Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
d1075af77d3d929ee2f48327d6e26d9c60f8e4f4
CapaKraken/apps/web
T
History
Hartmut d1075af77d security: tighten CSP — drop provider wildcards, add object/frame/worker-src (#45) 
Browser code never calls OpenAI/Azure/Gemini directly; all AI traffic is
server-side tRPC. connect-src is now locked to 'self'. Added object-src 'none',
frame-src 'none', media-src 'self', and worker-src 'self' blob:. style-src
keeps 'unsafe-inline' for React + @react-pdf/renderer (documented residual
risk — script-src is nonce-based so CSS injection cannot escalate to JS).

Added three regression tests covering connect-src no-wildcards, object/frame-src
'none', and worker-src scope.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-17 09:08:40 +02:00
..
e2e
test(web/e2e): verify root redirect via HTTP not Chromium navigation
2026-04-13 06:44:39 +02:00
public
feat: user invite flow, deactivate/delete, favicon, dashboard loading fix, admin full-width
2026-04-02 20:19:26 +02:00
src
security: tighten CSP — drop provider wildcards, add object/frame/worker-src (#45)
2026-04-17 09:08:40 +02:00
.gitignore
test(e2e): fix dev-system test suite — storageState + strict-mode + signout
2026-04-01 19:09:49 +02:00
eslint.config.mjs
chore: add pre-commit hooks, tighten ESLint, activate Sentry DSN, publish CI coverage (Phase 1)
2026-04-10 14:49:29 +02:00
next-env.d.ts
feat(platform): checkpoint current implementation state
2026-04-01 07:42:03 +02:00
next.config.ts
perf(api,web,db): refactor and optimize for enterprise readiness
2026-04-11 22:34:41 +02:00
package.json
security: bound password inputs, configure pino redact, patch deps (#36 #46 #58)
2026-04-17 08:13:25 +02:00
playwright.ci.config.ts
ci: bridge docker-deploy compose to gitea_gitea; bypass turbo for e2e
2026-04-12 23:22:50 +02:00
playwright.config.ts
feat(planning): ship holiday-aware planning and assistant upgrades
2026-03-28 22:49:28 +01:00
playwright.dev.config.ts
test(e2e): fix dev-system test suite — storageState + strict-mode + signout
2026-04-01 19:09:49 +02:00
postcss.config.js
chore(repo): initialize planarchy workspace
2026-03-14 14:31:09 +01:00
sentry.client.config.ts
feat: integrate Sentry error tracking
2026-03-22 18:38:27 +01:00
sentry.edge.config.ts
feat: integrate Sentry error tracking
2026-03-22 18:38:27 +01:00
sentry.server.config.ts
feat: integrate Sentry error tracking
2026-03-22 18:38:27 +01:00
tailwind.config.ts
fix: add missing brand-950 to Tailwind config
2026-03-22 20:39:08 +01:00
tsconfig.json
feat(planning): ship holiday-aware planning and assistant upgrades
2026-03-28 22:49:28 +01:00
tsconfig.typecheck.json
feat(platform): checkpoint current implementation state
2026-04-01 07:42:03 +02:00
typecheck-env.d.ts
feat(platform): checkpoint current implementation state
2026-04-01 07:42:03 +02:00
vitest.config.mts
test(web): add 57 UI component and hook tests with jsdom cleanup
2026-04-10 17:06:42 +02:00