david.delagneau/fidelity-ai-workspace
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update work items and daily logs for project fidelity

Browse Source 
- Updated work items with new statuses, notes, and dependencies:
  - `PDIAP-15838` moved to Done, draft PR remains unmerged.
  - `PDIAP-15836` status updated to backlog-ready, sequenced after `PDIAP-15838`.
  - `PDIAP-12284` reopened for UIKit removal, dependency for `PDIAP-15836`.
  - Added new backlog items: `PDIAP-11961`, `PDIAP-11962`, `PDIAP-11562`, `PDIAP-12226`, `PDIAP-12227`, `PDIAP-12228`.
- Completed `PDIAP-16167`, documented findings in Confluence.
- Created daily log for 2026-05-05 summarizing work item updates and backlog triage.
- Added diagnostic script for workspace analysis.
This commit is contained in:
David Delagneau
2026-05-05 15:54:45 -06:00
parent 63e784cc97
commit 2a234701c5
15 changed files with 443 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
project-knowledge/02-work-items/pdiap-11962.md Normal file
View File

@@ -0,0 +1,52 @@
---
type: work-item
project: fidelity
status: backlog-review
ticket: PDIAP-11962
title: "Closure of secret scanning alerts"
systems: [xflowsdk]
workstreams: [security, backlog-triage]
people: [jeff-dewitte]
related: [pdiap-11961]
updated: 2026-05-05
tags:
- work-item
- fidelity
- security
---
# PDIAP-11962 - Closure of secret scanning alerts
## Status
- Backlog item under review for future work.
- Earlier alert-closure process appears partially completed, but two Google API Key alerts remain open.
---
## Current Findings
- David found an October 9, 2025 email confirming the prior submission.
- Follow-up shows Matthew closed the earlier alerts/story on March 5, 2026.
- Two Google API Key alerts remain open and were not part of that closure.
- Those alerts appear tied to an old `MockPageViewWithHiddenToggle` commit from April 18, 2025, not newly introduced REST-story work.
- Google API Key rotation is not owned by David/XFlow directly; backend support or clarification may be needed if rotation/invalidating is required.
---
## Historical Slack Context
- October 2025 Slack context ties this story to `PDIAP-11573 - Remediate secret scanning alerts in XFlow iOS SDK`.
- The intended sequence was:
1. report inactive secrets through the SSDLC/AAVD process,
2. use `PDIAP-11961` to handle invalidation/rotation of still-active Google API keys,
3. use `PDIAP-11962` to close the GitHub alerts after `PDIAP-11961` is completed.
- Slack context from October 10, 2025 says inactive secrets were reported in `ESWR-35407`, `PDIAP-11961` was created for active-secret invalidation, and `PDIAP-11962` was created to manage alert closure after invalidation.
- Slack context from November 19, 2025 says the secret-remediation alerts were still present and none had been marked resolved at that time.
- Treat `PDIAP-11962` as the closure/follow-up story, not the rotation/invalidation story itself.
---
## Related Work
- `PDIAP-11961 - Remediation of Exposed Secrets in XFlow iOS SDK - Request for Rotation/Invalidation` is the related story for the remaining Google API Key alerts and is not assigned yet.