Security:
- .dockerignore + Dockerfile: stop baking .env / the 346MB OSM pbf into image
layers; install pinned from uv.lock (reproducible builds) (SEC-04/05).
- docker-compose: DB port binds ${DB_BIND_ADDR:-127.0.0.1} — loopback-only by
default; remote tooling moves to an SSH tunnel (SEC-01).
- webhook_receiver: CRITICAL startup warning + WEBHOOK_REQUIRE_TOKEN=1 fail-closed
when JIMI_WEBHOOK_TOKEN is empty (SEC-02 / FIX-W01).
Correctness:
- FIX-M22/E07: capture cur.rowcount BEFORE RELEASE SAVEPOINT in poll_alarms/
poll_trips/poll_parking — the RELEASE reported -1, producing "Alarms: -4 new
events inserted" logs and negative ingestion_log.rows_inserted.
- FIX-W02: parse application/json push bodies (were silently dropped).
- FIX-W03: move webhook DB work off the event loop via asyncio.to_thread.
- FIX-M23: poll_trips phased so no txn/connection is held across Tracksolid +
Nominatim (1 req/s) network calls.
- FIX-M24: sync_devices disables devices absent from every target (guarded).
- FIX-W04: reject device-clock-garbage alarm_time (2019 timestamps observed).
- get_token(): don't relabel already-aware timestamptz expiries (BUG-P9).
Observability/lifecycle:
- migration 21: v_ingest_health restricted to active pipeline endpoints so
one-shot tools stop wedging /health/ingest at 'stale' (dry-run verified).
- FIX-M25: daily purge_audit_logs() trims ingestion_log (90d) + refresh_log (180d).
- remove orphaned duplicate migrations/10_driver_clock_views.sql; ruff lint config.
+5 webhook tests (82 pass). Report/plan/work-log in docs/reports/260702_*.
Local only; not deployed. CLAUDE.md fix-history edits left uncommitted (that file
also carries unrelated in-progress edits).
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
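The SEC-02 / FIX-W01 behaviour described in the message above, as an added example that is not the project's webhook_receiver code: when JIMI_WEBHOOK_TOKEN is empty the receiver either logs at CRITICAL and runs open, or, with WEBHOOK_REQUIRE_TOKEN=1, refuses to start; a configured token is then compared in constant time per push. The page does not say how the token travels on the push request, so `authorize_push` takes the presented value as a string. The `WebhookConfigError` name, the log wording and the whitespace stripping are assumptions.

```python
"""Fail-closed webhook token handling (added example, not the project's code).

Assumed names: WebhookConfigError, load_webhook_token, authorize_push.
The environment variables JIMI_WEBHOOK_TOKEN and WEBHOOK_REQUIRE_TOKEN are
the ones named in the commit message.
"""
import hmac
import logging
from typing import Mapping, Optional

log = logging.getLogger("webhook_receiver")


class WebhookConfigError(RuntimeError):
    """Raised at startup when the configuration is unsafe and fail-closed is on."""


def load_webhook_token(env: Mapping[str, str]) -> Optional[str]:
    """Return the shared token, or None if the receiver is deliberately open.

    Raises WebhookConfigError when WEBHOOK_REQUIRE_TOKEN=1 and no token is set,
    so a misconfigured deployment cannot come up unauthenticated.
    """
    token = (env.get("JIMI_WEBHOOK_TOKEN") or "").strip()
    require = env.get("WEBHOOK_REQUIRE_TOKEN", "0").strip() == "1"
    if token:
        return token
    if require:
        raise WebhookConfigError(
            "JIMI_WEBHOOK_TOKEN is empty and WEBHOOK_REQUIRE_TOKEN=1: refusing to start"
        )
    # Open mode: loud, but the process starts (pre-SEC-02 behaviour with a warning).
    log.critical(
        "JIMI_WEBHOOK_TOKEN is empty: webhook pushes are UNAUTHENTICATED; "
        "set WEBHOOK_REQUIRE_TOKEN=1 to fail closed"
    )
    return None


def authorize_push(expected: Optional[str], presented: Optional[str]) -> bool:
    """Decide whether one push may be processed.

    expected is None only in open mode.  Otherwise the presented value must
    match byte-for-byte; hmac.compare_digest keeps the comparison time
    independent of how many leading bytes were right.
    """
    if expected is None:
        return True
    if not presented:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))
```

At startup the whole check is `TOKEN = load_webhook_token(os.environ)`; the request handler then calls `authorize_push(TOKEN, presented)` before touching the database or the event loop's thread pool.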
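The FIX-M22/E07 ordering bug from the message above, as an added example that is not the project's poll_alarms code. sqlite3 stands in for the PostgreSQL driver because the property is the DB-API one: `cursor.rowcount` describes the cursor's most recent statement and is -1 for non-DML statements such as RELEASE, so reading it after the savepoint is released reports -1 instead of the insert count. The `alarms` table, the two batches and `INSERT OR IGNORE` (in place of whatever conflict handling the project uses) are constructed.

```python
"""Capture rowcount before RELEASE SAVEPOINT (added example, not project code).

sqlite3 is a stand-in for the PostgreSQL driver; the table and batches are
constructed.  insert_events_buggy shows the pre-fix ordering, insert_events_fixed
the post-fix ordering.
"""
import sqlite3
from typing import Sequence, Tuple

Row = Tuple[str, str, str]  # (device_id, alarm_time, kind)

# Constructed sample pushes; BATCH_2 repeats one event from BATCH_1.
BATCH_1: Sequence[Row] = [
    ("dev-01", "2026-07-02T08:00:00Z", "sos"),
    ("dev-01", "2026-07-02T08:05:00Z", "vibration"),
    ("dev-02", "2026-07-02T08:07:00Z", "sos"),
]
BATCH_2: Sequence[Row] = [
    ("dev-02", "2026-07-02T08:07:00Z", "sos"),  # duplicate, ignored
    ("dev-03", "2026-07-02T08:09:00Z", "sos"),  # new
]


def fresh_db() -> sqlite3.Connection:
    """In-memory DB with the UNIQUE key that makes re-polling idempotent."""
    # isolation_level=None: no implicit BEGIN, transactions are explicit below.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(
        "CREATE TABLE alarms (device_id TEXT, alarm_time TEXT, kind TEXT, "
        "UNIQUE (device_id, alarm_time, kind))"
    )
    return conn


def insert_events_buggy(conn: sqlite3.Connection, rows: Sequence[Row]) -> int:
    """Pre-fix ordering: rowcount is read after RELEASE and describes the RELEASE."""
    cur = conn.cursor()
    cur.execute("BEGIN")
    cur.execute("SAVEPOINT ingest")
    try:
        cur.executemany("INSERT OR IGNORE INTO alarms VALUES (?, ?, ?)", rows)
        cur.execute("RELEASE SAVEPOINT ingest")
    except sqlite3.Error:
        cur.execute("ROLLBACK")
        raise
    inserted = cur.rowcount  # -1: the last statement was RELEASE, not the INSERT
    cur.execute("COMMIT")
    return inserted


def insert_events_fixed(conn: sqlite3.Connection, rows: Sequence[Row]) -> int:
    """Post-fix ordering: capture rowcount right after the DML, then release."""
    cur = conn.cursor()
    cur.execute("BEGIN")
    cur.execute("SAVEPOINT ingest")
    try:
        cur.executemany("INSERT OR IGNORE INTO alarms VALUES (?, ?, ?)", rows)
        inserted = cur.rowcount  # rows actually inserted; ignored duplicates count 0
        cur.execute("RELEASE SAVEPOINT ingest")
    except sqlite3.Error:
        cur.execute("ROLLBACK")
        raise
    cur.execute("COMMIT")
    if inserted < 0:
        # A negative count means the capture moved after a non-DML statement again.
        raise RuntimeError(f"rowcount {inserted} is not a row count")
    return inserted
```

The `inserted < 0` guard is cheap insurance: it turns a regression of this ordering into an exception at the call site instead of a "-4 new events inserted" log line and a negative `ingestion_log.rows_inserted`.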
39 lines
562 B
Text
# SEC-04: keep secrets and bulk artefacts out of image layers.
# The Dockerfile ends with `COPY . .` — everything not listed here ships in the image.

# Secrets — never in an image layer
.env
.env.*
*.pw

# VCS / local tooling
.git
.gitignore
.claude
.pytest_cache
.ruff_cache
.venv
__pycache__
*.pyc
*.pyo
.DS_Store
*.code-workspace

# Bulk data artefacts (rebuildable / operator-side only)
*.osm.pbf
*.geojson
csv/
data/
tools/data/
shell_stations.csv

# Not needed at runtime
docs/
tests/
agents/
db_audit/
legacy/
SOUL.md
README.md
CLAUDE.md
uv.lock.bak
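A check a reviewer would want for SEC-04, as an added example that is not the project's code: which paths survive this .dockerignore under `COPY . .`. The matcher approximates Docker's rules (Go `filepath.Match` globs anchored at the context root, `*` and `?` not crossing `/`, `**` spanning directories, a pattern that matches a directory also excluding its contents, `!` re-including); the context listing, the `AS_COMMITTED` subset and the `HARDENED` additions are constructed. It makes one caveat visible: bare `*.pw`, `*.pyc` and `__pycache__` patterns only match at the context root, so a nested `secrets/db.pw` or `app/__pycache__/` ships unless the pattern is prefixed with `**/` (the bulk data here is covered by the `data/` and `tools/data/` directory entries rather than by `*.osm.pbf`). For certainty, build a throwaway image from the same context and list its filesystem.

```python
"""Approximate .dockerignore evaluation (added example, not project code).

Approximates Docker's matching: root-anchored Go-style globs, `**` across
directories, parent-directory matches exclude everything below, `!` negates.
CONTEXT, AS_COMMITTED and HARDENED are constructed.
"""
import re
from typing import Iterable, List


def _glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one .dockerignore pattern into a regex for fullmatch()."""
    pattern = pattern.strip().strip("/")
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            i += 2
            if i < len(pattern) and pattern[i] == "/":
                out += "(?:.*/)?"  # zero or more leading directories
                i += 1
            else:
                out += ".*"  # rest of the path, across directories
            continue
        ch = pattern[i]
        if ch == "*":
            out += "[^/]*"  # stays within one path component
        elif ch == "?":
            out += "[^/]"
        else:
            out += re.escape(ch)
        i += 1
    return re.compile(out)


def _matches_or_parent_matches(regex: "re.Pattern[str]", path: str) -> bool:
    """True if the pattern matches the path itself or any directory above it."""
    parts = path.split("/")
    return any(regex.fullmatch("/".join(parts[:n])) for n in range(1, len(parts) + 1))


def is_ignored(path: str, dockerignore: str) -> bool:
    """Evaluate the pattern list in order; the last matching pattern wins."""
    ignored = False
    for raw in dockerignore.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negate = line.startswith("!")
        regex = _glob_to_regex(line[1:] if negate else line)
        if _matches_or_parent_matches(regex, path):
            ignored = not negate
    return ignored


def shipped(paths: Iterable[str], dockerignore: str) -> List[str]:
    """Paths (POSIX, relative to the context root) that would enter the image."""
    return [p for p in paths if not is_ignored(p, dockerignore)]


# Constructed build context; every path is hypothetical.
CONTEXT = [
    "Dockerfile", "uv.lock", "app/main.py",
    ".env", ".env.production", "db.pw", "secrets/db.pw",
    ".git/config", "app/__pycache__/main.cpython-312.pyc",
    "tools/data/region.osm.pbf", "data/stations.geojson",
    "README.md", "docs/report.md",
]

# The relevant subset of the .dockerignore above, as committed.
AS_COMMITTED = """
.env
.env.*
*.pw
.git
__pycache__
*.pyc
*.osm.pbf
*.geojson
data/
tools/data/
docs/
README.md
"""

# Constructed hardening: widen the root-anchored patterns to every directory.
HARDENED = AS_COMMITTED + """
**/*.pw
**/__pycache__
**/*.pyc
"""
```

`shipped(CONTEXT, AS_COMMITTED)` still contains `secrets/db.pw` and the nested `__pycache__` file; with `HARDENED` only `Dockerfile`, `uv.lock` and `app/main.py` remain. Docker does not recursively match bare filename globs, so any secret or cache that lives below the root needs the `**/` form.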