Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
47e4d701ffbaf7df36012607f6888770f8e9f6a6
CapaKraken/docs/sdlc.md
T
Hartmut 9d43e4b113 feat: ACN Application Security Standard V7.30 compliance (19/23 items) 
CRITICAL — Authentication & Access:
- TOTP MFA: otpauth-based, QR setup UI, sign-in flow integration,
  admin disable override, /account/security self-service page
- Session Timeouts: 8h absolute (maxAge), 30min idle (updateAge)
- Failed Auth Logging: Pino warn for invalid password/user/totp,
  info for successful login, audit entries for all auth events
- Concurrent Session Limit: ActiveSession model, oldest-kick strategy,
  max 3 per user (configurable in SystemSettings)

CRITICAL — HTTP Security:
- HSTS: max-age=31536000; includeSubDomains
- CSP: script/style/img/font/connect-src with Gemini/OpenAI whitelist
- X-XSS-Protection: 0 (CSP replaces legacy)
- Auth page cache: no-store, no-cache, must-revalidate
- Rate Limiting: 100/15min general API, 5/15min auth (Map-based)

Data Protection:
- XSS Sanitization: DOMPurify on comment bodies
- autocomplete="new-password" on all password/secret fields
- SameSite=Strict on all cookies (Credentials-only, no OAuth)
- File Upload Magic Bytes validation (PNG/JPEG/WebP/GIF/BMP/TIFF)

Logging & Monitoring:
- Login/Logout audit entries (Auth entityType)
- External API call logging with timing (OpenAI, Gemini)
- Input validation failure logging at warn level
- Concurrent session tracking in ActiveSession table

Documentation:
- docs/security-architecture.md (11 sections)
- docs/sdlc.md (CI pipeline, security gates, incident response)
- .gitea/PULL_REQUEST_TEMPLATE.md (security checklist)

Schema: User.totpSecret/totpEnabled, SystemSettings.sessionMaxAge/
sessionIdleTimeout/maxConcurrentSessions, ActiveSession model

Tests: 310 engine + 37 staffing pass. TypeScript clean.

Co-Authored-By: claude-flow <ruv@ruv.net>
2026-03-27 14:16:39 +01:00

1.8 KiB
Raw Blame History

Secure Development Lifecycle (SDLC) — CapaKraken

Version: 1.0 | Date: 2026-03-27

Development Workflow

Feature Branch -> Pull Request -> CI Pipeline -> Code Review -> Merge to main -> Deploy

CI Pipeline (Quality Gates)

Every pull request must pass:

  1. TypeScript strict check: pnpm --filter @capakraken/web exec tsc --noEmit
  2. Linting: pnpm lint (ESLint with strict rules)
  3. Unit tests: pnpm test:unit (Vitest, engine + staffing packages)
  4. E2E tests: Playwright tests for critical user flows

Security Gates

Gate Tool Stage
Type safety TypeScript strict mode Build
Input validation Zod schemas on all tRPC procedures Build + Runtime
Dependency vulnerabilities Dependabot + pnpm audit PR + Weekly
Audit logging createAuditEntry() required for data mutations Code review
RBAC enforcement requirePermission() on new procedures Code review
No hardcoded secrets PR review checklist Code review
SQL injection prevention Prisma ORM (parameterized queries only) Architecture

PR Review Checklist

See .github/PULL_REQUEST_TEMPLATE.md for the security checklist that must be completed on every PR.

Branch Protection

  • Direct pushes to main are blocked
  • Minimum 1 approval required
  • CI must pass before merge
  • Force-pushes to main are prohibited

Secret Management

  • No secrets in source code
  • Environment variables for all credentials (DATABASE_URL, API keys)
  • SystemSettings table for runtime-configurable secrets (AI keys, SMTP credentials)
  • .env files excluded from version control via .gitignore

Incident Response

  1. Identify and contain the issue
  2. Create audit log review for affected timeframe
  3. Patch and deploy fix
  4. Post-mortem documented in LEARNINGS.md
Reference in New Issue View Git Blame Copy Permalink