Hartmut
5bc7cace26
fix(auth): make active-session check fail-open; add missing DB migration
The active_sessions table was never migrated to production — the model
was added to the Prisma schema via db push only. prisma migrate deploy
was a no-op because no migration directories existed.
Without the table, prisma.activeSession.findUnique() throws P2021,
crashing the tRPC handler with 500 on every authenticated request.
This silently emptied all admin pages (users, system-roles, etc.).
Changes:
- Wrap the jti ActiveSession lookup in try-catch so the tRPC handler
  degrades gracefully (fail-open) if the table is temporarily missing
- Add packages/db/prisma/migrations/20260401000000_active_sessions/
  so prisma migrate deploy creates the table on next production deploy
  (idempotent via IF NOT EXISTS — safe if table already exists)
Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-01 18:38:05 +02:00
Hartmut
0e119cfe73
security: close audit findings #19–#23 and harden Docker setup (#24)
#19 MFA QR code: render locally via qrcode package, remove external qrserver.com request
#20 Webhook SSRF: add ssrf-guard.ts with DNS-verified IP blocklist; enforce on create/update/test/dispatch
#21 /api/perf: fail-closed when CRON_SECRET missing; remove query-string token auth
#22 CSP: remove unsafe-eval and unsafe-inline from script-src in production builds
#23 Active session registry: forward jti into session object; validate against ActiveSession on every tRPC request
#24 Docker: add missing packages/application to Dockerfile.dev; fix pnpm-lock.yaml glob;
    run db:migrate:deploy on container start so a fresh checkout boots without manual steps
Also: fix pre-existing TS error in e2e/allocations.spec.ts (args.length literal type overlap)
Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-01 18:19:21 +02:00
Hartmut
57ea9d8310
fix(allocations): recover from fully filtered empty state
2026-04-01 15:18:08 +02:00
Hartmut
b841cc9127
fix(allocations): expand grouped rows by default
2026-04-01 15:18:07 +02:00
Hartmut
fd75628e9d
fix(allocations): recover from fully filtered empty state
2026-04-01 15:16:57 +02:00
Hartmut
7df751d5eb
fix(allocations): expand grouped rows by default
2026-04-01 15:13:24 +02:00
Hartmut
4b14db9dc6
fix(timeline): pause sse while hidden
2026-04-01 15:05:34 +02:00
Hartmut
3258b59e21
fix(timeline): resync after sse reconnect
2026-04-01 15:04:00 +02:00
Hartmut
d4652b7a42
fix(timeline): cancel stranded drag interactions
2026-04-01 14:57:56 +02:00
Hartmut
a71bbeb640
fix(timeline): stabilize overlay lifecycle
2026-04-01 14:41:03 +02:00
Hartmut
fa5e654739
fix(timeline): harden project view interactions
2026-04-01 14:10:28 +02:00
Hartmut
e103174d39
refactor(web): extract preview target setup
2026-04-01 11:59:10 +02:00
Hartmut
2a7769a0de
refactor(web): extract range release resolution
2026-04-01 11:53:11 +02:00
Hartmut
1e2bd3d4eb
refactor(web): extract project drag finalize
2026-04-01 11:49:14 +02:00
Hartmut
463caedcfd
refactor(web): extract touch event forwarding
2026-04-01 11:39:39 +02:00
Hartmut
37c6e03d23
refactor(web): extract allocation release effects
2026-04-01 11:35:17 +02:00
Hartmut
f4e9831dea
refactor(web): extract allocation drag session
2026-04-01 11:27:03 +02:00
Hartmut
510459fbff
refactor(web): extract allocation multi-drag session
2026-04-01 11:22:18 +02:00
Hartmut
5402189158
refactor(web): extract drag position helpers
2026-04-01 11:18:31 +02:00
Hartmut
3fe3a5fb2a
refactor(web): extract project drag session
2026-04-01 11:16:15 +02:00
Hartmut
0181f2b304
refactor(web): extract multi-select session
2026-04-01 11:14:28 +02:00
Hartmut
b14be80e32
refactor(web): extract timeline drag cleanup
2026-04-01 11:12:20 +02:00
Hartmut
922394c56a
refactor(web): split touch canvas adapters
2026-04-01 11:09:26 +02:00
Hartmut
a4789d718b
refactor(web): centralize multi-select release handling
2026-04-01 10:50:21 +02:00
Hartmut
ca947befde
refactor(web): extract allocation release classification
2026-04-01 10:48:47 +02:00
Hartmut
0ab1374853
refactor(web): centralize touch mouse adapters
2026-04-01 10:43:38 +02:00
Hartmut
eda8722d83
refactor(web): extract document drag listeners
2026-04-01 10:39:28 +02:00
Hartmut
84c5760392
refactor(web): extract range selection bootstrap
2026-04-01 10:17:39 +02:00
Hartmut
c941b1e5cf
refactor(web): extract allocation drag action plans
2026-04-01 10:15:54 +02:00
Hartmut
203bb8751d
refactor(web): extract allocation drag bootstrap
2026-04-01 10:10:06 +02:00
Hartmut
892a9c5ccf
refactor(web): extract project drag helpers
2026-04-01 10:06:32 +02:00
Hartmut
c32f56ba89
refactor(web): extract allocation multi-drag helpers
2026-04-01 10:03:16 +02:00
Hartmut
6dac993521
refactor(web): extract allocation drag finalize helpers
2026-04-01 09:57:29 +02:00
Hartmut
54c6cf2e2d
refactor(web): extract optimistic timeline reconciliation
2026-04-01 09:53:40 +02:00
Hartmut
848797b4d2
refactor(web): extract timeline range selection helpers
2026-04-01 09:51:18 +02:00
Hartmut
43f04d66c8
refactor(web): extract timeline multi-select helpers
2026-04-01 09:50:03 +02:00
Hartmut
3abb3bc865
refactor(web): extract timeline touch helpers
2026-04-01 09:48:04 +02:00
Hartmut
5e8babd1e6
test(web): cover timeline live preview render edges
2026-04-01 09:41:43 +02:00
Hartmut
5011d071b8
refactor(web): extract timeline live preview helpers
2026-04-01 09:40:07 +02:00
Hartmut
2855567456
test(web): cover timeline project row layout
2026-04-01 09:29:43 +02:00
Hartmut
85744d1879
test(web): cover timeline render helper edges
2026-04-01 09:26:44 +02:00
Hartmut
1f71b345ee
test(web): cover allocation visual state helpers
2026-04-01 09:24:38 +02:00
Hartmut
f70ce9480d
test(web): cover timeline drag math guards
2026-04-01 09:23:45 +02:00
Hartmut
403d59ad73
fix(web): stabilize timeline hover date matching
2026-04-01 09:15:24 +02:00
Hartmut
71c4e61735
test(web): cover timeline sse edge paths
2026-04-01 09:10:45 +02:00
Hartmut
e75f69bcf5
refactor(web): extract timeline sse invalidation policy
2026-04-01 08:59:25 +02:00
Hartmut
4edf3a32ac
fix(web): keep segmented timeline allocations actionable
2026-04-01 08:54:15 +02:00
Hartmut
8c5be51251
feat(platform): checkpoint current implementation state
2026-04-01 07:42:03 +02:00
Hartmut
7908ab6d05
feat(web): strengthen report builder explainability
2026-03-31 23:07:36 +02:00
Hartmut
8cb34a1c9b
feat(web): expand chargeability export explainability
2026-03-31 23:06:39 +02:00