feat: ACN Application Security Standard V7.30 compliance (19/23 items)
CRITICAL — Authentication & Access: - TOTP MFA: otpauth-based, QR setup UI, sign-in flow integration, admin disable override, /account/security self-service page - Session Timeouts: 8h absolute (maxAge), 30min idle (updateAge) - Failed Auth Logging: Pino warn for invalid password/user/totp, info for successful login, audit entries for all auth events - Concurrent Session Limit: ActiveSession model, oldest-kick strategy, max 3 per user (configurable in SystemSettings) CRITICAL — HTTP Security: - HSTS: max-age=31536000; includeSubDomains - CSP: script/style/img/font/connect-src with Gemini/OpenAI whitelist - X-XSS-Protection: 0 (CSP replaces legacy) - Auth page cache: no-store, no-cache, must-revalidate - Rate Limiting: 100/15min general API, 5/15min auth (Map-based) Data Protection: - XSS Sanitization: DOMPurify on comment bodies - autocomplete="new-password" on all password/secret fields - SameSite=Strict on all cookies (Credentials-only, no OAuth) - File Upload Magic Bytes validation (PNG/JPEG/WebP/GIF/BMP/TIFF) Logging & Monitoring: - Login/Logout audit entries (Auth entityType) - External API call logging with timing (OpenAI, Gemini) - Input validation failure logging at warn level - Concurrent session tracking in ActiveSession table Documentation: - docs/security-architecture.md (11 sections) - docs/sdlc.md (CI pipeline, security gates, incident response) - .gitea/PULL_REQUEST_TEMPLATE.md (security checklist) Schema: User.totpSecret/totpEnabled, SystemSettings.sessionMaxAge/ sessionIdleTimeout/maxConcurrentSessions, ActiveSession model Tests: 310 engine + 37 staffing pass. TypeScript clean. Co-Authored-By: claude-flow <ruv@ruv.net>
This commit is contained in:
@@ -8,7 +8,7 @@ import { calculateAllocation, checkDuplicateAssignment, countWorkingDays } from
|
||||
import { computeBudgetStatus } from "@capakraken/engine";
|
||||
import type { PermissionKey } from "@capakraken/shared";
|
||||
import { parseTaskAction } from "@capakraken/shared";
|
||||
import { createAiClient, createDalleClient, isAiConfigured, isDalleConfigured, parseAiError } from "../ai-client.js";
|
||||
import { createAiClient, createDalleClient, isAiConfigured, isDalleConfigured, loggedAiCall, parseAiError } from "../ai-client.js";
|
||||
import { getTaskAction } from "../lib/task-actions.js";
|
||||
import { fmtEur } from "../lib/format-utils.js";
|
||||
import { resolveRecipients } from "../lib/notification-targeting.js";
|
||||
@@ -5327,15 +5327,18 @@ const executors = {
|
||||
const maxTokens = settings!.aiMaxCompletionTokens ?? 300;
|
||||
const temperature = settings!.aiTemperature ?? 1;
|
||||
|
||||
const completion = await client.chat.completions.create({
|
||||
messages: [
|
||||
{ role: "system", content: "You are a project management analyst providing brief executive summaries. Be factual and action-oriented." },
|
||||
{ role: "user", content: prompt },
|
||||
],
|
||||
max_completion_tokens: maxTokens,
|
||||
model,
|
||||
...(temperature !== 1 ? { temperature } : {}),
|
||||
});
|
||||
const provider = settings!.aiProvider ?? "openai";
|
||||
const completion = await loggedAiCall(provider, model, prompt.length, () =>
|
||||
client.chat.completions.create({
|
||||
messages: [
|
||||
{ role: "system", content: "You are a project management analyst providing brief executive summaries. Be factual and action-oriented." },
|
||||
{ role: "user", content: prompt },
|
||||
],
|
||||
max_completion_tokens: maxTokens,
|
||||
model,
|
||||
...(temperature !== 1 ? { temperature } : {}),
|
||||
}),
|
||||
);
|
||||
const narrative = completion.choices[0]?.message?.content?.trim() ?? "";
|
||||
|
||||
if (!narrative) return { error: "AI returned an empty response." };
|
||||
|
||||
Reference in New Issue
Block a user