Hartmut
9d43e4b113
CRITICAL — Authentication & Access: - TOTP MFA: otpauth-based, QR setup UI, sign-in flow integration, admin disable override, /account/security self-service page - Session Timeouts: 8h absolute (maxAge), 30min idle (updateAge) - Failed Auth Logging: Pino warn for invalid password/user/totp, info for successful login, audit entries for all auth events - Concurrent Session Limit: ActiveSession model, oldest-kick strategy, max 3 per user (configurable in SystemSettings) CRITICAL — HTTP Security: - HSTS: max-age=31536000; includeSubDomains - CSP: script/style/img/font/connect-src with Gemini/OpenAI whitelist - X-XSS-Protection: 0 (CSP replaces legacy) - Auth page cache: no-store, no-cache, must-revalidate - Rate Limiting: 100/15min general API, 5/15min auth (Map-based) Data Protection: - XSS Sanitization: DOMPurify on comment bodies - autocomplete="new-password" on all password/secret fields - SameSite=Strict on all cookies (Credentials-only, no OAuth) - File Upload Magic Bytes validation (PNG/JPEG/WebP/GIF/BMP/TIFF) Logging & Monitoring: - Login/Logout audit entries (Auth entityType) - External API call logging with timing (OpenAI, Gemini) - Input validation failure logging at warn level - Concurrent session tracking in ActiveSession table Documentation: - docs/security-architecture.md (11 sections) - docs/sdlc.md (CI pipeline, security gates, incident response) - .gitea/PULL_REQUEST_TEMPLATE.md (security checklist) Schema: User.totpSecret/totpEnabled, SystemSettings.sessionMaxAge/ sessionIdleTimeout/maxConcurrentSessions, ActiveSession model Tests: 310 engine + 37 staffing pass. TypeScript clean. Co-Authored-By: claude-flow <ruv@ruv.net>
58 lines
1.8 KiB
Markdown
58 lines
1.8 KiB
Markdown
# Secure Development Lifecycle (SDLC) — CapaKraken
|
|
|
|
> Version: 1.0 | Date: 2026-03-27
|
|
|
|
---
|
|
|
|
## Development Workflow
|
|
|
|
```
|
|
Feature Branch -> Pull Request -> CI Pipeline -> Code Review -> Merge to main -> Deploy
|
|
```
|
|
|
|
## CI Pipeline (Quality Gates)
|
|
|
|
Every pull request must pass:
|
|
|
|
1. **TypeScript strict check**: `pnpm --filter @capakraken/web exec tsc --noEmit`
|
|
2. **Linting**: `pnpm lint` (ESLint with strict rules)
|
|
3. **Unit tests**: `pnpm test:unit` (Vitest, engine + staffing packages)
|
|
4. **E2E tests**: Playwright tests for critical user flows
|
|
|
|
## Security Gates
|
|
|
|
| Gate | Tool | Stage |
|
|
|------|------|-------|
|
|
| Type safety | TypeScript strict mode | Build |
|
|
| Input validation | Zod schemas on all tRPC procedures | Build + Runtime |
|
|
| Dependency vulnerabilities | Dependabot + `pnpm audit` | PR + Weekly |
|
|
| Audit logging | `createAuditEntry()` required for data mutations | Code review |
|
|
| RBAC enforcement | `requirePermission()` on new procedures | Code review |
|
|
| No hardcoded secrets | PR review checklist | Code review |
|
|
| SQL injection prevention | Prisma ORM (parameterized queries only) | Architecture |
|
|
|
|
## PR Review Checklist
|
|
|
|
See `.github/PULL_REQUEST_TEMPLATE.md` for the security checklist that must be completed on every PR.
|
|
|
|
## Branch Protection
|
|
|
|
- Direct pushes to `main` are blocked
|
|
- Minimum 1 approval required
|
|
- CI must pass before merge
|
|
- Force-pushes to `main` are prohibited
|
|
|
|
## Secret Management
|
|
|
|
- No secrets in source code
|
|
- Environment variables for all credentials (`DATABASE_URL`, API keys)
|
|
- `SystemSettings` table for runtime-configurable secrets (AI keys, SMTP credentials)
|
|
- `.env` files excluded from version control via `.gitignore`
|
|
|
|
## Incident Response
|
|
|
|
1. Identify and contain the issue
|
|
2. Create audit log review for affected timeframe
|
|
3. Patch and deploy fix
|
|
4. Post-mortem documented in `LEARNINGS.md`
|