feat(api): AIN-179 launch hardening — public-audit cache + AIN-183 P0-1 #45
…-1 .claude untrack
Two safe pre-launch changes against the public surface of the api repo.
1. /v1/audit/public — explicit short-TTL Cache-Control.
Live probe at 2026-05-19 09:08 UTC showed the route running with no
Cache-Control header (cf-cache-status: DYNAMIC), meaning every hit lands
on the Railway origin. At steady state this is fine — top events are
~minutes old, no staleness exists — but the prompt CC dispatched against
this PR was diagnosed on an earlier transient; the underlying gap (no
explicit launch-time cache policy on a public endpoint advertised as a
live audit chain) is still real and worth closing before traffic spikes.
public, max-age=10, s-maxage=10, stale-while-revalidate=60 gives:
- 10s edge cache absorbs thundering-herd from Show HN / social
- 60s SWR keeps the page responsive during upstream blips
- advertised "live audit chain" lag stays ≤10s — well within
what a reasonable observer would call "live"
/v1/audit/{agent_id} is NOT touched — that route requires CurrentTenant
auth and is not a public surface.
2. AIN-183 P0-1 remediation for the api repo.
The 2026-05-19 11:59 commit on web/ (7bbb8a0) untracked .claude/CLAUDE.md
on the marketing repo but the equivalent fix was never applied here.
git ls-files .claude/ on this repo still returned .claude/CLAUDE.md —
leaking founder Workspace email, internal agent fleet topology
(Manwe/Namo/Aule/Tulkas), and brand v1.3 spec to anyone with read access
to the public github.com/ainfera-ai/api repo.
Fix is the same shape as the web/ fix:
- Drop the !.claude/CLAUDE.md / !.claude/SKILL.md / !.claude/AGENTS.md
whitelist lines from .gitignore. None of those three were ever needed
tracked in a public repo; the whitelist was defense-in-the-wrong-
direction.
- git rm --cached .claude/CLAUDE.md removes from HEAD index. The file
stays on disk so local Claude sessions in this checkout continue to
load it as session memory.
This commit only removes from HEAD; the file remains in git history and
the founder will need a force-push or BFG sweep to scrub from history.
That work is deferred to AIN-183 follow-up (PR F republish lane).
Discipline: #1 (production claim ≤10s lag matches reality), #3 (founder
PII off public surface), #11 (cache policy + advertised liveness align).
Closes: AIN-179 child (audit feed launch hardening), AIN-183 P0-1 api-side
AIN-179 🚀 Session 3.5 DELIVERY CHARTER — Close all Linear tickets by delivering, except payment + regulation lanes (Aule's canonical execution reference)
Severity: URGENT 🚀 — AULE'S CANONICAL EXECUTION CHARTER FOR THIS DELIVERY WAVE
Founder directive 2026-05-18 PM: "Patch now and close all linear tickets now by delivering except payment and regulation. Tell CC." This ticket is Aule's persistent reference. Read at every poll. Updates appear as comments.
What this means in one paragraph
Close every open Linear ticket by shipping it (PR merged + prod deploy verified + Tulkas re-probe passes), EXCEPT tickets in the payment lane (deferred to AIN-129 CDP unlock) or regulation lane (deferred to legal review). All other open tickets are in scope — bug fixes, Phase 0 epics, v6.1 docs, fleet agent legs, founder-decision-pending items get clear recommendations from Aule, and ghost-state cleanups.
DEFER lanes (do NOT touch)
Payment lane (gated by founder AIN-129 CDP signup ~10 min)
Plus: any new ticket that requires USDC/Stripe/Xendit/wallet-topup work. Flag and skip.
Regulation lane (gated by legal review)
No current tickets in this lane. Flag-and-skip if new ones surface during this delivery wave.
DELIVERY queue (SHIP ALL)
Already In Progress (Aule executing — 5 of 6 since 13:46–14:06 UTC)
Pending pickup (Backlog → In Progress when Aule reaches them)
Phase 0 epics (designed + locked, founder-gate-free)
In Review (close after merge — 8 tickets)
Founder-decision-pending (Aule writes recommendation, founder picks)
Ghost-state to verify clean
Aule's session-3 close claimed "AIN-87/88/89/90/124 closeouts filed." Verified:
If any of AIN-88/89/90/124 closeout comments recommend Done state transition, Aule moves them. If any recommend a decision, Aule files a comment summarizing for founder.
Execution sequencing (Aule's 6-PR ship plan)
Per AIN-154 comment + AIN-160 comment from 13:39 UTC:
After PR #1-4 land:
After PR #5 (Tulkas Phase 1):
After Phase 0 epics deliver (AIN-152/153/154/158/161):
Disciplines still gating Aule (do NOT relitigate)
Discipline #1 — No Done without proof
Curl + browser + test must all pass. No "PR merged" = "Done." Verify deploy with explicit curl against prod surface, browser smoke if UI-touching, all pre-commit gates green.
Discipline #6 corollary — Shared-infra config requires itemized auth
Even with this blanket "deliver all" directive, the following STILL require explicit per-change auth:
Canonical case this wave: AIN-178 Phase 1 Tulkas cron on Hetzner systemd. STOP and request Lock U before shipping.
Discipline #11 corollary — No catalog vs runtime drift
Bug 1 (AIN-173) IS this corollary in production. When fixing, also add catalog-runtime sync verification: any change to
Discipline #12 ESCALATE — Moat decisions stay founder-only
Even with deliver-all auth, the following are NOT in scope:
If a fix touches any of these, STOP and surface to founder before shipping.
Discipline #14 corollary — Secrets clipboard-only
Per INC-2026-05-18-001 + INC-2026-05-18-002. If any bug fix surfaces a secret value (env var, token, hash), DO NOT echo it in transcripts. Use
When-stuck #19 — STAGING canary before prod for catalog/threshold/router migrations
AIN-173 catalog fix is the canonical case for this wave. STAGING canary first, then prod. Verify Tulkas Battery #1 passes against STAGING before deploying to prod.
Communication protocol
When you ship a PR
Post a comment on this ticket (AIN-179) with:
When you hit a Discipline #6 or #12 wall
Post a comment on this ticket asking for itemized auth. Don't proceed.
When you find a NEW bug class (not regression of existing)
File a new child ticket under AIN-154 (router hardening) or AIN-160 (fleet tools), per the bug's surface. Add to delivery queue.
When a founder-decision ticket needs decision
Post a comment summarizing the decision + your recommendation. Stop on that ticket, continue with others.
Scope NOT in this charter (out of scope or already done)
Verification gate before declaring "all delivered"
This charter is closed (state → Done) when:
Founder authorization trail
Aule: start at PR #1 in the sequence. Update this ticket as you ship.
AIN-183 🟠 All-repos audit sweep — 14 repos × spec-vs-built + Discipline #3/#4/#11/#17 verification
Severity: 🟠 HIGH — comprehensive repo-level Discipline #1 + #17 audit
Filed 2026-05-18 PM after AIN-153 + AIN-158 spec-vs-built audit revealed Aule shipping less than spec'd then marking parents Done. Pattern requires systematic verification across ALL 14 repos in the
Founder directive: "Hard revert to In Progress and force the missing work. Also check all repos."
Scope
For each of the 14 repos in
14 repos to audit
Production-facing (Phase 1, urgent)
Agent-implementation (Phase 2)
Customer + tooling (Phase 3)
Audit deliverable per repo
For each repo, Aule produces a comment on this ticket with:
## Repo: ainfera-ai/<name>
### Spec match
- Stated purpose: <from README>
- Actual state: <from main branch traversal>
- Drift: <none / specifics>
### Recent Done tickets touching this repo
- AIN-XYZ — claimed: "..." → actual state: ✅ matches / ⚠️ partial / ❌ missing
### Production-vs-main drift
- Last deploy SHA: <sha>
- main HEAD: <sha>
- Drift: <none / files differ / etc>
### Grep results
- Founder PII: <count> matches → <files>
- Internal agent names in public: <count> matches → <files>
### Lock compliance
- D7-D37 references: <count>
- Discipline #6 corollary violations: <count>
### Recommendation
- ✅ Clean / ⚠️ Cleanup needed / 🔴 Active violation
### Tickets to file
- <list of child tickets needed if cleanup work surfaces>
Audit commands Aule runs per repo
cd ~/code/ainfera-ai/<repo>
git pull origin main
# Discipline #3 grep
rg -i "hizrian|izzy|raz|fibromyalgia|adhd|snowboard|julius baer|sommelier" \
--type-not lock \
--type-not log \
-l
# Internal agent naming in public surfaces
rg -i "manwe|yavanna|namo|aule|tulkas" \
src/ app/ public/ docs/ README.md \
--type-not lock \
-l
# Discipline #4 author override check (last 50 commits)
git log -50 --pretty=format:'%h %an <%ae>' | rg -v "Aule <aule@" | head -20
# Production-vs-main drift (for deployed repos)
gh api repos/ainfera-ai/<repo>/deployments --jq '.[0:3] | .[].sha'
# Compare against `git rev-parse main`
# Spec vs files
ls -la docs/
cat README.md | head -30
Acceptance gates
Out of scope
Connection
Founder authorization
Per "Hard revert to In Progress and force the missing work. Also check all repos" (2026-05-18 session 3.5 PM).
Summary
Two safe pre-launch changes against the public surface of the api repo, bundled because they share scope (security audit, P0 launch readiness) and ship into the same Railway deploy.
1. /v1/audit/public — explicit short-TTL cache
Live probe at 09:08 UTC showed cf-cache-status: DYNAMIC (no cache header set), meaning every public-feed hit lands on Railway origin. Fine at steady state — but the route is advertised as a "live audit chain" and we expect launch-day traffic from social/Show HN.
Setting Cache-Control: public, max-age=10, s-maxage=10, stale-while-revalidate=60:
/v1/audit/{agent_id} is auth-gated (CurrentTenant), not public, and is NOT touched.
2. AIN-183 P0-1 remediation for api repo
The web/ side of P0-1 was fixed by 7bbb8a0 on 2026-05-19. The api/ side was missed:
git ls-files .claude/ still returned .claude/CLAUDE.md, leaking founder Workspace email + internal agent fleet topology to anyone with read access to github.com/ainfera-ai/api.
Same fix shape as web/:
- !.claude/CLAUDE.md / SKILL.md / AGENTS.md whitelist from .gitignore
- git rm --cached .claude/CLAUDE.md removes from HEAD index. File stays on disk for local sessions.
The file remains in git history. Force-push / BFG sweep is deferred to AIN-183 PR F republish lane.
Test plan
- curl -sI https://api.ainfera.ai/v1/audit/public shows cache-control: public, max-age=10, s-maxage=10, stale-while-revalidate=60
- curl hits within 10s return identical top event_id (edge cache hit)
- gh api repos/ainfera-ai/api/contents/.claude/CLAUDE.md --jq . returns 404 on main post-merge
- .claude/CLAUDE.md still loads (untouched on disk)
Closes: AIN-179 audit-feed launch hardening child, AIN-183 P0-1 api-side
Discipline: #1, #3, #11
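
An added example, not part of this PR or the ainfera-ai repos: a shell check for the three states the untrack fix distinguishes (tracked in the index, re-included by a `!` whitelist line in .gitignore, still present in history). The function name `audit_path` and its output format are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not the PR's code. Reports, for one path in a checkout:
#   tracked          - is the path in the index (what `git ls-files` shows)?
#   ignored / rule   - which .gitignore pattern decides its fate; a rule that
#                      starts with "!" is a whitelist line that re-includes it
#   history_commits  - commits on any ref that touched the path; these still
#                      hold the content after `git rm --cached`
audit_path() {
  local repo="$1" path="$2" tracked=no ignored=no rule commits

  if [ -n "$(git -C "$repo" ls-files -- "$path")" ]; then
    tracked=yes
  fi

  # -v prints "<source>:<line>:<pattern><TAB><path>"; --no-index applies the
  # ignore rules even when the path is currently tracked.
  rule=$(git -C "$repo" check-ignore -v --no-index -- "$path" 2>/dev/null |
         cut -f1 | cut -d: -f3-)
  case "$rule" in
    '')   rule=none ;;
    '!'*) ;;                 # negated pattern: the path is NOT ignored
    *)    ignored=yes ;;
  esac

  commits=$(git -C "$repo" log --all --format=%H -- "$path" | wc -l | tr -d ' ')

  echo "tracked=$tracked ignored=$ignored rule=$rule history_commits=$commits"
}

# Usage: ./audit_path.sh <repo-dir> <path>
if [ "$#" -ge 2 ]; then
  audit_path "$1" "$2"
fi
```

A result of `tracked=no ignored=yes` with a non-zero `history_commits` is the state this PR leaves behind: the file is off HEAD but still retrievable from earlier commits until history is rewritten.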