MQL5-Google-Onedrive/.jules/sentinel.md

Sentinel's Journal

2026-02-07 - Telegram Bot Authorization Bypass

Vulnerability: The Telegram Deployment Bot (scripts/telegram_deploy_bot.py) contained a "Fail Open" vulnerability where omitting the TELEGRAM_ALLOWED_USER_IDS environment variable resulted in granting access to all Telegram users instead of none. Learning: Security controls must default to deny (Fail Closed). Implicitly allowing access when configuration is missing creates silent vulnerabilities that are hard to detect until exploited. Prevention: Ensure all authorization checks explicitly return False or throw an exception if the access control list is empty or undefined. Never default to True in security-critical paths.

2026-02-13 - [Documentation] Cloudflare Nameservers and Domain Unification

• Updated Cloudflare nameservers to daisy.ns.cloudflare.com and rocco.ns.cloudflare.com.
• Unified domain name to lengkundee01.org across CNAME and PWA documentation.

2026-02-27 - [Code Quality] Secure Error Logging vs Printing

Vulnerability: The Web Dashboard (scripts/web_dashboard.py) was leaking raw exception strings to users (return f"Error: {e}", 500). While fixing this to return a generic error, the initial fix used print(e, file=sys.stderr). Learning: Using print to stderr for exceptions is insufficient for production debugging as it loses the stack trace, making root cause analysis difficult while still hiding details from users. Prevention: Always use logging.exception("Message") in except blocks. This automatically captures and logs the full stack trace securely to the server logs while allowing the application to return a sanitized, generic error message to the user.