# Security & Quality Checklist

## Critical Security Issues (Must Fix Before Production)

### Database Security

- [x] **SQL Injection in GetNotes()** (15 min)
  - File: `internal/store/sqlite.go:208`
  - Change: Use parameterized query for LIMIT clause
  - Impact: Prevents SQL injection attacks
- [ ] **SQLite Concurrency Configuration** (30 min)
  - File: `internal/store/sqlite.go:22-30`
  - Change: Set `MaxOpenConns(1)`, enable WAL mode
  - Impact: Prevents "database is locked" errors under concurrent load
- [ ] **Database File Permissions** (15 min)
  - File: `internal/store/sqlite.go:22-24`
  - Change: Set file to 0600, create dir with 0700
  - Impact: Prevents unauthorized access to cached data

### Input/Output Security

- [ ] **Path Traversal in Obsidian** (1 hour)
  - File: `internal/api/obsidian.go:49-70`
  - Change: Validate paths stay within vault, skip symlinks
  - Impact: Prevents arbitrary file read attacks

### Network Security

- [ ] **HTTPS Support** (1 hour)
  - File: `cmd/dashboard/main.go:86-94`
  - Change: Add TLS configuration and ListenAndServeTLS
  - Impact: Prevents credential theft via network sniffing

---

## High Priority Issues (Should Fix Soon)

### Concurrency & Performance

- [ ] **Context Cancellation in Goroutines** (30 min)
  - File: `internal/handlers/handlers.go:151-207`
  - Change: Check `ctx.Done()` before locking mutex in each goroutine
  - Impact: Prevents goroutine leaks and resource exhaustion
- [ ] **Parallelize Trello Card Fetching** (1 hour)
  - File: `internal/api/trello.go:196-204`
  - Change: Use goroutines with bounded concurrency for card fetching
  - Impact: Reduces API call time from N+1 sequential to parallel
- [ ] **Reduce Mutex Contention in aggregateData** (45 min)
  - File: `internal/handlers/handlers.go:154-205`
  - Change: Store results locally, lock only for final assignment
  - Impact: Better parallelism, faster page loads
- [ ] **HTTP Client Connection Pooling** (30 min)
  - File: `internal/api/*.go` (all clients)
  - Change: Configure Transport with MaxIdleConns, MaxIdleConnsPerHost
  - Impact: Prevents port exhaustion and API rate limiting

### Security Hardening

- [ ] **Rate Limiting on Endpoints** (1 hour)
  - File: `cmd/dashboard/main.go:67, 73`
  - Change: Add rate limiting middleware
  - Impact: Prevents DoS attacks and API quota exhaustion
- [ ] **CSRF Protection** (2 hours)
  - File: `cmd/dashboard/main.go:67`
  - Change: Add CSRF middleware for POST endpoints
  - Impact: Prevents cross-site request forgery (needed for Phase 2)
- [ ] **Sanitize API Keys in Logs** (30 min)
  - File: `internal/api/*.go` (all clients)
  - Change: Redact keys/tokens in error messages
  - Impact: Prevents credential leaks via log files

### Error Handling

- [ ] **Check JSON Unmarshal Errors** (30 min)
  - File: `internal/store/sqlite.go:155, 234`
  - Change: Log errors, provide defaults
  - Impact: Prevents silent data loss
- [ ] **Sanitize Error Messages** (1 hour)
  - File: `internal/handlers/handlers.go` (multiple locations)
  - Change: Return generic errors to users, log details internally
  - Impact: Prevents information disclosure

---

## Medium Priority Issues (Nice to Have)

### Code Quality

- [ ] **Database Connection Health Check** (15 min)
  - File: `internal/store/sqlite.go:22-30`
  - Change: Add `db.Ping()` after opening connection
  - Impact: Fail fast on database issues
- [ ] **Null Object Pattern for Optional Clients** (1 hour)
  - File: `internal/handlers/handlers.go`, `cmd/dashboard/main.go`
  - Change: Implement null objects instead of nil checks
  - Impact: Eliminates nil pointer risks
- [ ] **Context Timeouts for Database Operations** (2 hours)
  - File: `internal/store/sqlite.go` (all methods)
  - Change: Use `QueryContext`, `ExecContext`, add context parameters
  - Impact: Prevents indefinite blocking
- [ ] **Validate API Response Data** (2 hours)
  - File: `internal/api/*.go` (all clients)
  - Change: Add validation functions for API responses
  - Impact: Protection against malicious API servers

### Testing

- [ ] **Add Edge Case Tests** (2 hours)
  - Files: Various test files
  - Tests: Empty responses, malformed JSON, network errors
  - Impact: More robust error handling

### Security Headers

- [ ] **Add Security Headers Middleware** (30 min)
  - File: `cmd/dashboard/main.go`
  - Change: Add X-Frame-Options, CSP, X-Content-Type-Options, etc.
  - Impact: Defense in depth
- [ ] **Content Security Policy** (1 hour)
  - File: `cmd/dashboard/main.go`
  - Change: Add CSP header with appropriate directives
  - Impact: XSS protection

### Configuration

- [ ] **Validate Config at Startup** (30 min)
  - File: `internal/config/config.go:61-76`
  - Change: Add token strength validation, file path checks
  - Impact: Fail fast on misconfiguration
- [ ] **Make HTTP Timeouts Configurable** (30 min)
  - File: `internal/api/*.go` (all clients)
  - Change: Add `APITimeoutSeconds` to config
  - Impact: Flexibility for different environments

---

## Low Priority / Future Enhancements

### Monitoring & Observability

- [ ] **Structured Logging** (4 hours)
  - Change: Replace log.Printf with structured logger (zap/zerolog)
  - Impact: Better log analysis and debugging
- [ ] **Health Check Endpoint** (30 min)
  - File: `cmd/dashboard/main.go`
  - Change: Add `/health` endpoint checking DB, API connectivity
  - Impact: Better monitoring
- [ ] **Metrics Collection** (4 hours)
  - Change: Add Prometheus metrics for API calls, cache hits, errors
  - Impact: Performance monitoring

### Code Organization

- [ ] **Extract Constants** (1 hour)
  - Files: Various
  - Change: Move magic numbers to constants
  - Impact: Better maintainability
- [ ] **Standardize Error Messages** (1 hour)
  - Files: Various
  - Change: Consistent capitalization and formatting
  - Impact: Better UX

### Database

- [ ] **Database Encryption at Rest** (2 hours)
  - File: `internal/store/sqlite.go`
  - Change: Use SQLCipher
  - Impact: Data protection
- [ ] **Migration Versioning Table** (1 hour)
  - File: `internal/store/sqlite.go:41-68`
  - Change: Track which migrations have run
  - Impact: Better migration management

---

## Estimated Time Summary

| Priority | Count | Estimated Time |
|----------|-------|----------------|
| Critical | 4 items | ~2.5 hours |
| High | 7 items | ~6.5 hours |
| Medium | 8 items | ~9.5 hours |
| Low | 8 items | ~14 hours |
| **Total** | **27 items** | **~32.5 hours** |

### Recommended Sprint 1 (Critical + High Priority)

- **Duration**: 1-2 weeks part-time
- **Items**: 11 items
- **Time**: ~9 hours
- **Focus**: Security hardening and performance

### Recommended Sprint 2 (Medium Priority)

- **Duration**: 1-2 weeks part-time
- **Items**: 8 items
- **Time**: ~9.5 hours
- **Focus**: Code quality and testing

---

## Quick Wins (< 30 minutes each)

These can be done in small chunks:

1. ✓ SQL injection fix (15 min)
2. ✓ Database permissions (15 min)
3. ✓ Health check endpoint (15 min)
4. ✓ Security headers middleware (30 min)
5. ✓ Database ping check (15 min)
6. ✓ Check JSON unmarshal errors (30 min)
7. ✓ Extract constants (30 min)
8. ✓ Config validation (30 min)

**Total Quick Wins**: ~3.5 hours, addresses 8 issues

---

## Notes

- Priority order considers both security impact and implementation effort
- Times are estimates for an experienced Go developer
- Some items may reveal additional issues during implementation
- Testing time not included (add ~30% for comprehensive testing)
- Code review time not included (add ~20% for peer review)
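The "Path Traversal in Obsidian" item asks that a requested note path be validated to stay inside the vault and that symlinks be skipped. The block below is an added example of such a check, not code from the project: the names `SafeVaultPath`, `ErrOutsideVault` and `ErrSymlink`, and the temp-dir vault it builds for the demo, are assumptions. Two things it shows that the one-line item does not: cleaning the joined path before the containment check (so `notes/../../x` is compared as the path that would really be opened), and checking every component with `os.Lstat` because lexical containment says nothing about where a symlink inside the vault points.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Sentinel errors (assumed names) so a handler can map them to a 4xx response.
var (
	ErrOutsideVault = errors.New("path escapes vault root")
	ErrSymlink      = errors.New("path contains a symbolic link")
)

// SafeVaultPath resolves a client-supplied, vault-relative note path to an
// absolute on-disk path, refusing anything that would leave the vault
// lexically ("..") or through a symbolic link at any component.
func SafeVaultPath(vaultRoot, requested string) (string, error) {
	root, err := filepath.Abs(vaultRoot)
	if err != nil {
		return "", err
	}
	// Note paths are always relative to the vault; an absolute request is
	// never legitimate, so reject it instead of letting Join "contain" it.
	if filepath.IsAbs(requested) {
		return "", ErrOutsideVault
	}
	// Join cleans the result, so "notes/../../x" collapses to the path that
	// would really be opened and the containment check sees that path.
	full := filepath.Join(root, requested)
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideVault
	}
	// Lexical containment is not enough: a symlink inside the vault can point
	// anywhere on disk. Lstat (which does not follow links) every component
	// below the root and refuse the request if any of them is a symlink.
	cur := root
	for _, part := range strings.Split(rel, string(filepath.Separator)) {
		if part == "." { // requested "" resolves to the vault root itself
			continue
		}
		cur = filepath.Join(cur, part)
		info, err := os.Lstat(cur)
		if err != nil {
			return "", err // usually fs.ErrNotExist: the note does not exist
		}
		if info.Mode()&os.ModeSymlink != 0 {
			return "", ErrSymlink
		}
	}
	return full, nil
}

func main() {
	// Constructed demo vault in a temp dir: one real note plus a symlink that
	// points at a file outside the vault.
	root, err := os.MkdirTemp("", "vault")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	outsideFile := filepath.Join(os.TempDir(), "outside-the-vault.txt")
	os.MkdirAll(filepath.Join(root, "notes"), 0o700)
	os.WriteFile(filepath.Join(root, "notes", "daily.md"), []byte("# daily"), 0o600)
	os.Symlink(outsideFile, filepath.Join(root, "notes", "escape.md"))

	requests := []string{"notes/daily.md", "../outside-the-vault.txt", "notes/../../x", "notes/escape.md", "notes/missing.md"}
	for _, req := range requests {
		p, err := SafeVaultPath(root, req)
		fmt.Printf("%-26s -> path=%q err=%v\n", req, p, err)
	}
}
```

Callers should map `ErrOutsideVault` and `ErrSymlink` to the same generic client error rather than echoing the resolved path, in line with the "Sanitize Error Messages" item.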
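The three "Concurrency & Performance" items (check `ctx.Done()` in each goroutine, bounded concurrency for card fetching, keep results local and lock only for the final assignment) describe one pattern, so here is one added example covering all three. It is not the project's code: `Card`, `FetchCards` and the injected `fetch` function are assumptions standing in for the Trello client. The semaphore is a buffered channel, every goroutine gives up while waiting for a slot if the request context is cancelled, each worker writes into its own slice index so no mutex is needed for results, and the only lock guards the first error.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Card stands in for the Trello card type the dashboard aggregates (assumption).
type Card struct {
	ID   string
	Name string
}

// FetchCards fetches every card in ids through fetch, with at most maxInFlight
// calls running at once. It stops spawning work as soon as ctx is cancelled,
// and each worker re-checks ctx before doing anything, so a client that
// disconnects does not leave goroutines behind.
func FetchCards(ctx context.Context, ids []string, maxInFlight int,
	fetch func(ctx context.Context, id string) (Card, error)) ([]Card, error) {
	if maxInFlight < 1 {
		return nil, errors.New("maxInFlight must be >= 1")
	}
	results := make([]Card, len(ids)) // each worker owns exactly one slot: no lock needed
	sem := make(chan struct{}, maxInFlight)
	var (
		wg       sync.WaitGroup
		mu       sync.Mutex // guards firstErr only
		firstErr error
	)
	for i, id := range ids {
		// Don't start new work once the request is gone.
		if ctx.Err() != nil {
			break
		}
		wg.Add(1)
		go func(i int, id string) {
			defer wg.Done()
			// Acquire a slot, but give up immediately if ctx is cancelled while waiting.
			select {
			case sem <- struct{}{}:
				defer func() { <-sem }()
			case <-ctx.Done():
				return
			}
			card, err := fetch(ctx, id) // network call; the result stays local
			if err != nil {
				mu.Lock()
				if firstErr == nil {
					firstErr = fmt.Errorf("card %s: %w", id, err)
				}
				mu.Unlock()
				return
			}
			results[i] = card // final assignment into a disjoint slot
		}(i, id)
	}
	wg.Wait()
	if err := ctx.Err(); err != nil {
		return nil, err
	}
	if firstErr != nil {
		return nil, firstErr
	}
	return results, nil
}

func main() {
	// Constructed fake client: each "API call" takes 20ms and honours ctx.
	fetch := func(ctx context.Context, id string) (Card, error) {
		select {
		case <-time.After(20 * time.Millisecond):
			return Card{ID: id, Name: "card " + id}, nil
		case <-ctx.Done():
			return Card{}, ctx.Err()
		}
	}
	ids := make([]string, 12)
	for i := range ids {
		ids[i] = fmt.Sprintf("c%02d", i)
	}
	start := time.Now()
	cards, err := FetchCards(context.Background(), ids, 4, fetch)
	fmt.Printf("%d cards in %v (err=%v)\n", len(cards), time.Since(start).Round(time.Millisecond), err)

	// A client that disconnects: remaining workers are never started.
	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Millisecond)
	defer cancel()
	_, err = FetchCards(ctx, ids, 4, fetch)
	fmt.Println("cancelled run:", err)
}
```

With 12 ids and a bound of 4 the first run takes about three 20ms rounds instead of twelve sequential calls; the second run returns `context deadline exceeded` and no goroutine outlives the call because `wg.Wait()` only returns once every worker has either finished or bailed out on `ctx.Done()`.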
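The "Rate Limiting on Endpoints" and "Add Security Headers Middleware" / "Content Security Policy" items all become wrappers around the dashboard's handler, so one added example shows both middlewares chained together. This is not the project's code and uses only the standard library: `SecurityHeaders`, `RateLimiter` and the CSP directives are assumptions (the directives fit a dashboard that serves its own assets, as the checklist's "appropriate directives" leaves open). Two practitioner details are built in: the limiter keys on `RemoteAddr`, not the spoofable `X-Forwarded-For` header, and the header middleware is the outermost wrapper so that even a 429 from the limiter carries the headers.

```go
package main

import (
	"fmt"
	"math"
	"net"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// SecurityHeaders wraps a handler so every response, including error
// responses produced by inner middleware, carries the defense-in-depth
// headers from the checklist. It should be the outermost wrapper.
func SecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("X-Frame-Options", "DENY")
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("Referrer-Policy", "no-referrer")
		// The dashboard serves its own assets, so 'self' is enough; if a
		// third-party script or font is added later, extend only that directive.
		h.Set("Content-Security-Policy",
			"default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'")
		next.ServeHTTP(w, r)
	})
}

// RateLimiter is a per-client token bucket using only the standard library.
// Assumption: a single dashboard process, so in-memory state is sufficient.
type RateLimiter struct {
	mu      sync.Mutex
	buckets map[string]*bucket
	rate    float64          // tokens refilled per second
	burst   float64          // bucket capacity, i.e. the largest allowed burst
	Now     func() time.Time // injectable clock so refill can be tested
}

type bucket struct {
	tokens float64
	last   time.Time
}

func NewRateLimiter(perSecond, burst float64) *RateLimiter {
	return &RateLimiter{buckets: map[string]*bucket{}, rate: perSecond, burst: burst, Now: time.Now}
}

// Allow reports whether key may proceed now, consuming one token if so.
func (l *RateLimiter) Allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.Now()
	b, ok := l.buckets[key]
	if !ok {
		b = &bucket{tokens: l.burst, last: now}
		l.buckets[key] = b
	}
	elapsed := now.Sub(b.last).Seconds()
	b.tokens = math.Min(l.burst, b.tokens+elapsed*l.rate)
	b.last = now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	// Keep the map from growing without bound on a long-running server:
	// drop clients that have been idle long enough to be full again.
	if len(l.buckets) > 10000 {
		for k, old := range l.buckets {
			if now.Sub(old.last).Seconds()*l.rate >= l.burst {
				delete(l.buckets, k)
			}
		}
	}
	return true
}

// Middleware rejects over-quota clients with 429 before the handler runs.
// The key is the TCP peer address: X-Forwarded-For is client-controlled
// unless a trusted proxy sets it, so it is deliberately not used here.
func (l *RateLimiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil {
			host = r.RemoteAddr
		}
		if !l.Allow(host) {
			w.Header().Set("Retry-After", "1")
			http.Error(w, http.StatusText(http.StatusTooManyRequests), http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	dashboard := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	})
	limiter := NewRateLimiter(5, 10) // 5 req/s sustained, bursts of 10
	handler := SecurityHeaders(limiter.Middleware(dashboard))
	// Drive the chain in-process with a constructed client address.
	for i := 0; i < 12; i++ {
		rec := httptest.NewRecorder()
		req := httptest.NewRequest(http.MethodGet, "/", nil)
		req.RemoteAddr = "203.0.113.10:51000"
		handler.ServeHTTP(rec, req)
		fmt.Printf("request %2d -> %d  CSP=%q\n", i+1, rec.Code, rec.Header().Get("Content-Security-Policy"))
	}
}
```

In `cmd/dashboard/main.go` the same chain would wrap the mux passed to the server; if the dashboard is ever put behind a reverse proxy, the limiter key must be taken from the proxy's forwarded address instead, and only from that proxy.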
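"Sanitize API Keys in Logs" (redact keys/tokens in error messages) and "Sanitize Error Messages" (generic errors to users, details logged internally) are two halves of the same handler path, so they share one added example. It is not the project's code: `Redact`, `StatusFor`, `WriteError`, the `ErrNotFound` sentinel and the set of redaction patterns are assumptions. The patterns cover the shapes a credential typically takes inside a Go `net/http` error string (Trello-style `key=`/`token=` query parameters, `Authorization` / `X-API-Key` header values, bare bearer tokens, URL userinfo) and keep the surrounding context, so the log still says which parameter or host was involved.

```go
package main

import (
	"bytes"
	"context"
	"errors"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// ErrNotFound is a sentinel the API clients are assumed to return for a
// missing resource (assumed name, not taken from the project).
var ErrNotFound = errors.New("resource not found")

// secretPatterns cover the usual ways a credential ends up in an error
// string. Group 1 (and 2) preserve the context around the secret so the
// redacted message still says which parameter or host was involved.
var secretPatterns = []struct {
	re   *regexp.Regexp
	repl string
}{
	{regexp.MustCompile(`(?i)([?&](?:key|token|api_key|apikey|access_token)=)[^&\s"']+`), "${1}[REDACTED]"},
	{regexp.MustCompile(`(?i)((?:authorization|x-api-key):\s*)[^\r\n]+`), "${1}[REDACTED]"},
	{regexp.MustCompile(`(?i)(bearer\s+)\S+`), "${1}[REDACTED]"},
	{regexp.MustCompile(`(https?://[^:/@\s]+:)[^@/\s]+(@)`), "${1}[REDACTED]${2}"},
}

// Redact strips credential values from s before it is logged.
func Redact(s string) string {
	for _, p := range secretPatterns {
		s = p.re.ReplaceAllString(s, p.repl)
	}
	return s
}

// StatusFor maps an internal error to the status the user should see.
func StatusFor(err error) int {
	switch {
	case errors.Is(err, ErrNotFound):
		return http.StatusNotFound
	case errors.Is(err, context.DeadlineExceeded):
		return http.StatusGatewayTimeout
	default:
		return http.StatusBadGateway // any other upstream failure
	}
}

// WriteError logs the detailed, redacted cause and sends the user only the
// generic status text, so upstream URLs, hosts and credentials never reach
// the browser.
func WriteError(w http.ResponseWriter, logger *log.Logger, err error) {
	status := StatusFor(err)
	logger.Printf("handler error (%d): %s", status, Redact(err.Error()))
	http.Error(w, http.StatusText(status), status)
}

func main() {
	var logBuf bytes.Buffer
	logger := log.New(&logBuf, "dashboard: ", 0)
	// Constructed error in the shape net/http produces when a Trello call
	// fails; the key and token values are made up.
	err := fmt.Errorf("fetch boards: %w", errors.New(
		`Get "https://api.trello.com/1/members/me/boards?key=0123456789abcdef&token=ffffffff": 401 Unauthorized`))
	rec := httptest.NewRecorder()
	WriteError(rec, logger, err)
	fmt.Printf("user sees: %d %s", rec.Code, rec.Body.String())
	fmt.Printf("log gets : %s", logBuf.String())
}
```

Redaction runs on the error text, not at the call site, so it also catches secrets that arrive wrapped from deeper layers; the trade-off is that any new credential shape (a different parameter name, a custom header) needs a pattern added here, which is worth a unit test per client.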