feat: AI security controls + PostgreSQL hardening (Week 1 Quick Wins)

AI Security (EGAI 4.3.1.3, 4.3.1.4, 4.1.3.1, IAAI 3.6.26): - AI Disclaimer banner in ChatPanel: "AI responses may be inaccurate" - "AI Generated" violet badge on: chat messages, AI summaries, project narratives, AI-generated cover images - HITL: system prompt now requires explicit user confirmation before any data mutation (strongly worded instruction) - Mutation tool audit logging: all 31 write tools logged with tool name, params, userId, userRole via Pino PostgreSQL Hardening (PG Standard V1.6): - Audit logging: log_connections, log_disconnections, log_statement=ddl, log_min_duration_statement=1000 in docker-compose - SUPERUSER removal script: scripts/harden-postgres.sh (NOSUPERUSER + minimal GRANT for app user) - Health check: pg_isready -U capakraken -d capakraken - Documentation: security-architecture.md Section 12 updated Controls closed: EGAI 4.1.3.1, 4.3.1.3, 4.3.1.4, PG 3.3, 3.5 Co-Authored-By: claude-flow <ruv@ruv.net>
2026-03-27 16:18:35 +01:00
parent 3f76211955
commit 1fc1e9f24c
11 changed files with 126 additions and 10 deletions
@@ -8,10 +8,17 @@ services:
      POSTGRES_DB: capakraken
      POSTGRES_USER: capakraken
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-changeme}
+    command: >
+      postgres
+      -c log_connections=on
+      -c log_disconnections=on
+      -c log_statement=ddl
+      -c log_line_prefix='%t [%p] %u@%d '
+      -c log_min_duration_statement=1000
    volumes:
      - capakraken_prod_pgdata:/var/lib/postgresql/data
    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U capakraken"]
+      test: ["CMD-SHELL", "pg_isready -U capakraken -d capakraken"]
      interval: 10s
      timeout: 5s
      retries: 5