hobokenchicken/GopherGate
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dd54c14ff8312bd07048b63ab974a7b5f268e1e7
GopherGate/PLAN.md
hobokenchicken 633b69a07b
Some checks failed
CI / Check (push) Has been cancelled
Details
CI / Clippy (push) Has been cancelled
Details
CI / Formatting (push) Has been cancelled
Details
CI / Test (push) Has been cancelled
Details
CI / Release Build (push) Has been cancelled
Details
docs: sync documentation with current implementation and archive stale plan
2026-03-06 14:28:04 -05:00

2.7 KiB
Raw Blame History

Project Plan: LLM Proxy Enhancements & Security Upgrade

This document outlines the roadmap for standardizing frontend security, cleaning up the codebase, upgrading session management to HMAC-signed tokens, and extending integration testing.

Phase 1: Frontend Security Standardization

Primary Agent: frontend-developer

  • Audit static/js/pages/users.js for manual HTML string concatenation.
  • Replace custom escaping or unescaped injections with window.api.escapeHtml.
  • Verify user list and user detail rendering for XSS vulnerabilities.

Phase 2: Codebase Cleanup

Primary Agent: backend-developer

  • Identify and remove unused imports in src/config/mod.rs.
  • Identify and remove unused imports in src/providers/mod.rs.
  • Run cargo clippy and cargo fmt to ensure adherence to standards.

Phase 3: HMAC Architectural Upgrade

Primary Agents: fullstack-developer, security-auditor, backend-developer

3.1 Design (Security Auditor)

  • Define Token Structure: base64(payload).signature.
    • Payload: { "session_id": "...", "username": "...", "role": "...", "exp": ... }
  • Select HMAC algorithm (HMAC-SHA256).
  • Define environment variable for secret key: SESSION_SECRET.

3.2 Implementation (Backend Developer)

  • Refactor src/dashboard/sessions.rs:
    • Integrate hmac and sha2 crates (or similar).
    • Update create_session to return signed tokens.
    • Update validate_session to verify signature before checking store.
  • Implement activity-based session refresh:
    • If session is valid and >50% through its TTL, extend expires_at and issue new signed token.

3.3 Integration (Fullstack Developer)

  • Update dashboard API handlers to handle new token format.
  • Update frontend session storage/retrieval if necessary.

Phase 4: Extended Integration Testing

Primary Agent: qa-automation

  • Setup test environment with encrypted key storage enabled.
  • Implement end-to-end flow:
    1. Store encrypted provider key via API.
    2. Authenticate through Proxy.
    3. Make proxied LLM request (verifying decryption and usage).
  • Validate HMAC token expiration and refresh logic in automated tests.

Phase 5: Code Quality & Refactoring

Primary Agent: fullstack-developer

  • Refactor dashboard monolith into modular sub-modules (auth.rs, usage.rs, etc.).
  • Standardize error handling and remove unwrap() in production paths.
  • Implement system health metrics and backup functionality.

Technical Standards

  • Rust: No unwrap() in production code; use proper error handling (Result).
  • Frontend: Always use window.api wrappers for sensitive operations.
  • Security: Secrets must never be logged or hardcoded.
Reference in New Issue View Git Blame Copy Permalink