feat: ACN Application Security Standard V7.30 compliance (19/23 items)

CRITICAL — Authentication & Access: - TOTP MFA: otpauth-based, QR setup UI, sign-in flow integration, admin disable override, /account/security self-service page - Session Timeouts: 8h absolute (maxAge), 30min idle (updateAge) - Failed Auth Logging: Pino warn for invalid password/user/totp, info for successful login, audit entries for all auth events - Concurrent Session Limit: ActiveSession model, oldest-kick strategy, max 3 per user (configurable in SystemSettings) CRITICAL — HTTP Security: - HSTS: max-age=31536000; includeSubDomains - CSP: script/style/img/font/connect-src with Gemini/OpenAI whitelist - X-XSS-Protection: 0 (CSP replaces legacy) - Auth page cache: no-store, no-cache, must-revalidate - Rate Limiting: 100/15min general API, 5/15min auth (Map-based) Data Protection: - XSS Sanitization: DOMPurify on comment bodies - autocomplete="new-password" on all password/secret fields - SameSite=Strict on all cookies (Credentials-only, no OAuth) - File Upload Magic Bytes validation (PNG/JPEG/WebP/GIF/BMP/TIFF) Logging & Monitoring: - Login/Logout audit entries (Auth entityType) - External API call logging with timing (OpenAI, Gemini) - Input validation failure logging at warn level - Concurrent session tracking in ActiveSession table Documentation: - docs/security-architecture.md (11 sections) - docs/sdlc.md (CI pipeline, security gates, incident response) - .gitea/PULL_REQUEST_TEMPLATE.md (security checklist) Schema: User.totpSecret/totpEnabled, SystemSettings.sessionMaxAge/ sessionIdleTimeout/maxConcurrentSessions, ActiveSession model Tests: 310 engine + 37 staffing pass. TypeScript clean. Co-Authored-By: claude-flow <ruv@ruv.net>
2026-03-27 14:16:39 +01:00
parent 70ae830623
commit 9d43e4b113
31 changed files with 1337 additions and 107 deletions
@@ -7,7 +7,7 @@ import { z } from "zod";
 import { TRPCError } from "@trpc/server";
 import { resolvePermissions, type PermissionOverrides, type SystemRole } from "@capakraken/shared";
 import { createTRPCRouter, protectedProcedure } from "../trpc.js";
-import { createAiClient, isAiConfigured, parseAiError } from "../ai-client.js";
+import { createAiClient, isAiConfigured, loggedAiCall, parseAiError } from "../ai-client.js";
 import { TOOL_DEFINITIONS, executeTool, type ToolContext, type ToolAction } from "./assistant-tools.js";

 const MAX_TOOL_ITERATIONS = 8;
@@ -167,15 +167,19 @@ export const assistantRouter = createTRPCRouter({
      for (let i = 0; i < MAX_TOOL_ITERATIONS; i++) {
        // eslint-disable-next-line @typescript-eslint/no-explicit-any
        let response: any;
+        const provider = settings!.aiProvider ?? "openai";
+        const msgLen = openaiMessages.reduce((n, m) => n + (typeof m.content === "string" ? m.content.length : 0), 0);
        try {
-          response = await client.chat.completions.create({
-            model,
-            messages: openaiMessages,
-            // eslint-disable-next-line @typescript-eslint/no-explicit-any
-            tools: availableTools as any,
-            max_completion_tokens: maxTokens,
-            temperature,
-          });
+          response = await loggedAiCall(provider, model, msgLen, () =>
+            client.chat.completions.create({
+              model,
+              messages: openaiMessages,
+              // eslint-disable-next-line @typescript-eslint/no-explicit-any
+              tools: availableTools as any,
+              max_completion_tokens: maxTokens,
+              temperature,
+            }),
+          );
        } catch (err) {
          throw new TRPCError({
            code: "INTERNAL_SERVER_ERROR",