Hartmut
fec4aa2e23
refactor(api): extract assistant user admin slice
2026-03-30 21:33:49 +02:00
Hartmut
7d3c6d978e
refactor(api): extract assistant self-service slice
2026-03-30 21:31:06 +02:00
Hartmut
72394747f9
refactor(api): extract assistant config readmodels
2026-03-30 21:27:23 +02:00
Hartmut
9571d454d4
refactor(api): extract assistant chargeability and country slices
2026-03-30 21:19:16 +02:00
Hartmut
447d42acb8
refactor(api): extract assistant tool admin slices
2026-03-30 20:56:00 +02:00
Hartmut
a36bca7ca7
refactor(admin): split system settings into section modules
2026-03-30 20:04:06 +02:00
Hartmut
a19d2cbae0
refactor(settings): adopt environment-only runtime secret flow
2026-03-30 19:55:06 +02:00
Hartmut
fed7aa5b61
refactor(runtime): prefer env-backed secrets at runtime
2026-03-30 19:17:32 +02:00
Hartmut
4f5d410b94
docs(architecture): refresh hardening status
2026-03-30 18:56:53 +02:00
Hartmut
dd71e8f80b
fix(comment): align mention audience with entity visibility
2026-03-30 18:50:36 +02:00
Hartmut
34067f1576
fix(tooling): harden database env loading
2026-03-30 14:42:44 +02:00
Hartmut
82466a4e34
fix(api): derive secure sse subscriptions
2026-03-30 14:20:18 +02:00
Hartmut
f0bea6235d
fix(web): reuse project combobox in timeline popovers
2026-03-30 13:34:59 +02:00
Hartmut
58824545fc
fix(assistant): align tool metadata with router audiences
2026-03-30 13:18:00 +02:00
Hartmut
94ad3004b7
docs(scope): mark notification follow-up complete
2026-03-30 12:33:54 +02:00
Hartmut
3c4894a966
docs(scope): refresh backlog status after hardening batch
2026-03-30 12:25:56 +02:00
Hartmut
a9a01e8df0
test(resource): cover chapter and skill import access
2026-03-30 12:23:35 +02:00
Hartmut
d3ad350821
test(assistant): document self-service approval access
2026-03-30 12:20:55 +02:00
Hartmut
c9a35452dc
fix(blueprint): require planning access for global field defs
2026-03-30 12:18:59 +02:00
Hartmut
c82a146f84
docs(scope): add audience scoping backlog
2026-03-30 12:16:16 +02:00
Hartmut
016f862405
fix(holiday-calendar): scope resource holiday reads
2026-03-30 12:10:52 +02:00
Hartmut
c7434c968e
fix(vacation): scope preview requests to owned resources
2026-03-30 12:07:26 +02:00
Hartmut
22cff9648e
test(entitlement): cover self-service and role boundaries
2026-03-30 12:01:34 +02:00
Hartmut
3a29ce4332
fix(blueprint): require planning access for detailed reads
2026-03-30 11:55:43 +02:00
Hartmut
b254ab70ba
test(auth): cover notification and user router audiences
2026-03-30 11:08:14 +02:00
Hartmut
c8e82ac221
feat(settings): restrict AI readiness checks to admins
2026-03-30 11:00:42 +02:00
Hartmut
81a46c81bd
feat(blueprint): scope summary reads to planning audience
2026-03-30 10:55:28 +02:00
Hartmut
9b764008c3
feat(management-level): scope reads to planning audience
2026-03-30 10:45:44 +02:00
Hartmut
c2ca6a6d0d
feat(holiday-calendar): restrict catalog reads to admins
2026-03-30 10:36:05 +02:00
Hartmut
54769ca0f5
feat(utilization-category): scope reads to planning audience
2026-03-30 10:29:40 +02:00
Hartmut
ae74700f7c
feat(client): scope planning reads to explicit audience
2026-03-30 10:24:52 +02:00
Hartmut
2b514ea962
feat(org-unit): scope structural reads to resource overview
2026-03-30 10:17:57 +02:00
Hartmut
65fe7ce04f
feat(assistant): align resource tool visibility with read audiences
2026-03-30 10:11:55 +02:00
Hartmut
bd654251f7
feat(master-data): scope detail reads to resource overview
2026-03-30 10:08:44 +02:00
Hartmut
8495b83b3e
docs(security): document audience scoping rollout rules
2026-03-30 09:59:33 +02:00
Hartmut
93c4374973
feat(auth): introduce explicit planning read permission
2026-03-30 09:15:07 +02:00
Hartmut
a50ca09333
feat(auth): tighten allocation read audiences
2026-03-30 09:03:44 +02:00
Hartmut
db45829eca
feat(auth): classify planning and resource read audiences
2026-03-30 08:51:07 +02:00
Hartmut
f6daf21983
feat(import): harden untrusted spreadsheet boundaries
2026-03-30 08:02:52 +02:00
Hartmut
fac8c1c3a5
feat(sse): scope timeline events to affected audiences
2026-03-30 00:40:24 +02:00
Hartmut
819345acfa
feat(platform): harden access scoping and delivery baseline
2026-03-30 00:27:31 +02:00
Hartmut
00b936fa1f
feat(assistant): extend audit and import parity
2026-03-29 12:56:29 +02:00
Hartmut
47e4d701ff
chore(repo): checkpoint current capakraken implementation state
2026-03-29 12:47:12 +02:00
Hartmut
beae1a5d6e
feat(assistant): add approval inbox and e2e hardening
2026-03-29 10:10:59 +02:00
Hartmut
4f48afe7b4
feat(planning): ship holiday-aware planning and assistant upgrades
2026-03-28 22:49:28 +01:00
Hartmut
1fc1e9f24c
feat: AI security controls + PostgreSQL hardening (Week 1 Quick Wins)
AI Security (EGAI 4.3.1.3, 4.3.1.4, 4.1.3.1, IAAI 3.6.26):
- AI Disclaimer banner in ChatPanel: "AI responses may be inaccurate"
- "AI Generated" violet badge on: chat messages, AI summaries,
project narratives, AI-generated cover images
- HITL: system prompt now requires explicit user confirmation
before any data mutation (strongly worded instruction)
- Mutation tool audit logging: all 31 write tools logged with
tool name, params, userId, userRole via Pino
PostgreSQL Hardening (PG Standard V1.6):
- Audit logging: log_connections, log_disconnections, log_statement=ddl,
log_min_duration_statement=1000 in docker-compose
- SUPERUSER removal script: scripts/harden-postgres.sh
(NOSUPERUSER + minimal GRANT for app user)
- Health check: pg_isready -U capakraken -d capakraken
- Documentation: security-architecture.md Section 12 updated
Controls closed: EGAI 4.1.3.1, 4.3.1.3, 4.3.1.4, PG 3.3, 3.5
Co-Authored-By: claude-flow <ruv@ruv.net >
2026-03-27 16:18:35 +01:00
Hartmut
3f76211955
docs: full ACN standards compliance audit — 6 standards, ~208 controls
Browsed and analyzed 6 relevant Accenture security standards:
1. Application Security V7.30 (73% compliant)
2. Generative AI Security V1.1 (~33% - NEW, critical)
3. Agentic AI Security V1.2 (~20% - NEW, critical, 36 MCP controls)
4. PostgreSQL Security V1.6 (~32%)
5. Logging & Auditing (~80%)
6. Access Control (~80%)
Overall: ~99/208 controls compliant (~48%)
Top 10 critical action items identified:
1. HITL for AI mutations (AI can create/delete without confirmation)
2. AI content labeling ("AI Generated" badges)
3. AI disclaimer in chat panel
4. PostgreSQL TLS
5. PostgreSQL audit logging
6. PostgreSQL SUPERUSER removal
7. Prompt injection detection
8. AI tool read/write separation
9. Adversarial testing suite
10. Content filtering on AI outputs
6-week implementation roadmap included.
Co-Authored-By: claude-flow <ruv@ruv.net >
2026-03-27 16:08:37 +01:00
Hartmut
6ba3efd7ea
docs: ACN Security Standards Applicability Matrix — 19 of ~87 relevant
Mapped all Accenture IS Standards against CapaKraken tech stack.
19 standards relevant, ~68 not applicable.
Key findings:
- Application Security Standard: 73% compliant (already analyzed)
- Gen AI + Agentic AI Standards: NEW, critical for HartBOT — must read
- PostgreSQL, nginx, Container, DevSecOps: need gap analysis
- 12 action items across 4 priority tiers
Co-Authored-By: claude-flow <ruv@ruv.net >
2026-03-27 16:00:23 +01:00
Hartmut
cd0c2fe3e2
feat: close 4 more security compliance gaps (46/63 OK, 73%)
Error-Page Headers (3.3.1.3.03 → OK):
- Cache-Control no-store on ALL routes (API, auth, catch-all)
Proactive Monitoring (3.2.1.04 → OK):
- /api/cron/health-check: DB + Redis check with latency, ADMIN alerts on failure
Security Scanning (3.2.2.7 → improved):
- /api/cron/security-audit: package version check against minimum safe versions
Server Hardening (3.3.1.4 → OK):
- docs/nginx-hardening.conf: complete template (rate limits, SSL, headers)
Database Security (3.3.3 → OK):
- docs/security-architecture.md Section 12: DB auth, isolation, SSL/audit recommendations
Compliance: 46 OK / 5 PARTIAL / 8 TODO / 4 N/A (was 42/9/8/4)
Co-Authored-By: claude-flow <ruv@ruv.net >
2026-03-27 15:43:44 +01:00
Hartmut
187c28e01e
docs: complete ACN V7.30 compliance report — 63 controls mapped
42 OK (67%), 9 PARTIAL (14%), 8 TODO (13%), 4 N/A (6%)
Full mapping of all EAPPS controls across 20 categories.
Co-Authored-By: claude-flow <ruv@ruv.net >
2026-03-27 15:33:18 +01:00