Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
332 Commits 3 Branches 1 Tag
459ab6911bda7fe3565a70260d42dcb64e9a3686
Commit Graph

332 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Hartmut 649c8feb22 fix(api): harden broadcast transactions and estimate fallbacks 2026-03-30 12:18:10 +02:00
Hartmut c82a146f84 docs(scope): add audience scoping backlog 2026-03-30 12:16:16 +02:00
Hartmut 016f862405 fix(holiday-calendar): scope resource holiday reads 2026-03-30 12:10:52 +02:00
Hartmut c7434c968e fix(vacation): scope preview requests to owned resources 2026-03-30 12:07:26 +02:00
Hartmut 6a6e98b5f7 fix(api): harden broadcast and assistant fallback errors 2026-03-30 12:03:27 +02:00
Hartmut 22cff9648e test(entitlement): cover self-service and role boundaries 2026-03-30 12:01:34 +02:00
Hartmut 3a29ce4332 fix(blueprint): require planning access for detailed reads 2026-03-30 11:55:43 +02:00
Hartmut 7aa32f8a5c test(api): harden assistant tool error handling 2026-03-30 11:51:59 +02:00
Hartmut 4ce8577824 test(api): cover notification and user edge cases 2026-03-30 11:51:26 +02:00
Hartmut 4c542d0015 fix(assistant): dedupe missing approval storage warnings 2026-03-30 11:49:05 +02:00
Hartmut 978cd9184d test(assistant): align admin tool descriptions 2026-03-30 11:45:29 +02:00
Hartmut b254ab70ba test(auth): cover notification and user router audiences 2026-03-30 11:08:14 +02:00
Hartmut c8e82ac221 feat(settings): restrict AI readiness checks to admins 2026-03-30 11:00:42 +02:00
Hartmut 81a46c81bd feat(blueprint): scope summary reads to planning audience 2026-03-30 10:55:28 +02:00
Hartmut 9b764008c3 feat(management-level): scope reads to planning audience 2026-03-30 10:45:44 +02:00
Hartmut c2ca6a6d0d feat(holiday-calendar): restrict catalog reads to admins 2026-03-30 10:36:05 +02:00
Hartmut 54769ca0f5 feat(utilization-category): scope reads to planning audience 2026-03-30 10:29:40 +02:00
Hartmut ae74700f7c feat(client): scope planning reads to explicit audience 2026-03-30 10:24:52 +02:00
Hartmut 2b514ea962 feat(org-unit): scope structural reads to resource overview 2026-03-30 10:17:57 +02:00
Hartmut 65fe7ce04f feat(assistant): align resource tool visibility with read audiences 2026-03-30 10:11:55 +02:00
Hartmut bd654251f7 feat(master-data): scope detail reads to resource overview 2026-03-30 10:08:44 +02:00
Hartmut 8495b83b3e docs(security): document audience scoping rollout rules 2026-03-30 09:59:33 +02:00
Hartmut 3a30fecc13 feat(role): scope planning-linked role reads to planning audience 2026-03-30 09:58:39 +02:00
Hartmut 16cf1bcb50 feat(assistant): align system role config visibility with admin reads 2026-03-30 09:56:45 +02:00
Hartmut a25635ee66 feat(auth): restrict system role config reads to admins 2026-03-30 09:46:32 +02:00
Hartmut 98502e6cf8 feat(estimate): scope estimate search to controller audience 2026-03-30 09:44:50 +02:00
Hartmut 806c028974 feat(scenario): scope baseline reads to planning and cost audiences 2026-03-30 09:40:07 +02:00
Hartmut 3aac946443 feat(staffing): enforce planning and cost audiences 2026-03-30 09:36:38 +02:00
Hartmut a960d43ed1 feat(assistant): align tool visibility with route audiences 2026-03-30 09:22:26 +02:00
Hartmut 93c4374973 feat(auth): introduce explicit planning read permission 2026-03-30 09:15:07 +02:00
Hartmut a50ca09333 feat(auth): tighten allocation read audiences 2026-03-30 09:03:44 +02:00
Hartmut db45829eca feat(auth): classify planning and resource read audiences 2026-03-30 08:51:07 +02:00
Hartmut f6daf21983 feat(import): harden untrusted spreadsheet boundaries 2026-03-30 08:02:52 +02:00
Hartmut fac8c1c3a5 feat(sse): scope timeline events to affected audiences 2026-03-30 00:40:24 +02:00
Hartmut 819345acfa feat(platform): harden access scoping and delivery baseline 2026-03-30 00:27:31 +02:00
Hartmut 00b936fa1f feat(assistant): extend audit and import parity 2026-03-29 12:56:29 +02:00
Hartmut 47e4d701ff chore(repo): checkpoint current capakraken implementation state 2026-03-29 12:47:12 +02:00
Hartmut beae1a5d6e feat(assistant): add approval inbox and e2e hardening 2026-03-29 10:10:59 +02:00
Hartmut 4f48afe7b4 feat(planning): ship holiday-aware planning and assistant upgrades 2026-03-28 22:49:28 +01:00
Hartmut 2a005794e7 feat: additive security improvements — prompt guard, content filter, data classification 
Prompt Injection Detection (EGAI 4.6.3.2):
- 12-pattern regex scanner on user messages before AI processing
- Logs warning + creates SecurityAlert audit entry on detection
- Reinforces system prompt instead of blocking (non-breaking)

AI Output Content Filter (EGAI 4.3.2.1):
- Scans AI responses for leaked credentials/secrets
- Auto-redacts passwords, API keys, bearer tokens, private keys
- Logs warning + SecurityAlert audit when redaction occurs

AI Tool Execution Audit Trail (IAAI 3.6.35):
- Every AI tool call creates AiToolExecution audit entry
- Logs tool name, parameters, userId, source: "ai"

Data Classification Labels (EGAI 4.2):
- DATA_CLASSIFICATION constant mapping all fields to HC/C/IR/U
- Exported from @capakraken/shared

All changes strictly additive — no existing logic modified.

Co-Authored-By: claude-flow <ruv@ruv.net>
 2026-03-27 16:23:33 +01:00
Hartmut 1fc1e9f24c feat: AI security controls + PostgreSQL hardening (Week 1 Quick Wins) 
AI Security (EGAI 4.3.1.3, 4.3.1.4, 4.1.3.1, IAAI 3.6.26):
- AI Disclaimer banner in ChatPanel: "AI responses may be inaccurate"
- "AI Generated" violet badge on: chat messages, AI summaries,
  project narratives, AI-generated cover images
- HITL: system prompt now requires explicit user confirmation
  before any data mutation (strongly worded instruction)
- Mutation tool audit logging: all 31 write tools logged with
  tool name, params, userId, userRole via Pino

PostgreSQL Hardening (PG Standard V1.6):
- Audit logging: log_connections, log_disconnections, log_statement=ddl,
  log_min_duration_statement=1000 in docker-compose
- SUPERUSER removal script: scripts/harden-postgres.sh
  (NOSUPERUSER + minimal GRANT for app user)
- Health check: pg_isready -U capakraken -d capakraken
- Documentation: security-architecture.md Section 12 updated

Controls closed: EGAI 4.1.3.1, 4.3.1.3, 4.3.1.4, PG 3.3, 3.5

Co-Authored-By: claude-flow <ruv@ruv.net>
 2026-03-27 16:18:35 +01:00
Hartmut 3f76211955 docs: full ACN standards compliance audit — 6 standards, ~208 controls 
Browsed and analyzed 6 relevant Accenture security standards:
1. Application Security V7.30 (73% compliant)
2. Generative AI Security V1.1 (~33% - NEW, critical)
3. Agentic AI Security V1.2 (~20% - NEW, critical, 36 MCP controls)
4. PostgreSQL Security V1.6 (~32%)
5. Logging & Auditing (~80%)
6. Access Control (~80%)

Overall: ~99/208 controls compliant (~48%)

Top 10 critical action items identified:
1. HITL for AI mutations (AI can create/delete without confirmation)
2. AI content labeling ("AI Generated" badges)
3. AI disclaimer in chat panel
4. PostgreSQL TLS
5. PostgreSQL audit logging
6. PostgreSQL SUPERUSER removal
7. Prompt injection detection
8. AI tool read/write separation
9. Adversarial testing suite
10. Content filtering on AI outputs

6-week implementation roadmap included.

Co-Authored-By: claude-flow <ruv@ruv.net>
 2026-03-27 16:08:37 +01:00
Hartmut 6ba3efd7ea docs: ACN Security Standards Applicability Matrix — 19 of ~87 relevant 
Mapped all Accenture IS Standards against CapaKraken tech stack.
19 standards relevant, ~68 not applicable.

Key findings:
- Application Security Standard: 73% compliant (already analyzed)
- Gen AI + Agentic AI Standards: NEW, critical for HartBOT — must read
- PostgreSQL, nginx, Container, DevSecOps: need gap analysis
- 12 action items across 4 priority tiers

Co-Authored-By: claude-flow <ruv@ruv.net>
 2026-03-27 16:00:23 +01:00
Hartmut cd0c2fe3e2 feat: close 4 more security compliance gaps (46/63 OK, 73%) 
Error-Page Headers (3.3.1.3.03 → OK):
- Cache-Control no-store on ALL routes (API, auth, catch-all)

Proactive Monitoring (3.2.1.04 → OK):
- /api/cron/health-check: DB + Redis check with latency, ADMIN alerts on failure

Security Scanning (3.2.2.7 → improved):
- /api/cron/security-audit: package version check against minimum safe versions

Server Hardening (3.3.1.4 → OK):
- docs/nginx-hardening.conf: complete template (rate limits, SSL, headers)

Database Security (3.3.3 → OK):
- docs/security-architecture.md Section 12: DB auth, isolation, SSL/audit recommendations

Compliance: 46 OK / 5 PARTIAL / 8 TODO / 4 N/A (was 42/9/8/4)

Co-Authored-By: claude-flow <ruv@ruv.net>
 2026-03-27 15:43:44 +01:00
Hartmut 187c28e01e docs: complete ACN V7.30 compliance report — 63 controls mapped 
42 OK (67%), 9 PARTIAL (14%), 8 TODO (13%), 4 N/A (6%)
Full mapping of all EAPPS controls across 20 categories.

Co-Authored-By: claude-flow <ruv@ruv.net>
 2026-03-27 15:33:18 +01:00
Hartmut 103ba009b6 docs: ACN Security Compliance Status Report (management summary) 
19/23 controls implemented (83%). 4 open items require external
access (AIR portal, SAST tool, nginx SSH, HTTPS for cookie prefix).

Co-Authored-By: claude-flow <ruv@ruv.net>
 2026-03-27 15:05:24 +01:00
Hartmut 9d43e4b113 feat: ACN Application Security Standard V7.30 compliance (19/23 items) 
CRITICAL — Authentication & Access:
- TOTP MFA: otpauth-based, QR setup UI, sign-in flow integration,
  admin disable override, /account/security self-service page
- Session Timeouts: 8h absolute (maxAge), 30min idle (updateAge)
- Failed Auth Logging: Pino warn for invalid password/user/totp,
  info for successful login, audit entries for all auth events
- Concurrent Session Limit: ActiveSession model, oldest-kick strategy,
  max 3 per user (configurable in SystemSettings)

CRITICAL — HTTP Security:
- HSTS: max-age=31536000; includeSubDomains
- CSP: script/style/img/font/connect-src with Gemini/OpenAI whitelist
- X-XSS-Protection: 0 (CSP replaces legacy)
- Auth page cache: no-store, no-cache, must-revalidate
- Rate Limiting: 100/15min general API, 5/15min auth (Map-based)

Data Protection:
- XSS Sanitization: DOMPurify on comment bodies
- autocomplete="new-password" on all password/secret fields
- SameSite=Strict on all cookies (Credentials-only, no OAuth)
- File Upload Magic Bytes validation (PNG/JPEG/WebP/GIF/BMP/TIFF)

Logging & Monitoring:
- Login/Logout audit entries (Auth entityType)
- External API call logging with timing (OpenAI, Gemini)
- Input validation failure logging at warn level
- Concurrent session tracking in ActiveSession table

Documentation:
- docs/security-architecture.md (11 sections)
- docs/sdlc.md (CI pipeline, security gates, incident response)
- .gitea/PULL_REQUEST_TEMPLATE.md (security checklist)

Schema: User.totpSecret/totpEnabled, SystemSettings.sessionMaxAge/
sessionIdleTimeout/maxConcurrentSessions, ActiveSession model

Tests: 310 engine + 37 staffing pass. TypeScript clean.

Co-Authored-By: claude-flow <ruv@ruv.net>
 2026-03-27 14:16:39 +01:00
Hartmut 70ae830623 docs: Accenture Application Security Standard V7.30 compliance ToDo 
Gap analysis of CapaKraken against Accenture AppSec Standard V7.30.
23 action items across 3 priority levels.

Critical (before production): MFA, session timeouts, HSTS, CSP,
rate limiting, Sentry DSN, failed auth logging.

High (30 days): AIR registration, security architecture doc,
SAST/DAST, XSS sanitization, login/logout audit.

Already compliant: SQL injection (Prisma), Argon2 hashing, RBAC,
Zod input validation, audit logging, security headers (partial).

Co-Authored-By: claude-flow <ruv@ruv.net>
 2026-03-27 13:50:14 +01:00
Hartmut b5fd969bd3 Merge pull request 'chore: full technical rename planarchy → capakraken' (#18) from chore/rename-capakraken into main 2026-03-27 13:18:56 +01:00
Hartmut cd78f72f33 chore: full technical rename planarchy → capakraken 
Complete rename of all technical identifiers across the codebase:

Package names (11 packages):
- @planarchy/* → @capakraken/* in all package.json, tsconfig, imports

Import statements: 277 files, 548 occurrences replaced

Database & Docker:
- PostgreSQL user/db: planarchy → capakraken
- Docker volumes: planarchy_pgdata → capakraken_pgdata
- Connection strings updated in docker-compose, .env, CI

CI/CD:
- GitHub Actions workflow: all filter commands updated
- Test database credentials updated

Infrastructure:
- Redis channel: planarchy:sse → capakraken:sse
- Logger service name: planarchy-api → capakraken-api
- Anonymization seed updated
- Start/stop/restart scripts updated

Test data:
- Seed emails: @planarchy.dev → @capakraken.dev
- E2E test credentials: all 11 spec files updated
- Email defaults: @planarchy.app → @capakraken.app
- localStorage keys: planarchy_* → capakraken_*

Documentation: 30+ .md files updated

Verification:
- pnpm install: workspace resolution works
- TypeScript: only pre-existing TS2589 (no new errors)
- Engine: 310/310 tests pass
- Staffing: 37/37 tests pass

Co-Authored-By: claude-flow <ruv@ruv.net>
 2026-03-27 13:18:09 +01:00