fix: code hardening from senior dev audit #40

lerko merged 6 commits from fix/audit-phase1-hardening into main 2026-05-21 01:04:31 +00:00

Summary

Full pass through the codebase addressing gaps found in a senior dev audit. Five phases, all complete:

  • Security: Cap API list limit at 200, sanitize markdown output with DOMPurify (XSS fix), tighten ~/.nib dir perms to 0700
  • Data integrity: Add missing DB indexes (deleted_at, modified_at), fix v2 migration swallowed errors, add v4 schema migration
  • CI: Gitea Actions workflow — vet, format check, test with -race, build on every push/PR
  • Architecture: Thread context.Context through all Store methods (18 files) — enables request cancellation, timeouts, graceful shutdown
  • Test coverage: 16 new cmd/ tests covering add, ls, delete, promote, demote, absorb, export, backup (happy + error paths)
  • Features: nib export (JSON dump) and nib backup (atomic VACUUM INTO, WAL-safe)

Test plan

  • go test ./... -count=1 — all pass
  • go build ./... — compiles clean
  • go vet ./... — no issues
  • Verify CI workflow triggers on this PR
  • Smoke test: nib add, nib ls, nib export, nib backup
lerko added 6 commits 2026-05-21 00:55:32 +00:00
- Cap list API limit at 200 to prevent unbounded queries
- Sanitize markdown output with DOMPurify to prevent XSS
- Add v4 migration with indexes on deleted_at and modified_at
- Fix v2 migration swallowed ALTER TABLE errors
- Tighten ~/.nib directory permissions to 0o700
Enables request-scoped cancellation, timeouts, and graceful shutdown
for all database operations across API handlers, CLI commands, and TUI.
Covers happy paths, error cases (not found, already promoted,
already fluid, crystallized target, same-entity absorb), and
empty result sets. Uses NIB_DB env var for test isolation.
- nib export: dump all entities to JSON (stdout or --output file)
- nib backup: atomic SQLite backup via VACUUM INTO (WAL-safe)
- Store.Backup() method on db layer
- Tests for both commands
chore: mark all audit phases complete in TODO
CI / test (pull_request) Failing after 56s
ceb29fdd7b
lerko merged commit eea59b3f3c into main 2026-05-21 01:04:31 +00:00
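Two of the security items above (the 200-row list cap and the 0700 data directory) sketched in Go as an added example; this is not code from the nib repository. The function names, the default of 50, and the temp path standing in for ~/.nib are assumptions. The directory helper covers the case `os.MkdirAll` alone misses: a directory that already exists with looser permissions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
)

const (
	maxListLimit     = 200 // cap stated in the PR summary
	defaultListLimit = 50  // assumed default, not taken from the PR
)

// clampLimit parses a client-supplied list limit and bounds it so a
// single request cannot trigger an unbounded query.
func clampLimit(raw string) int {
	n, err := strconv.Atoi(raw)
	if err != nil || n <= 0 {
		return defaultListLimit
	}
	if n > maxListLimit {
		return maxListLimit
	}
	return n
}

// ensurePrivateDir creates dir with mode 0700 and also tightens a
// directory that already exists; MkdirAll leaves existing modes untouched.
func ensurePrivateDir(dir string) error {
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return err
	}
	info, err := os.Lstat(dir) // Lstat: do not follow a symlink planted at dir
	if err != nil {
		return err
	}
	if !info.IsDir() {
		return fmt.Errorf("%s is not a real directory", dir)
	}
	if info.Mode().Perm() != 0o700 {
		return os.Chmod(dir, 0o700)
	}
	return nil
}

func main() {
	dir := filepath.Join(os.TempDir(), "nib-example") // constructed path
	defer os.RemoveAll(dir)
	fmt.Println(ensurePrivateDir(dir), clampLimit("100000"), clampLimit("abc"))
}
```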

Reference: lerko/nib-v1#40