- dispo workbook imports are pinned to DISPO_IMPORT_DIR (default ./imports):
tRPC input rejects absolute paths and .. segments, runtime reader
re-validates containment via path.relative. Closes a path-traversal
class that reached ExcelJS CVEs through admin/compromised tokens.
- image validator now checks the full 8-byte PNG magic, enforces PNG IEND
and JPEG EOI trailers, scans the decoded buffer for markup polyglot
markers (<script, <svg, <iframe, javascript:, onerror=, ...), and
explicitly rejects SVG. Provider-generated covers (DALL-E, Gemini) run
through the same validator before persistence — an untrusted upstream
cannot smuggle a stored-XSS payload past us.
- added image-validation.test.ts and tightened documentation.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- docker-compose.yml: require ${POSTGRES_PASSWORD} for the postgres service
and the app container's DATABASE_URL. No default — compose refuses to start
without it, mirroring the existing PGADMIN_PASSWORD pattern.
- Dockerfile.prod: move auth/db ENV assignments from persistent ENV lines into
an inline env prefix on the `pnpm build` RUN step. Placeholders are still
available to `next build` but no longer persist in the builder layer or in
the published migrator image (which is FROM builder).
- Dockerfile.dev: add HEALTHCHECK against /api/health and install curl for it.
- .dockerignore: cover nested **/.env*, **/*.pem, **/*.key, **/secrets/**.
- runtime-env.ts: add the CI build placeholder strings to the disallowed-secret
set so a misconfigured prod deploy using the baked-in ARG defaults fails
startup instead of silently running with a known-bad secret.
- .env.example: document the new POSTGRES_PASSWORD requirement.
- CI: write POSTGRES_PASSWORD into the Fresh-Linux Docker Deploy job's .env
(must match docker-compose.ci.yml's hardcoded DATABASE_URL), and provide a
dummy value in the E2E job where compose validates all services' interp.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Install husky v9 + lint-staged: pre-commit runs eslint --fix and prettier on staged files
- Tighten ESLint base config: no-console→error, ban-ts-comment (ts-ignore banned, ts-expect-error with description allowed), reportUnusedDisableDirectives→error
- Migrate web app from deprecated `next lint` to `eslint src/` with flat config and react-hooks plugin
- Convert all 5 @ts-ignore to @ts-expect-error with descriptions, remove stale disable comments
- Add NEXT_PUBLIC_SENTRY_DSN to docker-compose.prod.yml and .env.example
- Add coverage artifact upload step to CI test job
- Pre-existing violations (102 warnings) downgraded to warn in web config for Phase 2 cleanup
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Postgres and Redis ports now bind to 127.0.0.1 only, preventing exposure
to the network even if the host firewall has a gap
- Redis requires a password (REDIS_PASSWORD) via --requirepass; REDIS_URL in
app and migrator services updated to include the credential
- Redis healthcheck updated to pass -a flag so it still works with auth enabled
- REDIS_PASSWORD added to .env.example with generation hint
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replaces the minimal 17-line stub with a comprehensive, commented
reference covering all env vars: app/auth, database, Redis, SMTP,
pgAdmin, logging, security/cron, and testing flags. Each section
explains when the var is required and what values are expected.
Co-Authored-By: claude-flow <ruv@ruv.net>
Hartmut