2026-02-19 11:42:10 +00:00
|
|
|
# TASKS.md — General Bots Workspace Audit
|
|
|
|
|
|
2026-02-19 12:06:06 +00:00
|
|
|
**Generated:** 2026-02-19
|
|
|
|
|
**Workspace:** `/home/rodriguez/gb` (v6.2.0)
|
|
|
|
|
**Scope:** Security Audit and Improvements Execution
|
2026-02-19 11:42:10 +00:00
|
|
|
|
|
|
|
|
---
|
|
|
|
|
|
2026-02-19 12:06:06 +00:00
|
|
|
## 🔴 P0 — CRITICAL SECURITY FLAWS
|
2026-02-19 11:42:10 +00:00
|
|
|
|
2026-02-19 12:18:40 +00:00
|
|
|
### SEC-01: 🔴 PENDING — History Clean
|
|
|
|
|
**Status:** 🔴 Blocked. `git-filter-repo` missing in environment.
|
|
|
|
|
- [x] Files untracked (`vault-unseal-keys`, `init.json`)
|
|
|
|
|
- [ ] Needs history rewrite (Requires tool installation)
|
2026-02-19 11:42:10 +00:00
|
|
|
|
2026-02-19 12:06:06 +00:00
|
|
|
### SEC-02: ✅ PARTIALLY RESOLVED — `.env` exposure
|
2026-02-19 12:18:40 +00:00
|
|
|
**Status:** ✅ Mitigated (Untracked). **Rotation needed.**
|
2026-02-19 12:06:06 +00:00
|
|
|
- [ ] **Rotate Vault tokens immediately**
|
2026-02-19 11:42:10 +00:00
|
|
|
|
2026-02-19 12:06:06 +00:00
|
|
|
### SEC-03: ✅ RESOLVED — `init.json` removed
|
|
|
|
|
**Status:** ✅ Removed from tracking.
|
2026-02-19 11:42:10 +00:00
|
|
|
|
2026-02-19 12:06:06 +00:00
|
|
|
### SEC-04: ✅ RESOLVED — Command Execution Hardened
|
|
|
|
|
**Status:** ✅ Replaced `Command::new` with `SafeCommand`.
|
2026-02-19 11:42:10 +00:00
|
|
|
|
2026-02-19 12:06:06 +00:00
|
|
|
### SEC-05: ✅ RESOLVED — SQL Injection Hardened
|
|
|
|
|
**Status:** ✅ Parameterized queries implemented. Build verified.
|
2026-02-19 11:42:10 +00:00
|
|
|
|
2026-02-19 12:18:40 +00:00
|
|
|
### SEC-06: ✅ RESOLVED — `unwrap()`/`expect()` verified
|
|
|
|
|
**Status:** ✅ Core/LLM production code verified clean.
|
|
|
|
|
- [x] `botserver/src/core`: Clean (Unwraps confined to tests/stubs)
|
|
|
|
|
- [x] `botserver/src/llm`: Clean (Unwraps confined to tests)
|
|
|
|
|
- [x] Fixed `rate_limiter.rs` (unsafe) & `utils.rs` (expect)
|
2026-02-19 11:42:10 +00:00
|
|
|
|
|
|
|
|
---
|
|
|
|
|
|
2026-02-19 12:18:40 +00:00
|
|
|
## 🟠 P1 — HIGH PRIORITY IMPROVEMENTS
|
2026-02-19 11:42:10 +00:00
|
|
|
|
2026-02-19 12:06:06 +00:00
|
|
|
### IMP-03: ✅ RESOLVED — Artifact Cleanup
|
|
|
|
|
- [x] Deleted `.bas`, `PROMPT.md`
|
2026-02-19 12:18:40 +00:00
|
|
|
- [x] Added `Cargo.lock` to tracking
|
2026-02-19 11:42:10 +00:00
|
|
|
|
2026-02-19 12:06:06 +00:00
|
|
|
### IMP-04: ✅ RESOLVED — Unsafe Code Fix
|
2026-02-19 12:18:40 +00:00
|
|
|
- [x] Replaced `unsafe` block in `rate_limiter.rs`
|
2026-02-19 11:42:10 +00:00
|
|
|
|
2026-02-19 12:06:06 +00:00
|
|
|
### IMP-06: ✅ RESOLVED — CORS Configuration
|
2026-02-19 12:18:40 +00:00
|
|
|
- [x] Fixed syntax and logic in `validate_origin`
|
2026-02-19 11:42:10 +00:00
|
|
|
|
2026-02-19 12:18:40 +00:00
|
|
|
### IMP-14: 🟡 IN PROGRESS — Code Cleanup (TODOs)
|
|
|
|
|
**Status:** References cleaned. Features pending.
|
|
|
|
|
- [x] Removed stale README references to `TODO-refactor1.md`
|
|
|
|
|
- [ ] Implement `drive_handlers.rs` (Drive stubbed)
|
|
|
|
|
- [ ] Implement `admin_invitations.rs` (Schema missing)
|
2026-02-19 11:42:10 +00:00
|
|
|
|
2026-02-19 12:18:40 +00:00
|
|
|
### IMP-15: 🔴 PENDING — Integration Tests
|
|
|
|
|
**Status:** Blocked. `cargo-tarpaulin` missing.
|
|
|
|
|
- [ ] Install coverage tool
|
|
|
|
|
- [ ] Generate report
|
2026-02-19 11:42:10 +00:00
|
|
|
|
|
|
|
|
---
|
|
|
|
|
|
2026-02-19 12:18:40 +00:00
|
|
|
## 🟡 P2 — POLICIES (Completed)
|
2026-02-19 11:42:10 +00:00
|
|
|
|
2026-02-19 12:18:40 +00:00
|
|
|
### IMP-07 to IMP-10: ✅ RESOLVED — Policies Added
|
|
|
|
|
- [x] Rate Limiting, CSRF, Headers, Dependency Management documented in `AGENTS.md`.
|
2026-02-19 11:42:10 +00:00
|
|
|
|
2026-02-19 12:06:06 +00:00
|
|
|
### IMP-16: ✅ RESOLVED — Tool Consolidation
|
2026-02-19 12:18:40 +00:00
|
|
|
- [x] Removed Puppeteer.
|
2026-02-19 11:42:10 +00:00
|
|
|
|
2026-02-19 12:18:40 +00:00
|
|
|
### IMP-17: ✅ RESOLVED — Lockfile
|
|
|
|
|
- [x] Tracked `Cargo.lock`.
|
