9d43e4b113
CRITICAL — Authentication & Access:
- TOTP MFA: otpauth-based, QR setup UI, sign-in flow integration, admin disable override, /account/security self-service page
- Session Timeouts: 8h absolute (maxAge), 30min idle (updateAge)
- Failed Auth Logging: Pino warn for invalid password/user/totp, info for successful login, audit entries for all auth events
- Concurrent Session Limit: ActiveSession model, oldest-kick strategy, max 3 per user (configurable in SystemSettings)

CRITICAL — HTTP Security:
- HSTS: max-age=31536000; includeSubDomains
- CSP: script/style/img/font/connect-src with Gemini/OpenAI whitelist
- X-XSS-Protection: 0 (CSP replaces legacy)
- Auth page cache: no-store, no-cache, must-revalidate
- Rate Limiting: 100/15min general API, 5/15min auth (Map-based)

Data Protection:
- XSS Sanitization: DOMPurify on comment bodies
- autocomplete="new-password" on all password/secret fields
- SameSite=Strict on all cookies (Credentials-only, no OAuth)
- File Upload Magic Bytes validation (PNG/JPEG/WebP/GIF/BMP/TIFF)

Logging & Monitoring:
- Login/Logout audit entries (Auth entityType)
- External API call logging with timing (OpenAI, Gemini)
- Input validation failure logging at warn level
- Concurrent session tracking in ActiveSession table

Documentation:
- docs/security-architecture.md (11 sections)
- docs/sdlc.md (CI pipeline, security gates, incident response)
- .gitea/PULL_REQUEST_TEMPLATE.md (security checklist)

Schema: User.totpSecret/totpEnabled, SystemSettings.sessionMaxAge/sessionIdleTimeout/maxConcurrentSessions, ActiveSession model

Tests: 310 engine + 37 staffing pass. TypeScript clean.

Co-Authored-By: claude-flow <ruv@ruv.net>
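The magic-bytes upload check listed under Data Protection, as an added TypeScript example that is not the project's own code: `detectImageType` and `isAllowedImageUpload` are assumed names, and the signature table covers only the six formats the commit names, so the file's real type is decided from its leading bytes rather than from the client-declared MIME type or extension.

```typescript
type ImageType = "png" | "jpeg" | "webp" | "gif" | "bmp" | "tiff";

// Fixed-offset signatures. `null` is a wildcard byte, used for the 4-byte
// little-endian RIFF chunk size in WebP, which differs from file to file.
const SIGNATURES: Array<{ type: ImageType; pattern: Array<number | null> }> = [
  { type: "png",  pattern: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "jpeg", pattern: [0xff, 0xd8, 0xff] },
  { type: "gif",  pattern: [0x47, 0x49, 0x46, 0x38, 0x37, 0x61] }, // "GIF87a"
  { type: "gif",  pattern: [0x47, 0x49, 0x46, 0x38, 0x39, 0x61] }, // "GIF89a"
  { type: "bmp",  pattern: [0x42, 0x4d] },                         // "BM"
  { type: "tiff", pattern: [0x49, 0x49, 0x2a, 0x00] },             // "II*\0" little-endian
  { type: "tiff", pattern: [0x4d, 0x4d, 0x00, 0x2a] },             // "MM\0*" big-endian
  // "RIFF" <size> "WEBP": the RIFF prefix alone is not enough (WAV/AVI share it).
  { type: "webp", pattern: [0x52, 0x49, 0x46, 0x46, null, null, null, null, 0x57, 0x45, 0x42, 0x50] },
];

function matches(bytes: Uint8Array, pattern: Array<number | null>): boolean {
  if (bytes.length < pattern.length) return false; // truncated header never matches
  return pattern.every((expected, i) => expected === null || bytes[i] === expected);
}

// Returns the detected image type, or null when no known signature matches.
function detectImageType(bytes: Uint8Array): ImageType | null {
  for (const { type, pattern } of SIGNATURES) {
    if (matches(bytes, pattern)) return type;
  }
  return null;
}

// Upload gate: the bytes must carry a known image signature AND agree with the
// MIME type the client declared, so a renamed HTML/SVG body is rejected.
function isAllowedImageUpload(bytes: Uint8Array, declaredMime: string): boolean {
  const detected = detectImageType(bytes);
  if (detected === null) return false;
  const acceptable: Record<ImageType, string[]> = {
    png: ["image/png"], jpeg: ["image/jpeg", "image/jpg"], webp: ["image/webp"],
    gif: ["image/gif"], bmp: ["image/bmp", "image/x-ms-bmp"], tiff: ["image/tiff"],
  };
  return acceptable[detected].includes(declaredMime.trim().toLowerCase());
}

// Constructed sample: a client declares "image/png" but sends an SVG body.
const SAMPLE_SVG_AS_PNG = new TextEncoder().encode('<svg xmlns="http://www.w3.org/2000/svg"/>');
const SAMPLE_REJECTED = !isAllowedImageUpload(SAMPLE_SVG_AS_PNG, "image/png"); // true
```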
# Documentation Index

Date: 2026-03-12

Purpose: Single entry point for active Planarchy product and technical documentation.

## Canonical Documents
| Topic | File | Use |
|---|---|---|
| Active roadmap and open gaps | product-roadmap.md | Primary backlog and current delivery order |
| Estimating system design | estimating-extension-design.md | Workbook analysis, field mapping, and implementation plan |
| Dispo import implementation | dispo-import-implementation.md | Clean-slate Dispo v2 import design, mapping rules, staging flow, and commit policy |
| Dispo import ticket pack | dispo-import-implementation-tickets.md | Worker-ready delivery slices, dependencies, and acceptance criteria for the Dispo import |
| Demand/assignment cutover guide | demand-assignment-migration-cutover.md | Go/no-go criteria, staged cutover, and readiness artifact policy |
| Strategic architecture direction | v2-architecture-proposal-2026-03-11.md | Longer-horizon architecture target |
| Implementation history | LEARNINGS.md | Append-only decisions and lessons |
| Agent/project guidance | CLAUDE.md | Working conventions and quality gates |
## Archive Policy
Older plan and proposal markdown files stay in the repository only as archive notes when:
- the feature is already implemented enough to leave the active backlog
- the content was merged into a canonical document
- the file still has historical value, but should not drive current work
Archive-note files should point back to the relevant canonical document instead of carrying parallel backlog state.
## Current Archive Notes
All archived markdown plan and proposal files now live under docs/old-markdowns/.