P0 hardening: delivery auth, trusted proxy IP extraction, root cleanup

[f1sherFM]

Summary

This PR includes the first implementation batch from code review issue #39.

Included changes

1. P0 security hardening

• Protect alert-delivery endpoints with API key auth:
  • /alerts/telegram/send
  • /alerts/check-current-and-deliver
  • /alerts/digest/daily-and-deliver
• Harden rate-limit client IP extraction:
  • trust X-Forwarded-For / X-Real-IP only when request comes from trusted proxy networks.

2. Root cleanup

• Removed unused root artifacts:
  • magnitogorsk_current.json
  • magnitogorsk_forecast.json
  • health_status.json
  • IMPLEMENTATION_SUMMARY.md
  • CRITICAL_FIXES.md
  • MEDIUM_LOW_PRIORITY_FIXES.md

Rollout notes (required env)

Set these env vars before enabling delivery endpoints in production:

• ALERTS_API_KEY (single key)
• or ALERTS_API_KEYS (comma-separated list of keys)
• RATE_LIMIT_TRUSTED_PROXIES (comma-separated IP/CIDR allowlist for proxy hops)

Examples:

export ALERTS_API_KEY="replace-with-strong-secret"
export RATE_LIMIT_TRUSTED_PROXIES="127.0.0.1,10.0.0.0/8,192.168.0.0/16"

export ALERTS_API_KEYS="k1,k2,k3"
export RATE_LIMIT_TRUSTED_PROXIES="172.16.0.0/12"

Behavior:

• If delivery auth keys are not configured, protected delivery endpoints return 503 (fail-closed).
• If key is missing/invalid, endpoint returns 401.

Validation

Executed targeted tests covering changed behavior:

python -m pytest -q tests/test_alert_telegram_api.py tests/test_daily_digest.py tests/test_medium_priority_fixes.py

All passed.

Closes #39 (partial).

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 150c0f78f9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Use /128 for standalone IPv6 trusted proxy entries

When RATE_LIMIT_TRUSTED_PROXIES contains a bare IPv6 address (for example 2001:db8::1), this branch appends /32, which expands that single host into a very large network (2001:db8::/32). In _is_trusted_proxy, any client from that range will then be treated as a trusted proxy, so attacker-controlled forwarded headers can be accepted and IP-based limiting can be bypassed in IPv6 deployments.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Honor ALERTS_API_KEYS in web digest delivery client

The backend auth dependency accepts either ALERTS_API_KEY or ALERTS_API_KEYS, but the web client only reads ALERTS_API_KEY here. If an environment is configured with only ALERTS_API_KEYS (which this change explicitly supports), /api/alerts/digest-deliver will send no auth header and the backend returns 401, breaking digest delivery from the web UI.

Useful? React with 👍 / 👎.