Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
435c871e1fb62d00a33cd5982d9b8012fe23f218
CapaKraken/docker-compose.yml
T
Hartmut 435c871e1f security: implement tickets #28-#35 + architecture decision #30 
#28 - TOTP rate limiting (verifyTotp): added totpRateLimiter (10 req/30s),
  throws TOO_MANY_REQUESTS before DB hit; 16 unit tests including rate-limit
  exceeded + userId key isolation.

#29 - /api/reports/allocations role check: only ADMIN/MANAGER/CONTROLLER may
  access; returns 403 otherwise; 9 unit tests (401 unauthenticated, 403 for
  USER/VIEWER, 200 for allowed roles + xlsx format).

#31 - pgAdmin credentials moved out of docker-compose.yml into env vars;
  PGADMIN_PASSWORD is now required (:?) to prevent accidental plaintext
  exposure in committed files.

#34 - Server-side HTML sanitization for comment bodies via stripHtml():
  strips all tags + decodes safe entities before persistence; 16 unit tests
  covering passthrough, injection patterns, entity decoding.

#35 - MFA setup prompt banner (MfaPromptBanner): shown to ADMIN/MANAGER users
  without TOTP enabled; user-scoped localStorage snooze (7 days); links to
  /account/security; accessibility role=alert; 7 structural unit tests.

#33 - Auth anomaly alerting cron (/api/cron/auth-anomaly-check): detects
  HIGH_GLOBAL_FAILURE_RATE and CONCENTRATED_FAILURES in 30-minute window;
  CRITICAL notification to ADMINs; fail-closed via verifyCronSecret;
  10 unit tests.

#32 - MFA enforcement policy: added requireMfaForRoles field to SystemSettings
  schema + Prisma migration; auth.ts blocks login with MFA_REQUIRED_SETUP
  signal if role is enforced but TOTP not set up; signin page redirects to
  /account/security?mfa_required=1; settings schema + view model updated;
  11 unit tests.

#30 - API keys architecture decision documented in LEARNINGS.md; no code
  written — product decision required before implementation.

Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-01 23:25:06 +02:00

101 lines
2.9 KiB
YAML
Raw Blame History

name: capakraken
services:
postgres:
image: postgres:16-alpine
ports:
- "5433:5432"
environment:
POSTGRES_DB: capakraken
POSTGRES_USER: capakraken
POSTGRES_PASSWORD: capakraken_dev
command: >
postgres
-c log_connections=on
-c log_disconnections=on
-c log_statement=ddl
-c log_line_prefix='%t [%p] %u@%d '
-c log_min_duration_statement=1000
volumes:
- capakraken_pgdata:/var/lib/postgresql/data
healthcheck:
test: ["CMD-SHELL", "pg_isready -U capakraken -d capakraken"]
interval: 5s
timeout: 3s
retries: 5
redis:
image: redis:7-alpine
ports:
- "6380:6379"
healthcheck:
test: ["CMD", "redis-cli", "ping"]
interval: 5s
timeout: 3s
retries: 5
pgadmin:
image: dpage/pgadmin4
ports:
- "5050:80"
environment:
PGADMIN_DEFAULT_EMAIL: ${PGADMIN_EMAIL:-admin@capakraken.dev}
PGADMIN_DEFAULT_PASSWORD: ${PGADMIN_PASSWORD:?PGADMIN_PASSWORD must be set}
depends_on:
postgres:
condition: service_healthy
app:
build:
context: .
dockerfile: Dockerfile.dev
ports:
- "3100:3100"
environment:
# Always use the Docker-internal service name. The host-level DATABASE_URL
# (localhost:5433) must not bleed into the container where "localhost" is
# the container itself, not the host.
DATABASE_URL: postgresql://capakraken:capakraken_dev@postgres:5432/capakraken
REDIS_URL: redis://redis:6379
NEXTAUTH_URL: ${NEXTAUTH_URL:-http://localhost:3100}
NEXTAUTH_SECRET: ${NEXTAUTH_SECRET:?set NEXTAUTH_SECRET}
# Bypass auth + API rate limiters for E2E test runs only.
# MUST remain "false" in any production or staging deployment.
# Set E2E_TEST_MODE=true in the host environment before running E2E tests.
E2E_TEST_MODE: "${E2E_TEST_MODE:-false}"
# AI provider secrets — forwarded from host .env, not hardcoded
AZURE_OPENAI_API_KEY: ${AZURE_OPENAI_API_KEY:-}
OPENAI_API_KEY: ${OPENAI_API_KEY:-}
GEMINI_API_KEY: ${GEMINI_API_KEY:-}
depends_on:
postgres:
condition: service_healthy
redis:
condition: service_healthy
volumes:
- .:/app
# Anonymous volumes mask the bind-mount for generated/installed artefacts.
# Docker seeds them from the image layer on first start; they persist across restarts.
# pnpm stores all packages in the root node_modules/.pnpm virtual store — one volume covers it all.
- /app/node_modules
- /app/apps/web/.next
profiles:
- full
postgres-test:
image: postgres:16-alpine
ports:
- "${POSTGRES_TEST_PORT:-5434}:5432"
environment:
POSTGRES_DB: capakraken_test
POSTGRES_USER: capakraken
POSTGRES_PASSWORD: capakraken_test
tmpfs:
- /var/lib/postgresql/data
profiles:
- test
volumes:
capakraken_pgdata:
name: capakraken_pgdata
Reference in New Issue View Git Blame Copy Permalink