2026-04-15 - 2026-05-15
Overview
1 Pull request merged by 1 user
Merged
#59 security: bound Zod inputs, add SSE per-user cap and tRPC body limit (#51)
1 Pull request proposed by 1 user
Proposed
#60 security: reject common/weak passwords on every set-password path (#31)
48 Issues closed from 1 user
Closed
#51 Security [MEDIUM]: Systematic Zod .max() audit — 202 unbounded z.string() sites
Closed
#54 Security [MEDIUM]: Dispo workbook path unvalidated + image upload polyglot risk
Closed
#55 Security [MEDIUM]: Audit log fire-and-forget drops entries on DB load + no prompt-input audit
Closed
#56 Security [MEDIUM]: Password-policy client/server divergence + weak secret-entropy check
Closed
#50 Security [HIGH]: Docker + Compose — hardcoded dev password, env-var secrets, placeholder secrets baked in prod image
Closed
#57 Security [MEDIUM]: RBAC permissions cache 60 s — revocation propagates slowly across instances
Closed
#53 Security [MEDIUM]: AI-tool error messages leak Prisma schema details to LLM
Closed
#52 Security [MEDIUM]: Blueprint validator uses native RegExp — admin-set pattern enables ReDoS
Closed
#58 Security [MEDIUM]: Dependency CVEs — upgrade dompurify, vite/esbuild, brace-expansion
Closed
#46 Security [HIGH]: Pino logger has no redact paths — passwords/tokens logged cleartext
Closed
#43 Security [HIGH]: MFA TOTP replay-race + missing backup codes
Closed
#49 Security [HIGH]: SSRF guard misses IPv6 private ranges + webhook dispatcher lacks DNS-rebind protection
Closed
#48 Security [HIGH]: Resource.dynamicFields JSONB merge accepts attacker-controlled keys + unbounded metadata
Closed
#42 Security [HIGH]: E2E_TEST_MODE bypass must fail-fast in production
Closed
#45 Security [HIGH]: CSP wildcards (*.openai.com, *.azure.com), unsafe-inline styles, SVG routes skip CSP
Closed
#44 Security [HIGH]: API middleware default-allows /api/* — new routes inherit public access
Closed
#41 Security [HIGH]: Session/Cookie hardening — Secure flag, concurrent-session enforcement, JTI exposure
Closed
#40 Security [HIGH]: Login timing attack enables user-email enumeration
Closed
#36 Security [CRITICAL]: Unbounded password inputs enable Argon2 DoS
Closed
#37 Security [CRITICAL]: Rate-limiter only keys by email — IP-based brute-force and targeted lockout possible
Closed
#39 Security [HIGH]: Prompt-injection guard trivially bypassable (regex-only, no Unicode normalization)
Closed
#47 Security [HIGH]: Read-only proxy bypass via tRPC callers + missing $transaction/$queryRaw blocks
Closed
#38 Security [HIGH]: Assistant chat message content unbounded — AI cost/memory DoS
Closed
#27 CDP 35948515: HTML5
Closed
#33 CDP 35948520/Checkliste HTML5: 19 Web App Security Checks
Closed
#35 CDP 35948520/Checkliste ReactJs: 8 Web App Security Checks
Closed
#26 CDP 35948517: ReactJs
Closed
#30 CDP 35948516: NodeJS
Closed
#34 CDP 35948520/Checkliste Node.js: 4 Web App Security Checks
Closed
#29 CDP 35948518: Cloud
Closed
#32 CDP 35948520/Checkliste Cloud: 7 Web App Security Checks
Closed
#19 CDP 35948466: Enable Logging (app)
Closed
#15 CDP 35948454: Maintain System Administrator Log (app)
Closed
#14 CDP 35948458: Require Multi-Factor Authentication
Closed
#12 CDP 35948470: Segregation of Duty Access (app)
Closed
#13 CDP 35948455: Provide Role Related Access (app)
Closed
#9 CDP 35948452: Confirm Uniqueness of IDs and Passwords (app/AI)
Closed
#2 CDP 35948467: Application ID (app/AI)
Closed
#5 CDP 35948474: Environment Access (app)
Closed
#4 CDP 35948462: Confirm Business Continuity contractual requirements (app/AI)
Closed
#23 CDP 35948460: Firefighter ID Password Change (app)
Closed
#22 CDP 35948461: Business Need Approval (app)
Closed
#21 CDP 35948453: Firefighter Activity Logging (app)
Closed
#20 CDP 35948463: Mobilize subcontracting entities in CDP plan (app/AI)
Closed
#18 CDP 35948465: Establish Firefighter ID Activation Procedure (app)
Closed
#16 CDP 35948456: Require Reputable Courier for Third Party Transport (app/AI)
Closed
#11 CDP 35948457: Encrypt Transmission of Client Data via Mobile (app/AI)
Closed
#8 CDP 35948459: Log Chain of Custody (app/AI)
58 Issues created by 1 user
Opened
#3 CDP 35948468: Provide Written Notification (app)
Opened
#2 CDP 35948467: Application ID (app/AI)
Opened
#1 CDP Compliance Epic — alle Controls
Opened
#4 CDP 35948462: Confirm Business Continuity contractual requirements (app/AI)
Opened
#7 CDP 35948472: Maintain current application inventory (dev)
Opened
#5 CDP 35948474: Environment Access (app)
Opened
#8 CDP 35948459: Log Chain of Custody (app/AI)
Opened
#11 CDP 35948457: Encrypt Transmission of Client Data via Mobile (app/AI)
Opened
#9 CDP 35948452: Confirm Uniqueness of IDs and Passwords (app/AI)
Opened
#10 CDP 35948471: Deliver project specific CDP training (app/AI)
Opened
#6 CDP 35948473: Implement Patching Process (app/AI)
Opened
#12 CDP 35948470: Segregation of Duty Access (app)
Opened
#13 CDP 35948455: Provide Role Related Access (app)
Opened
#15 CDP 35948454: Maintain System Administrator Log (app)
Opened
#14 CDP 35948458: Require Multi-Factor Authentication
Opened
#16 CDP 35948456: Require Reputable Courier for Third Party Transport (app/AI)
Opened
#17 CDP 35948464: General
Opened
#20 CDP 35948463: Mobilize subcontracting entities in CDP plan (app/AI)
Opened
#19 CDP 35948466: Enable Logging (app)
Opened
#18 CDP 35948465: Establish Firefighter ID Activation Procedure (app)
Opened
#21 CDP 35948453: Firefighter Activity Logging (app)
Opened
#22 CDP 35948461: Business Need Approval (app)
Opened
#24 CDP 35948469: Designate SPOC for Sharing Information (app/AI)
Opened
#23 CDP 35948460: Firefighter ID Password Change (app)
Opened
#25 CDP 35948520: Web Application
Opened
#26 CDP 35948517: ReactJs
Opened
#29 CDP 35948518: Cloud
Opened
#28 CDP 35948519: Utilize a Secure DevOps environment supporting code scanning services
Opened
#27 CDP 35948515: HTML5
Opened
#30 CDP 35948516: NodeJS
Opened
#31 CDP 35948520/Checkliste General: 35 Web App Security Checks
Opened
#35 CDP 35948520/Checkliste ReactJs: 8 Web App Security Checks
Opened
#34 CDP 35948520/Checkliste Node.js: 4 Web App Security Checks
Opened
#32 CDP 35948520/Checkliste Cloud: 7 Web App Security Checks
Opened
#33 CDP 35948520/Checkliste HTML5: 19 Web App Security Checks
Opened
#38 Security [HIGH]: Assistant chat message content unbounded — AI cost/memory DoS
Opened
#40 Security [HIGH]: Login timing attack enables user-email enumeration
Opened
#37 Security [CRITICAL]: Rate-limiter only keys by email — IP-based brute-force and targeted lockout possible
Opened
#36 Security [CRITICAL]: Unbounded password inputs enable Argon2 DoS
Opened
#39 Security [HIGH]: Prompt-injection guard trivially bypassable (regex-only, no Unicode normalization)
Opened
#44 Security [HIGH]: API middleware default-allows /api/* — new routes inherit public access
Opened
#42 Security [HIGH]: E2E_TEST_MODE bypass must fail-fast in production
Opened
#41 Security [HIGH]: Session/Cookie hardening — Secure flag, concurrent-session enforcement, JTI exposure
Opened
#43 Security [HIGH]: MFA TOTP replay-race + missing backup codes
Opened
#45 Security [HIGH]: CSP wildcards (*.openai.com, *.azure.com), unsafe-inline styles, SVG routes skip CSP
Opened
#46 Security [HIGH]: Pino logger has no redact paths — passwords/tokens logged cleartext
Opened
#47 Security [HIGH]: Read-only proxy bypass via tRPC callers + missing $transaction/$queryRaw blocks
Opened
#49 Security [HIGH]: SSRF guard misses IPv6 private ranges + webhook dispatcher lacks DNS-rebind protection
Opened
#50 Security [HIGH]: Docker + Compose — hardcoded dev password, env-var secrets, placeholder secrets baked in prod image
Opened
#53 Security [MEDIUM]: AI-tool error messages leak Prisma schema details to LLM
Opened
#51 Security [MEDIUM]: Systematic Zod .max() audit — 202 unbounded z.string() sites
Opened
#48 Security [HIGH]: Resource.dynamicFields JSONB merge accepts attacker-controlled keys + unbounded metadata
Opened
#52 Security [MEDIUM]: Blueprint validator uses native RegExp — admin-set pattern enables ReDoS
Opened
#55 Security [MEDIUM]: Audit log fire-and-forget drops entries on DB load + no prompt-input audit
Opened
#56 Security [MEDIUM]: Password-policy client/server divergence + weak secret-entropy check
Opened
#54 Security [MEDIUM]: Dispo workbook path unvalidated + image upload polyglot risk
Opened
#57 Security [MEDIUM]: RBAC permissions cache 60 s — revocation propagates slowly across instances
Opened
#58 Security [MEDIUM]: Dependency CVEs — upgrade dompurify, vite/esbuild, brace-expansion