From aa07c0270dc98ab58f21d920be1aab2606277888 Mon Sep 17 00:00:00 2001 From: Mikkel Georgsen Date: Sun, 1 Mar 2026 03:17:46 +0100 Subject: [PATCH] wip: 01-tournament-engine paused at security feedback (1/7 applied) Applied security fix 1 (no default admin PIN in prod, first-run setup). Fixes 2-7 remaining: WS auth, HTTP hardening, audit triggers, JWT validation, NATS subject validation, CSV safety. Co-Authored-By: Claude Opus 4.6 --- .../01-tournament-engine/.continue-here.md | 110 ++++++++++++++++++ .../phases/01-tournament-engine/01-PLAN-B.md | 10 +- 2 files changed, 119 insertions(+), 1 deletion(-) create mode 100644 .planning/phases/01-tournament-engine/.continue-here.md diff --git a/.planning/phases/01-tournament-engine/.continue-here.md b/.planning/phases/01-tournament-engine/.continue-here.md new file mode 100644 index 0000000..3aa6b33 --- /dev/null +++ b/.planning/phases/01-tournament-engine/.continue-here.md @@ -0,0 +1,110 @@ +--- +phase: 01-tournament-engine +task: planning-feedback +total_tasks: 14 plans (A-N) +status: in_progress +last_updated: 2026-03-01T02:16:50.435Z +--- + + +Phase 1 planning is complete (14 plans, 6 waves, 68/68 requirements covered). Currently applying security feedback — item 1 of 7 is done, items 2-7 remain. All plans are committed except the security hardening edits. + + + + +## Planning Pipeline (fully complete) +- Research: 01-RESEARCH.md written (go-libsql, NATS JetStream, Svelte 5, ICM complexity) +- Plans A-N created (14 plans, 6 waves) +- Plan checker: 2 iterations, all blockers resolved (G dep on F, J/L scope splits → M/N) +- Committed: `21ff950 docs(01): create Phase 1 plans (A-N) with research and feedback` + +## User Feedback Round 1 (fully applied, committed) +- Correction 1: CONTEXT.md — Added hand-for-hand decisions (per-table completion tracking) +- Correction 2: Plan D/H — Fixed hand-for-hand (removed time deduction, added per-table handCompleted) +- Correction 3: REQUIREMENTS.md — Reworded SEAT-06 to "tap-tap manual seat moves" +- Correction 4: Plan C — Removed FIN-14 duplicate (Plan F is sole owner) +- Correction 5: Plan B — Clarified re-entry clears bust fields +- Gap 6: CONTEXT.md — Defined punctuality bonus concretely +- Gap 7: Plan I — Added integration_test.go with full tournament lifecycle +- Gap 8: Plan A — Health check verifies LibSQL + NATS + hub +- Gap 9: Plan C — JWT expiry 24h → 7 days +- Suggestion 10: Plan B — DKK defaults + Copenhagen chip set +- Suggestion 12: Plan M — Multi-tournament state caching +- Suggestion 13: Plan K — Removed clock tap-to-pause (FAB only) + +## Security Feedback (partially applied) +- Fix 1 DONE: Plan B — Removed default admin PIN seed, added first-run setup flow + dev-only seed migration +- Fixes 2-7: NOT YET APPLIED (see remaining_work) + + + + +## Security Fixes (MUST APPLY — continue from fix 2) + +### Fix 2: Plan A — Authenticated WebSocket connections +- Require JWT as query param on /ws?token=... +- Validate JWT before allowing subscription +- Enforce tournament scope server-side +- Validate Origin header, reject unknown origins +- Edit Plan A task A2 WebSocket hub section + +### Fix 3: Plan A — Harden HTTP server baseline +- Set explicit timeouts: ReadHeaderTimeout(10s), ReadTimeout(30s), WriteTimeout(60s), IdleTimeout(120s), MaxHeaderBytes(1MB) +- Apply http.MaxBytesReader on all request body reads (default 1MB, larger for CSV import) +- Edit Plan A task A2 HTTP server section + +### Fix 4: Plan B — Audit trail tamper protection triggers +- SQLite trigger REJECT UPDATE on audit_entries (except undone_by) +- SQLite trigger REJECT DELETE on audit_entries entirely +- Add to Plan B task B1 schema migration + +### Fix 5: Plan C — Fix JWT validation and PIN rate limiting +- Enforce HS256 via jwt.WithValidMethods([]string{"HS256"}) +- JWT TTL already 7 days (done in earlier feedback) +- Persist failed login attempts in LibSQL (not in-memory) +- Key rate limiting by operator ID (not IP) +- Emit audit entries for 5+ consecutive failures +- Defer key rotation to Phase 7 + +### Fix 6: Plan C/A (NATS) — Validate subject construction +- UUID validation helper before constructing NATS subjects +- Apply in internal/nats/publisher.go (Plan A) + +### Fix 7: Plan G + Plan F — CSV safety +- Import limits: max 10,000 rows, 20 columns, 1,000 chars/field +- Export: neutralize formula injection (prefix =, +, -, @ with tab) +- Test cases for both + +### Also Apply: +- Keep-as-is item 8: Add TODO comment in Plan J auth store re: Phase 7 HttpOnly cookies +- Acceptance criteria: Add security acceptance criteria to relevant plan verification sections + +### After Security Fixes: +- Commit all security edits +- Phase 1 planning is DONE — ready for /gsd:execute-phase 1 + + + + +- Plans split from 12→14: J split into J+M (layout shell), L split into L+N (tables+more) — checker blocker on file count +- G moved to wave 4 (depends on F for financial engine calls) — checker blocker on missing dependency +- I moved to wave 5, K/L/N moved to wave 6 — cascading from G wave change +- Hand-for-hand is per-table completion tracking (not time deduction) — user correction +- SEAT-06 reworded to tap-tap (not drag-and-drop) — user correction, matches CONTEXT.md locked decision +- Clock tap-to-pause removed — accidental pause risk, FAB only +- JWT 7 days not 24h — 12+ hour tournament sessions +- DKK as default currency — Copenhagen demo venue +- No default admin PIN in prod — first-run setup screen instead + + + +None — just need to finish applying security fixes 2-7 + + + +The user provided security feedback as a structured list (7 must-apply items, 2 keep-as-is items, acceptance criteria). Fix 1 (Plan B default admin) is applied. The remaining 6 fixes are straightforward edits to existing plan files. All the files have already been read in this session. After applying fixes 2-7, commit, and Phase 1 planning is complete. Next step after planning: /gsd:execute-phase 1. + + + +Start with: Apply security fix 2 (Plan A WebSocket auth) — edit the WebSocket hub section in 01-PLAN-A.md task A2 to require JWT token as query parameter, validate before subscription, enforce tournament scope, validate Origin header. Then continue with fixes 3-7 sequentially, add acceptance criteria to verification sections, commit all. + diff --git a/.planning/phases/01-tournament-engine/01-PLAN-B.md b/.planning/phases/01-tournament-engine/01-PLAN-B.md index d15467e..182289f 100644 --- a/.planning/phases/01-tournament-engine/01-PLAN-B.md +++ b/.planning/phases/01-tournament-engine/01-PLAN-B.md @@ -241,12 +241,20 @@ END; **4. Seed data:** Create `internal/store/migrations/003_seed_data.sql`: -- Insert a default admin operator (name: "Admin", PIN hash for "1234", role: "admin") - Insert a default venue_settings row (currency: DKK, symbol: kr, rounding: 5000 = 50 kr, receipt_mode: digital) - Insert a default chip set ("Standard") with common denominations: - 25 (white, #FFFFFF), 100 (red, #FF0000), 500 (green, #00AA00), 1000 (black, #000000), 5000 (blue, #0000FF) - Insert a second chip set ("Copenhagen") with DKK-friendly denominations: - 100 (white), 500 (red), 1000 (green), 5000 (black), 10000 (blue) +- **NO default admin operator in seed migration** — first-run setup handles this +- Dev-only seed: create `internal/store/migrations/004_dev_seed.sql` with default admin (name: "Admin", PIN hash for "1234", role: "admin"). Only applied when `--dev` flag is set. + +**5. First-run setup:** +- On startup, check if operators table has zero rows +- If zero operators AND not --dev mode: server starts but returns a setup page at all routes except `/api/v1/setup` +- `POST /api/v1/setup` — body: `{"name": "...", "pin": "..."}` — creates the first admin operator. Only works when zero operators exist. Returns JWT. +- After first operator is created, normal app behavior resumes +- In --dev mode: dev seed migration creates default admin, no setup screen needed **Verification:** - `make run` starts the binary and auto-applies all 3 migrations