SEC-C-01: Replace Neon PostgreSQL credentials (npg_Ssfy6HKO0cXI) with local
dev connection strings in all 19 appsettings.json files. Production credentials
must be injected via ConnectionStrings__DefaultConnection env var. Add
appsettings.Production.json and appsettings.Staging.json to .gitignore.
SEC-C-02: Add services/goodgo-mcp-server/.env to root .gitignore. Create
.env.example with safe placeholder values documenting required variables.
SEC-C-03: Wrap AddDeveloperSigningCredential() in env check — development only.
Non-development environments must provide X.509 certificate via
IdentityServer:SigningCertificatePath and IdentityServer:SigningCertificatePassword.
SEC-C-04: Remove 4 unauthenticated debug endpoints from StaffController:
GET debug/all, POST debug/seed, POST debug/update-userid, POST debug/update-merchant.
These endpoints allowed privilege escalation and data exfiltration without auth.
SEC-C-05: Removed endpoints containing SQL injection via string interpolation
(lines 307, 367 in StaffController). Also removed [AllowAnonymous] from
GET lookup endpoint — inherits class-level [Authorize].
BREAKING: debug/* endpoints are permanently removed. BFF lookup endpoint now
requires authentication.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Added new dependencies including clsx, lucide-react, recharts, and various Radix UI components to improve UI functionality.
- Upgraded Tailwind CSS to version 4.0.0 and updated configuration to utilize CSS variables for theming and responsive design.
- Introduced global styles and improved accessibility features in the layout and components.
- Removed outdated login page and refactored authentication store for better state management.
- Enhanced API service with additional authentication methods and improved error handling.
These changes aim to modernize the web applications and improve user experience through better design and functionality.
- Updated `.gitignore` to clarify environment variable handling.
- Enhanced `pnpm-lock.yaml` with new dependencies for Jest and Supertest, including type definitions.
- Improved bilingual documentation in `SKILL.md` files for better clarity on comment patterns and project rules.
- Refined `docker-compose.yml` for local development, adding detailed instructions and access points.
- Updated environment variable example in `env.local.example` for better guidance on configuration.
- Removed outdated architecture documentation from the service template.
- Enhanced Dockerfile for improved security and performance during builds.
- Added Swagger documentation setup in the service template for better API documentation.
- Improved error handling and logging middleware for enhanced debugging capabilities.
- Enhanced `README.md` with a quick start guide and detailed project structure.
- Updated `SETUP_GUIDE.md` by removing it as it was redundant.
- Improved `local-development.md` and `development.md` with clearer instructions for database migrations.
- Added bilingual comments in various scripts for better understanding and usability.
- Updated `.gitignore` to include specific build scripts while ignoring others.
- Enhanced `scripts` for database management, including backup and seeding functionalities with bilingual support.
