KNEL/FetchApply
2
0
Fork 0
Code Pull Requests Actions Packages Releases 1 Activity
Files
84f3ca3b0e67c493485226bbe3ba581e8632ce58
FetchApply/ProjectDocs/claude-todo.md
ReachableCEO 83d5cf2f8d moved docs 
Switching to using vendored shell framework
moved SafeDownload to vendored shell framework repo
2025-07-14 12:17:29 -05:00

5.3 KiB
Raw Blame History

Claude TODO - TSYS FetchApply Automation Tasks

Purpose: Actionable items optimized for AI assistant implementation
Priority: Critical → High → Medium → Low

🚨 CRITICAL (Immediate Security Fixes)

RESOLVED: Secure Deployment Method

Previous Issue: curl | bash deployment method
Status: Fixed in README.md - now uses git clone + local script execution

RESOLVED: Replace HTTP URLs with HTTPS

Files modified:

  • ProjectCode/Dell/Server/omsa.sh - Converted 11 HTTP URLs to HTTPS (Ubuntu archive, Dell repo)
  • ProjectCode/legacy/prox7.sh - Converted 2 HTTP URLs to HTTPS (Proxmox downloads)
  • ProjectCode/Modules/RandD/sslStackFromSource.sh - Converted 3 HTTP URLs to HTTPS (Apache sources)

Status: All HTTP URLs in active scripts converted to HTTPS. Only remaining HTTP references are in comments and LibreNMS agent files (external dependencies).

TASK-002: Add Download Integrity Verification

Create new function in: Framework-Includes/VerifyDownload.sh Function to implement:

function verify_download() {
    local url="$1"
    local expected_hash="$2"
    local output_file="$3"
    
    curl -fsSL "$url" -o "$output_file"
    local actual_hash=$(sha256sum "$output_file" | cut -d' ' -f1)
    
    if [ "$actual_hash" != "$expected_hash" ]; then
        print_error "Hash verification failed for $output_file"
        rm -f "$output_file"
        return 1
    fi
    print_info "Download verified: $output_file"
}

TASK-003: Create Secure Deployment Script

Create: ProjectCode/SecureSetupNewSystem.sh Features to implement:

  • GPG signature verification
  • SHA256 checksum validation
  • HTTPS-only downloads
  • Rollback capability

🔶 HIGH (Security Enhancements)

TASK-004: Remove Hardcoded SSH Keys

Files to modify:

  • ProjectCode/ConfigFiles/SSH/AuthorizedKeys/root-ssh-authorized-keys
  • ProjectCode/ConfigFiles/SSH/AuthorizedKeys/localuser-ssh-authorized-keys
  • ProjectCode/Modules/Security/secharden-ssh.sh:31,40,51

Implementation approach:

  1. Create environment variable support: SSH_KEYS_URL or SSH_KEYS_VAULT_PATH
  2. Modify secharden-ssh.sh to fetch keys from secure source
  3. Add key validation before deployment

TASK-005: Add Secrets Management Framework

Create: Framework-Includes/SecretsManager.sh Functions to implement:

function get_secret() { }           # Retrieve secret from vault
function validate_secret() { }      # Validate secret format
function rotate_secret() { }        # Trigger secret rotation

TASK-006: Enhanced Preflight Checks

Modify: Framework-Includes/PreflightCheck.sh Add checks for:

  • Network connectivity to required hosts
  • Disk space requirements
  • Existing conflicting software
  • Required system capabilities

🔹 MEDIUM (Operational Improvements)

TASK-007: Add Configuration Backup

Create: Framework-Includes/ConfigBackup.sh Functions:

function backup_config() { }        # Create timestamped backup
function restore_config() { }       # Restore from backup
function list_backups() { }         # Show available backups

TASK-008: Implement State Tracking

Create: Framework-Includes/StateManager.sh Track:

  • Deployment progress
  • Module completion status
  • Rollback points
  • System changes made

TASK-009: Add Retry Logic

Enhance existing scripts with:

  • Configurable retry attempts for network operations
  • Exponential backoff for failed operations
  • Circuit breaker for repeatedly failing services

🔸 LOW (Quality of Life)

TASK-010: Enhanced Logging

Modify: Framework-Includes/Logging.sh Add:

  • Structured logging (JSON format option)
  • Log levels (DEBUG, INFO, WARN, ERROR)
  • Remote logging capability
  • Log rotation management

TASK-011: Progress Indicators

Add to: Framework-Includes/PrettyPrint.sh

function show_progress() { }        # Display progress bar
function update_status() { }        # Update current operation

TASK-012: Dry Run Mode

Add to: ProjectCode/SetupNewSystem.sh Implementation:

  • --dry-run flag support
  • Preview of changes without execution
  • Dependency analysis output

Implementation Order for Claude

Updated Priority After Security Fix (July 14, 2025):

  1. Start with TASK-001 (HTTPS enforcement - simple find/replace operations)
  2. Create framework functions (TASK-002, TASK-005, TASK-007)
  3. Enhance existing modules (TASK-004, TASK-006)
  4. Add operational features (TASK-008, TASK-009)
  5. Improve user experience (TASK-010, TASK-011, TASK-012)

Note: Major deployment security risk resolved - remaining tasks focus on hardening internal operations.

File Location Patterns

  • Framework components: Framework-Includes/*.sh
  • Security modules: ProjectCode/Modules/Security/*.sh
  • Configuration files: ProjectCode/ConfigFiles/*/
  • Main entry point: ProjectCode/SetupNewSystem.sh

Testing Strategy

For each task:

  1. Create backup of original files
  2. Implement changes incrementally
  3. Test with bash -n for syntax validation
  4. Verify functionality with controlled test runs
  5. Document changes made

Error Handling Requirements

All new functions must:

  • Use set -euo pipefail compatibility
  • Integrate with existing error handling framework
  • Log errors to $LOGFILENAME
  • Return appropriate exit codes
  • Clean up temporary files on failure