Hartmut 3452464809 fix(security): invalidate sessions on password change and remove hash from permission API responses ...

- setUserPassword and resetPassword now call activeSession.deleteMany after
  updating the passwordHash, so any pre-change sessions are immediately revoked
  (CWE-613 session fixation after credential change)
- setUserPermissions and resetUserPermissions now use explicit Prisma select to
  exclude passwordHash and totpSecret from the returned user object

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-04-09 21:37:56 +02:00

..

api

fix(security): invalidate sessions on password change and remove hash from permission API responses

2026-04-09 21:37:56 +02:00

application

Merge branch 'worktree-agent-a8de1898' - Phase 2A entitlement use-cases

2026-04-09 20:16:38 +02:00

db

feat(api): add audit helpers, tool registry, shared tool manifest types, and UI primitives

2026-04-09 21:14:26 +02:00

engine

feat(timeline): add pulse animation for in-flight drag mutations

2026-04-09 13:28:46 +02:00

shared

feat(api): add audit helpers, tool registry, shared tool manifest types, and UI primitives

2026-04-09 21:14:26 +02:00

staffing

fix(merge): resolve post-merge type errors from batch-1 agents

2026-04-09 14:38:32 +02:00

ui

fix(infra): apply missing migrations, fix Dockerfile.dev ui package reference

2026-04-09 20:29:21 +02:00