docs: reconcile PRD + fix-wave with current code #4

Closed
profit wants to merge 2 commits from docs/reconcile-with-code into main
Owner

Audit anchors had drifted from the implementation (verified against current source):

  • Invariant #1: 24-mode _VALID_MODES, not only extract; new invariant #2 (unknown mode -> 400 + valid_modes); SECURE added to cookie invariant
  • Marked mode-registration + unknown-mode items RESOLVED; flagged the live codereview-vs-code_review naming mismatch
  • SCRUM_FIX_WAVE items 1-2 struck through DONE
Audit anchors had drifted from the implementation (verified against current source): - Invariant #1: 24-mode _VALID_MODES, not only extract; new invariant #2 (unknown mode -> 400 + valid_modes); SECURE added to cookie invariant - Marked mode-registration + unknown-mode items RESOLVED; flagged the live codereview-vs-code_review naming mismatch - SCRUM_FIX_WAVE items 1-2 struck through DONE
profit added 2 commits 2026-06-21 03:45:05 +00:00
Two hardening fixes from a fresh security pass of the live code:

- SESSION_COOKIE_SECURE=True: the session cookie set only HTTPONLY +
  SAMESITE=Lax, so it could be sent over plaintext HTTP. App is served
  behind nginx TLS, so no functional downside.
- _nginx_ban: validate the IP with ipaddress.ip_address() before
  interpolating it into the nginx deny file. A malformed value could
  otherwise inject nginx directives at the last write before reload.
  Guard sits at the sink, covering all current and future callers.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The audit anchors had drifted from the implementation. Corrected against
the live source as of commit ea0ba33:

- PRD invariant #1: mode registry is now 24 handlers in _VALID_MODES,
  not "only extract". Added invariant #2: unknown modes fail with HTTP
  400 + valid_modes (was 200-with-error-body). Added SECURE to the
  session-cookie invariant.
- PRD known-gaps + change-axis: marked the mode-registration and
  unknown-mode items RESOLVED; flagged the live codereview-vs-code_review
  naming mismatch that still 400s lakehouse observer escalations.
- SCRUM_FIX_WAVE items 1-2 struck through as DONE; recorded the cookie +
  nginx security fixes under "Recently landed".

Machine-generated .memory/ state left untouched (regenerated by the
scrum pipeline, not hand-edited).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Author
Owner

Merged into main via 474a8c3. (This Gitea instance's PR-status queue is stalled — even API-merged #3 still shows 'open' — so this did not auto-flip to merged; the changes ARE in main.)

✅ Merged into main via 474a8c3. (This Gitea instance's PR-status queue is stalled — even API-merged #3 still shows 'open' — so this did not auto-flip to merged; the changes ARE in main.)
profit closed this pull request 2026-06-21 04:04:31 +00:00

Pull request closed

Sign in to join this conversation.
No Reviewers
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: profit/llm-team-ui#4
No description provided.