fix: correct stale documentation and enforce detekt in CI#3

Merged
CybotTM merged 4 commits into main from fix/audit-cleanup
Feb 25, 2026
@CybotTM CybotTM commented Feb 25, 2026

Summary

Comprehensive documentation audit and cleanup across the entire codebase, verified through 3 review cycles.

Changes

Crypto library references (Tink removed in SEC2-A-13):

  • Remove all Tink references from README.md, AGENTS.md, android/AGENTS.md, server/AGENTS.md
  • Update docs/protocol/encryption-spec.md: Android uses BouncyCastle + JCA, not Tink
  • Note: TinkCryptoManager.kt class name retained (historical, explained in code comment)

Authentication references (app uses Ed25519 challenge-response, not JWT/passwords):

  • Fix root AGENTS.md security section: challenge-response auth, not JWT/bcrypt
  • Fix server/AGENTS.md: replace KIDSYNC_JWT_SECRET with actual env vars, update util listing
  • Fix android/AGENTS.md: AuthInterceptor does session token auth, not JWT refresh
  • Rewrite docs/disaster-recovery.md: replace JWT Secret Rotation/TOTP sections with session invalidation and signing key compromise procedures
  • Fix docs/disaster-recovery.md Docker migration: remove stale JWT env vars
  • Fix docs/privacy-policy.md: replace email/password/bcrypt with Ed25519 keys and device IDs

Test count accuracy:

  • Update server test count from 44 to 456 (40 test classes) across AGENTS.md files
  • Update CONTRIBUTING.md test requirements

Configuration completeness:

  • Add 5 missing env vars to .env.example (limits, push token key, blob types)
  • Fix server origin default documentation

DEFERRED item tracking:

  • Add DEFERRED(INFRA-01) to Ktor XForwardedHeaders limitation in Application.kt
  • Add DEFERRED(INFRA-02) to Room migration placeholder in DatabaseModule.kt

CI enforcement:

  • Remove continue-on-error: true from server detekt step (maxIssues: 0 now enforced)

Files Changed (12)

  • README.md — Tink→BouncyCastle, remove stale JWT_SECRET reference
  • AGENTS.md — Tink→BouncyCastle, fix auth, update test counts
  • android/AGENTS.md — Tink→BouncyCastle+JCA, fix AuthInterceptor
  • server/AGENTS.md — Fix util listing, env vars, test suites (456 tests)
  • CONTRIBUTING.md — Update test count requirement
  • docs/protocol/encryption-spec.md — Fix Android library mapping
  • docs/disaster-recovery.md — Replace JWT/TOTP with session/key procedures
  • docs/privacy-policy.md — Replace password auth with keypair auth
  • .env.example — Add missing configuration variables
  • .github/workflows/ci.yml — Enforce server detekt (no continue-on-error)
  • server/.../Application.kt — Add DEFERRED(INFRA-01) tracking ID
  • android/.../DatabaseModule.kt — Add DEFERRED(INFRA-02) tracking ID

Review Cycles

  1. Cycle 1: Found missing .env.example vars, server origin discrepancy — fixed
  2. Cycle 2: Found CONTRIBUTING.md test count, missing DEFERRED tracking IDs — fixed
  3. Cycle 3: Found stale JWT env vars in disaster-recovery Docker migration, bcrypt/password references in privacy-policy — fixed

Test plan

  • All CI jobs pass (Server Tests, Android Build, Conformance Tests)
  • Server detekt enforces zero violations (no continue-on-error)
  • grep -r "TODO" server/src/main android/app/src/main returns nothing
  • grep -r "JWT\|TOTP\|bcrypt" *.md server/AGENTS.md android/AGENTS.md docs/disaster-recovery.md docs/privacy-policy.md returns nothing
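
The last test-plan check, written as a gate a CI step could call (an added example, not code from this repository; the function names and the sample files are constructed here). It searches for the same three terms and treats a grep match as the failure, since grep exits 0 on a match and 1 when nothing is found.

```shell
#!/usr/bin/env bash
# Added example: stale-reference gate for Markdown docs.
# Exit-code contract of stale_doc_hits (hypothetical helper):
#   0 = docs clean, 1 = stale references found, 2 = could not scan.

stale_doc_hits() {
  local dir="$1" hits rc
  # A missing path must not pass silently as "nothing found".
  if [ ! -d "$dir" ]; then
    echo "not a directory: $dir" >&2
    return 2
  fi
  # Same terms as the test plan. No -w: "_" counts as a word character,
  # so word matching would miss names such as KIDSYNC_JWT_SECRET.
  hits=$(grep -rnE --include='*.md' 'JWT|TOTP|bcrypt' "$dir") && rc=0 || rc=$?
  case "$rc" in
    0) printf '%s\n' "$hits"; return 1 ;;  # grep matched: gate fails
    1) return 0 ;;                         # grep found nothing: clean
    *) return 2 ;;                         # grep itself failed
  esac
}

# Constructed sample tree (not the project's files): one stale doc,
# one clean doc, and a source file that the Markdown-only scan skips.
make_fixture() {
  local d
  d=$(mktemp -d)
  printf 'Set KIDSYNC_JWT_SECRET before start.\n' > "$d/stale.md"
  printf 'Auth is Ed25519 challenge-response.\n' > "$d/clean.md"
  printf 'val h = bcrypt(pw)\n' > "$d/Old.kt"
  echo "$d"
}

# Demo run on the constructed fixture.
fixture=$(make_fixture)
stale_doc_hits "$fixture" || echo "gate status: $? (1 = stale references found)"
rm -rf "$fixture"
```
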

…est counts)

- Remove Tink references from README, AGENTS.md, android/AGENTS.md,
  and encryption-spec.md (Tink was removed in SEC2-A-13, app uses
  BouncyCastle + JCA)
- Fix AGENTS.md security section: challenge-response auth, not JWT/bcrypt
- Update server test count from 44 to 456 (40 test classes)
- Update server/AGENTS.md: fix util listing, env var table, test suites
- Fix disaster-recovery.md: replace JWT/TOTP sections with session
  invalidation and signing key compromise procedures
- Fix recovery flow description to match zero-knowledge architecture
- Remove continue-on-error from server detekt CI step (now maxIssues: 0)
…docs

- Add KIDSYNC_MAX_SNAPSHOTS_PER_BUCKET, KIDSYNC_MAX_DEVICES_PER_BUCKET,
  KIDSYNC_SNAPSHOT_RATE_LIMIT, KIDSYNC_ALLOWED_BLOB_CONTENT_TYPES, and
  KIDSYNC_PUSH_TOKEN_KEY to .env.example with descriptions
- Fix server/AGENTS.md: KIDSYNC_SERVER_ORIGIN default is api.kidsync.app,
  not (unset)

Review cycle 1 findings addressed.

- CONTRIBUTING.md: update server test count from 44+ to 456
- Application.kt: tag XForwardedHeaders limitation as DEFERRED(INFRA-01)
- DatabaseModule.kt: tag Room migration placeholder as DEFERRED(INFRA-02)

Review cycle 2 findings addressed.
…rivacy-policy

- disaster-recovery.md: replace stale KIDSYNC_JWT_SECRET/ISSUER/AUDIENCE
  docker env vars with KIDSYNC_SERVER_ORIGIN, update migration notes
- disaster-recovery.md: fix DNS cutover timing (60min session TTL, not 15min)
- privacy-policy.md: replace email/password/bcrypt account data with
  Ed25519 signing key, X25519 encryption key, and device ID

Review cycle 3 findings addressed.

@CybotTM CybotTM merged commit 597d338 into main Feb 25, 2026
4 checks passed
@CybotTM CybotTM deleted the fix/audit-cleanup branch February 25, 2026 11:34