security: close audit findings #19–#23 and harden Docker setup (#24)
#19 MFA QR code: render locally via qrcode package, remove external qrserver.com request
#20 Webhook SSRF: add ssrf-guard.ts with DNS-verified IP blocklist; enforce on create/update/test/dispatch
#21 /api/perf: fail-closed when CRON_SECRET missing; remove query-string token auth
#22 CSP: remove unsafe-eval and unsafe-inline from script-src in production builds
#23 Active session registry: forward jti into session object; validate against ActiveSession on every tRPC request
#24 Docker: add missing packages/application to Dockerfile.dev; fix pnpm-lock.yaml glob; run db:migrate:deploy on container start so a fresh checkout boots without manual steps

Also: fix pre-existing TS error in e2e/allocations.spec.ts (args.length literal type overlap)

Co-Authored-By: claude-flow <ruv@ruv.net>
@@ -63,6 +63,9 @@ services:
condition: service_healthy
volumes:
- .:/app
# Anonymous volumes mask the bind-mount for generated/installed artefacts.
# Docker seeds them from the image layer on first start; they persist across restarts.
# pnpm stores all packages in the root node_modules/.pnpm virtual store — one volume covers it all.
- /app/node_modules
- /app/apps/web/.next
profiles:
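Review bot: The new comment block ("Docker seeds them from the image layer on first start; they persist across restarts") should also state the consequence that matters for a security-focused change: Docker Compose keeps an anonymous volume from the previous container when it recreates the service, so a `/app/node_modules` seeded from an older image survives a rebuild after `pnpm-lock.yaml` changes (for example a dependency bumped to a patched version) until the volume is renewed with `docker compose up --renew-anon-volumes` (`-V`) or dropped with `docker compose down -v`. A one-line note next to `- /app/node_modules` saying when and how to renew the volume would save developers from running against stale dependencies while believing the lockfile fix took effect. Worth double-checking as well, given the "one volume covers it all" claim on the pnpm line: workspace packages normally get their own `node_modules` directories of symlinks into the root `.pnpm` store, and any such directory under `apps/` or `packages/` sits inside the `.:/app` bind mount rather than the anonymous volume, so confirm the dev container still resolves workspace imports with only the two volumes listed here.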