username/flaskpaste
1
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: update for v1.4.0 features
Some checks failed
CI / Lint & Format (push) Successful in 16s
Details
CI / Security Scan (push) Failing after 19s
Details
CI / Tests (push) Failing after 35s
Details

Browse Source 
- Add anti-flood, rate limiting, scheduled cleanup to feature lists
- Update version to 1.4.0, test count to 205
- Document /pastes endpoint with query parameters
- Add anti-flood fields to /challenge response
- Update CLI docs with new commands (list, search, export)
- Add decision log entries for recent features
This commit is contained in:
Username
2025-12-20 21:36:09 +01:00
parent 98bc656c87
commit b47c26dd14
6 changed files with 129 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
ROADMAP.md
View File

@@ -2,7 +2,7 @@
## Current State
FlaskPaste v1.2.0 is deployed with PKI integration and comprehensive security tooling.
FlaskPaste v1.4.0 is deployed with comprehensive security hardening and abuse prevention.
**Implemented:**
- Full REST API (CRUD operations)
@@ -11,6 +11,8 @@ FlaskPaste v1.2.0 is deployed with PKI integration and comprehensive security to
- Minimal PKI (CA generation, certificate issuance, revocation)
- Content-hash deduplication (abuse prevention)
- Proof-of-work spam prevention
- Anti-flood system (dynamic PoW difficulty under load)
- IP-based rate limiting (configurable per-IP limits)
- Entropy enforcement (require encrypted uploads)
- E2E encryption in CLI (AES-256-GCM, key in URL fragment)
- URL prefix support for reverse proxy deployments
@@ -18,11 +20,13 @@ FlaskPaste v1.2.0 is deployed with PKI integration and comprehensive security to
- Automatic paste expiry
- Burn-after-read pastes
- Custom expiry per paste
- Scheduled cleanup (pastes, hashes, rate limits)
- Security headers and request tracing
- Container deployment support
- Security tooling (ruff, bandit, mypy, pip-audit)
- CI/CD pipeline with lint, security, and test jobs
- Comprehensive test suite (147 tests)
- CLI with list, search, update, export commands
- Comprehensive test suite (205 tests)
## Phase 1: Hardening (Complete)
@@ -38,7 +42,7 @@ Focus: Production readiness and operational excellence.
│ 4 │ Proxy trust validation │ Done
│ 5 │ Proof-of-work spam prevention │ Done
│ 6 │ Entropy enforcement │ Done
│ 7 │ Test coverage > 90% │ Done (147 tests)
│ 7 │ Test coverage > 90% │ Done (205 tests)
│ 8 │ Documentation complete │ Done
└───┴─────────────────────────────────┴────────────────────────────────────┘
```
@@ -67,14 +71,26 @@ Focus: User-requested enhancements within scope.
┌───┬─────────────────────────────────┬────────────────────────────────────┐
│ # │ Feature │ Status
├───┼─────────────────────────────────┼────────────────────────────────────┤
│ 1 │ E2E encryption (client-side) │ Done (CLI -e flag, zero-knowledge)
│ 1 │ E2E encryption (client-side) │ Done (CLI encrypts by default)
│ 2 │ URL prefix support │ Done
│ 3 │ Custom expiry per paste │ Done (X-Expiry header)
│ 4 │ Burn-after-read option │ Done (X-Burn-After-Read header)
│ 5 │ Minimal PKI (CA + issuance) │ Done
│ 6 │ Anti-flood (dynamic PoW) │ Done (v1.4.0)
│ 7 │ IP-based rate limiting │ Done (v1.4.0)
│ 8 │ Scheduled cleanup │ Done (v1.4.0)
└───┴─────────────────────────────────┴────────────────────────────────────┘
```
### Anti-Flood System (v1.4.0)
Dynamic proof-of-work difficulty that increases under abuse:
- Base difficulty: 20 bits (configurable)
- Threshold: 5 requests per 60s window triggers increase
- Step: +2 bits per threshold breach
- Maximum: 28 bits
- Decay: Returns to base after 60s of normal traffic
### PKI Features
Integrated certificate authority for mTLS:
@@ -103,15 +119,20 @@ Focus: Integration with external systems.
### CLI Client (Complete)
Standalone Python CLI with encryption and PKI support:
- `fpaste create file.txt` - Create paste from file
- `fpaste create -e file.txt` - Create encrypted paste (E2E)
Standalone Python CLI with encryption, PKI, and paste management:
- `fpaste file.txt` - Create encrypted paste (file path shortcut)
- `fpaste create -E file.txt` - Create unencrypted paste
- `fpaste get <id>` - Get paste (auto-decrypts with URL fragment key)
- `fpaste delete <id>` - Delete paste
- `fpaste info` - Show server info
- `fpaste info` - Show server info (includes PoW difficulty)
- `fpaste list` - List your pastes
- `fpaste search --type image/*` - Search pastes by type/date
- `fpaste update <id>` - Update paste content/metadata
- `fpaste export -o dir/` - Export all pastes to directory
- `fpaste pki status` - Show PKI status
- `fpaste pki issue -n "name"` - Request client certificate
- `fpaste pki revoke <serial>` - Revoke certificate
- Automatic retry on PoW failure (max 5 attempts)
- Config file for server URL and cert fingerprint
- Downloadable via `curl https://server/client > fpaste`
@@ -144,6 +165,11 @@ These features will not be implemented:
| 2024-12 | Minimal PKI | Self-contained mTLS without external CA
| 2024-12 | Security tooling (ruff/bandit) | Code quality and security scanning
| 2024-12 | CI/CD with job dependencies | Tests wait for lint to pass
| 2024-12 | Anti-flood dynamic PoW | Adaptive difficulty under attack
| 2024-12 | IP-based rate limiting | Per-IP request throttling
| 2024-12 | Scheduled cleanup (in-process) | No external cron needed
| 2024-12 | CLI encrypt-by-default | Security-first design
| 2024-12 | CLI retry on PoW failure | Graceful handling of stale tokens
## Review Schedule