Owner: Noor (Security & Logging Expert)
Duration: 2-3 days (independent, can run parallel to A & B)
Status: Ready to start
CRITICAL: Must be 100% complete before Phase 3 begins
Subtasks (Implementation Order)
Day 1
Days 2-3
Days 4-5
Success Criteria (GO/NO-GO Gate for Phase 3)
- ✅ CORS uses specific domains (not *)
- ✅ All student endpoints verify in database (returns 404 for invalid IDs)
- ✅ All admin endpoints use Depends(verify_admin)
- ✅ Telegram webhook verifies X-Telegram-Bot-Api-Secret-Token header
- ✅ Rate limiting active (100 req/min global, 10 hints/day per student)
- ✅ No secrets in logs (API keys/tokens/IDs all masked)
- ✅ All string inputs have max_length (prevent DOS)
- ✅ Query params have reasonable bounds (page≤1000, grade 6-8, limit≤100)
- ✅ No stack traces in error responses
- ✅ All unit + integration tests pass
- ✅ Code reviewed by Jodha
BLOCKING RELATIONSHIP
Phase 3 Practice Endpoints CANNOT START until this is 100% complete and approved.
This is the critical path blocker identified in PROJECT_PROGRESS.md.
References
- PHASE1_TASKS.md (Agent C, Section 3)
- SECURITY_ROADMAP_INTEGRATION.md (detailed vulnerability mapping)
- AGENT_CHECKLIST.md (Phase 1 Security Work)
- Depends on: PHASE1-B-1 (complete API)
- Blocks: Phase 3 initiation
Owner: Noor (Security & Logging Expert)
Duration: 2-3 days (independent, can run parallel to A & B)
Status: Ready to start
CRITICAL: Must be 100% complete before Phase 3 begins
Subtasks (Implementation Order)
Day 1
Days 2-3
Days 4-5
Success Criteria (GO/NO-GO Gate for Phase 3)
BLOCKING RELATIONSHIP
Phase 3 Practice Endpoints CANNOT START until this is 100% complete and approved.
This is the critical path blocker identified in PROJECT_PROGRESS.md.
References