Hartmut
20fb39fd05
fix(security): harden production Docker — bind DB/Redis to localhost, add Redis auth
...
- Postgres and Redis ports now bind to 127.0.0.1 only, preventing exposure
to the network even if the host firewall has a gap
- Redis requires a password (REDIS_PASSWORD) via --requirepass; REDIS_URL in
app and migrator services updated to include the credential
- Redis healthcheck updated to pass -a flag so it still works with auth enabled
- REDIS_PASSWORD added to .env.example with generation hint
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-04-09 21:41:15 +02:00
Hartmut
7bcc831b5c
refactor(ops): standardize image-based production delivery
2026-03-30 23:35:29 +02:00
Hartmut
4f48afe7b4
feat(planning): ship holiday-aware planning and assistant upgrades
2026-03-28 22:49:28 +01:00
Hartmut
1fc1e9f24c
feat: AI security controls + PostgreSQL hardening (Week 1 Quick Wins)
...
AI Security (EGAI 4.3.1.3, 4.3.1.4, 4.1.3.1, IAAI 3.6.26):
- AI Disclaimer banner in ChatPanel: "AI responses may be inaccurate"
- "AI Generated" violet badge on: chat messages, AI summaries,
project narratives, AI-generated cover images
- HITL: system prompt now requires explicit user confirmation
before any data mutation (strongly worded instruction)
- Mutation tool audit logging: all 31 write tools logged with
tool name, params, userId, userRole via Pino
PostgreSQL Hardening (PG Standard V1.6):
- Audit logging: log_connections, log_disconnections, log_statement=ddl,
log_min_duration_statement=1000 in docker-compose
- SUPERUSER removal script: scripts/harden-postgres.sh
(NOSUPERUSER + minimal GRANT for app user)
- Health check: pg_isready -U capakraken -d capakraken
- Documentation: security-architecture.md Section 12 updated
Controls closed: EGAI 4.1.3.1, 4.3.1.3, 4.3.1.4, PG 3.3, 3.5
Co-Authored-By: claude-flow <ruv@ruv.net >
2026-03-27 16:18:35 +01:00
Hartmut
cd78f72f33
chore: full technical rename planarchy → capakraken
...
Complete rename of all technical identifiers across the codebase:
Package names (11 packages):
- @planarchy/* → @capakraken/* in all package.json, tsconfig, imports
Import statements: 277 files, 548 occurrences replaced
Database & Docker:
- PostgreSQL user/db: planarchy → capakraken
- Docker volumes: planarchy_pgdata → capakraken_pgdata
- Connection strings updated in docker-compose, .env, CI
CI/CD:
- GitHub Actions workflow: all filter commands updated
- Test database credentials updated
Infrastructure:
- Redis channel: planarchy:sse → capakraken:sse
- Logger service name: planarchy-api → capakraken-api
- Anonymization seed updated
- Start/stop/restart scripts updated
Test data:
- Seed emails: @planarchy.dev → @capakraken.dev
- E2E test credentials: all 11 spec files updated
- Email defaults: @planarchy.app → @capakraken.app
- localStorage keys: planarchy_* → capakraken_*
Documentation: 30+ .md files updated
Verification:
- pnpm install: workspace resolution works
- TypeScript: only pre-existing TS2589 (no new errors)
- Engine: 310/310 tests pass
- Staffing: 37/37 tests pass
Co-Authored-By: claude-flow <ruv@ruv.net >
2026-03-27 13:18:09 +01:00
Hartmut
0d78fe1770
feat: Sprint 0 — CI/CD pipeline, production Docker, health checks
...
CI Pipeline (.github/workflows/ci.yml):
- 5 jobs: typecheck, lint, test, build, e2e (parallel where possible)
- PostgreSQL 16 + Redis 7 service containers for test/e2e
- pnpm store, Turborepo, Playwright browser caching
- Concurrency groups cancel in-progress runs
Production Docker:
- Dockerfile.prod: 3-stage build (deps → build → runtime ~150MB)
- docker-compose.prod.yml: postgres + redis + app with health checks
- .dockerignore for fast builds
- next.config.ts: output: "standalone" for minimal runtime
Health Check Endpoints:
- GET /api/health — liveness probe (200 OK, no deps)
- GET /api/ready — readiness probe (postgres + redis connectivity)
Documentation:
- docs/ci-cd-manual.md — full pipeline manual with troubleshooting
- plan.md — Product Owner strategic plan (bottlenecks, growth, automation)
Co-Authored-By: claude-flow <ruv@ruv.net >
2026-03-19 20:33:18 +01:00
Hartmut