GRO-2294: Route Optimization security hardening (geocode-batch limit cap + redact settings secret) #193

Merged

Flea Flicker merged 42 commits from flea/gro-2294-route-opt-hardening into dev 2026-06-09 06:17:42 +00:00

Conversation 0 Commits 42 Files Changed 13

+1001 -16

Flea Flicker commented 2026-06-09 06:12:56 +00:00

Member

Copy Link

Copy Source

GRO-2294 — Route Optimization security hardening (LOW)

Two non-blocking, defense-in-depth fixes surfaced by the GRO-2162 feature-level security review of Route Optimization (GRO-1164). Both in groombook/api.

1. Enforce the ?limit cap on batch geocoding

POST /api/clients/geocode-batch documented "default 50, max 500" but only validated > 0. The handler now clamps to GEOCODE_BATCH_MAX_LIMIT (500) after the positive-integer check (Math.min(Math.floor(limit), 500)), bounding synchronous request duration and per-request Google API cost. src/routes/clients.ts.

2. Redact googleMapsApiKey from the settings GET projection

GET /api/admin/settings returned the full row including the AES-256-GCM googleMapsApiKey ciphertext. A redactSettings() helper now strips it on both the existing-row and auto-create branches. The secret has no other API consumer and is never needed client-side. src/routes/settings.ts.

Tests

• src/__tests__/geocodeBatchLimit.test.ts — default 50, in-cap passthrough, over-cap clamp to 500, fractional floor, reject 0/non-numeric (6 tests).
• src/__tests__/settings.test.ts — googleMapsApiKey omitted on both GET branches; non-secret fields preserved (2 tests).
• Full suite green: 668 passed. tsc --noEmit and eslint clean.

UAT Playbook

Updated UAT_PLAYBOOK.md: added TC-API-2.13a (geocode-batch ?limit cap enforced) and updated TC-API-13.1 (settings GET must not include googleMapsApiKey).

Source issue: GRO-2294

cc @cpfarhood

## GRO-2294 — Route Optimization security hardening (LOW) Two non-blocking, defense-in-depth fixes surfaced by the [GRO-2162](/GRO/issues/GRO-2162) feature-level security review of Route Optimization ([GRO-1164](/GRO/issues/GRO-1164)). Both in `groombook/api`. ### 1. Enforce the `?limit` cap on batch geocoding `POST /api/clients/geocode-batch` documented "default 50, max 500" but only validated `> 0`. The handler now clamps to `GEOCODE_BATCH_MAX_LIMIT` (500) after the positive-integer check (`Math.min(Math.floor(limit), 500)`), bounding synchronous request duration and per-request Google API cost. `src/routes/clients.ts`. ### 2. Redact `googleMapsApiKey` from the settings GET projection `GET /api/admin/settings` returned the full row including the AES-256-GCM `googleMapsApiKey` ciphertext. A `redactSettings()` helper now strips it on both the existing-row and auto-create branches. The secret has no other API consumer and is never needed client-side. `src/routes/settings.ts`. ### Tests - `src/__tests__/geocodeBatchLimit.test.ts` — default 50, in-cap passthrough, over-cap clamp to 500, fractional floor, reject `0`/non-numeric (6 tests). - `src/__tests__/settings.test.ts` — `googleMapsApiKey` omitted on both GET branches; non-secret fields preserved (2 tests). - Full suite green: **668 passed**. `tsc --noEmit` and `eslint` clean. ### UAT Playbook Updated `UAT_PLAYBOOK.md`: added **TC-API-2.13a** (geocode-batch `?limit` cap enforced) and updated **TC-API-13.1** (settings GET must not include `googleMapsApiKey`). Source issue: [GRO-2294](/GRO/issues/GRO-2294) cc @cpfarhood

Flea Flicker added 42 commits 2026-06-09 06:12:56 +00:00

Merge pull request 'chore: migrate .github/workflows to .gitea/workflows' (#22) from gitea/migrate-workflows into main ... e01c12a316

chore: migrate .github/workflows to .gitea/workflows

Migrate CI workflow from GitHub Actions to Gitea Actions.
- Registry: ghcr.io → git.farh.net
- Auth: secrets.GITHUB_TOKEN → gitea.token
- Cache: type=gha → type=registry

Part of GRO-1315.

Merge pull request 'promote: uat → main (GRO-1509 OIDC accountLinking fix)' (#46) from uat into main ... 081379c189

Merge uat → main: GRO-1509 OIDC accountLinking fix

Sign-offs cleared:
- QA: GRO-1510 ✓
- UAT: GRO-1515 ✓
- Security: GRO-1516 ✓
- Infra: groombook/infra PR #413 ✓

Add .mcp.json 185fce8e17

chore: trigger CI from uat for GRO-1754 dd83f29736

Merge pull request 'chore: trigger CI from uat for GRO-1754' (#81) from fix/gro-1754-uat-ci into main ba95088653

Merge pull request 'promote(dev→main): GRO-1752 schema fix for UAT (CI trigger)' (#82) from dev into main c8bbb12edb

fix(ci): remove duplicate provenance keys causing YAML parse error ... 152abfc4d5

Duplicate 'provenance: false' in each docker/build-push-action step caused
Gitea to reject the workflow file, breaking push CI and workflow_dispatch.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Merge pull request 'promote: uat → main (GRO-1757 SSO auto-provision fix)' (#89) from uat into main 403634eb96

Merge pull request 'Promote dev→uat: GRO-1982 pet_size_category extra_large enum migration' (#126) from dev into uat ... 8af5a49d14

Promote dev→uat: GRO-1983 seed-job pnpm fix + GRO-1982 extra_large enum migration

Carries the accumulated dev state into uat (PR #125 docker pnpm fix + 0037 migration).

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Merge pull request 'promote(db): register extra_large via migration 0038 to UAT (GRO-2004)' (#131) from dev into uat f7f88156e1

Merge pull request 'promote(docker): bake pnpm via npm to remove Corepack runtime downloads (GRO-1981)' (#133) from dev into uat ... 5a4b9a98bd

Promote GRO-1985 (parent GRO-1981) dev->uat. cc @cpfarhood

Merge pull request 'Promote dev → uat: UAT seed-password source-of-truth playbook (GRO-2000)' (#134) from dev into uat 6a81a52a50

Merge pull request 'promote: uat → main — pnpm-offline Docker hardening + accumulated UAT fixes (GRO-1985)' (#136) from uat into main ... 766728865e

promote: uat → main — pnpm-offline Docker hardening + accumulated UAT fixes (GRO-1985)

UAT PASS: GRO-2015
Security PASS: GRO-2024 (Barkley Trimsworth)
UAT CI: run #2313 — 3/3 jobs green (incl. offline pnpm smoke tests)

promote(uat): GRO-2014 profile-summary error-handling fix (dev→uat) (#138) 23484dc90a

promote(uat): GRO-2013 owner-bypass + GRO-2033 idempotent migrations (dev→uat) ... 16c959434b

Merge dev into uat. Resolves test-file/playbook conflicts created by PR #138's
squash merge by taking dev's superset versions (verified: all GRO-2014 tests +
TC ids preserved, plus GRO-2013 additions). No-ff merge so dev becomes an
ancestor of uat, preventing future squash-divergence conflicts.

Carries:
- GRO-2013 deployed-tree owner-bypass (src/routes/pets.ts, reconciled 20-test file)
- GRO-2033 idempotent migrations 0039/0040

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Merge pull request 'promote(uat): GRO-2013 owner-bypass + GRO-2033 idempotent migrations (dev→uat)' (#142) from dogfather/gro-2013-promote-uat into uat 4e9c4c5e08

Merge pull request 'Promote dev→uat: rbac Better-Auth auto-provision (GRO-2052)' (#144) from dev into uat ... 7181d41b24

Promote dev→uat: rbac Better-Auth auto-provision (GRO-2052)

Makes the pets.ts owner-bypass reachable for Better-Auth email/password customers by auto-provisioning a groomer staff row keyed on user.id. Unblocks GRO-2050 and GRO-2035.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Merge pull request 'promote(main): GRO-2033 prod migration fix + GRO-2013/2014 + rbac auto-provision (uat→main)' (#145) from uat into main ... 2a6242d3de

promote(main): GRO-2033 prod migration fix + GRO-2013/2014 + rbac auto-provision (uat→main)

CI green. UAT regression GRO-2035 PASS. Migrations 0039/0040 idempotent — signed off by CEO.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

promote(dev→uat): owner-bypass read audit row (GRO-2063) (#147) ... bf97849324

Promote GRO-2063 defense-in-depth audit row to uat. CI green. QA + CTO approved on dev PR #146.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Merge pull request 'Promote dev→uat: GRO-2033 services_pkey seed fix (fc6c6ef7)' (#149) from dev into uat 411c42b2c4

promote(uat→main): owner-bypass audit fix (GRO-2062) + services seed-idempotency fix (GRO-2064) c92fb2539d

docs(UAT_PLAYBOOK): add TC-UAT-2/3 for uat-groomer linked/unlinked pet profile-summary (GRO-2100) ... bd384bdf5c

Lint Roller review on PR #152 flagged that the GRO-2100 seed change produces
new observable UAT API behavior that the playbook must reflect. Add two
deterministic rows pinning the contract GRO-1987 TC-UAT-2/3 will exercise:

- TC-UAT-2: uat-groomer + linked pet c0000001-...-002 (UAT Pup Alpha) → 200
- TC-UAT-3: uat-groomer + unlinked pet c0000001-...-003 (UAT Pup Beta) → 403

The 403-vs-404 note in TC-UAT-3 mirrors the verification note in the
GRO-2100 issue body so the QA runner knows where to file if the API
returns 404 (a separate RBAC defect, not against the seed).

ci: retrigger GRO-2100 PR #152 Build & Push Docker Images (Reset image build failed — docker registry flake) d4a4ddce37

Merge pull request 'Promote dev→uat: GRO-2100 uat-groomer ↔ UAT Pup Alpha linkage' (#152) from promote/dev-to-uat-gro-2100 into uat ... f2931d7be2

Merge pull request #152 from groombook/promote/dev-to-uat-gro-2100

Promote dev→uat: GRO-2100 uat-groomer ↔ UAT Pup Alpha linkage

chore(uat): GRO-2100 promote uat-groomer seed-linkage ordering fix to uat (#154) ... e639cc82d1

Co-authored-by: Flea Flicker <flea@groombook.dev>
Co-committed-by: Flea Flicker <flea@groombook.dev>

Merge pull request 'dev → uat: GRO-2123 seed advisory lock' (#156) from dev-to-uat-gro-2123 into uat e2eacbc9fe

Merge pull request 'chore: delete stale apps/api/src/db/seed.ts duplicate (GRO-2129)' (#158) from dev into uat 6538406db2

Merge pull request 'promote(uat→main): GRO-2123 seed advisory lock + GRO-2100 uat-groomer linkage ordering' (#157) from uat into main fc072d51f4

Merge pull request 'dev → uat: GRO-2187 portal pet PATCH + GET enrichment (carries GRO-2152)' (#166) from dev-to-uat-gro-2187 into uat b3db206588

Merge pull request 'dev → uat: GRO-2153 abstracted geocoding service' (#168) from dev-to-uat-gro-2153 into uat 027e012a58

dev → uat: GRO-2154 geocoding endpoints (Phase 1.3) (#171) 8721f0b63c

dev → uat: portal photoKey S3 key-hijack fix (GRO-2187/GRO-2198) (#173) 8cf72d926d

Merge uat → main: portal pet PATCH + photoKey S3 key-hijack fix (GRO-2187) (#174) 6e2e46daf8

dev → uat: GRO-2155 route optimization endpoints (carries GRO-2163) (#176) 587fd4ec95

dev → uat: GRO-2203 portal pet PATCH malformed-petId 500→404 (#178) eb92f99c4a

Merge dev into uat: promote GRO-2156 route travel buffer + reorder (Phase 2.2) ... 6120b96c7c

Resolves UAT_PLAYBOOK.md conflict by unioning uat-only TC-UAT-2/3 (GRO-2100)
with dev's §4.16 update + new §4.17. Code files taken from dev (superset).

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Merge dev into uat: add GRO-2234 portal session sliding TTL + re-mint to dev→uat batch 636fa713e1

Merge pull request 'Promote dev → uat: GRO-2155/2156/2203/2211/2163 + GRO-2234 (cumulative batch)' (#182) from flea/dev-to-uat-gro-2156 into uat 96dbb8c41d

Merge pull request 'promote(uat→main FROZEN @6120b96): + GRO-2156 route buffer/reorder (supersedes #185)' (#186) from release/main-6120b96 into main ... 1ad43ce701

promote(uat→main FROZEN @6120b96): GRO-2214+GRO-2211+GRO-2203+GRO-2155+GRO-2163+GRO-2156

CTO-reviewed, CEO-merged per SDLC Phase 4 governance.
Carries: GRO-2214 waitlist validation, GRO-2211, GRO-2203 pet PATCH, GRO-2155+GRO-2163 route optimization, GRO-2156 route buffer/reorder.
All gates passed: QA, Security, UAT 6/6 PASS.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Merge pull request 'uat→main (PROD): GRO-2234 portal session fix + validated batch' (#191) from flea/uat-to-main-gro-2234-api into main bfe1a29c08

uat→main (PROD): GRO-2157 nav export + GRO-2225/2235 (frozen @4868f18) (#192) ... e9ad92de01

feat: nav export + conflict guard + UAT seed (GRO-2157, GRO-2225, GRO-2235)

Squash-merges PR #192: uat→main PROD promotion.
Freezes at validated SHA 4868f18 (UAT regression GRO-2261 11/11 PASS).
Bundles: GRO-2157 (nav export), GRO-2225 (UAT seed), GRO-2235 (conflict guard).
CTO-reviewed and approved (review #4542).

Co-authored-by: Flea Flicker <22+gb_flea@noreply.git.farh.net>
Co-committed-by: Flea Flicker <22+gb_flea@noreply.git.farh.net>

GRO-2294: Route Optimization security hardening (LOW) ... c7007051d7

Two defense-in-depth fixes from the GRO-2162 feature-level security review:

1. Enforce the documented ?limit cap on POST /api/clients/geocode-batch.
   The handler now clamps limit to GEOCODE_BATCH_MAX_LIMIT (500) after the
   positive-integer check, bounding synchronous request duration and per-request
   external API cost when routeOptimizationProvider = "google".

2. Redact the encrypted googleMapsApiKey from GET /api/admin/settings on both
   the existing-row and auto-create branches. The ciphertext is never needed
   client-side and is now stripped via redactSettings().

Adds route-level tests for the limit clamp (default/passthrough/clamp/floor/
reject) and the settings redaction (both branches). Updates UAT_PLAYBOOK.md
TC-API-2.13a and TC-API-13.1.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Flea Flicker merged commit fe412933ea into dev 2026-06-09 06:17:42 +00:00

Flea Flicker referenced this issue from a commit 2026-06-09 06:20:00 +00:00

GRO-2294: Route Optimization security hardening (geocode-batch limit cap + redact settings secret) (#193)

Flea Flicker referenced this pull request 2026-06-09 07:27:33 +00:00

uat→main (PROD): GRO-2294 Route Optimization security hardening (frozen @2566fb8) #197

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

bug

Something isn't working

documentation

Improvements or additions to documentation

duplicate

This issue or pull request already exists

enhancement

New feature or request

good first issue

Good for newcomers

help wanted

Extra attention is needed

invalid

This doesn't seem right

question

Further information is requested

wontfix

This will not be worked on

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

ai-review (AI Review) gb_barkley (Barkley Trimsworth) cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) gb_flea (Flea Flicker) flux (Flux CD) admin (Gitea Admin) gb_lint (Lint Roller) renovate (Mend Renovate) gb_pawla (Pawla Abdul) gb_scrubs (Scrubs McBarkley) gb_shedward (Shedward Scissorhands) gb_dogfather (The Dogfather)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: groombook/api#193