From 1f4152c894501e15a857714190f67e4a7c7a2c73 Mon Sep 17 00:00:00 2001 From: Timmy Date: Sat, 21 Mar 2026 19:59:52 +0000 Subject: [PATCH] storkit: create 361_story_remove_deprecated_manual_qa_front_matter_field --- ..._story_harden_docker_setup_for_security.md | 26 ------------------- ...deprecated_manual_qa_front_matter_field.md | 20 ++++++++++++++ 2 files changed, 20 insertions(+), 26 deletions(-) delete mode 100644 .storkit/work/1_backlog/359_story_harden_docker_setup_for_security.md create mode 100644 .storkit/work/1_backlog/361_story_remove_deprecated_manual_qa_front_matter_field.md diff --git a/.storkit/work/1_backlog/359_story_harden_docker_setup_for_security.md b/.storkit/work/1_backlog/359_story_harden_docker_setup_for_security.md deleted file mode 100644 index ba5dc6d..0000000 --- a/.storkit/work/1_backlog/359_story_harden_docker_setup_for_security.md +++ /dev/null @@ -1,26 +0,0 @@ ---- -name: "Harden Docker setup for security" ---- - -# Story 359: Harden Docker setup for security - -## User Story - -As a storkit operator, I want the Docker container to run with hardened security settings, so that a compromised agent or malicious codebase cannot escape the container or affect the host. - -## Acceptance Criteria - -- [ ] Container runs as a non-root user -- [ ] Root filesystem is read-only with only necessary paths writable (e.g. /tmp, cargo cache, claude state volumes) -- [ ] Linux capabilities dropped to minimum required (cap_drop: ALL, add back only what's needed) -- [ ] no-new-privileges flag is set -- [ ] Resource limits (CPU and memory) are configured in docker-compose.yml -- [ ] Outbound network access is restricted where possible -- [ ] ANTHROPIC_API_KEY is passed via Docker secrets or .env file, not hardcoded in compose -- [ ] Image passes a CVE scan with no critical vulnerabilities -- [ ] Port binding uses 127.0.0.1 instead of 0.0.0.0 (e.g. "127.0.0.1:3001:3001") so the web UI is not exposed on all interfaces -- [ ] Git identity is configured via explicit GIT_USER_NAME and GIT_USER_EMAIL env vars; container fails loudly on startup if either is missing (note: multi-user/distributed case where different users need different identities is out of scope and will require a different solution) - -## Out of Scope - -- TBD diff --git a/.storkit/work/1_backlog/361_story_remove_deprecated_manual_qa_front_matter_field.md b/.storkit/work/1_backlog/361_story_remove_deprecated_manual_qa_front_matter_field.md new file mode 100644 index 0000000..5013b6a --- /dev/null +++ b/.storkit/work/1_backlog/361_story_remove_deprecated_manual_qa_front_matter_field.md @@ -0,0 +1,20 @@ +--- +name: "Remove deprecated manual_qa front matter field" +--- + +# Story 361: Remove deprecated manual_qa front matter field + +## User Story + +As a developer, I want the deprecated manual_qa boolean field removed from the codebase, so that the front matter schema stays clean and doesn't accumulate legacy boolean flags alongside the more expressive qa: server|agent|human field that replaced it. + +## Acceptance Criteria + +- [ ] manual_qa field is removed from the FrontMatter and StoryMetadata structs in story_metadata.rs +- [ ] Legacy mapping from manual_qa: true → qa: human is removed +- [ ] Any existing story files using manual_qa are migrated to qa: human +- [ ] Codebase compiles cleanly with no references to manual_qa remaining + +## Out of Scope + +- TBD