From 2d26181aaf66f5676728e6645cb60858fbf03e0f Mon Sep 17 00:00:00 2001 From: Saravana Achu Mac Date: Tue, 5 May 2026 10:13:00 -0700 Subject: [PATCH] docs(roadmap): record encryption coverage --- docs/PRODUCTION_READINESS_HANDOFF_ROADMAP.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/PRODUCTION_READINESS_HANDOFF_ROADMAP.md b/docs/PRODUCTION_READINESS_HANDOFF_ROADMAP.md index 7760483..135b3a3 100644 --- a/docs/PRODUCTION_READINESS_HANDOFF_ROADMAP.md +++ b/docs/PRODUCTION_READINESS_HANDOFF_ROADMAP.md @@ -143,7 +143,7 @@ Goal: production starts fail closed and do not silently run with development-onl - [x] **P3.3** Review all unauthenticated backend endpoints. Keep `/health`, `/api/bootstrap`, and public share reads intentional; protect diagnostics or make them explicitly dev/admin-gated. Commit: `56a051a`; Verified: `GITEA_NPM_TOKEN=dummy pnpm --filter @notelett/backend exec vitest run src/diagnostics.test.ts src/server.test.ts`; `GITEA_NPM_TOKEN=dummy pnpm --filter @notelett/backend run typecheck`; `git diff --check`. Kept `/health`, `/api/bootstrap`, and `/api/public/note-shares/:token` intentionally public; moved diagnostics into `diagnosticsRoutes()` with dev/test open access and production `admin`/`owner` auth via shared auth middleware. - [x] **P3.4** Add or verify rate limiting and abuse controls for public share, auth-facing, prompt, intake, and LLM-backed endpoints using shared platform patterns where available. Commit: `ee4a8ab`; Verified: `GITEA_NPM_TOKEN=dummy pnpm --filter @notelett/backend exec vitest run src/lib/rate-limit.test.ts src/modules/notes/copilot.test.ts src/modules/note-prompts/note-prompts.test.ts src/modules/intake/routes.test.ts`; `GITEA_NPM_TOKEN=dummy pnpm --filter @notelett/backend run typecheck`; `git diff --check`. Added a shared in-memory sliding-window limiter backed by `TooManyRequestsError` from `@bytelyst/errors`, replaced the local intake limiter, and guarded public share reads plus prompt, Smart Action, embedding, URL extraction, merge/compare, copilot, title suggestion, and workspace chat endpoints before expensive work begins. Auth-facing endpoints remain owned by common-platform `platform-service`. - [x] **P3.5** Verify agent write paths enforce role, product scope, workspace membership, idempotency, dry-run, and audit trail behavior. Add missing tests. Commit: `8a53dfd`; Verified: `GITEA_NPM_TOKEN=dummy pnpm --filter @notelett/backend exec vitest run src/mcp/note-tools.test.ts src/mcp/register-note-tools.test.ts src/modules/note-agent-actions/routes.test.ts src/modules/note-agent-actions/routes.integration.test.ts`; `GITEA_NPM_TOKEN=dummy pnpm --filter @notelett/backend run typecheck`; `git diff --check`. Added defense-in-depth role checks inside executable MCP tools, user/product/workspace/note scope guards before writes, duplicate idempotency-key rejection before side effects, and regression coverage for dry-run no-persistence, audit metadata, scoped updates, create-draft workspace ownership, and link-note product scope. -- [ ] **P3.6** Verify field encryption coverage for note body, sensitive artifact metadata, prompt content if needed, and agent action details. Add migration notes if fields are newly encrypted. Commit: +- [x] **P3.6** Verify field encryption coverage for note body, sensitive artifact metadata, prompt content if needed, and agent action details. Add migration notes if fields are newly encrypted. Commit: `6b37b72`; Verified: `GITEA_NPM_TOKEN=dummy pnpm --filter @notelett/backend exec vitest run src/lib/encryption-coverage.test.ts src/modules/note-artifacts/routes.integration.test.ts src/modules/note-prompts/note-prompts.test.ts src/modules/note-agent-actions/routes.integration.test.ts`; `GITEA_NPM_TOKEN=dummy pnpm --filter @notelett/backend run typecheck`; `git diff --check`. Added shared optional text-field encryption helpers; encrypted artifact `title`, `description`, and `blobPath`; prompt `description`, `systemPrompt`, and `userPromptTemplate`; and agent action `reason`, `beforeSummary`, `afterSummary`, and `reviewNote`, while preserving plaintext query metadata and backward-compatible plaintext reads. Added raw-storage encryption tests and migration notes in `docs/FIELD_ENCRYPTION_COVERAGE.md`. Acceptance criteria: - A production container cannot start with unsafe defaults.