# services Todos

_Synced from: /home/josie/development/personal/josiedot/health/services/todo.txt_
_Last sync: 2026-03-04T10:10:24.510Z_

## Active

### No Priority

## Features

### Data

- [ ] #23 - Crawler of trusted sites + LLM parser to populate data
- [ ] #33 - Add more generic meds for ;info and ;combo
- [ ] Annotations for cannabis strains to break down THC/CBD content

### Infrastructure

- [ ] #41 - Update compose.yml for local dev
- [ ] #44 - API client shard that can be imported by bots
- [ ] Decommission irc-ingestion (replaced by irc-bot)

### API

- [ ] Make general formatting and naming structure more consistent
- [ ] Improve performance

## Security Issues

### Critical (Fix Immediately)

| Issue | Location | Description |
|-------|----------|-------------|
| Default Credentials | core/src/router.cr:43-44 | Falls back to admin/admin if the env vars are not set |

### High Priority

| Issue | Location | Description |
|-------|----------|-------------|
| CSV Timestamp Manipulation | core/src/handlers/log_handler.cr | Import accepts any timestamp (year 1900, future dates) |
| CSV Formula Injection | core/src/csv_parser.cr | `=cmd` payloads are written unescaped and could execute in Excel when the CSV is exported |

### Medium Priority

| Issue | Location | Description |
|-------|----------|-------------|
| Timing Attack on Password | core/src/router.cr:221 | Uses `==` instead of a constant-time comparison |
| Overly Permissive CORS | core/src/router.cr:63 | `Access-Control-Allow-Origin: *` |
| Missing Security Headers | core/src/router.cr | No X-Frame-Options, CSP, or HSTS |
| Race Condition in Webhook Hash | discord-bot/src/webhook_server.cr:11 | No mutex on `@pending_requests` |

### Low Priority

| Issue | Location | Description |
|-------|----------|-------------|
| No TLS Config on HTTP Client | discord-bot/src/api_client.cr | No cert validation configured |
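The two CSV rows in the High Priority table (timestamp manipulation on import, formula injection on export) share one fix shape: reject out-of-range timestamps before storing a row, and neutralise formula prefixes when writing cells out. The following is an added example written for this page, not code from the services project; it is in Ruby rather than the project's Crystal because the two read almost alike. The column names (`timestamp`, `note`), the accepted time window and the skew tolerance are assumptions.

```ruby
require "csv"
require "time"

# Added example (Ruby standing in for Crystal); not the project's code.
# Column names, the timestamp floor and the skew tolerance are assumptions.

EARLIEST_ALLOWED = Time.utc(2000, 1, 1)   # assumed floor: no log predates the service
CLOCK_SKEW       = 5 * 60                  # seconds of future clock skew tolerated

# Leading characters that Excel/LibreOffice interpret as a formula or
# field-control prefix when a CSV cell is opened as a spreadsheet.
FORMULA_PREFIX = /\A[=+\-@\t\r]/

class CsvImportError < StandardError; end

# Parse and range-check an ISO-8601 timestamp from an imported row.
# Raises instead of silently accepting year-1900 or future dates.
def validate_timestamp(raw, now: Time.now.utc)
  t = Time.iso8601(raw.to_s.strip).utc
  if t < EARLIEST_ALLOWED
    raise CsvImportError, "timestamp #{raw.inspect} predates #{EARLIEST_ALLOWED.iso8601}"
  end
  raise CsvImportError, "timestamp #{raw.inspect} is in the future" if t > now + CLOCK_SKEW
  t
rescue ArgumentError => e
  raise CsvImportError, "unparseable timestamp #{raw.inspect}: #{e.message}"
end

# Import a CSV with `timestamp` and `note` columns. Returns an array of
# {timestamp:, note:} hashes; any bad row aborts the import instead of being stored.
def import_log_csv(text, now: Time.now.utc)
  CSV.parse(text, headers: true).map do |row|
    { timestamp: validate_timestamp(row["timestamp"], now: now), note: row["note"].to_s }
  end
end

# Neutralise a cell for export: a leading formula/control character gets a
# single-quote prefix so spreadsheets render the cell as text. Done at export
# rather than import so stored data stays faithful to what the user typed.
def neutralise_cell(value)
  s = value.to_s
  FORMULA_PREFIX.match?(s) ? "'" + s : s
end

def export_log_csv(rows)
  CSV.generate do |csv|
    csv << %w[timestamp note]
    rows.each { |r| csv << [r[:timestamp].iso8601, neutralise_cell(r[:note])] }
  end
end
```

Neutralising on export rather than on import means a note that legitimately starts with `-` or `+` is still stored as typed and only gains the quote in the spreadsheet-facing file; the CSV library's own quoting still handles commas and double quotes.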
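The Critical row (admin/admin fallback) and the Medium "Timing Attack on Password" row are both in the router's credential check, so they are shown together below with the weak form beside the fix. This is an added example for this page, not the project's code; it is in Ruby rather than the project's Crystal because the two read almost alike. The environment variable names `ADMIN_USER` and `ADMIN_PASSWORD` are assumptions.

```ruby
require "openssl"

# Added example (Ruby standing in for Crystal); not the project's code.
# The environment variable names are assumptions.

class ConfigError < StandardError; end

# Weak: silently falls back to admin/admin when the variables are unset,
# so a forgotten .env ships a known credential.
def weak_credentials(env)
  [env.fetch("ADMIN_USER", "admin"), env.fetch("ADMIN_PASSWORD", "admin")]
end

# Fixed: refuse to start without explicit, non-empty credentials, and refuse
# the well-known default even if someone sets it on purpose.
def load_credentials(env)
  user = env["ADMIN_USER"].to_s
  pass = env["ADMIN_PASSWORD"].to_s
  raise ConfigError, "ADMIN_USER and ADMIN_PASSWORD must be set" if user.empty? || pass.empty?
  if user == "admin" && pass == "admin"
    raise ConfigError, "refusing to run with the default admin/admin credentials"
  end
  [user, pass]
end

# Weak: String#== returns at the first differing byte, so the response time
# leaks how many leading bytes of the guess were right.
def weak_compare(a, b)
  a == b
end

# Fixed: hash both sides to a fixed length (so the length of the secret is not
# leaked either), then XOR every byte and OR the differences together. The loop
# does identical work whether the inputs differ at byte 0, byte 31, or not at all.
def secure_compare(a, b)
  da = OpenSSL::Digest::SHA256.digest(a.to_s)
  db = OpenSSL::Digest::SHA256.digest(b.to_s)
  diff = 0
  da.bytes.zip(db.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Check a login against the configured credentials. Both comparisons run
# unconditionally so a wrong username costs the same time as a wrong password.
def authenticate(env, user, pass)
  expected_user, expected_pass = load_credentials(env)
  user_ok = secure_compare(user, expected_user)
  pass_ok = secure_compare(pass, expected_pass)
  user_ok && pass_ok
end
```

Hashing before the XOR loop is the same approach `Rack::Utils.secure_compare` takes; where the two inputs are already known to be the same length, the digest step can be dropped and the byte loop applied directly.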