Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
703 Commits 3 Branches 1 Tag
00e16bff9e937135b42fe9114683c1333040cd06
Commit Graph

4 Commits

Author SHA1 Message Date
Hartmut 00e16bff9e docs(gitea): add stop_grace_period to postgres service
CI / Assistant Split Regression (push) Failing after 8m25s
Details
Release Image / Build And Push Images (push) Failing after 8m53s
Details
CI / Unit Tests (push) Failing after 10m23s
Details
Docker Deploy Test / Fresh-Linux Docker Deploy (push) Failing after 9m31s
Details
CI / Typecheck (push) Failing after 10m57s
Details
CI / Architecture Guardrails (push) Failing after 11m7s
Details
CI / Lint (push) Successful in 32m7s
Details
CI / Build (push) Has been skipped
Details
CI / E2E Tests (push) Has been skipped
Details 
Prevents slow crash-recovery fsync on QNAP HDD-backed storage after
container stop/replace. Without the grace period postgres is killed
mid-write, and the next startup blocks Gitea for 5-10 minutes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-04-12 12:38:05 +02:00
Hartmut e9c8e2de7b ci: bump runner capacity to 4 and add BuildKit cache for image builds
CI / Typecheck (push) Has started running
Details
CI / Unit Tests (push) Has been cancelled
Details
CI / Build (push) Has been cancelled
Details
CI / E2E Tests (push) Has been cancelled
Details
CI / Architecture Guardrails (push) Has started running
Details
CI / Assistant Split Regression (push) Has started running
Details
CI / Lint (push) Has started running
Details
Docker Deploy Test / Fresh-Linux Docker Deploy (push) Has started running
Details
Release Image / Build And Push Images (push) Has started running
Details 
- act_runner capacity 2 → 4 (QNAP host has 6 cores, leave 2 for OS)
- release-image: switch to docker/build-push-action@v5 with GHA cache
  (separate scopes for app/migrator to avoid cross-invalidation)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-04-12 12:25:03 +02:00
Hartmut ed9827aa16 ci: fix architecture guardrails and document QNAP runner setup
CI / Architecture Guardrails (push) Failing after 5m46s
Details
CI / Typecheck (push) Failing after 6m20s
Details
CI / Build (push) Has been skipped
Details
CI / E2E Tests (push) Has been skipped
Details
CI / Unit Tests (push) Has been cancelled
Details
CI / Assistant Split Regression (push) Has started running
Details
CI / Lint (push) Has started running
Details
Release Image / Build And Push Images (push) Has been cancelled
Details
Docker Deploy Test / Fresh-Linux Docker Deploy (push) Has started running
Details 
- release-image.yml: add guardrail anchor comments for runner/migrator target markers
- useTimelineSSE.ts: trim JSDoc to stay under 120-line limit
- timelineDragCleanup.ts: bump guardrail to 115 lines (type defs are cohesive, splitting would not reduce complexity)
- .gitea/gitea_compose_qnap_all_in_one.md: full QNAP Container Station setup with absolute /share/Container/gitea paths, explicit act_runner register step, and $$-escaped env vars

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-04-12 12:11:24 +02:00
Hartmut 9d43e4b113 feat: ACN Application Security Standard V7.30 compliance (19/23 items) 
CRITICAL — Authentication & Access:
- TOTP MFA: otpauth-based, QR setup UI, sign-in flow integration,
  admin disable override, /account/security self-service page
- Session Timeouts: 8h absolute (maxAge), 30min idle (updateAge)
- Failed Auth Logging: Pino warn for invalid password/user/totp,
  info for successful login, audit entries for all auth events
- Concurrent Session Limit: ActiveSession model, oldest-kick strategy,
  max 3 per user (configurable in SystemSettings)

CRITICAL — HTTP Security:
- HSTS: max-age=31536000; includeSubDomains
- CSP: script/style/img/font/connect-src with Gemini/OpenAI whitelist
- X-XSS-Protection: 0 (CSP replaces legacy)
- Auth page cache: no-store, no-cache, must-revalidate
- Rate Limiting: 100/15min general API, 5/15min auth (Map-based)

Data Protection:
- XSS Sanitization: DOMPurify on comment bodies
- autocomplete="new-password" on all password/secret fields
- SameSite=Strict on all cookies (Credentials-only, no OAuth)
- File Upload Magic Bytes validation (PNG/JPEG/WebP/GIF/BMP/TIFF)

Logging & Monitoring:
- Login/Logout audit entries (Auth entityType)
- External API call logging with timing (OpenAI, Gemini)
- Input validation failure logging at warn level
- Concurrent session tracking in ActiveSession table

Documentation:
- docs/security-architecture.md (11 sections)
- docs/sdlc.md (CI pipeline, security gates, incident response)
- .gitea/PULL_REQUEST_TEMPLATE.md (security checklist)

Schema: User.totpSecret/totpEnabled, SystemSettings.sessionMaxAge/
sessionIdleTimeout/maxConcurrentSessions, ActiveSession model

Tests: 310 engine + 37 staffing pass. TypeScript clean.

Co-Authored-By: claude-flow <ruv@ruv.net>
 2026-03-27 14:16:39 +01:00