forked from username/flaskpaste
docs: update project status for v1.2.0
This commit is contained in:
Username
136
ROADMAP.md
136
ROADMAP.md
@@ -2,12 +2,13 @@
|
||||
|
||||
## Current State
|
||||
|
||||
FlaskPaste v1.1.0 is deployed and feature-complete for its core mission: a secure, minimal pastebin API with zero-knowledge encryption support.
|
||||
FlaskPaste v1.2.0 is deployed with PKI integration and comprehensive security tooling.
|
||||
|
||||
**Implemented:**
|
||||
- Full REST API (CRUD operations)
|
||||
- Binary content support with magic-byte MIME detection
|
||||
- Client certificate authentication
|
||||
- Minimal PKI (CA generation, certificate issuance, revocation)
|
||||
- Content-hash deduplication (abuse prevention)
|
||||
- Proof-of-work spam prevention
|
||||
- Entropy enforcement (require encrypted uploads)
|
||||
@@ -15,116 +16,102 @@ FlaskPaste v1.1.0 is deployed and feature-complete for its core mission: a secur
|
||||
- URL prefix support for reverse proxy deployments
|
||||
- /client endpoint for CLI distribution
|
||||
- Automatic paste expiry
|
||||
- Burn-after-read pastes
|
||||
- Custom expiry per paste
|
||||
- Security headers and request tracing
|
||||
- Container deployment support
|
||||
- Comprehensive test suite (98 tests)
|
||||
- Security tooling (ruff, bandit, mypy, pip-audit)
|
||||
- CI/CD pipeline with lint, security, and test jobs
|
||||
- Comprehensive test suite (147 tests)
|
||||
|
||||
## Phase 1: Hardening (Complete)
|
||||
|
||||
Focus: Production readiness and operational excellence.
|
||||
|
||||
```
|
||||
┌───┬─────────────────────────────────────┬────────────────────────────────────┐
|
||||
│ # │ Milestone │ Status
|
||||
├───┼─────────────────────────────────────┼────────────────────────────────────┤
|
||||
│ 1 │ Abuse prevention (dedup) │ Done
|
||||
│ 2 │ Security headers complete │ Done
|
||||
│ 3 │ Request tracing (X-Request-ID) │ Done
|
||||
│ 4 │ Proxy trust validation │ Done
|
||||
│ 5 │ Proof-of-work spam prevention │ Done
|
||||
│ 6 │ Entropy enforcement │ Done
|
||||
│ 7 │ Test coverage > 90% │ Done (98 tests)
|
||||
│ 8 │ Documentation complete │ Done
|
||||
└───┴─────────────────────────────────────┴────────────────────────────────────┘
|
||||
┌───┬─────────────────────────────────┬────────────────────────────────────┐
|
||||
│ # │ Milestone │ Status
|
||||
├───┼─────────────────────────────────┼────────────────────────────────────┤
|
||||
│ 1 │ Abuse prevention (dedup) │ Done
|
||||
│ 2 │ Security headers complete │ Done
|
||||
│ 3 │ Request tracing (X-Request-ID) │ Done
|
||||
│ 4 │ Proxy trust validation │ Done
|
||||
│ 5 │ Proof-of-work spam prevention │ Done
|
||||
│ 6 │ Entropy enforcement │ Done
|
||||
│ 7 │ Test coverage > 90% │ Done (147 tests)
|
||||
│ 8 │ Documentation complete │ Done
|
||||
└───┴─────────────────────────────────┴────────────────────────────────────┘
|
||||
```
|
||||
|
||||
## Phase 2: Operations
|
||||
## Phase 2: Operations (Complete)
|
||||
|
||||
Focus: Deployment, monitoring, and maintenance tooling.
|
||||
|
||||
```
|
||||
┌───┬─────────────────────────────────────┬────────────────────────────────────┐
|
||||
│ # │ Milestone │ Dependencies
|
||||
├───┼─────────────────────────────────────┼────────────────────────────────────┤
|
||||
│ 1 │ Prometheus metrics endpoint │ None
|
||||
│ 2 │ Structured JSON logging │ None
|
||||
│ 3 │ Admin API (stats, cleanup) │ Auth improvements
|
||||
│ 4 │ Ansible deployment role │ None
|
||||
│ 5 │ CI/CD pipeline │ Container registry access
|
||||
└───┴─────────────────────────────────────┴────────────────────────────────────┘
|
||||
┌───┬─────────────────────────────────┬────────────────────────────────────┐
|
||||
│ # │ Milestone │ Status
|
||||
├───┼─────────────────────────────────┼────────────────────────────────────┤
|
||||
│ 1 │ Prometheus metrics endpoint │ Done (prometheus-flask-exporter)
|
||||
│ 2 │ Structured JSON logging │ Done (production mode)
|
||||
│ 3 │ Security tooling (lint/scan) │ Done (ruff, bandit, mypy)
|
||||
│ 4 │ CI/CD pipeline │ Done (Gitea Actions)
|
||||
│ 5 │ Multi-stage Containerfile │ Done
|
||||
└───┴─────────────────────────────────┴────────────────────────────────────┘
|
||||
```
|
||||
|
||||
### Prometheus Metrics
|
||||
|
||||
Expose `/metrics` endpoint with:
|
||||
- `flaskpaste_pastes_total` (counter)
|
||||
- `flaskpaste_pastes_created` (counter)
|
||||
- `flaskpaste_pastes_deleted` (counter)
|
||||
- `flaskpaste_pastes_expired` (counter)
|
||||
- `flaskpaste_storage_bytes` (gauge)
|
||||
- `flaskpaste_request_duration_seconds` (histogram)
|
||||
|
||||
### Structured Logging
|
||||
|
||||
Replace text logs with JSON format:
|
||||
- Timestamp, level, message, request_id
|
||||
- Consistent field names across all log entries
|
||||
- Compatible with log aggregation (Loki, ELK)
|
||||
|
||||
## Phase 3: Features (Complete)
|
||||
|
||||
Focus: User-requested enhancements within scope.
|
||||
|
||||
```
|
||||
┌───┬─────────────────────────────────────┬────────────────────────────────────┐
|
||||
│ # │ Feature │ Status
|
||||
├───┼─────────────────────────────────────┼────────────────────────────────────┤
|
||||
│ 1 │ E2E encryption (client-side) │ Done (CLI -e flag, zero-knowledge)
|
||||
│ 2 │ URL prefix support │ Done
|
||||
│ 3 │ Custom expiry per paste │ Done (X-Expiry header)
|
||||
│ 4 │ Burn-after-read option │ Done (X-Burn-After-Read header)
|
||||
│ 5 │ Paste password protection │ Planned
|
||||
└───┴─────────────────────────────────────┴────────────────────────────────────┘
|
||||
┌───┬─────────────────────────────────┬────────────────────────────────────┐
|
||||
│ # │ Feature │ Status
|
||||
├───┼─────────────────────────────────┼────────────────────────────────────┤
|
||||
│ 1 │ E2E encryption (client-side) │ Done (CLI -e flag, zero-knowledge)
|
||||
│ 2 │ URL prefix support │ Done
|
||||
│ 3 │ Custom expiry per paste │ Done (X-Expiry header)
|
||||
│ 4 │ Burn-after-read option │ Done (X-Burn-After-Read header)
|
||||
│ 5 │ Minimal PKI (CA + issuance) │ Done
|
||||
└───┴─────────────────────────────────┴────────────────────────────────────┘
|
||||
```
|
||||
|
||||
### Burn-After-Read
|
||||
### PKI Features
|
||||
|
||||
Single-access pastes that delete after first retrieval:
|
||||
- `POST /` with `X-Burn-After-Read: true` header
|
||||
- Paste deleted after first `GET /<id>/raw`
|
||||
- Metadata `GET /<id>` does not trigger burn
|
||||
Integrated certificate authority for mTLS:
|
||||
- `POST /pki/ca` - Generate CA (first-run bootstrap)
|
||||
- `GET /pki/status` - CA status and fingerprint
|
||||
- `GET /pki/ca.crt` - Download CA certificate
|
||||
- `POST /pki/issue` - Issue client certificate
|
||||
- `POST /pki/revoke/<serial>` - Revoke certificate
|
||||
- CLI: `fpaste pki status`, `fpaste pki issue`, `fpaste pki revoke`
|
||||
|
||||
### Custom Expiry
|
||||
|
||||
Allow per-paste expiry override:
|
||||
- `POST /` with `X-Expiry: 3600` header (seconds)
|
||||
- Capped at server maximum (e.g., 30 days)
|
||||
- Default unchanged for pastes without header
|
||||
|
||||
## Phase 4: Ecosystem
|
||||
## Phase 4: Ecosystem (In Progress)
|
||||
|
||||
Focus: Integration with external systems.
|
||||
|
||||
```
|
||||
┌───┬─────────────────────────────────────┬────────────────────────────────────┐
|
||||
│ # │ Integration │ Status
|
||||
├───┼─────────────────────────────────────┼────────────────────────────────────┤
|
||||
│ 1 │ CLI client (fpaste) │ Done (with E2E encryption)
|
||||
│ 2 │ /client endpoint │ Done (downloadable CLI)
|
||||
│ 3 │ Neovim/Vim plugin │ Planned
|
||||
│ 4 │ Shell aliases/functions │ Planned
|
||||
│ 5 │ Webhook notifications │ Planned
|
||||
└───┴─────────────────────────────────────┴────────────────────────────────────┘
|
||||
┌───┬─────────────────────────────────┬────────────────────────────────────┐
|
||||
│ # │ Integration │ Status
|
||||
├───┼─────────────────────────────────┼────────────────────────────────────┤
|
||||
│ 1 │ CLI client (fpaste) │ Done (with E2E + PKI)
|
||||
│ 2 │ /client endpoint │ Done (downloadable CLI)
|
||||
│ 3 │ Ansible deployment role │ Planned
|
||||
│ 4 │ Kubernetes manifests │ Planned
|
||||
│ 5 │ Shell aliases/functions │ Planned
|
||||
└───┴─────────────────────────────────┴────────────────────────────────────┘
|
||||
```
|
||||
|
||||
### CLI Client (Complete)
|
||||
|
||||
Standalone Python CLI with encryption support:
|
||||
Standalone Python CLI with encryption and PKI support:
|
||||
- `fpaste create file.txt` - Create paste from file
|
||||
- `fpaste create -e file.txt` - Create encrypted paste (E2E)
|
||||
- `fpaste get <id>` - Get paste (auto-decrypts with URL fragment key)
|
||||
- `fpaste delete <id>` - Delete paste
|
||||
- `fpaste info` - Show server info
|
||||
- `fpaste pki status` - Show PKI status
|
||||
- `fpaste pki issue -n "name"` - Request client certificate
|
||||
- `fpaste pki revoke <serial>` - Revoke certificate
|
||||
- Config file for server URL and cert fingerprint
|
||||
- Downloadable via `curl https://server/client > fpaste`
|
||||
|
||||
@@ -154,6 +141,9 @@ These features will not be implemented:
|
||||
| 2024-12 | Burn-after-read | Single-use pastes for sensitive data
|
||||
| 2024-12 | Custom expiry | Per-paste TTL override
|
||||
| 2024-12 | Multi-stage Containerfile | Smaller production images
|
||||
| 2024-12 | Minimal PKI | Self-contained mTLS without external CA
|
||||
| 2024-12 | Security tooling (ruff/bandit) | Code quality and security scanning
|
||||
| 2024-12 | CI/CD with job dependencies | Tests wait for lint to pass
|
||||
|
||||
## Review Schedule
|
||||
|
||||
|
||||
Reference in New Issue
Block a user