapters remain stateless and replay/debugging become deterministic.
|
||||
|
||||
## Why This Fits GIA
|
||||
- GIA already has `Person`, `PersonIdentifier`, `ChatSession`, `Message` and multi-transport routing.
|
||||
- This adds a durable event backbone without replacing current UI/features.
|
||||
|
||||
## Scope
|
||||
- Add `ConversationEvent` model (append-only).
|
||||
- Event types: `message_created`, `message_edited`, `message_deleted`, `reaction_added`, `reaction_removed`, `read_receipt`, `media_attached`, `participant_added`, `participant_removed`.
|
||||
- Persist source metadata: transport, upstream IDs, timestamps, actor, payload.
|
||||
- Write events from transport ingress and internal compose actions.
|
||||
- Build replay utility for one chat/session.
|
||||
|
||||
## Implementation
|
||||
1. Add model + migration + indexes (`session`, `event_type`, `created_at`, `origin_transport+origin_message_id`).
|
||||
2. Add write helper in a new module (`core/events/ledger.py`).
|
||||
3. Update signal/whatsapp/xmpp ingress handlers to emit canonical events.
|
||||
4. Update compose send/reaction/edit/delete paths to emit canonical events.
|
||||
5. Add admin/diagnostic read view for event stream by session.
|
||||
6. Add replay command to regenerate derived projections.
|
||||
|
||||
## Acceptance Criteria
|
||||
- Every new message/reaction/edit/delete creates exactly one canonical event.
|
||||
- Event ordering is deterministic per session.
|
||||
- Replay reproduces message projection for a selected session.
|
||||
- No adapter requires business logic to infer missing event state.
|
||||
|
||||
## Risks
|
||||
- Double-write races during transition.
|
||||
- Backfill complexity for old messages.
|
||||
|
||||
## Out of Scope
|
||||
- Full migration of all legacy records in one release.
|
||||
@@ -7,6 +7,22 @@ Define transport feature capabilities centrally so router/policy/UI can make det
|
||||
- GIA currently spans Signal/WhatsApp/Instagram/XMPP with uneven feature support.
|
||||
- Prevents silent failures (for example reaction exists internally but cannot be sent outward).
|
||||
|
||||
## How It Follows Plan 1
|
||||
- Plan 1 established canonical event flow as the shared source language for transport actions.
|
||||
- Plan 2 uses that event flow to gate what may be attempted per transport before adapter calls.
|
||||
- Interlink:
|
||||
- Canonical events define **what happened** (`reaction_added`, `message_edited`, etc.).
|
||||
- Capability matrix defines **what is allowed** on each service at execution time.
|
||||
- Together they prevent drift:
|
||||
- no silent no-op on unsupported features,
|
||||
- no adapter-specific policy branching,
|
||||
- deterministic user-visible failure reasons.
|
||||
|
||||
## Required Inputs From Plan 1
|
||||
- Canonical event types and normalized action shapes are stable.
|
||||
- Event write path exists for ingress/outbound actions.
|
||||
- Traceability exists for diagnostics (`trace_id`, source transport metadata).
|
||||
|
||||
## Scope
|
||||
- Add capability registry per transport.
|
||||
- Features: reactions, edits, deletes, threaded replies, typing, media classes, read receipts, participant events.
|
||||
@@ -23,6 +39,7 @@ Define transport feature capabilities centrally so router/policy/UI can make det
|
||||
- Unsupported action never calls transport adapter.
|
||||
- User receives explicit, actionable error.
|
||||
- Service capabilities are test-covered and easy to update.
|
||||
- Capability decisions are traceable against canonical event/action context.
|
||||
|
||||
## Out of Scope
|
||||
- Dynamic remote capability negotiation.
|
||||
|
||||
2
artifacts/plans/14-security-audit.md
Normal file
2
artifacts/plans/14-security-audit.md
Normal file
@@ -0,0 +1,2 @@
|
||||
# 14) Run security audit using artifacts/1-initial.json. Generated using ship-safe.
|
||||
https://github.com/asamassekou10/ship-safe
|
||||
@@ -1,9 +0,0 @@
|
||||
# 14) Sensitive Information Hygiene
|
||||
|
||||
## Goal
|
||||
Detect and remove sensitive data exposure from code, config, logs, and payload surfaces.
|
||||
|
||||
## Minimal Plan
|
||||
1. Add a repeatable scan for sensitive patterns across repo and runtime-generated artifacts.
|
||||
2. Expunge discovered sensitive values and replace with safe placeholders or references.
|
||||
3. Add guardrails to prevent reintroduction and document the remediation workflow.
|
||||
@@ -10,4 +10,10 @@ This group has no derived tasks yet. To start populating this view:
|
||||
|
||||
|
||||
|
||||
task settings sound complicated, make them simpler
|
||||
task settings sound complicated, make them simpler
|
||||
|
||||
--
|
||||
|
||||
# https://gia.zm.is/settings/system/
|
||||
assume the user cannot access the log
|
||||
Use a trace id from the dropdown (recent traces), Event Ledger Smoke `sample[].trace_id`, or UR logs.
|
||||
Reference in New Issue
Block a user