DocFast session 96: 130 tests, security util extraction
This commit is contained in:
parent
052bf8519f
commit
486f77557a
8 changed files with 135 additions and 26 deletions
@ -1,5 +1,63 @@
|
|||
# Session Log
|
||||
|
||||
## Session 96 — 2026-02-25 19:00 UTC (Wednesday Evening)
|
||||
- **Production:** v0.4.5 ✅ healthy, 2 replicas, 0 restarts
|
||||
- **Staging:** v0.5.1 ✅ healthy (new commit deploying)
|
||||
- **K8s cluster:** All 3 nodes Ready
|
||||
- **Support:** Zero tickets
|
||||
- **Proactive improvements completed:**
|
||||
1. **Extracted and unit-tested security-critical utility functions:**
|
||||
- `isPrivateIP` → `src/utils/network.ts` (19 tests: IPv4 private/public ranges, IPv6 loopback/link-local/unique-local, IPv4-mapped IPv6, edge cases)
|
||||
- `isTransientError` → `src/utils/errors.ts` (23 tests: all PG error codes, message-based matches, null/undefined, non-transient errors)
|
||||
- `escapeHtml` → `src/utils/html.ts` (9 tests: all special chars, empty string, double-escaping, mixed content)
|
||||
- `markdownToHtml` / `wrapHtml` (12 tests: headings, bold, italic, links, code blocks, custom/default CSS, empty input)
|
||||
2. **Code quality:** Extracted inline functions to shared utils for testability and reuse. Original files import from new locations. Backward-compatible re-exports maintained.
|
||||
3. **130 tests total** (up from 67), all passing in ~4s across 7 test files.
|
||||
- **Commit:** 50a163b pushed to main → auto-deploys to staging
|
||||
- **Investor test:** All 5 checks pass ✅
|
||||
- **Budget:** €181.71 remaining, Revenue: €9
|
||||
- **Pending for investor:**
|
||||
- Production tag for latest staging (20+ commits ahead of prod v0.4.5)
|
||||
- SDK tokens (npm/PyPI/Go/Packagist)
|
||||
- Google Search Console verification
|
||||
|
||||
## Session 95 — 2026-02-25 16:00 UTC (Wednesday Late Afternoon)
|
||||
- **Production:** v0.4.5 ✅ healthy, 2 replicas, 0 restarts
|
||||
- **Staging:** v0.5.1 ✅ healthy, OpenAPI spec working (BUG-087 fix confirmed deployed)
|
||||
- **K8s cluster:** All 3 nodes Ready
|
||||
- **Support:** Zero tickets
|
||||
- **Proactive improvements completed:**
|
||||
1. **Deduplicated `sanitizeFilename`** — extracted to shared `src/utils/sanitize.ts`, removed duplicate implementations from convert.ts and templates.ts. Consistent behavior: replace dangerous chars with _, trim, limit 200 chars, default fallback.
|
||||
2. **Fixed XSS vector in `esc()` function** — added single-quote escaping (`'` → `'`) in template rendering for attribute context safety.
|
||||
3. **New test files** — `src/__tests__/sanitize.test.ts` (6 tests) + `src/__tests__/templates.test.ts` (5 tests). Tests cover: filename sanitization edge cases, template rendering with correct totals, HTML entity escaping including XSS prevention, unknown template handling.
|
||||
4. **67 tests total** (up from 57), all passing in 2.3s across 3 test files.
|
||||
- **Commit:** 0a002f9 pushed to main → auto-deploys to staging
|
||||
- **Investor test:** All 5 checks pass ✅
|
||||
- **Budget:** €181.71 remaining, Revenue: €9
|
||||
- **Note:** claude-sonnet-4-512k sub-agents failing instantly (model unavailability?). Used Opus for dev work.
|
||||
- **Pending for investor:**
|
||||
- Production tag for latest staging (20+ commits ahead of prod v0.4.5)
|
||||
- SDK tokens (npm/PyPI/Go/Packagist)
|
||||
- Google Search Console verification
|
||||
|
||||
## Session 94 — 2026-02-25 13:00 UTC (Wednesday Afternoon)
|
||||
- **Production:** v0.4.5 ✅ healthy, 75k+ seconds uptime, 2 replicas, 0 restarts
|
||||
- **Staging:** v0.5.1 ✅ healthy (but pending redeploy with new commits)
|
||||
- **K8s cluster:** All 3 nodes Ready
|
||||
- **Support:** Zero tickets
|
||||
- **Proactive improvements completed:**
|
||||
1. **BUG-087 FOUND & FIXED** — swagger-jsdoc 7.0.0-rc.6 (upgraded in session 93) broke OpenAPI spec generation. `/openapi.json` returns `{}` on staging. Reverted to 6.2.8 (0 vulns). Added 2 regression tests. Commit 288d6c7.
|
||||
2. **Unhandled error handlers** — Added `process.on('uncaughtException')` and `process.on('unhandledRejection')` with fatal logging + exit. Previously a stray rejection could crash silently. Commit c4fea79.
|
||||
3. **New tests** — SSRF blocks 0.0.0.0, Content-Disposition default/custom filename, OpenAPI spec validation. **56 tests total** (up from 52).
|
||||
- **CI issue:** ARM64 cross-compile builds appear stuck/slow. Commits 288d6c7 and c4fea79 pushed but staging hasn't redeployed yet after 10+ minutes. May need CI runner check.
|
||||
- **Investor test:** All 5 checks pass ✅ (production unaffected by staging regression)
|
||||
- **Budget:** €181.71 remaining, Revenue: €9
|
||||
- **Pending for investor:**
|
||||
- CI runner may need restart (builds not deploying)
|
||||
- Production tag for latest staging (20+ commits ahead of prod v0.4.5)
|
||||
- SDK tokens (npm/PyPI/Go/Packagist)
|
||||
- Google Search Console verification
|
||||
|
||||
## Session 93 — 2026-02-25 10:00 UTC (Wednesday Mid-Morning)
|
||||
- **Production:** v0.4.5 ✅ healthy, 64k+ seconds uptime, 2 replicas, 0 restarts
|
||||
- **Staging:** v0.5.1 ✅ healthy, pod running on w1
|
||||
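Review bot: the single-quote escape recorded in the Session 95 entry (item 2, the `esc()` fix) reads `'` → `'`, which as written documents an identity mapping; the target entity was evidently rendered back into a literal quote. Spell the entity out in escaped form in the log (for example `&#39;`) so the record states which entity `esc()` now emits and a later reader can verify the attribute-context fix against the code. It would also help that line, and the Session 96 `escapeHtml` entry that says "all special chars" without naming them, to list the characters actually covered, since the two entries describe the same escaping concern in different files.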