CapaKraken

Author	SHA1	Message	Date
Hartmut	0e119cfe73	security: close audit findings #19–#23 and harden Docker setup (#24 ) #19 MFA QR code: render locally via qrcode package, remove external qrserver.com request #20 Webhook SSRF: add ssrf-guard.ts with DNS-verified IP blocklist; enforce on create/update/test/dispatch #21 /api/perf: fail-closed when CRON_SECRET missing; remove query-string token auth #22 CSP: remove unsafe-eval and unsafe-inline from script-src in production builds #23 Active session registry: forward jti into session object; validate against ActiveSession on every tRPC request #24 Docker: add missing packages/application to Dockerfile.dev; fix pnpm-lock.yaml glob; run db:migrate:deploy on container start so a fresh checkout boots without manual steps Also: fix pre-existing TS error in e2e/allocations.spec.ts (args.length literal type overlap) Co-Authored-By: claude-flow <ruv@ruv.net>	2026-04-01 18:19:21 +02:00
Hartmut	a7362f17bd	refactor(config): enforce runtime auth secret policy	2026-03-30 23:40:00 +02:00
Hartmut	4f48afe7b4	feat(planning): ship holiday-aware planning and assistant upgrades	2026-03-28 22:49:28 +01:00
Hartmut	1fc1e9f24c	feat: AI security controls + PostgreSQL hardening (Week 1 Quick Wins) AI Security (EGAI 4.3.1.3, 4.3.1.4, 4.1.3.1, IAAI 3.6.26): - AI Disclaimer banner in ChatPanel: "AI responses may be inaccurate" - "AI Generated" violet badge on: chat messages, AI summaries, project narratives, AI-generated cover images - HITL: system prompt now requires explicit user confirmation before any data mutation (strongly worded instruction) - Mutation tool audit logging: all 31 write tools logged with tool name, params, userId, userRole via Pino PostgreSQL Hardening (PG Standard V1.6): - Audit logging: log_connections, log_disconnections, log_statement=ddl, log_min_duration_statement=1000 in docker-compose - SUPERUSER removal script: scripts/harden-postgres.sh (NOSUPERUSER + minimal GRANT for app user) - Health check: pg_isready -U capakraken -d capakraken - Documentation: security-architecture.md Section 12 updated Controls closed: EGAI 4.1.3.1, 4.3.1.3, 4.3.1.4, PG 3.3, 3.5 Co-Authored-By: claude-flow <ruv@ruv.net>	2026-03-27 16:18:35 +01:00
Hartmut	cd78f72f33	chore: full technical rename planarchy → capakraken Complete rename of all technical identifiers across the codebase: Package names (11 packages): - @planarchy/* → @capakraken/* in all package.json, tsconfig, imports Import statements: 277 files, 548 occurrences replaced Database & Docker: - PostgreSQL user/db: planarchy → capakraken - Docker volumes: planarchy_pgdata → capakraken_pgdata - Connection strings updated in docker-compose, .env, CI CI/CD: - GitHub Actions workflow: all filter commands updated - Test database credentials updated Infrastructure: - Redis channel: planarchy:sse → capakraken:sse - Logger service name: planarchy-api → capakraken-api - Anonymization seed updated - Start/stop/restart scripts updated Test data: - Seed emails: @planarchy.dev → @capakraken.dev - E2E test credentials: all 11 spec files updated - Email defaults: @planarchy.app → @capakraken.app - localStorage keys: planarchy_* → capakraken_* Documentation: 30+ .md files updated Verification: - pnpm install: workspace resolution works - TypeScript: only pre-existing TS2589 (no new errors) - Engine: 310/310 tests pass - Staffing: 37/37 tests pass Co-Authored-By: claude-flow <ruv@ruv.net>	2026-03-27 13:18:09 +01:00
Hartmut	dd55d0e78b	chore(repo): initialize planarchy workspace	2026-03-14 14:31:09 +01:00

6 Commits