## PR-1 Blocker Remediation Plan

### Introduction

This plan remediates only the failed PR-1 QA/security gates identified in:

- `docs/reports/qa_report_pr1.md`
- `docs/reports/pr1_supervisor_review.md`

Scope is strictly limited to PR-1 blockers and evidence gaps. PR-2/PR-3 work is explicitly out of scope.

### Research Findings (PR-1 Blockers Only)

Confirmed PR-1 release blockers:

1. Targeted Playwright gate failing (`Authorization header required` in test bootstrap path).
2. Backend test failures (`TestSetSecureCookie_*`) preventing backend QA gate completion.
3. Docker image scan failing with one High vulnerability (`GHSA-69x3-g4r3-p962`, `github.com/slackhq/nebula`).
4. Missing/invalid local patch preflight artifacts (`test-results/local-patch-report.md` and `.json`).
5. Missing freshness-gate evidence artifact(s) required by the current PR-1 spec/supervisor review.
6. Missing explicit emergency/security regression evidence and one report inconsistency in PR-1 status docs.

### Prioritized Blockers by Release Impact

| Priority | Blocker | Release Impact | Primary Owner | Supporting Owner |
|---|---|---|---|---|
| P0 | E2E auth bootstrap failure in targeted suite | Blocks proof of user-facing correctness in PR-1 path | Playwright Dev | Backend Dev |
| P0 | Backend `TestSetSecureCookie_*` failures | Blocks backend quality/security gate for PR-1 | Backend Dev | QA Security |
| P0 | High image vulnerability (`GHSA-69x3-g4r3-p962`) | Hard security release block | DevOps | Backend Dev |
| P1 | Missing local patch preflight artifacts | Blocks auditability of changed-line risk | QA Security | DevOps |
| P1 | Missing freshness-gate evidence artifact(s) | Blocks supervisor/spec compliance | QA Security | DevOps |
| P1 | Missing explicit emergency/security regression evidence + report inconsistency | Blocks supervisor approval confidence | QA Security | Playwright Dev |

### Owner Mapping (Exact Roles)

- **Backend Dev**
  - Resolve cookie behavior/test expectation mismatch for PR-1 auth/cookie logic.
  - Support Playwright bootstrap auth fix when API/auth path changes are required.
  - Support dependency remediation if backend module updates are needed.
- **DevOps**
  - Remediate image SBOM vulnerability path and rebuild/rescan image.
  - Ensure local patch/freshness artifacts are emitted, persisted, and reproducible in CI-aligned paths.
- **QA Security**
  - Own evidence completeness: patch preflight artifacts, freshness artifact(s), and explicit emergency/security regression proof.
  - Validate supervisor-facing status report accuracy and traceability.
- **Playwright Dev**
  - Fix and stabilize targeted Playwright suite bootstrap/authorization behavior.
  - Produce deterministic targeted E2E evidence for emergency/security control flows.

### Execution Order (Fix First, Verify Once)

#### Phase A — Implement all fixes (no full reruns yet)

1. **Playwright Dev + Backend Dev**: Fix the auth bootstrap path causing `Authorization header required` in targeted PR-1 E2E setup.
2. **Backend Dev**: Fix the `TestSetSecureCookie_*` mismatch (policy-consistent behavior for localhost/scheme/forwarded cases).
3. **DevOps + Backend Dev**: Upgrade the vulnerable dependency path to a non-vulnerable version and rebuild the image.
4. **QA Security + DevOps**: Correct artifact generation paths for local patch preflight and freshness snapshots.
5. **QA Security + Playwright Dev**: Ensure explicit emergency/security regression evidence is generated and the report inconsistency is corrected.

#### Phase B — Single consolidated verification pass

Run once, in order, after all Phase A fixes are merged into the PR-1 branch:

1. Targeted Playwright PR-1 suites (including security/emergency affected flows).
2. Backend test gate (including `TestSetSecureCookie_*`).
3. Local patch preflight artifact generation and existence checks.
4. Freshness-gate artifact generation and existence checks.
5. CodeQL check-findings (confirm target PR-1 rules remain clear).
6. Docker image security scan (confirm zero High/Critical).
7. Supervisor evidence pack update (`docs/reports/*`) and re-audit submission.

### Acceptance Criteria by Blocker

#### B1 — Targeted Playwright Gate (P0)

- Targeted PR-1 suites pass with no auth bootstrap failures.
- No `Authorization header required` error occurs in setup/fixture path.
- Emergency/security-related user flows in PR-1 scope have explicit pass evidence.

#### B2 — Backend Cookie Test Failures (P0)

- `TestSetSecureCookie_*` tests pass consistently.
- Behavior aligns with intended security policy for secure cookie handling.
- No regression introduced to authentication/session flows in PR-1 scope.
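
The B2 criteria and Phase A step 2 turn on one question: in which of the localhost, plain-HTTP/TLS, and proxy-forwarded cases is the `Secure` flag set. The Go program below is an added example, not the project's own `SetSecureCookie` or its `TestSetSecureCookie_*` tests, and the policy it encodes is an assumption chosen to keep CodeQL's `go/cookie-secure-not-set` clear while still allowing local development: the cookie is always `Secure` except on plain HTTP to a loopback host, and a proxy's `X-Forwarded-Proto` is honoured only when the deployment marks the proxy as trusted, so an untrusted hop cannot influence the decision. `CookiePolicy`, `DecideCases`, and the sample requests are constructed for this example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// CookiePolicy carries the one deployment decision this example needs:
// whether X-Forwarded-Proto from an upstream reverse proxy may be believed.
// Honouring that header from an untrusted hop would let the client influence
// the Secure decision, so it defaults to false. (Assumed type, not the project's.)
type CookiePolicy struct {
	TrustProxy bool
}

// requestIsHTTPS reports whether the request reached the app over TLS,
// either directly or, when TrustProxy is set, via a proxy that terminated TLS.
func (p CookiePolicy) requestIsHTTPS(r *http.Request) bool {
	if r.TLS != nil {
		return true
	}
	if !p.TrustProxy {
		return false
	}
	// A proxy chain may append several comma-separated values; the first
	// one is the scheme the client actually used.
	first := strings.Split(r.Header.Get("X-Forwarded-Proto"), ",")[0]
	return strings.EqualFold(strings.TrimSpace(first), "https")
}

// isLoopbackHost reports whether the Host header names localhost or a
// loopback IP, with or without a port.
func isLoopbackHost(host string) bool {
	h := host
	if onlyHost, _, err := net.SplitHostPort(host); err == nil {
		h = onlyHost
	}
	if strings.EqualFold(h, "localhost") {
		return true
	}
	ip := net.ParseIP(strings.Trim(h, "[]"))
	return ip != nil && ip.IsLoopback()
}

// SecureFlag is the policy decision: Secure unless the request is plain
// HTTP to a loopback host, which is the local-development exception.
func (p CookiePolicy) SecureFlag(r *http.Request) bool {
	return p.requestIsHTTPS(r) || !isLoopbackHost(r.Host)
}

// SetSecureCookie writes a session-style cookie with HttpOnly and
// SameSite=Lax always on and Secure decided by SecureFlag. It returns the
// cookie so callers and tests can inspect the decision.
func (p CookiePolicy) SetSecureCookie(w http.ResponseWriter, r *http.Request, name, value string) *http.Cookie {
	c := &http.Cookie{
		Name:     name,
		Value:    value,
		Path:     "/",
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
		Secure:   p.SecureFlag(r),
	}
	http.SetCookie(w, c)
	return c
}

// DecideCases runs the policy over constructed requests (sample inputs made
// up for this example) and returns the Secure decision for each case.
func DecideCases() map[string]bool {
	trusted := CookiePolicy{TrustProxy: true}
	direct := CookiePolicy{TrustProxy: false}
	decide := func(p CookiePolicy, target, forwardedProto string) bool {
		r := httptest.NewRequest(http.MethodGet, target, nil) // https:// targets get r.TLS set
		if forwardedProto != "" {
			r.Header.Set("X-Forwarded-Proto", forwardedProto)
		}
		return p.SetSecureCookie(httptest.NewRecorder(), r, "session", "opaque-token").Secure
	}
	return map[string]bool{
		"http localhost, no proxy":                    decide(direct, "http://localhost:8080/login", ""),
		"http 127.0.0.1, no proxy":                    decide(direct, "http://127.0.0.1/login", ""),
		"http public host, no proxy":                  decide(direct, "http://app.example/login", ""),
		"https direct to localhost":                   decide(direct, "https://localhost/login", ""),
		"http localhost behind trusted https proxy":   decide(trusted, "http://localhost/login", "https"),
		"http localhost, forwarded header not trusted": decide(direct, "http://localhost/login", "https"),
		"http public host, trusted proxy says http":   decide(trusted, "http://app.example/login", "http"),
	}
}

func main() {
	for name, secure := range DecideCases() {
		fmt.Printf("%-46s Secure=%v\n", name, secure)
	}
}
```

The table-driven shape of `DecideCases` is the point: each of the localhost/scheme/forwarded combinations is a named row with one expected boolean, so a future policy change shows up as a diff in expectations rather than as a failing assertion buried in setup code.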

#### B3 — Docker High Vulnerability (P0)

- Image scan reports `High=0` and `Critical=0`.
- `GHSA-69x3-g4r3-p962` no longer appears in resulting image SBOM/scan output.
- Remediation is reproducible in CI-aligned scan flow.

#### B4 — Local Patch Preflight Artifacts (P1)

- `test-results/local-patch-report.md` exists after run.
- `test-results/local-patch-report.json` exists after run.
- Artifact content reflects current PR-1 diff and is not stale.

#### B5 — Freshness-Gate Evidence (P1)

- Freshness snapshot artifact(s) required by PR-1 spec are generated in `docs/reports/`.
- Artifact filenames/timestamps are referenced in PR-1 status reporting.
- Supervisor can trace freshness evidence without manual reconstruction.

#### B6 — Emergency/Security Evidence + Report Consistency (P1)

- PR-1 status docs explicitly separate implemented vs validated vs pending (no ambiguity).
- Inconsistency in backend status report regarding cookie logic is corrected.
- Emergency/security regression evidence is linked to exact test executions.

### Technical Specifications (PR-1 Remediation Only)

#### Evidence Contracts

- Patch preflight artifacts must be present at:
  - `test-results/local-patch-report.md`
  - `test-results/local-patch-report.json`
- Freshness evidence must be present in `docs/reports/` and referenced by filename in status reports.
- PR-1 status reports must include:
  - execution timestamp,
  - exact command(s),
  - pass/fail result,
  - artifact references.

#### Scope Guardrails

- Do not add new PR-2/PR-3 features.
- Do not widen test scope beyond PR-1-impacted flows except for mandatory gate runs.
- Do not refactor unrelated subsystems.

### Risks and Mitigations

| Risk | Likelihood | Impact | Mitigation | Owner |
|---|---|---|---|---|
| Fixing one gate re-breaks another (e.g., cookie policy vs E2E bootstrap) | Medium | High | Complete all code/tooling fixes first, then single consolidated verification pass | Backend Dev + Playwright Dev |
| Security fix in dependency introduces compatibility drift | Medium | High | Pin fixed version, run image scan and targeted runtime smoke in same verification pass | DevOps |
| Artifact generation succeeds in logs but files missing on disk | Medium | Medium | Add explicit post-run file existence checks and fail-fast behavior | QA Security + DevOps |
| Supervisor rejects evidence due to formatting/traceability gaps | Low | High | Standardize report sections: implemented/validated/pending + artifact links | QA Security |
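
The Evidence Contracts section names the two patch preflight paths, and the third risk row asks for explicit post-run existence checks with fail-fast behavior. The Go program below is an added example of such a gate, not the project's own tooling: it checks that each artifact exists, is a regular non-empty file, was modified within an assumed freshness window, and (for the `.json` report) parses as JSON, then exits non-zero if anything is wrong. The 30-minute window in `main`, the `Artifact` type and the `RequiredPR1Artifacts` helper are this example's assumptions; a content-level check that the report matches the current PR-1 diff would need the report's schema, which the plan does not give, so the example stops at modification-time staleness.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// Artifact is one required evidence file. MaxAge bounds how old the file may
// be relative to the gate's reference time; the plan only says artifacts
// must exist and not be stale, so the age rule is this example's assumption.
type Artifact struct {
	Path   string
	MaxAge time.Duration
	IsJSON bool
}

// RequiredPR1Artifacts lists the two patch preflight paths the plan names,
// resolved under root (the repository checkout).
func RequiredPR1Artifacts(root string, maxAge time.Duration) []Artifact {
	return []Artifact{
		{Path: filepath.Join(root, "test-results", "local-patch-report.md"), MaxAge: maxAge},
		{Path: filepath.Join(root, "test-results", "local-patch-report.json"), MaxAge: maxAge, IsJSON: true},
	}
}

// CheckArtifact returns nil when the file exists, is a regular non-empty
// file, was modified within MaxAge of now, and (for JSON) parses. Every
// failure names the path so the gate log says exactly what is missing.
func CheckArtifact(a Artifact, now time.Time) error {
	info, err := os.Stat(a.Path)
	if err != nil {
		return fmt.Errorf("%s: not found: %w", a.Path, err)
	}
	if !info.Mode().IsRegular() {
		return fmt.Errorf("%s: not a regular file", a.Path)
	}
	if info.Size() == 0 {
		return fmt.Errorf("%s: empty file", a.Path)
	}
	if age := now.Sub(info.ModTime()); age > a.MaxAge {
		return fmt.Errorf("%s: stale (modified %s ago, limit %s)", a.Path, age.Round(time.Second), a.MaxAge)
	}
	if a.IsJSON {
		data, err := os.ReadFile(a.Path)
		if err != nil {
			return fmt.Errorf("%s: unreadable: %w", a.Path, err)
		}
		var v any
		if err := json.Unmarshal(data, &v); err != nil {
			return fmt.Errorf("%s: invalid JSON: %w", a.Path, err)
		}
	}
	return nil
}

// CheckAll evaluates every artifact and returns all failures rather than
// stopping at the first, so one run reports the complete gap list.
func CheckAll(arts []Artifact, now time.Time) []error {
	var errs []error
	for _, a := range arts {
		if err := CheckArtifact(a, now); err != nil {
			errs = append(errs, err)
		}
	}
	return errs
}

// main is the fail-fast CI step: non-zero exit when any artifact is missing,
// empty, stale, or malformed. The 30-minute limit is an assumed window.
func main() {
	errs := CheckAll(RequiredPR1Artifacts(".", 30*time.Minute), time.Now())
	for _, err := range errs {
		fmt.Fprintln(os.Stderr, "artifact gate:", err)
	}
	if len(errs) > 0 {
		os.Exit(1)
	}
	fmt.Println("artifact gate: ok")
}
```

Run it as the last step of the preflight job from the repository root; because it checks the files on disk rather than the producer's log output, it catches the "succeeded in logs but nothing written" case the risk table describes.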

### PR Slicing Strategy

- **Decision:** Single PR-1 remediation slice (`PR-1R`) only.
- **Reason:** Scope is blocker closure and evidence completion for an already-open PR-1; splitting increases coordination overhead and rerun count.
- **Slice:** `PR-1R`
  - **Scope:** Only P0/P1 blockers listed above.
  - **Dependencies:** Existing PR-1 branch state and current QA/supervisor findings.
  - **Validation Gate:** One consolidated verification pass defined in this plan.
  - **Rollback/Contingency:** Revert only remediation commits within `PR-1R`; do not pull PR-2/PR-3 changes for fallback.

### Final PR-1 Re-Audit Checklist

- [ ] Targeted Playwright PR-1 suites pass (no auth bootstrap errors).
- [ ] Backend `TestSetSecureCookie_*` and related backend gates pass.
- [ ] Docker image scan shows zero High/Critical vulnerabilities.
- [ ] `test-results/local-patch-report.md` exists and is current.
- [ ] `test-results/local-patch-report.json` exists and is current.
- [ ] Freshness-gate artifact(s) exist in `docs/reports/` and are referenced.
- [ ] Emergency/security regression evidence is explicit and linked.
- [ ] PR-1 report inconsistency (cookie logic statement) is corrected.
- [ ] CodeQL target PR-1 findings remain clear (`go/log-injection`, `go/cookie-secure-not-set`, `js/regex/missing-regexp-anchor`, `js/insecure-temporary-file`).
- [ ] Supervisor re-review package is complete with commands, timestamps, and artifact links.

### Out of Scope

- Any PR-2 or PR-3 feature scope.
- New architectural changes unrelated to PR-1 blocker closure.
- Non-blocking cleanup not required for PR-1 re-audit approval.