 Hartmut
|
6dac993521
|
refactor(web): extract allocation drag finalize helpers
|
2026-04-01 09:57:29 +02:00 |
|
|
Hartmut
|
54c6cf2e2d
|
refactor(web): extract optimistic timeline reconciliation
|
2026-04-01 09:53:40 +02:00 |
|
|
Hartmut
|
848797b4d2
|
refactor(web): extract timeline range selection helpers
|
2026-04-01 09:51:18 +02:00 |
|
|
Hartmut
|
43f04d66c8
|
refactor(web): extract timeline multi-select helpers
|
2026-04-01 09:50:03 +02:00 |
|
|
Hartmut
|
3abb3bc865
|
refactor(web): extract timeline touch helpers
|
2026-04-01 09:48:04 +02:00 |
|
|
Hartmut
|
5e8babd1e6
|
test(web): cover timeline live preview render edges
|
2026-04-01 09:41:43 +02:00 |
|
|
Hartmut
|
5011d071b8
|
refactor(web): extract timeline live preview helpers
|
2026-04-01 09:40:07 +02:00 |
|
|
Hartmut
|
2855567456
|
test(web): cover timeline project row layout
|
2026-04-01 09:29:43 +02:00 |
|
|
Hartmut
|
85744d1879
|
test(web): cover timeline render helper edges
|
2026-04-01 09:26:44 +02:00 |
|
|
Hartmut
|
1f71b345ee
|
test(web): cover allocation visual state helpers
|
2026-04-01 09:24:38 +02:00 |
|
|
Hartmut
|
f70ce9480d
|
test(web): cover timeline drag math guards
|
2026-04-01 09:23:45 +02:00 |
|
|
Hartmut
|
403d59ad73
|
fix(web): stabilize timeline hover date matching
|
2026-04-01 09:15:24 +02:00 |
|
|
Hartmut
|
71c4e61735
|
test(web): cover timeline sse edge paths
|
2026-04-01 09:10:45 +02:00 |
|
|
Hartmut
|
e75f69bcf5
|
refactor(web): extract timeline sse invalidation policy
|
2026-04-01 08:59:25 +02:00 |
|
|
Hartmut
|
4edf3a32ac
|
fix(web): keep segmented timeline allocations actionable
|
2026-04-01 08:54:15 +02:00 |
|
|
Hartmut
|
8c5be51251
|
feat(platform): checkpoint current implementation state
|
2026-04-01 07:42:03 +02:00 |
|
|
Hartmut
|
7908ab6d05
|
feat(web): strengthen report builder explainability
|
2026-03-31 23:07:36 +02:00 |
|
|
Hartmut
|
8cb34a1c9b
|
feat(web): expand chargeability export explainability
|
2026-03-31 23:06:39 +02:00 |
|
|
Hartmut
|
dfa289213c
|
refactor(web): share allocation workbook export helper
|
2026-03-31 23:06:21 +02:00 |
|
|
Hartmut
|
c3b3dffb6e
|
fix(web): harden timeline sse reconnect lifecycle
|
2026-03-31 23:06:07 +02:00 |
|
|
Hartmut
|
73ef3b2bba
|
test(web): align workbook export buffer typing
|
2026-03-31 23:06:00 +02:00 |
|
|
Hartmut
|
160ba99b5c
|
refactor(insights): share workbook export and ai defaults
|
2026-03-31 22:53:53 +02:00 |
|
|
Hartmut
|
05eeaab3f7
|
chore(settings): align default ai model handling
|
2026-03-31 22:52:29 +02:00 |
|
|
Hartmut
|
7ace137d16
|
feat(dashboard): tighten explainability detail views
|
2026-03-31 22:50:47 +02:00 |
|
|
Hartmut
|
db50e2e555
|
feat(import): harden workbook parser boundaries
|
2026-03-31 22:48:30 +02:00 |
|
|
Hartmut
|
a7362f17bd
|
refactor(config): enforce runtime auth secret policy
|
2026-03-30 23:40:00 +02:00 |
|
|
Hartmut
|
ef5e8016a4
|
refactor(api): add redis-backed rate limiting fallback
|
2026-03-30 23:23:56 +02:00 |
|
|
Hartmut
|
a36bca7ca7
|
refactor(admin): split system settings into section modules
|
2026-03-30 20:04:06 +02:00 |
|
|
Hartmut
|
a19d2cbae0
|
refactor(settings): adopt environment-only runtime secret flow
|
2026-03-30 19:55:06 +02:00 |
|
|
Hartmut
|
dd71e8f80b
|
fix(comment): align mention audience with entity visibility
|
2026-03-30 18:50:36 +02:00 |
|
|
Hartmut
|
be6be64e3d
|
test(web): cover timeline and estimate fallback flows
|
2026-03-30 14:37:10 +02:00 |
|
|
Hartmut
|
82466a4e34
|
fix(api): derive secure sse subscriptions
|
2026-03-30 14:20:18 +02:00 |
|
|
Hartmut
|
27b0e38b93
|
fix(web): portal remaining overlay menus
|
2026-03-30 14:20:05 +02:00 |
|
|
Hartmut
|
ea2efabd7f
|
fix(web): portal autocomplete overlays
|
2026-03-30 14:14:15 +02:00 |
|
|
Hartmut
|
f0bea6235d
|
fix(web): reuse project combobox in timeline popovers
|
2026-03-30 13:34:59 +02:00 |
|
|
Hartmut
|
9268a38df4
|
fix(web): restore comment typing and portal combobox menus
|
2026-03-30 13:32:51 +02:00 |
|
|
Hartmut
|
5b60cf5553
|
fix(web): portal skill tag suggestions
|
2026-03-30 13:29:28 +02:00 |
|
|
Hartmut
|
fcfe09ac1d
|
fix(web): open project demand strips in demand popover
|
2026-03-30 13:26:54 +02:00 |
|
|
Hartmut
|
5a345cd2e4
|
fix(web): portal timeline hover tooltips
|
2026-03-30 13:19:43 +02:00 |
|
|
Hartmut
|
e20bf64eef
|
fix(web): portal timeline overlays above stacked panels
|
2026-03-30 13:18:08 +02:00 |
|
|
Hartmut
|
93c4374973
|
feat(auth): introduce explicit planning read permission
|
2026-03-30 09:15:07 +02:00 |
|
|
Hartmut
|
f6daf21983
|
feat(import): harden untrusted spreadsheet boundaries
|
2026-03-30 08:02:52 +02:00 |
|
|
Hartmut
|
fac8c1c3a5
|
feat(sse): scope timeline events to affected audiences
|
2026-03-30 00:40:24 +02:00 |
|
|
Hartmut
|
819345acfa
|
feat(platform): harden access scoping and delivery baseline
|
2026-03-30 00:27:31 +02:00 |
|
|
Hartmut
|
47e4d701ff
|
chore(repo): checkpoint current capakraken implementation state
|
2026-03-29 12:47:12 +02:00 |
|
|
Hartmut
|
beae1a5d6e
|
feat(assistant): add approval inbox and e2e hardening
|
2026-03-29 10:10:59 +02:00 |
|
|
Hartmut
|
4f48afe7b4
|
feat(planning): ship holiday-aware planning and assistant upgrades
|
2026-03-28 22:49:28 +01:00 |
|
|
Hartmut
|
1fc1e9f24c
|
feat: AI security controls + PostgreSQL hardening (Week 1 Quick Wins)
AI Security (EGAI 4.3.1.3, 4.3.1.4, 4.1.3.1, IAAI 3.6.26):
- AI Disclaimer banner in ChatPanel: "AI responses may be inaccurate"
- "AI Generated" violet badge on: chat messages, AI summaries,
project narratives, AI-generated cover images
- HITL: system prompt now requires explicit user confirmation
before any data mutation (strongly worded instruction)
- Mutation tool audit logging: all 31 write tools logged with
tool name, params, userId, userRole via Pino
PostgreSQL Hardening (PG Standard V1.6):
- Audit logging: log_connections, log_disconnections, log_statement=ddl,
log_min_duration_statement=1000 in docker-compose
- SUPERUSER removal script: scripts/harden-postgres.sh
(NOSUPERUSER + minimal GRANT for app user)
- Health check: pg_isready -U capakraken -d capakraken
- Documentation: security-architecture.md Section 12 updated
Controls closed: EGAI 4.1.3.1, 4.3.1.3, 4.3.1.4, PG 3.3, 3.5
Co-Authored-By: claude-flow <ruv@ruv.net>
|
2026-03-27 16:18:35 +01:00 |
|
|
Hartmut
|
cd0c2fe3e2
|
feat: close 4 more security compliance gaps (46/63 OK, 73%)
Error-Page Headers (3.3.1.3.03 → OK):
- Cache-Control no-store on ALL routes (API, auth, catch-all)
Proactive Monitoring (3.2.1.04 → OK):
- /api/cron/health-check: DB + Redis check with latency, ADMIN alerts on failure
Security Scanning (3.2.2.7 → improved):
- /api/cron/security-audit: package version check against minimum safe versions
Server Hardening (3.3.1.4 → OK):
- docs/nginx-hardening.conf: complete template (rate limits, SSL, headers)
Database Security (3.3.3 → OK):
- docs/security-architecture.md Section 12: DB auth, isolation, SSL/audit recommendations
Compliance: 46 OK / 5 PARTIAL / 8 TODO / 4 N/A (was 42/9/8/4)
Co-Authored-By: claude-flow <ruv@ruv.net>
|
2026-03-27 15:43:44 +01:00 |
|
|
Hartmut
|
9d43e4b113
|
feat: ACN Application Security Standard V7.30 compliance (19/23 items)
CRITICAL — Authentication & Access:
- TOTP MFA: otpauth-based, QR setup UI, sign-in flow integration,
admin disable override, /account/security self-service page
- Session Timeouts: 8h absolute (maxAge), 30min idle (updateAge)
- Failed Auth Logging: Pino warn for invalid password/user/totp,
info for successful login, audit entries for all auth events
- Concurrent Session Limit: ActiveSession model, oldest-kick strategy,
max 3 per user (configurable in SystemSettings)
CRITICAL — HTTP Security:
- HSTS: max-age=31536000; includeSubDomains
- CSP: script/style/img/font/connect-src with Gemini/OpenAI whitelist
- X-XSS-Protection: 0 (CSP replaces legacy)
- Auth page cache: no-store, no-cache, must-revalidate
- Rate Limiting: 100/15min general API, 5/15min auth (Map-based)
Data Protection:
- XSS Sanitization: DOMPurify on comment bodies
- autocomplete="new-password" on all password/secret fields
- SameSite=Strict on all cookies (Credentials-only, no OAuth)
- File Upload Magic Bytes validation (PNG/JPEG/WebP/GIF/BMP/TIFF)
Logging & Monitoring:
- Login/Logout audit entries (Auth entityType)
- External API call logging with timing (OpenAI, Gemini)
- Input validation failure logging at warn level
- Concurrent session tracking in ActiveSession table
Documentation:
- docs/security-architecture.md (11 sections)
- docs/sdlc.md (CI pipeline, security gates, incident response)
- .gitea/PULL_REQUEST_TEMPLATE.md (security checklist)
Schema: User.totpSecret/totpEnabled, SystemSettings.sessionMaxAge/
sessionIdleTimeout/maxConcurrentSessions, ActiveSession model
Tests: 310 engine + 37 staffing pass. TypeScript clean.
Co-Authored-By: claude-flow <ruv@ruv.net>
|
2026-03-27 14:16:39 +01:00 |
|