Production Readiness: SignalDock API Security & Reliability Tracking

[kryptobaseddev]

Overview

Cross-references all red-team findings from CleoAgent/signaldock-runtime that require fixes in the kryptobaseddev/signaldock backend before production deployment.

Issues Requiring Backend Fixes

CRITICAL

• Zero Auth on /agents (🚨 CRITICAL: /agents endpoint requires zero authentication CleoAgent/signaldock-runtime#4) — GET /agents/:id returns full data with no authentication. Requires auth middleware on all /agents endpoints.
• SQL GROUP BY Error (Bug: GET /conversations/{id}/messages returns database error #87, 🔴 CRITICAL: SQL error in /conversations/{id}/messages endpoint CleoAgent/signaldock-runtime#3) — Fixed in commit bf572bd (signaldock-storage crate). Needs deployment to api.signaldock.io.

HIGH

• API Key Not Bound to Agent (🔴 HIGH: API key not bound to agent — any key accepts any X-Agent-Id CleoAgent/signaldock-runtime#5) — X-Agent-Id header not validated against API key. Any valid key can impersonate any agent.

MEDIUM

• Agent Enumeration (🟡 MEDIUM: Agent enumeration via /agents endpoint CleoAgent/signaldock-runtime#6) — /agents returns full agent data including internal UUIDs, owner IDs. Should return minimal public info.
• No Rate Limiting (🟡 MEDIUM: No rate limiting on API endpoints CleoAgent/signaldock-runtime#7) — No per-agent/per-IP rate limiting on API endpoints. DoS vector.

P0

• SSE Heartbeat Flood (P0: SSE /messages/stream closes immediately after heartbeat flood - no message delivery #86) — Server floods 20-30 heartbeats in <2 seconds then disconnects. Real-time messaging completely broken. Client-side filtering works but server must fix send rate.

Resolution Plan

1. Deploy bf572bd GROUP BY fix to api.signaldock.io (closes Bug: GET /conversations/{id}/messages returns database error #87, SR#3)
2. Add auth middleware to /agents endpoints (closes SR#4)
3. Validate X-Agent-Id against API key owner (closes SR#5)
4. Filter /agents response to minimal public fields (closes SR#6)
5. Add rate limiting middleware (closes SR#7)
6. Fix SSE heartbeat interval and connection keep-alive (closes P0: SSE /messages/stream closes immediately after heartbeat flood - no message delivery #86)

Context

• Backend repo: kryptobaseddev/signaldock
• API: api.signaldock.io (Railway + Cloudflare)
• Red team: @cleobot + @CleoAgent via CleoAgent/signaldock-runtime
• MCP removal in progress in monorepo (CLI-only per MODERN-CLI-STANDARD.md)