Hartmut
c2d05b4b99
security: Unicode-aware prompt-injection guard (#39)
checkPromptInjection now NFKD-normalises, strips zero-width / combining
chars, and folds common Cyrillic / Greek homoglyphs before matching. 10
documented bypass examples (fullwidth, ZWJ, ZWSP, soft-hyphen, Cyrillic
е/о, combining marks, LRM, BOM) are covered by unit tests. Security
docs explicitly mark the guard as defense-in-depth — real boundary is
per-tool requirePermission.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-17 08:53:38 +02:00
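The canonicalisation steps the commit above names (NFKD, zero-width/combining stripping, homoglyph folding, then matching), as an added illustration written for this page; it is not the project's own checkPromptInjection, and the homoglyph table and injection patterns are constructed assumptions:

```typescript
// Invisible / format characters that split a keyword without changing how it
// renders: ZWSP, ZWNJ, ZWJ, LRM, RLM, word joiner, soft hyphen, BOM.
const INVISIBLE = /[\u200B-\u200F\u2060\u00AD\uFEFF]/g;
// Combining-mark blocks left behind by NFKD (e.g. "e" + U+0301 from "é").
const COMBINING = /[\u0300-\u036F\u1AB0-\u1AFF\u1DC0-\u1DFF\u20D0-\u20FF\uFE20-\uFE2F]/g;
// Cyrillic / Greek lowercase letters that render like Latin ones (constructed, partial).
const HOMOGLYPHS: Record<string, string> = {
  '\u0430': 'a', '\u0435': 'e', '\u043E': 'o', '\u0440': 'p', '\u0441': 'c',
  '\u0443': 'y', '\u0445': 'x', '\u0456': 'i', '\u0455': 's', '\u0458': 'j',
  '\u03B1': 'a', '\u03B5': 'e', '\u03BF': 'o', '\u03C1': 'p', '\u03BD': 'v',
};
// Example phrases to match after canonicalisation (assumed; a real guard keeps more).
const PATTERNS: RegExp[] = [
  /ignore (all |any )?(previous|prior|above) instructions/,
  /you are now /,
  /reveal (the |your )?system prompt/,
];

export function canonicalise(input: string): string {
  // 1. NFKD maps fullwidth and other compatibility forms to base letters plus marks.
  let s = input.normalize('NFKD');
  // 2. Drop zero-width, directional, BOM and soft-hyphen characters.
  s = s.replace(INVISIBLE, '');
  // 3. Drop combining marks so accented letters match their bare form.
  s = s.replace(COMBINING, '');
  // 4. Lowercase before folding so uppercase Cyrillic/Greek letters hit the table too.
  s = s.toLowerCase();
  // 5. Fold look-alike Cyrillic (U+0400-04FF) and Greek (U+0370-03FF) letters.
  s = s.replace(/[\u0370-\u03FF\u0400-\u04FF]/g, (ch) => HOMOGLYPHS[ch] ?? ch);
  // 6. Collapse whitespace so keywords split by extra spaces still line up.
  return s.replace(/\s+/g, ' ').trim();
}

// Returns the matched pattern so a caller can log why the input was flagged.
export function checkPromptInjection(input: string): { flagged: boolean; pattern?: string } {
  const text = canonicalise(input);
  for (const p of PATTERNS) {
    if (p.test(text)) return { flagged: true, pattern: p.source };
  }
  return { flagged: false };
}
```

As the commit notes, this is defence in depth: the match list is bypassable by construction, so authorisation still has to be enforced per tool.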
Hartmut
600a86ca71
docs: add project README with screenshots and setup guide
- Hero dashboard screenshot, badge bar, and feature overview
- 6-screenshot gallery (timeline, chargeability, allocations, widgets, admin)
- Tech stack table and monorepo structure diagram
- Getting started guide (Docker + host-native)
- Service reference, scripts reference, production deployment guide
- Environment variables reference and architecture overview
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-10 14:07:08 +02:00
Hartmut
4a49ec4f05
fix(sanity): resolve 15 gaps from sanity check audit (G-01 through G-15)
- G-01: ProjectWizard renders blueprint fieldDefs with DynamicFieldInput component
- G-02: Blueprint rolePresets validated via RolePresetsSchema in wizard; API keeps loose schema
- G-03: ProjectWizard step 2/3 validation (role, hoursPerDay, headcount required)
- G-04: EstimateWizard validates baseCurrency and demand line cost rates
- G-05: Project lifecycle transition guards with ALLOWED_TRANSITIONS map
- G-06: Blueprint validator extended for minLength/maxLength/pattern and DATE range checks
- G-07: assertBlueprintDynamicFields merges global blueprint fieldDefs into validation
- G-08: (tracked — chapter managed dropdown; deferred to backend ticket)
- G-09: JSDoc added to lcrCents/ucrCents clarifying LCR/UCR terminology
- G-10: Dispo route redirect already in place — closed as done
- G-11: packages/ui empty by design — closed as documented
- G-12: @deprecated JSDoc added to CreateAllocationSchema and UpdateAllocationSchema
- G-13: ProjectWizard review step enhanced with blueprint name, field values, skills, assignments
- G-14: ProjectWizard handleSubmit collects per-item warnings instead of silent swallowing
- G-15: Vacation cancel reverses usedDays entitlement for APPROVED ANNUAL/OTHER vacations
Tests: all 1575 passing (1 pre-existing failure in insights-summary unrelated to these changes)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-06 00:11:12 +02:00
Hartmut
8c9ba5363c
docs: mark P1 timeline/SSE/scenario work complete in plan and roadmap
All Workstream C–F tasks completed:
- C: drag+selection conflict fix (FloatingActionBar clears on drag start)
- D: SSE edge-case tests (hide-during-reconnect, first-ever-failure)
- E: scenario module unit tests — 31 tests across all 4 scenario modules
- F: .env.example expanded, plan and roadmap updated
Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-02 21:34:15 +02:00
Hartmut
d4641e27aa
feat: first-run setup wizard, CLI seed script, and installation docs
- /setup Server Component + SetupClient form + createFirstAdmin Server Action:
zero-users guard (TOCTOU-safe), argon2 hash, ADMIN user creation,
redirects to /auth/signin after setup
- scripts/setup-admin.mjs: CLI alternative for headless/container setups
- docs/installation.md: 7-section install guide (clone → configure → run → verify)
Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-02 20:45:15 +02:00
Hartmut
bfdf0a82da
security/platform: close audit findings #19–#26
Tests, CSP nonce middleware, SSRF guard, perf-route hardening,
Docker env isolation, migration runbook, RBAC E2E coverage.
Tickets resolved:
- #19: MfaSetup.test.ts — static source tests confirming local QR rendering
- #20: ssrf-guard.test.ts (16 tests) + webhook-procedure-support mock fix
- #21: /api/perf route.test.ts (5 tests) — header-only auth, fail-closed
- #22: middleware.ts (nonce-based CSP) + middleware.test.ts (6 tests);
layout.tsx async + nonce prop; CSP removed from next.config.ts
- #23: Active-session registry enforcement verified (already in codebase)
- #24: docker-compose.yml REDIS_URL hardcoded (no host-env substitution)
- #25: docker-compose.yml REDIS_URL + docs/developer-runbook.md created
- #26: e2e/dev-system/rbac-data-access.spec.ts (12 tests, 3 roles × 4 procedures)
Quality gates: tsc clean, api 1447/1447, web 189/189 passing.
Turbo concurrency capped at 2 (package.json) to prevent OOM under
parallel test runs.
Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-01 22:14:20 +02:00
Hartmut
4b14db9dc6
fix(timeline): pause sse while hidden
2026-04-01 15:05:34 +02:00
Hartmut
3258b59e21
fix(timeline): resync after sse reconnect
2026-04-01 15:04:00 +02:00
Hartmut
d4652b7a42
fix(timeline): cancel stranded drag interactions
2026-04-01 14:57:56 +02:00
Hartmut
a71bbeb640
fix(timeline): stabilize overlay lifecycle
2026-04-01 14:41:03 +02:00
Hartmut
6c138964ca
docs(repo): sync quality guardrail references
2026-04-01 09:05:23 +02:00
Hartmut
6249f61ce1
chore(repo): add parallel worktree hygiene guardrail
2026-04-01 08:53:14 +02:00
Hartmut
90f2f3c123
docs(backlog): add showcase quality working backlog
2026-04-01 08:36:26 +02:00
Hartmut
41916a4e46
refactor(api): share owned resource read access
2026-04-01 07:35:34 +02:00
Hartmut
a0c98cf24d
test(api): close assistant split regression gaps
2026-04-01 07:33:00 +02:00
Hartmut
6929482eb0
docs(api): note assistant split test gaps
2026-04-01 00:53:12 +02:00
Hartmut
f2d65d3cd4
test(api): add assistant split regression runner
2026-04-01 00:51:23 +02:00
Hartmut
ac29ce3567
refactor(sse): narrow canonical audience scopes
2026-03-31 22:56:12 +02:00
Hartmut
db50e2e555
feat(import): harden workbook parser boundaries
2026-03-31 22:48:30 +02:00
Hartmut
bec1b98688
docs(api): close router verification backlog
2026-03-31 21:50:03 +02:00
Hartmut
e34c22f3b0
refactor(api): extract project procedures
2026-03-31 21:28:56 +02:00
Hartmut
b1799e4f54
refactor(api): extract computation graph procedures
2026-03-31 21:24:28 +02:00
Hartmut
884f1012c9
refactor(api): extract role read procedures
2026-03-31 21:22:44 +02:00
Hartmut
cba4d44f16
refactor(api): extract webhook procedures
2026-03-31 21:18:29 +02:00
Hartmut
70171d43fd
refactor(api): extract calculation rule procedures
2026-03-31 21:15:02 +02:00
Hartmut
06642e6dc9
docs(api): refresh procedure support backlog
2026-03-31 21:12:53 +02:00
Hartmut
e08a992a65
refactor(api): extract entitlement procedures
2026-03-31 21:05:56 +02:00
Hartmut
a490d68a3b
refactor(api): extract resource summary read procedures
2026-03-31 20:59:26 +02:00
Hartmut
9d6fffc775
refactor(api): extract dashboard procedures
2026-03-31 20:54:54 +02:00
Hartmut
6837568ffe
refactor(api): extract notification procedures
2026-03-31 20:50:14 +02:00
Hartmut
958d2368c1
refactor(api): extract chargeability report procedures
2026-03-31 20:42:33 +02:00
Hartmut
00d5fe7923
docs(api): refresh procedure support backlog
2026-03-31 20:37:16 +02:00
Hartmut
f14d2679cc
refactor(api): extract import export procedures
2026-03-31 20:36:46 +02:00
Hartmut
1d3f1a007f
refactor(api): extract dispo procedures
2026-03-31 20:32:59 +02:00
Hartmut
a2f9b713c1
refactor(api): extract org unit procedures
2026-03-31 20:28:33 +02:00
Hartmut
e641782d50
docs(api): track remaining procedure-support slices
2026-03-31 20:25:22 +02:00
Hartmut
e375d634f6
docs(api): capture procedure-support pattern
2026-03-31 20:17:09 +02:00
Hartmut
4586e94c95
refactor(api): extract settings procedures
2026-03-31 19:46:50 +02:00
Hartmut
a7362f17bd
refactor(config): enforce runtime auth secret policy
2026-03-30 23:40:00 +02:00
Hartmut
7bcc831b5c
refactor(ops): standardize image-based production delivery
2026-03-30 23:35:29 +02:00
Hartmut
ef5e8016a4
refactor(api): add redis-backed rate limiting fallback
2026-03-30 23:23:56 +02:00
Hartmut
bcfb18393e
refactor(api): extract assistant vacation entitlement slice
2026-03-30 23:09:32 +02:00
Hartmut
45c25b17c1
refactor(api): extract assistant country read slice
2026-03-30 22:53:59 +02:00
Hartmut
0cc7b9805a
refactor(api): extract assistant planning navigation slice
2026-03-30 22:51:39 +02:00
Hartmut
aed99cb894
refactor(api): extract assistant import export dispo slice
2026-03-30 22:45:00 +02:00
Hartmut
4d8c91d705
refactor(api): extract assistant scenario rate-analysis slice
2026-03-30 22:38:01 +02:00
Hartmut
d55ab67e04
refactor(api): extract assistant audit-history slice
2026-03-30 22:30:51 +02:00
Hartmut
ab32c7804b
refactor(api): extract assistant comments slice
2026-03-30 22:29:07 +02:00
Hartmut
73fdf1c6ab
refactor(api): extract assistant dashboard insights slice
2026-03-30 22:23:05 +02:00
Hartmut
6c6afdd059
refactor(api): extract assistant blueprint rate-card slice
2026-03-30 22:17:41 +02:00