trentuna/candle-annotator
8
0
Fork 0
Code Issues Pull requests Releases Packages Activity Actions
candle-annotator/openspec/changes/archive/2026-02-20-code-review-fix/proposal.md
Marko Djordjevic 925e7284e3 Archive code-review-fix change and sync specs to main 
- Synced 14 capability delta specs to main specs
- Created 6 new main specs: api-authentication, error-boundary, input-validation, security-headers, shared-types
- Updated 8 existing specs with security, validation, and performance requirements
- Archived change to openspec/changes/archive/2026-02-20-code-review-fix/

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-20 08:54:59 +01:00

5.2 KiB
Raw Blame History

Why

A comprehensive code review identified 93 issues (13 Critical, 35 Major, 45 Minor) across the entire codebase. The application has zero authentication, hardcoded credentials in committed files, path traversal vectors, unsafe deserialization, frontend race conditions/memory leaks, and zero test files. These must be fixed before any production deployment.

What Changes

Security (Critical)

  • Add authentication middleware to all API endpoints (Next.js + FastAPI)
  • Fix .env gitignore and remove credentials from git history
  • Replace all hardcoded database credentials with env var interpolation
  • Bind PostgreSQL port to localhost only
  • Validate run_id parameters to prevent SSRF/path traversal
  • Add file upload size limits
  • Fix CORS wildcard on ML service
  • Add model file integrity checks (SHA256) for joblib/pickle files

Frontend Stability (Critical + Major)

  • Fix stale closures in fetchPredictions, CandleChart click handler, SpanAnnotationManager keyboard handler
  • Add AbortController to cancel stale prediction requests
  • Fix SpanAnnotationManager preview primitive memory leak
  • Add response.ok checks on all fetch calls
  • Add React Error Boundary
  • Fix hardcoded 1-minute candle interval assumption
  • Use chart.applyOptions() for theme changes instead of re-creating chart
  • Fix fitContent() called on every span change

API Hardening (Major)

  • Add Zod validation on all proxy routes
  • Wrap chart cascade delete in transaction + add span annotation deletion
  • Stop leaking error details to clients (frontend + backend)
  • Require chartId for bulk annotation deletes
  • Add input size limits on batch prediction

Code Quality (Major + Minor)

  • Centralize duplicate interface definitions into src/types/
  • Replace pervasive any types with proper interfaces
  • Move dev dependencies to devDependencies
  • Remove dead code (migrate.ts, get_db_session, dead filter)
  • Replace deprecated Python APIs (on_event, declarative_base, utcnow)

Infrastructure (Major + Minor)

  • Add security response headers (CSP, X-Frame-Options)
  • ML Dockerfile: run as non-root user
  • Create .dockerignore
  • Add rate limiting middleware
  • Pin Docker base images to digests
  • Implement real health checks on ML service
  • Use next/font instead of CSS @import

UX Polish (Minor)

  • Add confirmation dialog for delete-all annotations
  • Fix accessibility (ARIA labels, focus trapping, keyboard nav)
  • Add CSV injection protection to exports
  • Fix dark theme on settings pages
  • Add debounce to confidence slider
  • Add click-outside handler to chart dropdown

Capabilities

New Capabilities

  • api-authentication: API key or session-based auth middleware for Next.js routes and FastAPI endpoints
  • input-validation: Zod schemas for all proxy routes, file upload limits, run_id format validation, batch size limits
  • security-headers: CSP, X-Frame-Options, and other security response headers via Next.js config
  • error-boundary: React Error Boundary wrapping critical component subtrees
  • shared-types: Centralized TypeScript interfaces in src/types/ replacing duplicate definitions across 6+ files

Modified Capabilities

  • docker-deployment: Bind ports to localhost, add .dockerignore, run ML as non-root, pin images, fix healthcheck, TA-Lib HTTPS download
  • backend-api: Transaction-wrapped cascade deletes, generic error responses, scoped bulk delete, rate limiting
  • ml-inference: CORS fix, model integrity checks, path traversal prevention, thread-safe model reads, input size limits
  • ml-training: run_id validation, resource limits, path traversal prevention
  • chart-canvas: Fix stale closures, theme change via applyOptions, fix 1-min interval assumption, extract magic numbers, use refs for click handler
  • span-annotation: Fix keyboard handler stale closure, preview primitive memory leak, fitContent removal, primitive recreation optimization
  • prediction-ui: AbortController for requests, bounded prediction cache, response.ok checks
  • postgres-data-layer: Remove .env from git, env var interpolation for credentials, SSL/TLS support
  • ui-shell: Error boundary integration, confirmation dialogs, accessibility improvements, dark theme fixes, next/font migration
  • label-management: (no spec-level changes, only implementation cleanup)
  • feature-engineering: (no spec-level changes, deprecated API cleanup only)

Impact

  • All 27 API route files in src/app/api/ — auth middleware, error handling, validation
  • src/app/page.tsx — AbortController, response checks, cache bounds, confirmation dialog
  • src/components/CandleChart.tsx — stale closures, theme, interval fix, refs
  • src/components/SpanAnnotationManager.tsx — memory leak, keyboard handler, fitContent, primitives
  • services/ml/app/main.py — CORS, auth, error messages, model integrity, path validation, deprecated APIs
  • services/ml/Dockerfile — non-root user, HTTPS download
  • docker-compose.yml — port bindings, credential interpolation
  • next.config.js — security headers
  • package.json — devDependencies reorganization
  • New files: src/middleware.ts, src/types/*.ts, src/components/ErrorBoundary.tsx, .dockerignore
  • No breaking API changes — all fixes are additive or internal