cw2007/POSA_Copyrighter
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

docs: record remediation implementation status in plan

Browse source
This commit is contained in:
유창욱 2026-06-20 20:57:02 +09:00
parent da917755dd
commit bd35cf6f3f
1 changed files with 33 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

34
docs/superpowers/plans/2026-06-20-project-review-remediation.md
View file

@ -514,10 +514,42 @@ For EACH module above, repeat this micro-cycle:
--- ---
## Implementation status (2026-06-20)
All HIGH/MEDIUM/LOW findings implemented, tested, and committed on branch
`fix/project-review-remediation`; full suite **400 passed**. Commits:
- Phase 1 (HTTP hardening) → `e9a15e8`; auth reworked to HttpOnly cookie after
security review → `1abb110`.
- Phase 2 (WAL/busy_timeout/atomic decision) → `20a6f55`.
- Phase 3 (deps manifest + offline runbook) → `8958dd1`.
- Phase 4 (SSRF guard) → `62e2d18`.
- Phase 5 + 6 (PII retention purge, transmission audit, provider-counter
atomicity, promote idempotency, seed serialization, LLM short-circuit,
migration crash-safety) + Phase 7 tests + Task 20 readiness → `7f5799e`.
- Phase 8 (frontend safeUrl/apiJson/onerror) → `f8aa10f`; protocol-relative
URL fix after security review → `7317bfb`.
### Phase 9 (god-file split) — partial
Done as behavior-preserving module extractions (suite-gated), `sqlite_store.py`
5333 → ~4955 lines:
- `store_url_utils.py` (URL helpers) → `e66f9d5`
- `store_remote_fetch.py` (fetch + SSRF + opener) and `store_schema.py`
(DDL/typed-columns/constraint migration) → `da91775`
Remaining (in progress / follow-up): the `CopyrighterStore` class methods are
the bulk and need class-level decomposition (mixin modules), which first
requires extracting the shared module-level helpers (serialization/text/id +
the 670-line `_PageImageParser` + css/page extraction, currently coupled to
`_normalized_image_url`/`_unique_texts`) into shared modules to avoid circular
imports. NOT a pure no-op like the prior extractions; gate each step on the
full suite. Cross-file URL-helper dedup (Task 28) is intentionally NOT done —
the integration adapters' suffix policy diverges from the store's (`.svg`).
## Deferred (explicitly out of this plan, log as follow-ups) ## Deferred (explicitly out of this plan, log as follow-ups)
- Full `GovernancePolicyRegistry` role enforcement on every read/serve path (Task 2 + Task 9 cover the high-impact subset). - Full `GovernancePolicyRegistry` role enforcement on every read/serve path (Task 2 + Task 9 cover the high-impact subset).
- `mark_evidence_status` atomic state+audit transaction (same pattern as `record_decision`; deferred per Phase 2 note).
- `rerun_enrichment` per-submission in-progress lock (LOW; cosmetic `lastRerunDiff` only). - `rerun_enrichment` per-submission in-progress lock (LOW; cosmetic `lastRerunDiff` only).
- `seed_from_image_store` per-row claim lock (MEDIUM; converges on data, dup side-effects only) — mitigated once auth limits operators.
- Optimistic-concurrency `version` column on submissions (LOW). - Optimistic-concurrency `version` column on submissions (LOW).
## Self-review notes ## Self-review notes