dan/ops-jrz1
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

bd daemon sync: 2026-01-08 10:26:56

Browse source
This commit is contained in:
Dan 2026-01-08 10:26:56 -08:00
parent 33a538da51
commit 05ddd35f56
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.beads/issues.jsonl
View file

@ -96,7 +96,7 @@
{"id":"ops-jrz1-jwl","title":"Update cpu-watchdog source to use 'killswitch' not /usr/local/bin path","description":"scripts/cpu-watchdog:36 has hardcoded /usr/local/bin/killswitch. The Nix build uses replaceStrings to fix this, but source should reflect reality. Change to just 'killswitch'.","status":"closed","priority":3,"issue_type":"task","created_at":"2026-01-03T17:35:57.848239876-08:00","created_by":"dan","updated_at":"2026-01-05T09:12:47.271207156-08:00","closed_at":"2026-01-05T09:12:47.271207156-08:00","close_reason":"Updated scripts to use killswitch directly, removed replaceStrings from config"}
{"id":"ops-jrz1-k1z","title":"killswitch: Rename USER variable to avoid shadowing","description":"USER=\"$1\" shadows shell builtin $USER. Rename to TARGET_USER for clarity. scripts/killswitch:15","status":"closed","priority":3,"issue_type":"task","created_at":"2026-01-03T08:17:35.258067292-08:00","created_by":"dan","updated_at":"2026-01-03T09:31:54.318499842-08:00","closed_at":"2026-01-03T09:31:54.318499842-08:00","close_reason":"Renamed USER to TARGET_USER to avoid shadowing shell builtin"}
{"id":"ops-jrz1-k2a","title":"Security posture and threat analysis for dev server","description":"Perform security analysis for the shared dev server environment.\n\n## Scope\n- Multi-user SSH access\n- Agentic coders (Claude, etc.) running with user privileges\n- Shared Slack tokens\n- Network egress\n- Nix store access\n\n## Questions to answer\n- What's the threat model? (curious devs vs malicious actors)\n- What can a compromised user account access?\n- What can an agentic coder do that a human couldn't?\n- Are there secrets at risk?\n- What isolation is needed?\n\n## Deliverables\n- Threat model document\n- Risk assessment\n- Recommendations for mitigations","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-02T16:34:32.681248615-08:00","created_by":"dan","updated_at":"2026-01-02T19:14:53.774623716-08:00","closed_at":"2026-01-02T19:14:53.774623716-08:00","close_reason":"Closed"}
{"id":"ops-jrz1-kfk","title":"VM test: Scope DNS to specific hostnames","description":"Change dnsmasq from wildcard 'address=/#/127.0.0.1' to specific hostnames like 'address=/matrix.example.org/127.0.0.1'. More explicit, less likely to mask DNS misconfig bugs.","status":"in_progress","priority":4,"issue_type":"task","created_at":"2026-01-08T00:58:32.367556436-08:00","created_by":"dan","updated_at":"2026-01-08T10:25:39.795588404-08:00"}
{"id":"ops-jrz1-kfk","title":"VM test: Scope DNS to specific hostnames","description":"Change dnsmasq from wildcard 'address=/#/127.0.0.1' to specific hostnames like 'address=/matrix.example.org/127.0.0.1'. More explicit, less likely to mask DNS misconfig bugs.","status":"closed","priority":4,"issue_type":"task","created_at":"2026-01-08T00:58:32.367556436-08:00","created_by":"dan","updated_at":"2026-01-08T10:26:56.433679799-08:00","closed_at":"2026-01-08T10:26:56.433679799-08:00","close_reason":"Changed to explicit hostnames: matrix.example.org, example.org"}
{"id":"ops-jrz1-kg0","title":"Switch to subdomain routing (dan.code.clarun.xyz)","description":"Path-based routing (/code/dan/) is fragile. Extensions assume root path, cookies scope incorrectly, PWA breaks. Switch to wildcard subdomains for cleaner isolation.","status":"closed","priority":1,"issue_type":"task","created_at":"2025-12-05T15:32:19.283887085-08:00","updated_at":"2025-12-05T17:23:11.983564455-08:00","closed_at":"2025-12-05T17:23:11.983564455-08:00","dependencies":[{"issue_id":"ops-jrz1-kg0","depends_on_id":"ops-jrz1-3so","type":"parent-child","created_at":"2025-12-05T17:05:47.043217984-08:00","created_by":"daemon","metadata":"{}"}]}
{"id":"ops-jrz1-kgx","title":"Improve egress rate limiting: higher limits, better feedback, DROP instead of REJECT","description":"Current 30/min burst 60 is too aggressive for npm install. Changes: (1) Raise to 150/min burst 300, (2) Add logging users can check, (3) Switch REJECT to DROP so apps back off naturally instead of hard fail.","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-07T11:04:51.82736813-08:00","created_by":"dan","updated_at":"2026-01-07T11:10:35.322969917-08:00","closed_at":"2026-01-07T11:10:35.322969917-08:00","close_reason":"Implemented: 150/min burst 300, DROP instead of REJECT, added egress-status command for users"}
{"id":"ops-jrz1-kia","title":"Container reset mechanism (keep workspace)","description":"If user breaks their environment, need simple way to wipe container and restore default image while preserving /workspace. Script or admin command.","status":"closed","priority":3,"issue_type":"task","created_at":"2025-12-05T15:32:31.045592689-08:00","updated_at":"2025-12-28T00:05:44.757842852-05:00","closed_at":"2025-12-28T00:05:44.757842852-05:00","close_reason":"Parent epic cancelled - browser-based dev approach abandoned","dependencies":[{"issue_id":"ops-jrz1-kia","depends_on_id":"ops-jrz1-3so","type":"parent-child","created_at":"2025-12-05T17:05:47.275530016-08:00","created_by":"daemon","metadata":"{}"}]}