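#!/bin/bash
# Push inou + Clavitor findings to Mission Control as tasks.
#
# Uses direct API calls with curl; jq builds the request bodies and reads
# the replies.
#
# Environment (both optional):
#   MC_URL       Mission Control base URL (default: http://localhost:9400)
#   MC_KEY_FILE  file containing a line "API_KEY=<value>"
#                (default: /home/johan/mission-control/.data/.auto-generated)

MC_URL="${MC_URL:-http://localhost:9400}"
MC_KEY_FILE="${MC_KEY_FILE:-/home/johan/mission-control/.data/.auto-generated}"

# -m1 stops at the first match so several API_KEY= lines cannot be glued
# together by the tr below; -f2- keeps everything after the first '=' so a
# key that itself contains '=' (base64 padding, for example) is not truncated.
API_KEY=$(grep -m1 -e '^API_KEY=' -- "$MC_KEY_FILE" | cut -d= -f2- | tr -d '\n\r')

if [[ -z "$API_KEY" ]]; then
  printf 'ERROR: no API_KEY= line found in %s\n' "$MC_KEY_FILE" >&2
  exit 1
fi

printf 'Pushing Clavitor and inou findings to Mission Control...\n\n'

# Fail fast: with a rejected key every task creation below would fail as well.
printf 'Testing API connection...\n'
# The key is handed to curl through a header file (process substitution)
# instead of argv, where `ps`/`/proc` would expose it; needs curl >= 7.55
# for `-H @file`. -S keeps curl's own error text visible via 2>&1 despite -s.
auth_test=$(curl -sS "$MC_URL/api/auth/me" \
  -H @<(printf 'x-api-key: %s\n' "$API_KEY") 2>&1)

if grep -q '"id":' <<<"$auth_test"; then
  printf ' ✓ Authentication working\n'
else
  # Non-JSON replies (connection errors, proxy pages) make jq fail; show them raw.
  reason=$(jq -r '.error // . // "unknown"' <<<"$auth_test" 2>/dev/null) || reason=$auth_test
  printf ' ✗ Auth failed: %.100s\n\n' "${reason:-unknown}" >&2
  exit 1
fi
printf '\n'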
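#######################################
# Create one Mission Control task via POST $MC_URL/api/tasks.
# Globals:   MC_URL (read), API_KEY (read)
# Arguments:
#   $1 - title
#   $2 - description; literal "\n" sequences are converted to newlines
#   $3 - priority string, forwarded as-is
#   $4 - comma-separated tags (empty items are dropped)
#   $5 - JSON object string stored as metadata ({} when it does not parse)
# Outputs:   progress lines on stdout, failures on stderr
# Returns:   0 when the API answered 200/201, 1 otherwise
#######################################
create_task() {
  local title=$1 desc=$2 priority=$3 tags=$4 meta=$5
  local body response http_code body_response task_id reason

  # Callers write descriptions with "\n" inside double quotes; jq --arg would
  # forward the two characters verbatim, so turn the sequence into a real
  # newline here (a no-op for descriptions that already contain newlines).
  desc=${desc//\\n/$'\n'}

  # Build the JSON body with jq so every field is properly escaped.
  body=$(jq -n \
    --arg title "$title" \
    --arg desc "$desc" \
    --arg priority "$priority" \
    --arg tags "$tags" \
    --arg meta "$meta" \
    '{
      title: $title,
      description: $desc,
      priority: $priority,
      status: "inbox",
      tags: ($tags | split(",") | map(select(length > 0))),
      metadata: ($meta | fromjson? // {})
    }') || {
    printf ' ✗ Could not build JSON body for: %s\n\n' "${title:0:50}" >&2
    return 1
  }

  printf 'Creating: %s...\n' "${title:0:50}"

  # The API key goes to curl as a header file (process substitution) and the
  # body on stdin, so neither the secret nor the payload sits on argv where
  # `ps`/`/proc` would expose them. Needs curl >= 7.55 for `-H @file`.
  # -S keeps curl's own error text visible via 2>&1 despite -s; -w appends
  # the HTTP status as a final line.
  response=$(curl -sS -w '\n%{http_code}' -X POST "$MC_URL/api/tasks" \
    -H @<(printf 'x-api-key: %s\n' "$API_KEY") \
    -H 'Content-Type: application/json' \
    --data-binary @- <<<"$body" 2>&1)

  http_code=$(tail -n1 <<<"$response")
  body_response=$(sed '$d' <<<"$response")

  if [[ "$http_code" == "201" || "$http_code" == "200" ]]; then
    task_id=$(jq -r '.task.id // .id // "unknown"' <<<"$body_response" 2>/dev/null) || task_id=unknown
    printf ' ✓ Created task ID: %s\n\n' "$task_id"
    return 0
  fi

  # Non-JSON replies (curl's own message, proxy error pages) make jq print
  # nothing; fall back to the raw text so the failure is still explained.
  reason=$(jq -r '.error // .message // . // "unknown error"' <<<"$body_response" 2>/dev/null) || reason=$body_response
  printf ' ✗ Failed (HTTP %s): %.100s\n\n' "$http_code" "${reason:-unknown error}" >&2
  return 1
}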
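# Task definitions, grouped by area. Descriptions use $'...' (ANSI-C quoting)
# so the \n escapes become real newlines before jq --arg sees them; inside
# plain double quotes the backslash and the n would be forwarded verbatim and
# the stored description would show a literal "\n".

# === inou SECURITY - CRITICAL ===

printf '=== inou SECURITY TASKS ===\n\n'

create_task \
  "[CRITICAL] Remove hardcoded auth backdoor code 250365" \
  $'Security scan found hardcoded verification code \'250365\' in api_mobile.go:128 allowing universal authentication bypass. This bypasses entire email verification security control.\n\nLocation: /repos/inou-portal/portal/api_mobile.go:127-128\n\nAction: Remove backdoor code immediately.' \
  "critical" \
  "inou,security,auth,backdoor" \
  '{"source": "shannon-scan-2026-02-14", "finding_id": "AUTH-VULN-01"}'

create_task \
  "[CRITICAL] Add rate limiting to auth endpoints" \
  $'All five authentication endpoints lack rate limiting:\n- POST /send-code\n- POST /verify\n- POST /api/v1/auth/send\n- POST /api/v1/auth/verify\n- POST /oauth/token\n\nNo CAPTCHA, account lockout, or failed attempt tracking. Enables brute-force attacks.\n\nAction: Implement rate limiting middleware in defense.go' \
  "critical" \
  "inou,security,auth,rate-limiting" \
  '{"source": "shannon-scan-2026-02-14"}'

create_task \
  "[HIGH] Fix session management vulnerabilities" \
  $'Multiple session flaws:\n1. Session identifiers never rotated on login (session fixation)\n2. Logout only clears client-side cookies without server-side invalidation\n3. Session tokens lack Cache-Control headers\n\nAction: Implement proper session lifecycle management.' \
  "high" \
  "inou,security,session" \
  '{"source": "shannon-scan-2026-02-14"}'

create_task \
  "[HIGH] XSS vulnerability in DICOM series display" \
  $'XSS found in series_desc rendering. JavaScript payload injection via DICOM metadata.\n\nAction: Implement HTML entity encoding in /api/series responses.' \
  "high" \
  "inou,security,xss,dicom" \
  '{"source": "shannon-scan-2026-02-14"}'

create_task \
  "[MEDIUM] Enforce HTTPS and add HSTS headers" \
  $'Application runs on HTTP without enforcing HTTPS at application layer. Missing HSTS headers.\n\nAction: Add HTTPS redirect middleware and HSTS headers.' \
  "medium" \
  "inou,security,https,hsts" \
  '{"source": "shannon-scan-2026-02-14"}'

# === inou BUGS ===

printf '=== inou BUG TASKS ===\n\n'

create_task \
  "[BUG] DICOM VR mismatch on Siemens MAGNETOM Sola MRIs" \
  $'DICOM parsing fails for Siemens MAGNETOM Sola with VR (Value Representation) mismatch errors.\n\nStatus: PARKED — needs attention when ready.\n\nNote: May be related to specific Siemens private tags or VR parsing.' \
  "medium" \
  "inou,bug,dicom,siemens" \
  '{"source": "working-context-2026-03-22"}'

create_task \
  "[BUG] LOINC matching not working in Labs" \
  $'Lab charts not showing properly. LOINC matching failing.\n\nRoot cause: Production DB has 0 entries with loinc in data JSON. Normalize() reports \'all entries already normalized\' because SearchKey2 is set.\n\nAction: Investigate LOINC data population in lab import pipeline.' \
  "medium" \
  "inou,bug,labs,loinc" \
  '{"source": "memory/2026-02-24.md"}'

create_task \
  "[CLEANUP] inou has 18 uncommitted files" \
  $'Repository has 18 uncommitted files (work in progress).\n\nAction: Review, commit, or stash changes. Ensure nothing critical is lost.' \
  "low" \
  "inou,git,cleanup" \
  '{"source": "working-context-2026-03-22"}'

# === Clavitor/vault1984 SECURITY ===

printf '=== Clavitor/vault1984 TASKS ===\n\n'

create_task \
  "[SECURITY] Port 8888 dev server exposed on all interfaces" \
  $'Clavitor design-system dev server (port 8888) running on 0.0.0.0 — all interfaces. Compiled and left running since Mar 22 morning.\n\nAction: Kill dev server when not actively developing. Or bind to localhost only.' \
  "high" \
  "clavitor,security,dev-server,vault1984" \
  '{"source": "security-scan-2026-03-22"}'

create_task \
  "[SECURITY] Verify VNC password on port 5900" \
  $'x11vnc running on port 5900 — all interfaces since Mar 18.\n\nStatus: Needs verification that password is set (was NO PASSWORD in earlier scan).\n\nAction: Verify password protection. Kill if not needed.' \
  "high" \
  "forge,security,vnc,vault1984" \
  '{"source": "security-scan-2026-03-22"}'

create_task \
  "[GIT] vault1984/Clavitor unpushed commits" \
  $'Repository has commits pending push to origin.\n\nAction: Review and push when ready.' \
  "low" \
  "clavitor,git,sync" \
  '{"source": "git-audit-2026-03-22"}'

# === INFRASTRUCTURE ===

printf '=== INFRASTRUCTURE TASKS ===\n\n'

create_task \
  "[BLOCKED] Hugo bot token needed" \
  $'Hugo (DJ Rosie PR agent) waiting for Discord bot token since Mar 17 (5+ days).\n\nAction: Johan to provide Discord bot token for Hugo.' \
  "medium" \
  "hugo,discord,blocked,rozie" \
  '{"source": "MEMORY.md", "since": "2026-03-17"}'

create_task \
  "[BLOCKED] Cloudflare Browser Rendering token invalid" \
  $'Cloudflare Browser Rendering API token is invalid/expired.\n\nAction: Get new token from dash.cloudflare.com and update config.' \
  "medium" \
  "cloudflare,token,blocked" \
  '{"source": "MEMORY.md"}'

create_task \
  "[BLOCKED] Create GitHub org 'clavitor'" \
  $'Need to create GitHub organization \'clavitor\' for project hosting.\n\nRequires token with admin:org scope.\n\nAction: Create org or provide token.' \
  "low" \
  "github,clavitor,org,blocked" \
  '{"source": "MEMORY.md"}'

create_task \
  "[MAINTENANCE] Kernel reboot pending (6.8.0-106)" \
  $'Kernel 6.8.0-106-generic installed (Mar 13) but not yet running.\n\nAction: Reboot at convenient time to apply updates.' \
  "low" \
  "forge,kernel,reboot" \
  '{"source": "MEMORY.md", "since": "2026-03-13"}'

printf '=== ALL TASKS CREATED ===\n'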