
chore(audit): execute 2026-06-03 audit — digest pins, healthchecks, explicit concurrency, prod log hygiene#116

Merged
agjs merged 7 commits into main from chore/audit-fixes-20260603-1340 on Jun 3, 2026

Conversation

agjs (Contributor) commented Jun 3, 2026

Summary

  • Executes all 7 findings from the 2026-06-03 audit-monorepo run (guardrail-first: every class-of-defect fix ships with the lint rule that now prevents it).
  • Security/supply-chain: ui Dockerfile.prod builder stage pinned by sha256 digest + new dockerfile-base-image-sha-pin lint-meta rule in both apps (F001); prod ui logger no longer prints structured log entries to the browser console — Sentry-breadcrumb-only, locked by a prod-mode test (F002).
  • Reliability/CI: healthchecks for prod ui (nginx /healthz) and traefik (--ping) plus a validate-compose CI step requiring healthchecks on all long-running prod services (F004); new github-actions-concurrency-explicit lint-meta rule — releases state cancel-in-progress: false, validation/drift workflows opt into true (F005); engine-pin-parity rule now directly unit-tested (F003); docs scripts route through bun run (F006); e2e consent fixture timestamps via canonical now() (F007).

New guardrails immediately caught instances beyond the audit's: traefik's missing healthcheck and three more workflows with implicit concurrency defaults.

Test plan

  • cd apps/api && bun run check + bun test tests/lint-meta (57 pass)
  • cd apps/ui && bun run check + lint-meta vitest suite (46 pass) + logger tests (11 pass)
  • cd apps/docs && bun run build:ci (incl. fragment check)
  • docker compose --profile prod config + yamllint (CI config) on compose changes
  • Pre-push gate: gitleaks, semgrep, full Docker smoke stack + 12 Playwright e2e specs — passed on push
  • New lint-meta rules RED/GREEN verified against the real violations before fixing

Conventions

  • No any, no blind as, no !
  • New env vars in schema + .env.example (+ SECURITY.md when relevant) — n/a, none added
  • Tests updated for changed behavior (prod-mode logger test, 3 new lint-meta suites)

Screenshots

n/a — no visual UI changes (logger + e2e fixture only).
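The dockerfile-base-image-sha-pin rule named in the summary is a text check over FROM lines. The block below is an added example of how such a rule can be written; it is not the project's lint-meta code. It flags any FROM whose image is not pinned by a well-formed @sha256 digest and exempts scratch and references to stage aliases defined earlier in the same Dockerfile, as the F001 commit describes. It goes one step beyond the rule as described by also flagging FROM images that come from a build ARG, since a pin that lives outside the Dockerfile is not checkable here; the function and type names and the sample Dockerfile are this example's own assumptions.

```typescript
// Added example (not the project's code): a lint-meta style rule that fails
// any Dockerfile FROM whose base image lacks an @sha256 digest. Stage aliases
// (FROM <name> where an earlier FROM ... AS <name> defined it) and scratch are
// exempt. Function and type names are this example's own assumptions.

export interface PinViolation {
  line: number;   // 1-based line in the Dockerfile
  image: string;  // image reference as written
  reason: string;
}

// A digest is exactly "sha256:" followed by 64 lowercase hex characters.
const DIGEST_RE = /^sha256:[0-9a-f]{64}$/;

// Split the text after FROM into the image reference and optional stage alias,
// skipping flags such as --platform=$BUILDPLATFORM.
function parseFrom(rest: string): { image: string; alias: string | undefined } | undefined {
  const tokens = rest.trim().split(/\s+/).filter((t) => !t.startsWith("--"));
  const image = tokens[0];
  if (image === undefined || image === "") return undefined;
  const asIdx = tokens.findIndex((t) => t.toUpperCase() === "AS");
  const alias = asIdx >= 0 ? tokens[asIdx + 1] : undefined;
  return { image, alias };
}

export function checkDockerfileBaseImagePins(dockerfile: string): PinViolation[] {
  const violations: PinViolation[] = [];
  // Stage aliases seen so far; Dockerfile stage names are case-insensitive.
  const stages = new Set<string>();
  dockerfile.split(/\r?\n/).forEach((raw, idx) => {
    const match = /^FROM\s+(.*)$/i.exec(raw.trim());
    if (match === null) return; // comments, ARG, RUN, ... are not FROM lines
    const lineNo = idx + 1;
    const parsed = parseFrom(match[1] ?? "");
    if (parsed === undefined) {
      violations.push({ line: lineNo, image: "", reason: "FROM without an image reference" });
      return;
    }
    const { image, alias } = parsed;
    // Decide exemption before registering this line's own alias.
    const exempt = image === "scratch" || stages.has(image.toLowerCase());
    if (alias !== undefined) stages.add(alias.toLowerCase());
    if (exempt) return;
    if (image.includes("$")) {
      violations.push({ line: lineNo, image, reason: "image comes from a build ARG; the pin must be literal in the Dockerfile" });
      return;
    }
    const at = image.indexOf("@");
    if (at < 0) {
      violations.push({ line: lineNo, image, reason: "base image not pinned by @sha256 digest" });
    } else if (!DIGEST_RE.test(image.slice(at + 1))) {
      violations.push({ line: lineNo, image, reason: "malformed digest (expected sha256: plus 64 hex chars)" });
    }
  });
  return violations;
}

// Constructed sample Dockerfile: line 3 is the unpinned builder-stage pattern
// the audit flagged; lines 7 and 8 show two other ways a pin can be missing.
export const SAMPLE_DOCKERFILE = [
  "# syntax=docker/dockerfile:1",
  "ARG BASE_IMAGE=oven/bun:1.2",
  "FROM --platform=$BUILDPLATFORM oven/bun:1.2 AS deps",
  `FROM oven/bun:1.2@sha256:${"a".repeat(64)} AS builder`,
  "FROM deps AS test",
  "FROM scratch AS empty",
  "FROM ${BASE_IMAGE}",
  "FROM nginx:1.27@sha256:deadbeef",
].join("\n");
```

The check validates only the digest's shape; it cannot know whether that digest exists in the registry or corresponds to the tag written beside it, so the pin still has to be refreshed by an update bot and proven by a build. In a CI gate, run it over every Dockerfile and fail on a non-empty result. Whether the pinned bun image agrees with engines.bun and the CI workflow is the separate question the existing engine-pin-parity check covers.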

agjs added 7 commits June 3, 2026 13:49

Adds a dockerfile-base-image-sha-pin lint-meta rule to both apps so every
Dockerfile FROM must carry an @sha256 digest (stage aliases and scratch
exempt), surfaces the unpinned ui builder stage through the rule, then pins
it to the same oven/bun digest used by apps/api.

Audit: F001

Exports checkEnginePinParity from the lint-meta cli like its sibling
checks and adds a four-scenario suite (missing engines.bun, Dockerfile
drift, CI workflow drift, aligned) so the parity guardrail is itself
guarded.

Audit: F003

The prod ui service was the only long-running prod service without a
healthcheck (dev/smoke profiles already probe /healthz, which prod
nginx.conf serves). Traefik gains an internal --ping healthcheck too.
A new validate-compose CI step asserts every long-running prod-profile
service in the base compose file defines a healthcheck; one-shot jobs
(restart "no") are exempt.

Audit: F004

The prod path of emit() printed every masked log entry to the browser
console, exposing the app's event stream to anyone with devtools open.
Production is now Sentry-breadcrumb-only; a prod-mode test (env.DEV
mocked false) locks in breadcrumb capture, PII masking, and console
silence.

Audit: F002

New github-actions-concurrency-explicit lint-meta rule (both apps)
requires an explicit cancel-in-progress on every workflow concurrency
block. Surfaced four implicit defaults: apps-api-release now states
false (matching apps-ui-release — never cancel an in-flight image
push); the acl-drift, openapi-drift, and validate-compose validation
workflows opt into true since superseded runs are worthless.

Audit: F005

Six scripts invoked node directly while the repo standard (and
packageManager pin) is bun; bun executes the same .mjs files natively.
Also commits the regenerated lint-meta catalog picking up the new
dockerfile-base-image-sha-pin and github-actions-concurrency-explicit
rules.

Audit: F006

The auth fixture pinned configuredAt to 2026-01-01, drifting ever
further into the past; if consent re-prompt logic ever lands, every
e2e run would silently exercise the stale-consent path. The canonical
now() helper keeps the fixture a fresh dismissal.

Audit: F007
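The F002 commit describes a logger whose production path still wrote every masked entry to the browser console. The following is an added example that reproduces that defect class next to the fix shape the commit describes (production is breadcrumb-only, console output exists only in dev); it is not the project's logger. Sinks are injected so it runs without a browser or Sentry: in a Vite app the mode flag would come from import.meta.env.DEV and the breadcrumb sink would wrap Sentry.addBreadcrumb, which is an assumption about wiring rather than something the page shows. The type and function names and the PII key list are this example's own.

```typescript
// Added example (not the project's logger): the defect behind F002 next to
// the hardened form. Sinks are injected so this runs without a browser or
// Sentry; all names and the PII key list are this example's own assumptions.

export type Level = "debug" | "info" | "warn" | "error";

export interface LogEntry {
  level: Level;
  message: string;
  data: Record<string, unknown>;
}

export interface Sinks {
  // In a browser build this would wrap console.debug/info/warn/error.
  console: (entry: LogEntry) => void;
  // In a Sentry-instrumented app this would wrap Sentry.addBreadcrumb(...).
  breadcrumb: (entry: LogEntry) => void;
}

// Keys whose values are replaced before an entry reaches any sink (constructed list).
const PII_KEYS = new Set(["email", "phone", "password", "token", "authorization"]);

// Mask by key name, recursing into nested objects and arrays.
function maskEntry(key: string, value: unknown): unknown {
  if (PII_KEYS.has(key.toLowerCase())) return "[masked]";
  if (Array.isArray(value)) return value.map((v) => maskEntry("", v));
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value)) out[k] = maskEntry(k, v);
    return out;
  }
  return value;
}

export function maskData(data: Record<string, unknown>): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const [k, v] of Object.entries(data)) out[k] = maskEntry(k, v);
  return out;
}

// BEFORE: masking is applied, but the console sink runs in both modes, so a
// production user with devtools open sees the whole structured event stream.
export function emitLeaky(entry: LogEntry, isDev: boolean, sinks: Sinks): void {
  const masked: LogEntry = { ...entry, data: maskData(entry.data) };
  if (!isDev) sinks.breadcrumb(masked);
  sinks.console(masked);
}

// AFTER: production is breadcrumb-only; the console sink is reached only in dev.
export function emit(entry: LogEntry, isDev: boolean, sinks: Sinks): void {
  const masked: LogEntry = { ...entry, data: maskData(entry.data) };
  if (isDev) {
    sinks.console(masked);
    return;
  }
  sinks.breadcrumb(masked);
}

export interface Trace { console: LogEntry[]; breadcrumb: LogEntry[] }

// Harness in the spirit of the PR's prod-mode test: record what each sink
// receives for one constructed entry under the given mode.
export function trace(emitFn: (e: LogEntry, isDev: boolean, s: Sinks) => void, isDev: boolean): Trace {
  const t: Trace = { console: [], breadcrumb: [] };
  const sinks: Sinks = {
    console: (e) => { t.console.push(e); },
    breadcrumb: (e) => { t.breadcrumb.push(e); },
  };
  emitFn(
    { level: "info", message: "consent.dismissed", data: { userId: 42, email: "user@example.com", meta: { token: "t0k" } } },
    isDev,
    sinks,
  );
  return t;
}
```

The test that locks this in has to run with the mode flag forced to production, exactly as the commit describes (env.DEV mocked false), and assert three things at once: zero console calls, one breadcrumb, and masked values in that breadcrumb. Asserting on masking alone would have passed against the leaky version too, since it also masked before printing.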

agjs merged commit fc27378 into main Jun 3, 2026
29 checks passed
agjs deleted the chore/audit-fixes-20260603-1340 branch June 3, 2026 13:47
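The validate-compose step from F004 asserts that every long-running prod-profile service defines a healthcheck while one-shot jobs (restart "no") are exempt. The block below is an added example of that assertion over a parsed compose configuration; it is not the project's CI step. It assumes the input is the service map as a parser returns it (for instance the JSON that docker compose config emits), and the service names, images and probe commands in the sample are constructed for illustration.

```typescript
// Added example (not the project's CI step): the assertion behind a
// validate-compose check that every long-running prod-profile service defines
// a healthcheck. Input is the parsed service map, e.g. what
// `docker compose --profile prod config --format json` emits (an assumption
// about the source; any parser output of the same shape works). Names and the
// sample config are this example's own.

export interface HealthCheck {
  test?: string | string[];
  disable?: boolean;
  interval?: string;
}

export interface ComposeService {
  image?: string;
  profiles?: string[];
  restart?: string;
  healthcheck?: HealthCheck;
}

export interface ComposeConfig {
  services: Record<string, ComposeService>;
}

// A healthcheck counts only if it is present, not disabled, and has a real
// test command; `disable: true` and `test: ["NONE"]` both switch probing off.
function hasEffectiveHealthcheck(svc: ComposeService): boolean {
  const hc = svc.healthcheck;
  if (hc === undefined || hc.disable === true || hc.test === undefined) return false;
  const test = Array.isArray(hc.test) ? hc.test : [hc.test];
  return test.length > 0 && test[0] !== "NONE";
}

export function findMissingHealthchecks(cfg: ComposeConfig, profile = "prod"): string[] {
  const missing: string[] = [];
  for (const [name, svc] of Object.entries(cfg.services)) {
    // Services with no profiles are always enabled, so they count for every profile.
    const active = svc.profiles === undefined || svc.profiles.length === 0 || svc.profiles.includes(profile);
    if (!active) continue;
    if (svc.restart === "no") continue; // one-shot job (migration, seed): exempt
    if (!hasEffectiveHealthcheck(svc)) missing.push(name);
  }
  return missing.sort();
}

// Constructed sample mirroring the situation the PR describes before the fix:
// ui and api probe /healthz, traefik has no healthcheck, migrate is a one-shot.
export const SAMPLE_COMPOSE: ComposeConfig = {
  services: {
    traefik: { image: "traefik:v3", restart: "unless-stopped" },
    ui: {
      profiles: ["prod"], restart: "unless-stopped",
      healthcheck: { test: ["CMD", "wget", "-qO-", "http://127.0.0.1/healthz"], interval: "30s" },
    },
    api: {
      profiles: ["prod"], restart: "unless-stopped",
      healthcheck: { test: ["CMD-SHELL", "curl -fsS http://127.0.0.1:3000/healthz || exit 1"] },
    },
    migrate: { profiles: ["prod"], restart: "no" },
    worker: { profiles: ["prod"], restart: "unless-stopped", healthcheck: { disable: true } },
    "ui-dev": { profiles: ["dev"] },
  },
};
```

Two caveats a reviewer would raise before relying on this in CI. A HEALTHCHECK baked into the image does not appear in the compose config, so the rule really does require the compose file to define the probe explicitly, which is what the F004 commit says it asserts. And the restart "no" exemption is a policy choice: a long-running service that happens to set restart "no" would slip through, so it is worth listing the exempted services in the CI log rather than skipping them silently.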