Skip to content

Commit b84487a

Browse files
homoludenshomoludens
committed
code-review-fix 5.4 document rollout and rollback checkpoints
1 parent f993a08 commit b84487a

2 files changed

Lines changed: 37 additions & 1 deletion

File tree

README.md

Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -93,6 +93,42 @@ Run tests in Docker:
9393
docker compose exec app pytest
9494
```
9595

96+
## Rollout and Rollback Checkpoints (Route/Security Changes)
97+
98+
Use these checkpoints when deploying route-method and security-control changes.
99+
100+
### Rollout
101+
102+
1. Pre-deploy verification:
103+
```bash
104+
pytest tests/test_mark_mutation_security.py tests/test_stored_xss_regression.py tests/test_fetch_path_url_targets.py tests/test_config_and_import_status_isolation.py
105+
```
106+
2. Deploy and verify route-method hardening:
107+
- Confirm `GET /mark/delete/<id>` and `GET /mark/inc` return `405`.
108+
- Confirm UI delete/click flows still work via form/JS `POST` requests with CSRF token.
109+
3. Verify security controls:
110+
- Confirm stored HTML renders escaped/sanitized (no script execution).
111+
- Confirm private/loopback/link-local fetch targets are rejected.
112+
- Confirm production startup fails fast when required secrets are missing.
113+
4. Observe runtime after deploy:
114+
- Watch for spikes in `400` CSRF failures (could indicate stale clients/forms).
115+
- Watch for unexpected URL validation rejections on legitimate public links.
116+
117+
### Rollback
118+
119+
1. If route-method changes break clients:
120+
- Roll back the route-method/template commit(s) first (`/mark/delete`, `/mark/inc`), then redeploy.
121+
- Re-run `tests/test_mark_mutation_security.py` to confirm restored behavior.
122+
2. If security controls block legitimate behavior:
123+
- Roll back the specific control commit(s) (HTML sanitization, URL target validation, or config guard) instead of full rollback.
124+
- Re-run the matching regression tests before redeploying:
125+
```bash
126+
pytest tests/test_stored_xss_regression.py tests/test_fetch_path_url_targets.py tests/test_config_and_import_status_isolation.py
127+
```
128+
3. Post-rollback validation:
129+
- Smoke-test add/edit/delete/click flows in UI.
130+
- Confirm app startup and login succeed in the target environment.
131+
96132
## Docker Commands
97133

98134
```bash

openspec/changes/code-review-fix/tasks.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -34,4 +34,4 @@
3434
- [x] 5.1 Create a baseline pytest structure for auth, mark CRUD, import, and security regression suites. `Complexity: Middle`
3535
- [x] 5.2 Add CI/local test command updates so new regression suites are executable by default. `Complexity: Low`
3636
- [x] 5.3 Run the new/updated test suites and fix any discovered regressions. `Complexity: High`
37-
- [ ] 5.4 Document rollout and rollback checkpoints for route method changes and security controls. `Complexity: Low`
37+
- [x] 5.4 Document rollout and rollback checkpoints for route method changes and security controls. `Complexity: Low`

0 commit comments

Comments
 (0)