Hartmut
403d59ad73
fix(web): stabilize timeline hover date matching
2026-04-01 09:15:24 +02:00
Hartmut
71c4e61735
test(web): cover timeline sse edge paths
2026-04-01 09:10:45 +02:00
Hartmut
e75f69bcf5
refactor(web): extract timeline sse invalidation policy
2026-04-01 08:59:25 +02:00
Hartmut
4edf3a32ac
fix(web): keep segmented timeline allocations actionable
2026-04-01 08:54:15 +02:00
Hartmut
8c5be51251
feat(platform): checkpoint current implementation state
2026-04-01 07:42:03 +02:00
Hartmut
7908ab6d05
feat(web): strengthen report builder explainability
2026-03-31 23:07:36 +02:00
Hartmut
8cb34a1c9b
feat(web): expand chargeability export explainability
2026-03-31 23:06:39 +02:00
Hartmut
dfa289213c
refactor(web): share allocation workbook export helper
2026-03-31 23:06:21 +02:00
Hartmut
c3b3dffb6e
fix(web): harden timeline sse reconnect lifecycle
2026-03-31 23:06:07 +02:00
Hartmut
73ef3b2bba
test(web): align workbook export buffer typing
2026-03-31 23:06:00 +02:00
Hartmut
160ba99b5c
refactor(insights): share workbook export and ai defaults
2026-03-31 22:53:53 +02:00
Hartmut
05eeaab3f7
chore(settings): align default ai model handling
2026-03-31 22:52:29 +02:00
Hartmut
7ace137d16
feat(dashboard): tighten explainability detail views
2026-03-31 22:50:47 +02:00
Hartmut
db50e2e555
feat(import): harden workbook parser boundaries
2026-03-31 22:48:30 +02:00
Hartmut
a7362f17bd
refactor(config): enforce runtime auth secret policy
2026-03-30 23:40:00 +02:00
Hartmut
ef5e8016a4
refactor(api): add redis-backed rate limiting fallback
2026-03-30 23:23:56 +02:00
Hartmut
a36bca7ca7
refactor(admin): split system settings into section modules
2026-03-30 20:04:06 +02:00
Hartmut
a19d2cbae0
refactor(settings): adopt environment-only runtime secret flow
2026-03-30 19:55:06 +02:00
Hartmut
dd71e8f80b
fix(comment): align mention audience with entity visibility
2026-03-30 18:50:36 +02:00
Hartmut
82466a4e34
fix(api): derive secure sse subscriptions
2026-03-30 14:20:18 +02:00
Hartmut
27b0e38b93
fix(web): portal remaining overlay menus
2026-03-30 14:20:05 +02:00
Hartmut
ea2efabd7f
fix(web): portal autocomplete overlays
2026-03-30 14:14:15 +02:00
Hartmut
f0bea6235d
fix(web): reuse project combobox in timeline popovers
2026-03-30 13:34:59 +02:00
Hartmut
9268a38df4
fix(web): restore comment typing and portal combobox menus
2026-03-30 13:32:51 +02:00
Hartmut
5b60cf5553
fix(web): portal skill tag suggestions
2026-03-30 13:29:28 +02:00
Hartmut
fcfe09ac1d
fix(web): open project demand strips in demand popover
2026-03-30 13:26:54 +02:00
Hartmut
5a345cd2e4
fix(web): portal timeline hover tooltips
2026-03-30 13:19:43 +02:00
Hartmut
e20bf64eef
fix(web): portal timeline overlays above stacked panels
2026-03-30 13:18:08 +02:00
Hartmut
93c4374973
feat(auth): introduce explicit planning read permission
2026-03-30 09:15:07 +02:00
Hartmut
f6daf21983
feat(import): harden untrusted spreadsheet boundaries
2026-03-30 08:02:52 +02:00
Hartmut
fac8c1c3a5
feat(sse): scope timeline events to affected audiences
2026-03-30 00:40:24 +02:00
Hartmut
819345acfa
feat(platform): harden access scoping and delivery baseline
2026-03-30 00:27:31 +02:00
Hartmut
47e4d701ff
chore(repo): checkpoint current capakraken implementation state
2026-03-29 12:47:12 +02:00
Hartmut
beae1a5d6e
feat(assistant): add approval inbox and e2e hardening
2026-03-29 10:10:59 +02:00
Hartmut
4f48afe7b4
feat(planning): ship holiday-aware planning and assistant upgrades
2026-03-28 22:49:28 +01:00
Hartmut
1fc1e9f24c
feat: AI security controls + PostgreSQL hardening (Week 1 Quick Wins)
AI Security (EGAI 4.3.1.3, 4.3.1.4, 4.1.3.1, IAAI 3.6.26):
- AI Disclaimer banner in ChatPanel: "AI responses may be inaccurate"
- "AI Generated" violet badge on: chat messages, AI summaries,
project narratives, AI-generated cover images
- HITL: system prompt now requires explicit user confirmation
before any data mutation (strongly worded instruction)
- Mutation tool audit logging: all 31 write tools logged with
tool name, params, userId, userRole via Pino
PostgreSQL Hardening (PG Standard V1.6):
- Audit logging: log_connections, log_disconnections, log_statement=ddl,
log_min_duration_statement=1000 in docker-compose
- SUPERUSER removal script: scripts/harden-postgres.sh
(NOSUPERUSER + minimal GRANT for app user)
- Health check: pg_isready -U capakraken -d capakraken
- Documentation: security-architecture.md Section 12 updated
Controls closed: EGAI 4.1.3.1, 4.3.1.3, 4.3.1.4, PG 3.3, 3.5
Co-Authored-By: claude-flow <ruv@ruv.net>
2026-03-27 16:18:35 +01:00
Hartmut
cd0c2fe3e2
feat: close 4 more security compliance gaps (46/63 OK, 73%)
Error-Page Headers (3.3.1.3.03 → OK):
- Cache-Control no-store on ALL routes (API, auth, catch-all)
Proactive Monitoring (3.2.1.04 → OK):
- /api/cron/health-check: DB + Redis check with latency, ADMIN alerts on failure
Security Scanning (3.2.2.7 → improved):
- /api/cron/security-audit: package version check against minimum safe versions
Server Hardening (3.3.1.4 → OK):
- docs/nginx-hardening.conf: complete template (rate limits, SSL, headers)
Database Security (3.3.3 → OK):
- docs/security-architecture.md Section 12: DB auth, isolation, SSL/audit recommendations
Compliance: 46 OK / 5 PARTIAL / 8 TODO / 4 N/A (was 42/9/8/4)
Co-Authored-By: claude-flow <ruv@ruv.net>
2026-03-27 15:43:44 +01:00
Hartmut
9d43e4b113
feat: ACN Application Security Standard V7.30 compliance (19/23 items)
CRITICAL — Authentication & Access:
- TOTP MFA: otpauth-based, QR setup UI, sign-in flow integration,
admin disable override, /account/security self-service page
- Session Timeouts: 8h absolute (maxAge), 30min idle (updateAge)
- Failed Auth Logging: Pino warn for invalid password/user/totp,
info for successful login, audit entries for all auth events
- Concurrent Session Limit: ActiveSession model, oldest-kick strategy,
max 3 per user (configurable in SystemSettings)
CRITICAL — HTTP Security:
- HSTS: max-age=31536000; includeSubDomains
- CSP: script/style/img/font/connect-src with Gemini/OpenAI whitelist
- X-XSS-Protection: 0 (CSP replaces legacy)
- Auth page cache: no-store, no-cache, must-revalidate
- Rate Limiting: 100/15min general API, 5/15min auth (Map-based)
Data Protection:
- XSS Sanitization: DOMPurify on comment bodies
- autocomplete="new-password" on all password/secret fields
- SameSite=Strict on all cookies (Credentials-only, no OAuth)
- File Upload Magic Bytes validation (PNG/JPEG/WebP/GIF/BMP/TIFF)
Logging & Monitoring:
- Login/Logout audit entries (Auth entityType)
- External API call logging with timing (OpenAI, Gemini)
- Input validation failure logging at warn level
- Concurrent session tracking in ActiveSession table
Documentation:
- docs/security-architecture.md (11 sections)
- docs/sdlc.md (CI pipeline, security gates, incident response)
- .gitea/PULL_REQUEST_TEMPLATE.md (security checklist)
Schema: User.totpSecret/totpEnabled, SystemSettings.sessionMaxAge/
sessionIdleTimeout/maxConcurrentSessions, ActiveSession model
Tests: 310 engine + 37 staffing pass. TypeScript clean.
Co-Authored-By: claude-flow <ruv@ruv.net>
2026-03-27 14:16:39 +01:00
Hartmut
cd78f72f33
chore: full technical rename planarchy → capakraken
Complete rename of all technical identifiers across the codebase:
Package names (11 packages):
- @planarchy/* → @capakraken/* in all package.json, tsconfig, imports
Import statements: 277 files, 548 occurrences replaced
Database & Docker:
- PostgreSQL user/db: planarchy → capakraken
- Docker volumes: planarchy_pgdata → capakraken_pgdata
- Connection strings updated in docker-compose, .env, CI
CI/CD:
- GitHub Actions workflow: all filter commands updated
- Test database credentials updated
Infrastructure:
- Redis channel: planarchy:sse → capakraken:sse
- Logger service name: planarchy-api → capakraken-api
- Anonymization seed updated
- Start/stop/restart scripts updated
Test data:
- Seed emails: @planarchy.dev → @capakraken.dev
- E2E test credentials: all 11 spec files updated
- Email defaults: @planarchy.app → @capakraken.app
- localStorage keys: planarchy_* → capakraken_*
Documentation: 30+ .md files updated
Verification:
- pnpm install: workspace resolution works
- TypeScript: only pre-existing TS2589 (no new errors)
- Engine: 310/310 tests pass
- Staffing: 37/37 tests pass
Co-Authored-By: claude-flow <ruv@ruv.net>
2026-03-27 13:18:09 +01:00
Hartmut
bf3751f667
fix: invert shoring ratio logic — higher offshore = better
The shoring indicator logic was backwards. In the business context,
higher offshore = more cost-efficient = GOOD.
Inverted logic:
- Green: offshore >= threshold (target met, e.g. >= 55%)
- Yellow: offshore close to threshold (threshold-10 to threshold)
- Red: offshore below threshold (too little offshore, too expensive)
Updated:
- ShoringIndicator: getSeverity() inverted, badge text updated
- ProjectModal: "Max Offshore" renamed to "Min Offshore" with new tooltip
- AI Tool: status text reflects "target met" vs "below target"
- Tool description: "higher offshore is better, threshold is minimum"
Co-Authored-By: claude-flow <ruv@ruv.net>
2026-03-26 13:07:36 +01:00
Hartmut
d58f121c12
feat: clickable project names in ProjectHealth widget
Project names in the health widget now link to /projects/[id] detail page.
Hover: brand color transition for visual feedback.
Co-Authored-By: claude-flow <ruv@ruv.net>
2026-03-26 13:01:42 +01:00
Hartmut
be2d2c0d56
feat: Shoring column in ProjectHealth widget + populate country data
Widget: added "Shoring" column with ShoringBadge per project showing
offshore % with color indicator (green/yellow/red).
Backend: added id field to ProjectHealthRow for badge queries.
Database: assigned diverse countries to 11 resources for realistic
shoring data (25 DE, 5 ES, 4 IN, 2 US instead of all-DE).
Co-Authored-By: claude-flow <ruv@ruv.net>
2026-03-26 11:49:28 +01:00
Hartmut
92a982b151
feat: Nearshore-Ratio indicator per project
Engine (packages/engine):
- calculateShoringRatio() pure function: onshore/offshore hours,
country breakdown, threshold check, weighted by hours not headcount
- 12 unit tests: empty, 100% onshore/offshore, mixed ratios,
custom threshold, case-insensitive, unknown country, FTE weighting
Schema:
- Project.shoringThreshold (default 55%) — per-project configurable
- Project.onshoreCountryCode (default "DE") — configurable onshore country
API (project router):
- getShoringRatio query: loads assignments with resource.country,
computes ratio, returns full breakdown
- update mutation: accepts shoringThreshold + onshoreCountryCode
UI:
- ShoringIndicator: stacked horizontal bar with country segments,
severity badge (green/yellow/red), hover tooltip, dark theme
- ShoringBadge: mini colored dot + % for project list column
- ProjectModal: "Max Offshore %" number input
- Project detail: indicator after budget status card
- Project list: "Shoring" column (default hidden, toggleable)
AI Assistant:
- get_shoring_ratio tool: human-readable breakdown with threshold alert
Colors: green (<threshold-10), yellow (threshold-10 to threshold), red (>=threshold)
Default: 55% offshore threshold, "DE" as onshore country
Co-Authored-By: claude-flow <ruv@ruv.net>
2026-03-26 11:45:50 +01:00
Hartmut
a9107add7b
feat: unique icons for all admin navigation items
Replaced generic AdminIcon (gear) with distinct icons:
- Blueprints: document with lines
- Clients: building/office
- Countries: globe
- Org Units: layout/grid
- Util. Categories: tag
- Mgmt Levels: horizontal lines (hierarchy)
- Data Import: upload arrow
- Calc. Rules: calculator
- Users: people group
- System Roles: shield with checkmark
- Settings: detailed gear (distinct from AdminIcon)
- Webhooks: chain link
Existing unique icons kept: Broadcasts (megaphone), Activity Log (clock)
Co-Authored-By: claude-flow <ruv@ruv.net>
2026-03-26 08:44:25 +01:00
Hartmut
e5d7ca1293
refactor: rename Planarchy to CapaKraken (branding only)
User-facing rename across 20 files:
- Layout title/meta: "CapaKraken — Resource & Capacity Planning"
- Sidebar logo: "CapaKraken" with "RESOURCE & CAPACITY PLANNING"
- Sign-in page: "CapaKraken Control Center", "Sign in to CapaKraken"
- PWA manifest: name + short_name
- PDF reports: footer text
- Install prompt: "Install CapaKraken"
- AI assistant system prompt
- Webhooks test payload
- Email subject lines
- Tooltips, descriptions, empty states
NOT changed (technical identifiers):
- Package names (@planarchy/*)
- Import paths
- Database names
- Docker container names
- localStorage keys
- Domain URLs
- CLAUDE.md
Co-Authored-By: claude-flow <ruv@ruv.net>
2026-03-25 21:46:15 +01:00
Hartmut
ea02ca7106
fix: match Project View grid lines to Resource View
The Project View used its own buildProjectRowGridBackground() which
rendered CSS gradients with hardcoded rgba colors (no dark mode).
The Resource View used shared gridLines from useTimelineLayout which
renders React div elements with proper dark: Tailwind classes.
Fix: replaced the CSS gradient approach with the shared gridLines
in both resource rows and open demand rows within the Project View.
Removed the now-unused buildProjectRowGridBackground function (~40 LOC).
Both views now use identical grid lines with:
- Brand-colored today marker
- Amber weekend highlights
- Proper dark mode colors via Tailwind classes
Co-Authored-By: claude-flow <ruv@ruv.net>
2026-03-24 11:46:43 +01:00
Hartmut
c865a9e8cc
fix: ScenarioPlanner resources.map crash — extract array from query result
resource.list returns { resources: [...], total } but ScenarioPlanner
expected a flat array. Fixed by extracting .resources from the response.
Co-Authored-By: claude-flow <ruv@ruv.net>
2026-03-24 09:04:19 +01:00
Hartmut
05fd0e21ea
fix: disable Sentry webpack wrapper in dev mode
The withSentryConfig() wrapper caused recurring worker.js crashes
in Next.js dev mode (vendor-chunks/lib/worker.js MODULE_NOT_FOUND).
This crashed the server mid-request during image generation and
other long-running operations.
Fix: only apply withSentryConfig in production. In dev mode, use
the raw Next.js config. Sentry instrumentation also gated to
production only.
Co-Authored-By: claude-flow <ruv@ruv.net>
2026-03-23 18:28:02 +01:00
Hartmut
835ed6ef27
fix: correct Gemini model names + add model dropdown
Corrected model names (per Google AI docs):
- gemini-2.5-flash-image (was gemini-2.0-flash-preview-image-generation)
- gemini-3-pro-image-preview (Nano Banana Pro)
- gemini-3.1-flash-image-preview (Nano Banana 2)
UI: replaced text input with dropdown selector showing all 3 models
with human-readable descriptions.
Default changed to gemini-2.5-flash-image (fast, high-volume).
AI Assistant: generate_project_cover tool description updated to be
provider-agnostic (works with both DALL-E and Gemini).
Co-Authored-By: claude-flow <ruv@ruv.net>
2026-03-23 17:46:41 +01:00
Hartmut
3ceba38ac8
feat: Gemini image generation test button in admin settings
API: new testGeminiConnection adminProcedure
- Generates a simple test image via Gemini API
- Returns { ok, model } on success, { ok: false, error } on failure
- Audit logged: "Gemini test succeeded/failed"
UI: "Test Gemini" button next to "Save Image Settings"
- Only visible when Gemini provider is selected
- Shows green success or red error result below the buttons
- Displays the model name on success
Model: gemini-2.0-flash-preview-image-generation (correct name)
Co-Authored-By: claude-flow <ruv@ruv.net>
2026-03-23 15:11:28 +01:00