F-002 fix: Remove secrets and externalize config

This commit is contained in:
rikrdo
2026-05-25 08:00:05 +02:00
parent d3a558352d
commit 3d41579ad3
58 changed files with 1192807 additions and 52 deletions

View File

@@ -0,0 +1,31 @@
# Architect Artefact — Feature: F-001
## SDD Changes
- Added `spec/sdd/architecture.md`
- Added component docs:
- `spec/sdd/components/legacy-web-module.md`
- `spec/sdd/components/bulk-seo-worker.md`
- `spec/sdd/components/development-data-baseline.md`
- Added ADR:
- `spec/sdd/decisions/001-store-legacy-app-under-project-web.md`
## BDD Coverage
- Added `spec/bdd/features/layout/legacy-app-layout.feature`
- Coverage target:
- stable web module path
- stable SQL dump path
- design trace exists
## Technical decisions
- Use `project/web/index/new` as stable repo path for copied legacy web code.
- Use `project/sql/db-25052026.sql` as stable path for local dev dump.
- Keep legacy internal module tree unchanged in this feature.
## Risks found
- Legacy code has hard-coded secrets and production URLs.
- External files `login.php` and `success.php` are not in repo.
- SQL dump may contain production-like data.
## Next step
- Move files with no content change.
- Re-run verify after move.

View File

@@ -0,0 +1,24 @@
# Documenter Artefact — Feature: F-001
## What changed
- Added SDD record for legacy PHP product module.
- Added ADR for stable repo layout.
- Added BDD trace for layout move.
- Moved legacy web code to `project/web/index/new`.
- Moved SQL dump to `project/sql/db-25052026.sql`.
## Files to know
- `spec/sdd/architecture.md`
- `spec/sdd/components/legacy-web-module.md`
- `spec/sdd/components/bulk-seo-worker.md`
- `spec/sdd/components/development-data-baseline.md`
- `spec/sdd/decisions/001-store-legacy-app-under-project-web.md`
- `spec/bdd/features/layout/legacy-app-layout.feature`
- `project/web/index/new/`
- `project/sql/db-25052026.sql`
## Notes for next feature
- Remove secrets from PHP files.
- Externalize DB and API config.
- Replace production-coupled URLs and missing external dependencies.
- Move runtime logs out of web tree.

View File

@@ -0,0 +1,38 @@
# Implementer Artefact — Feature: F-001
## Summary
Moved legacy PHP module into stable ARNES project path.
Moved SQL dump into stable project data path.
Kept legacy module internal tree unchanged.
Updated local project path docs.
## Changes
- moved `project/new` -> `project/web/index/new`
- moved `project/db-25052026.sql` -> `project/sql/db-25052026.sql`
- updated `project/README.md`
- updated `spec/tech.md`
- updated `work/current.md`
## Evidence
- before file count in module: `124`
- after file count in module: `124`
- before size of module: `640K`
- after size of module: `640K`
- SQL dump present after move: `project/sql/db-25052026.sql` (`229M`)
- old path removed: `project/new`
- verify result: `./scripts/verify.sh` OK
## Checks run
- `find project/new -type f | wc -l`
- `du -sh project/new project/db-25052026.sql`
- `mv project/new project/web/index/new`
- `mv project/db-25052026.sql project/sql/db-25052026.sql`
- `find project -maxdepth 4 | sort`
- `find project/web/index/new -type f | wc -l`
- `du -sh project/web/index/new project/sql/db-25052026.sql`
- `./scripts/verify.sh`
## Notes
- No functional refactor done.
- No secret cleanup done.
- External dependencies `login.php` and `success.php` still live outside repo.

View File

@@ -0,0 +1,22 @@
{
"feature_id": "F-001",
"agent": "qa",
"verdict": "APPROVED",
"summary": "Acceptance criteria for layout move are satisfied. Design trace exists, target paths exist, old path is removed, and core harness verification is green.",
"traceability": [
"AC: SDD docs exist and explain current legacy app structure -> spec/sdd/architecture.md and component docs created",
"AC: ADR records why code moves under project/web and SQL under project/sql -> spec/sdd/decisions/001-store-legacy-app-under-project-web.md",
"AC: Legacy code is moved with same contents and no file loss -> implementer evidence shows same file count and size before/after",
"AC: SQL dump is kept as local development baseline in project/sql -> project/sql/db-25052026.sql exists and is referenced in docs",
"AC: verify.sh is green -> ./scripts/verify.sh passed after move"
],
"evidence": [
"Reviewed spec/bdd/features/layout/legacy-app-layout.feature",
"Reviewed work/artifacts/F-001/implementer.md",
"Checked project/web/index/new exists",
"Checked project/sql/db-25052026.sql exists",
"Checked project/new is removed",
"Checked ./scripts/verify.sh output is OK"
],
"timestamp": "2026-05-25T05:45:00Z"
}

View File

@@ -0,0 +1,14 @@
{
"feature_id": "F-001",
"agent": "reviewer",
"verdict": "APPROVED",
"summary": "Layout move is correct. SDD and BDD trace exist. Legacy module and SQL dump now live in explicit stable paths. No file loss was found in move evidence.",
"evidence": [
"Reviewed work/artifacts/F-001/architect.md",
"Reviewed work/artifacts/F-001/implementer.md",
"Checked project tree under project/web/index/new and project/sql/db-25052026.sql",
"Confirmed old path project/new is removed",
"Confirmed ./scripts/verify.sh is green"
],
"timestamp": "2026-05-25T05:45:00Z"
}

View File

@@ -0,0 +1,52 @@
{
"feature_id": "F-001",
"agent": "security",
"verdict": "CHANGES_REQUESTED",
"summary": "Legacy code still contains hard-coded API credentials, database credentials, and production-coupled endpoints inside versioned files. Feature cannot pass security gate until secrets are removed or externalized.",
"checks": [
"secret scan",
"input and config review",
"repo path review"
],
"findings": [
{
"severity": "high",
"title": "Hard-coded API credential in legacy PHP files",
"status": "open",
"paths": [
"project/web/index/new/describe.php",
"project/web/index/new/worker_bulk.php",
"project/web/index/new/productos_bulk_update.php"
]
},
{
"severity": "high",
"title": "Hard-coded database credentials in versioned PHP files",
"status": "open",
"paths": [
"project/web/index/new/worker_bulk.php",
"project/web/index/new/productos_modificados.php",
"project/web/index/new/productos_bulk_update.php",
"project/web/index/new/db/conn.php"
]
},
{
"severity": "medium",
"title": "Code is coupled to production URLs and external auth/success endpoints",
"status": "open",
"paths": [
"project/web/index/new/index.php",
"project/web/index/new/inc/header.php",
"project/web/index/new/productos_modificados.php",
"project/web/index/new/productos_bulk_update.php"
]
}
],
"evidence": [
"Ran secret scan on project/web/index/new excluding logs",
"Found hard-coded API and DB credentials in PHP source files",
"Found production URL coupling and external endpoint references",
"Reviewed ADR risk note that secrets remain in repo"
],
"timestamp": "2026-05-25T05:45:00Z"
}