security: align client password policy with server, enforce AUTH_SECRET length + entropy (#56)

Client-side validators (reset-password, invite-accept, first-admin setup,
user-create modal) previously checked password.length < 8 while every
server-side Zod schema required .min(12). External API consumers (or a
confused browser UI) could get past the client check but fail at the tRPC
boundary — or worse, quietly under-enforce policy compared to what
admins expect.

Fix: introduce PASSWORD_MIN_LENGTH (12) and PASSWORD_MAX_LENGTH (128) in
@capakraken/shared and import them from every pre-submit client validator
and every server Zod schema. Single source of truth; drift becomes a
compile error rather than a security finding.

Also hardens the AUTH_SECRET runtime check: in addition to the existing
placeholder-blacklist, production startup now rejects secrets shorter
than 32 chars OR with Shannon entropy below 3.5 bits/char. That covers
low-entropy-but-long values like "aaaa..." (38 chars, entropy 0) which
would have passed the previous checks.

Documented the rotation process for AUTH_SECRET + POSTGRES_PASSWORD in
docs/security-architecture.md §3.

Verified:
- pnpm test:unit — 396 files / 1922 tests passed
- pnpm --filter @capakraken/web exec tsc --noEmit — clean
- pnpm --filter @capakraken/api exec tsc --noEmit — clean

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

packages/api/src/router/auth.ts

@@ -1,4 +1,9 @@
 import { randomBytes } from "node:crypto";
+import {
+  PASSWORD_MAX_LENGTH,
+  PASSWORD_MIN_LENGTH,
+  PASSWORD_POLICY_MESSAGE,
+} from "@capakraken/shared";
 import { TRPCError } from "@trpc/server";
 import { z } from "zod";
 import { createTRPCRouter, publicProcedure } from "../trpc.js";
@@ -78,7 +83,10 @@ export const authRouter = createTRPCRouter({
     .input(
       z.object({
         token: z.string().min(1),
-        password: z.string().min(12, "Password must be at least 12 characters.").max(128),
+        password: z
+          .string()
+          .min(PASSWORD_MIN_LENGTH, PASSWORD_POLICY_MESSAGE)
+          .max(PASSWORD_MAX_LENGTH),
       }),
     )
     .mutation(async ({ ctx, input }) => {

packages/api/src/router/invite.ts

@@ -2,6 +2,11 @@ import { randomBytes } from "node:crypto";
 import { TRPCError } from "@trpc/server";
 import { z } from "zod";
 import { SystemRole } from "@capakraken/db";
+import {
+  PASSWORD_MAX_LENGTH,
+  PASSWORD_MIN_LENGTH,
+  PASSWORD_POLICY_MESSAGE,
+} from "@capakraken/shared";
 import { createTRPCRouter, adminProcedure, publicProcedure } from "../trpc.js";
 import { getAppBaseUrl } from "../lib/app-base-url.js";
 import { sendEmail } from "../lib/email.js";
@@ -114,7 +119,10 @@ export const inviteRouter = createTRPCRouter({
     .input(
       z.object({
         token: z.string(),
-        password: z.string().min(12, "Password must be at least 12 characters.").max(128),
+        password: z
+          .string()
+          .min(PASSWORD_MIN_LENGTH, PASSWORD_POLICY_MESSAGE)
+          .max(PASSWORD_MAX_LENGTH),
       }),
     )
     .mutation(async ({ ctx, input }) => {

packages/api/src/router/user-procedure-support.ts

@@ -1,4 +1,9 @@
 import { Prisma } from "@capakraken/db";
+import {
+  PASSWORD_MAX_LENGTH,
+  PASSWORD_MIN_LENGTH,
+  PASSWORD_POLICY_MESSAGE,
+} from "@capakraken/shared";
 import { PermissionOverrides, SystemRole, resolvePermissions } from "@capakraken/shared/types";
 import { TRPCError } from "@trpc/server";
 import { z } from "zod";
@@ -11,12 +16,12 @@ export const CreateUserInputSchema = z.object({
   email: z.string().email(),
   name: z.string().min(1),
   systemRole: z.nativeEnum(SystemRole).default(SystemRole.USER),
-  password: z.string().min(12).max(128),
+  password: z.string().min(PASSWORD_MIN_LENGTH, PASSWORD_POLICY_MESSAGE).max(PASSWORD_MAX_LENGTH),
 });
 
 export const SetUserPasswordInputSchema = z.object({
   userId: z.string(),
-  password: z.string().min(12, "Password must be at least 12 characters").max(128),
+  password: z.string().min(PASSWORD_MIN_LENGTH, PASSWORD_POLICY_MESSAGE).max(PASSWORD_MAX_LENGTH),
 });
 
 export const UpdateUserRoleInputSchema = z.object({

packages/shared/src/constants/index.ts

@@ -25,7 +25,13 @@ export function averagePerWorkingDay(totalHours: number, workingDays: number): n
 }
 
 export const DAY_KEYS: readonly (keyof WeekdayAvailability)[] = [
-  "sunday", "monday", "tuesday", "wednesday", "thursday", "friday", "saturday",
+  "sunday",
+  "monday",
+  "tuesday",
+  "wednesday",
+  "thursday",
+  "friday",
+  "saturday",
 ] as const;
 
 export function normalizeCityName(cityName?: string | null): string | null {
@@ -51,6 +57,13 @@ export const BUDGET_WARNING_THRESHOLDS = {
 export const DEFAULT_WORKING_HOURS_PER_DAY = 8;
 export const DEFAULT_OPENAI_MODEL = "gpt-5.4";
 
+// Single source of truth for password policy. Server-side Zod schemas and
+// client-side pre-submit validators must both import these so divergence
+// (e.g. client allowing 8 chars when server requires 12) cannot recur.
+export const PASSWORD_MIN_LENGTH = 12;
+export const PASSWORD_MAX_LENGTH = 128;
+export const PASSWORD_POLICY_MESSAGE = `Password must be at least ${PASSWORD_MIN_LENGTH} characters.`;
+
 export const DEFAULT_AVAILABILITY = {
   monday: 8,
   tuesday: 8,
@@ -60,7 +73,7 @@ export const DEFAULT_AVAILABILITY = {
 } as const;
 
 export const VALUE_SCORE_WEIGHTS = {
-  SKILL_DEPTH: 0.30,
+  SKILL_DEPTH: 0.3,
   SKILL_BREADTH: 0.15,
   COST_EFFICIENCY: 0.25,
   CHARGEABILITY: 0.15,