Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
790 Commits 3 Branches 1 Tag
40ca0c3046ba2f6682ff3e1335334e6af9a1d6b3
Commit Graph

790 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Hartmut a0fcc0afbb test(notification): expand audience auth coverage 2026-03-30 12:33:10 +02:00
Hartmut 019c267435 test(api): harden estimate races and user auth boundaries 2026-03-30 12:32:51 +02:00
Hartmut 3c4894a966 docs(scope): refresh backlog status after hardening batch 2026-03-30 12:25:56 +02:00
Hartmut d7c295b51c test(project): cover image config checks 2026-03-30 12:24:33 +02:00
Hartmut 732538857b test(api): cover remaining timeline and broadcast fallback races 2026-03-30 12:23:46 +02:00
Hartmut a9a01e8df0 test(resource): cover chapter and skill import access 2026-03-30 12:23:35 +02:00
Hartmut d3ad350821 test(assistant): document self-service approval access 2026-03-30 12:20:55 +02:00
Hartmut c9a35452dc fix(blueprint): require planning access for global field defs 2026-03-30 12:18:59 +02:00
Hartmut 649c8feb22 fix(api): harden broadcast transactions and estimate fallbacks 2026-03-30 12:18:10 +02:00
Hartmut c82a146f84 docs(scope): add audience scoping backlog 2026-03-30 12:16:16 +02:00
Hartmut 016f862405 fix(holiday-calendar): scope resource holiday reads 2026-03-30 12:10:52 +02:00
Hartmut c7434c968e fix(vacation): scope preview requests to owned resources 2026-03-30 12:07:26 +02:00
Hartmut 6a6e98b5f7 fix(api): harden broadcast and assistant fallback errors 2026-03-30 12:03:27 +02:00
Hartmut 22cff9648e test(entitlement): cover self-service and role boundaries 2026-03-30 12:01:34 +02:00
Hartmut 3a29ce4332 fix(blueprint): require planning access for detailed reads 2026-03-30 11:55:43 +02:00
Hartmut 7aa32f8a5c test(api): harden assistant tool error handling 2026-03-30 11:51:59 +02:00
Hartmut 4ce8577824 test(api): cover notification and user edge cases 2026-03-30 11:51:26 +02:00
Hartmut 4c542d0015 fix(assistant): dedupe missing approval storage warnings 2026-03-30 11:49:05 +02:00
Hartmut 978cd9184d test(assistant): align admin tool descriptions 2026-03-30 11:45:29 +02:00
Hartmut b254ab70ba test(auth): cover notification and user router audiences 2026-03-30 11:08:14 +02:00
Hartmut c8e82ac221 feat(settings): restrict AI readiness checks to admins 2026-03-30 11:00:42 +02:00
Hartmut 81a46c81bd feat(blueprint): scope summary reads to planning audience 2026-03-30 10:55:28 +02:00
Hartmut 9b764008c3 feat(management-level): scope reads to planning audience 2026-03-30 10:45:44 +02:00
Hartmut c2ca6a6d0d feat(holiday-calendar): restrict catalog reads to admins 2026-03-30 10:36:05 +02:00
Hartmut 54769ca0f5 feat(utilization-category): scope reads to planning audience 2026-03-30 10:29:40 +02:00
Hartmut ae74700f7c feat(client): scope planning reads to explicit audience 2026-03-30 10:24:52 +02:00
Hartmut 2b514ea962 feat(org-unit): scope structural reads to resource overview 2026-03-30 10:17:57 +02:00
Hartmut 65fe7ce04f feat(assistant): align resource tool visibility with read audiences 2026-03-30 10:11:55 +02:00
Hartmut bd654251f7 feat(master-data): scope detail reads to resource overview 2026-03-30 10:08:44 +02:00
Hartmut 8495b83b3e docs(security): document audience scoping rollout rules 2026-03-30 09:59:33 +02:00
Hartmut 3a30fecc13 feat(role): scope planning-linked role reads to planning audience 2026-03-30 09:58:39 +02:00
Hartmut 16cf1bcb50 feat(assistant): align system role config visibility with admin reads 2026-03-30 09:56:45 +02:00
Hartmut a25635ee66 feat(auth): restrict system role config reads to admins 2026-03-30 09:46:32 +02:00
Hartmut 98502e6cf8 feat(estimate): scope estimate search to controller audience 2026-03-30 09:44:50 +02:00
Hartmut 806c028974 feat(scenario): scope baseline reads to planning and cost audiences 2026-03-30 09:40:07 +02:00
Hartmut 3aac946443 feat(staffing): enforce planning and cost audiences 2026-03-30 09:36:38 +02:00
Hartmut a960d43ed1 feat(assistant): align tool visibility with route audiences 2026-03-30 09:22:26 +02:00
Hartmut 93c4374973 feat(auth): introduce explicit planning read permission 2026-03-30 09:15:07 +02:00
Hartmut a50ca09333 feat(auth): tighten allocation read audiences 2026-03-30 09:03:44 +02:00
Hartmut db45829eca feat(auth): classify planning and resource read audiences 2026-03-30 08:51:07 +02:00
Hartmut f6daf21983 feat(import): harden untrusted spreadsheet boundaries 2026-03-30 08:02:52 +02:00
Hartmut fac8c1c3a5 feat(sse): scope timeline events to affected audiences 2026-03-30 00:40:24 +02:00
Hartmut 819345acfa feat(platform): harden access scoping and delivery baseline 2026-03-30 00:27:31 +02:00
Hartmut 00b936fa1f feat(assistant): extend audit and import parity 2026-03-29 12:56:29 +02:00
Hartmut 47e4d701ff chore(repo): checkpoint current capakraken implementation state 2026-03-29 12:47:12 +02:00
Hartmut beae1a5d6e feat(assistant): add approval inbox and e2e hardening 2026-03-29 10:10:59 +02:00
Hartmut 4f48afe7b4 feat(planning): ship holiday-aware planning and assistant upgrades 2026-03-28 22:49:28 +01:00
Hartmut 2a005794e7 feat: additive security improvements — prompt guard, content filter, data classification 
Prompt Injection Detection (EGAI 4.6.3.2):
- 12-pattern regex scanner on user messages before AI processing
- Logs warning + creates SecurityAlert audit entry on detection
- Reinforces system prompt instead of blocking (non-breaking)

AI Output Content Filter (EGAI 4.3.2.1):
- Scans AI responses for leaked credentials/secrets
- Auto-redacts passwords, API keys, bearer tokens, private keys
- Logs warning + SecurityAlert audit when redaction occurs

AI Tool Execution Audit Trail (IAAI 3.6.35):
- Every AI tool call creates AiToolExecution audit entry
- Logs tool name, parameters, userId, source: "ai"

Data Classification Labels (EGAI 4.2):
- DATA_CLASSIFICATION constant mapping all fields to HC/C/IR/U
- Exported from @capakraken/shared

All changes strictly additive — no existing logic modified.

Co-Authored-By: claude-flow <ruv@ruv.net>
 2026-03-27 16:23:33 +01:00
Hartmut 1fc1e9f24c feat: AI security controls + PostgreSQL hardening (Week 1 Quick Wins) 
AI Security (EGAI 4.3.1.3, 4.3.1.4, 4.1.3.1, IAAI 3.6.26):
- AI Disclaimer banner in ChatPanel: "AI responses may be inaccurate"
- "AI Generated" violet badge on: chat messages, AI summaries,
  project narratives, AI-generated cover images
- HITL: system prompt now requires explicit user confirmation
  before any data mutation (strongly worded instruction)
- Mutation tool audit logging: all 31 write tools logged with
  tool name, params, userId, userRole via Pino

PostgreSQL Hardening (PG Standard V1.6):
- Audit logging: log_connections, log_disconnections, log_statement=ddl,
  log_min_duration_statement=1000 in docker-compose
- SUPERUSER removal script: scripts/harden-postgres.sh
  (NOSUPERUSER + minimal GRANT for app user)
- Health check: pg_isready -U capakraken -d capakraken
- Documentation: security-architecture.md Section 12 updated

Controls closed: EGAI 4.1.3.1, 4.3.1.3, 4.3.1.4, PG 3.3, 3.5

Co-Authored-By: claude-flow <ruv@ruv.net>
 2026-03-27 16:18:35 +01:00
Hartmut 3f76211955 docs: full ACN standards compliance audit — 6 standards, ~208 controls 
Browsed and analyzed 6 relevant Accenture security standards:
1. Application Security V7.30 (73% compliant)
2. Generative AI Security V1.1 (~33% - NEW, critical)
3. Agentic AI Security V1.2 (~20% - NEW, critical, 36 MCP controls)
4. PostgreSQL Security V1.6 (~32%)
5. Logging & Auditing (~80%)
6. Access Control (~80%)

Overall: ~99/208 controls compliant (~48%)

Top 10 critical action items identified:
1. HITL for AI mutations (AI can create/delete without confirmation)
2. AI content labeling ("AI Generated" badges)
3. AI disclaimer in chat panel
4. PostgreSQL TLS
5. PostgreSQL audit logging
6. PostgreSQL SUPERUSER removal
7. Prompt injection detection
8. AI tool read/write separation
9. Adversarial testing suite
10. Content filtering on AI outputs

6-week implementation roadmap included.

Co-Authored-By: claude-flow <ruv@ruv.net>
 2026-03-27 16:08:37 +01:00