Josh Bruce Online

Security Review

Scope: static scan of repository files for sensitive data, security controls, and publicly accessible debug/admin content.

Red (High)

• Publicly embedded personal data in agent-worker-code.js (full name, date of birth, physical appearance, school details, scout role, Instagram handle) at agent-worker-code.js:130. This is sensitive PII exposed in a deployable worker.
• Open Firestore rules in hearts/firestore.rules:1 allow read/write to all documents for anyone.
• Open Firestore dev rules in authors/firestore-dev.rules:1 allow read/write to all documents for anyone if accidentally deployed.
• Private/discrete photo gallery is publicly accessible in secretgoonstash/index.html with 12 images in secretgoonstash/, and the docs explicitly frame it as private/discrete (secretgoonstash/secretgoonstash-docs.md:4). net/index.html:318 also labels it as a private photo collection, increasing discoverability.

Amber (Medium)

• Firebase API keys and database endpoints are embedded in client code and documentation across multiple projects. Keys are expected to be public, but any permissive rules would expose data or allow tampering. Files include: 2048/index.html, authors/authors-docs.md, authors/index.html, blockman/index.html, bong/bong-docs.md, bong/index.html, button/button-docs.md, button/cnfg.js, chaseopoly/chaseopoly-docs.md, chaseopoly/index.html, corner/assets/createLucideIcon-CL7w_XVi.js, doubletake/doubletake-docs.md, doubletake/index.html, hb/adminanalyticsdash.html, hb/fb7x9k2m.js, hb/hb-docs.md, hearts/HEARTS_DOCUMENTATION.md, hearts/index.html, ilearn/app.js, itemhunt/index.html, itemhunt/itemhunt-docs.md, place/index.html, place/place-docs.md, polytrack/README.md, polytrack/index.html, polytrack/polytrack-docs.md, polytrackbeta/index.html, pong/index.html, pong/pong-docs.md, rps/index.html, sirtet/index.html, sirtet/sirtet-docs.md, sirtet/sirtetCnfg.js, tetris/cnfg.js, waffle/dashboard.html, waffle/index.html.
• Client-side-only access control for admin analytics in hb/adminanalyticsdash.html:482 (AUTHORIZED_EMAIL check) with exposed email address; if backend rules are not strict, access can be bypassed.
• Worker endpoint allows any origin (Access-Control-Allow-Origin: *) and has no auth/rate limiting in agent-worker-code.js:3, enabling third-party usage of the OpenAI-backed endpoint.
• Publicly exposed contact or identity details: jb-agent.js:703 (email/socials and full name), hb/index.html:1620 (school email in mailto), .github/workflows/main.yml:41 (author email), mailgen/The Economist.html:1213 (third-party email addresses embedded in a template).
• “Secret” pages rely on obscurity and are enumerated in net/index.html:264 (e.g., secret/index.html), increasing discoverability.
• Debug/test pages are publicly accessible and may expose internal behaviors or unintended functionality: route/debug.html, route/test.html, route/test-canvas.html, sweeper/test-mines.html, sweeper/chunk-tests.html, sweeper/verify-game.html, sweeper/test-chording.html, apirequest/index.html, and the dev panel toggled by ?dev=1 in authors/index.html:1474.
• Public personal media likely intended for limited audiences is accessible in yeetster2023/ (photos/videos).

Notes

• This review is based on repo contents only; actual risk depends on deployed Firebase rules, hosting configuration, and whether these pages are linked from production navigation.