Hartmut/Nexus
1
0
Fork 0
Code Issues 11 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

rename(phase 1): CapaKraken → Nexus across code, UI, docs, CI
CI / Unit Tests (pull_request) Successful in 5m46s
Details
CI / Lint (pull_request) Failing after 3m49s
Details
CI / E2E Tests (pull_request) Has been skipped
Details
CI / Fresh-Linux Docker Deploy (pull_request) Has been skipped
Details
CI / Assistant Split Regression (pull_request) Failing after 35s
Details
CI / Architecture Guardrails (pull_request) Failing after 2m14s
Details
CI / Typecheck (pull_request) Successful in 4m22s
Details
CI / Build (pull_request) Has been skipped
Details
CI / Release Images (pull_request) Has been skipped
Details

Browse Source 
- @capakraken/* → @nexus/* across 12 packages (root + 11 workspaces),
  1551 import lines migrated via codemod
- User-visible brand strings renamed (emails, page titles, PWA
  manifest, mobile header, MFA backup-codes header, tooltips, signin
  page, invite page, weekly digest, install prompt)
- TOTP issuer "CapaKraken" → "Nexus" (existing secrets still valid;
  re-enrollment relabels them in users' authenticator apps)
- Function rename: assertCapaKrakenDbTarget → assertNexusDbTarget
- LocalStorage migration shim in apps/web/src/app/layout.tsx copies
  capakraken_* → nexus_* on first load (guarded by nexus_migrated_v1
  sentinel; runs once per browser, then never again)
- Service-worker cache name capakraken-v2 → nexus-v2 with one-time
  caches.delete('capakraken-v2') from the same shim
- Email-domain fixtures @capakraken.{dev,app} → @nexus.{dev,app} in
  seed data, e2e specs, SMTP default fallback
- Dockerfile.dev / Dockerfile.prod / all .github/workflows/*.yml
  pnpm --filter @capakraken/* → @nexus/*
- README, CLAUDE.md, LEARNINGS.md, all docs/*.md, .env.example,
  tooling/deploy/.env.production.example brand sweep

Phase 1 deliberately leaves untouched (handled in Phase 3 cutover):
- PostgreSQL DB name "capakraken" and POSTGRES_USER "capakraken"
- Volume names capakraken_pgdata etc.
- Compose project name "capakraken" / "capakraken-prod"
- db-target-guard default expectedDatabase
- env-var CAPAKRAKEN_EXPECTED_DB_NAME
- Container DNS names in docker-compose.ci.yml

Quality gates green: pnpm typecheck (7/7), pnpm test:unit (7/7),
pnpm lint (0 errors), check:exports/imports/architecture all pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Hartmut Nörenberg
2026-05-21 15:10:44 +02:00
parent d9a7ec0338
commit 4a5edeef3e
941 changed files with 24475 additions and 16760 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/acn-standards-applicability.md
+72 -70
View File
@@ -1,4 +1,4 @@
# CapaKraken — Accenture Security Standards Applicability Matrix
# Nexus — Accenture Security Standards Applicability Matrix
**Stand:** 2026-03-27 | **Quelle:** in.accenture.com/protectingaccenture/is-to-operations/architecture-standards/
@@ -6,44 +6,44 @@
## Zusammenfassung
| Kategorie | Relevant | Nicht relevant | Gesamt |
|-----------|----------|---------------|--------|
| Enterprise Security Standards | **12** | 7 | 19 |
| AI Security Standards | **2** | 1 | 3 |
| Infrastructure Standards | **5** | ~60 | ~65 |
| **Gesamt relevant** | **19** | ~68 | ~87 |
| Kategorie | Relevant | Nicht relevant | Gesamt |
| ----------------------------- | -------- | -------------- | ------ |
| Enterprise Security Standards | **12** | 7 | 19 |
| AI Security Standards | **2** | 1 | 3 |
| Infrastructure Standards | **5** | ~60 | ~65 |
| **Gesamt relevant** | **19** | ~68 | ~87 |
---
## Teil 1: Enterprise Security Standards
### RELEVANT fuer CapaKraken (12 Standards)
### RELEVANT fuer Nexus (12 Standards)
| # | Standard | Relevanz | CapaKraken Status | Handlungsbedarf |
|---|----------|----------|------------------|----------------|
| 1 | **Application Security Standard** | KERN-Standard | 73% compliant (46/63 Controls) | Bereits detailliert analysiert — siehe `acn-security-compliance-status.md` |
| 2 | **API Management Security Standard** | tRPC-API | TEILWEISE — Rate Limiting, Auth, Validation vorhanden | Standard lesen und gegen tRPC-Implementierung abgleichen |
| 3 | **Data Classification and Protection** | Personaldaten (Names, Emails, Rates) | TEILWEISE — RBAC + Audit vorhanden, keine formale Datenklassifizierung | Datenklassifizierung durchfuehren (welche Felder sind HC/C/IR?) |
| 4 | **Encryption Standard** | Passwoerter, API Keys, DB-Verbindung | TEILWEISE — Argon2 Hashing, HTTPS via nginx, DB ohne TLS | PostgreSQL TLS aktivieren, Key-Rotation Prozess definieren |
| 5 | **Identification and Authentication Standard** | Login, MFA, Session Mgmt | HOCH — Auth.js + TOTP MFA + Session Timeouts implementiert | ESO-Integration evaluieren (aktuell eigene Auth) |
| 6 | **Logging and Auditing Standard** | Activity History | HOCH — Pino Logger + Audit Entries auf 29/36 Router | Log-Retention Policy definieren, zentrales Log-Shipping |
| 7 | **Access Control Standard** | RBAC, Permissions | HOCH — 5-stufiges RBAC + per-User Overrides | Formale Access-Review Prozedur dokumentieren |
| 8 | **Security Remediation and Patch Management** | Dependencies | TEILWEISE — Dependabot + npm audit Cron | Patch-SLA definieren (Critical: 48h, High: 7d, Medium: 30d) |
| 9 | **User Authorization Standard** | Wer darf was | HOCH — RBAC mit PermissionKey-System | Bereits implementiert, Review-Prozess dokumentieren |
| 10 | **Data Integrity Standard** | Daten-Konsistenz | TEILWEISE — Prisma Transactions, Audit Trail | Backup-Strategie + Integrity-Checks definieren |
| 11 | **SaaS and PaaS Cloud Computing Security** | Falls Cloud-Deployment | NIEDRIG aktuell (On-Prem Docker) | Relevant bei Cloud-Migration |
| 12 | **Mobile Application Security Standard** | PWA auf Mobile | NIEDRIG — PWA ist kein native App | Service Worker Security pruefen |
| # | Standard | Relevanz | Nexus Status | Handlungsbedarf |
| --- | ---------------------------------------------- | ------------------------------------ | ---------------------------------------------------------------------- | -------------------------------------------------------------------------- |
| 1 | **Application Security Standard** | KERN-Standard | 73% compliant (46/63 Controls) | Bereits detailliert analysiert — siehe `acn-security-compliance-status.md` |
| 2 | **API Management Security Standard** | tRPC-API | TEILWEISE — Rate Limiting, Auth, Validation vorhanden | Standard lesen und gegen tRPC-Implementierung abgleichen |
| 3 | **Data Classification and Protection** | Personaldaten (Names, Emails, Rates) | TEILWEISE — RBAC + Audit vorhanden, keine formale Datenklassifizierung | Datenklassifizierung durchfuehren (welche Felder sind HC/C/IR?) |
| 4 | **Encryption Standard** | Passwoerter, API Keys, DB-Verbindung | TEILWEISE — Argon2 Hashing, HTTPS via nginx, DB ohne TLS | PostgreSQL TLS aktivieren, Key-Rotation Prozess definieren |
| 5 | **Identification and Authentication Standard** | Login, MFA, Session Mgmt | HOCH — Auth.js + TOTP MFA + Session Timeouts implementiert | ESO-Integration evaluieren (aktuell eigene Auth) |
| 6 | **Logging and Auditing Standard** | Activity History | HOCH — Pino Logger + Audit Entries auf 29/36 Router | Log-Retention Policy definieren, zentrales Log-Shipping |
| 7 | **Access Control Standard** | RBAC, Permissions | HOCH — 5-stufiges RBAC + per-User Overrides | Formale Access-Review Prozedur dokumentieren |
| 8 | **Security Remediation and Patch Management** | Dependencies | TEILWEISE — Dependabot + npm audit Cron | Patch-SLA definieren (Critical: 48h, High: 7d, Medium: 30d) |
| 9 | **User Authorization Standard** | Wer darf was | HOCH — RBAC mit PermissionKey-System | Bereits implementiert, Review-Prozess dokumentieren |
| 10 | **Data Integrity Standard** | Daten-Konsistenz | TEILWEISE — Prisma Transactions, Audit Trail | Backup-Strategie + Integrity-Checks definieren |
| 11 | **SaaS and PaaS Cloud Computing Security** | Falls Cloud-Deployment | NIEDRIG aktuell (On-Prem Docker) | Relevant bei Cloud-Migration |
| 12 | **Mobile Application Security Standard** | PWA auf Mobile | NIEDRIG — PWA ist kein native App | Service Worker Security pruefen |
### NICHT RELEVANT fuer CapaKraken (7 Standards)
### NICHT RELEVANT fuer Nexus (7 Standards)
| Standard | Grund |
|----------|-------|
| IaaS Cloud Computing Security | Kein IaaS-Deployment (Docker on-prem) |
| Domain Registration Security | Keine eigene Domain-Registrierung |
| External Personnel Access | Keine externen Nutzer |
| Public Key Infrastructure (PKI) | Keine PKI-Infrastruktur |
| Remote Access Standard | Kein VPN/Remote-Access-Thema |
| Asset Protection Standard (AFS) | Nur fuer Accenture LLP Software |
| Standard | Grund |
| ------------------------------------------ | ------------------------------------------ |
| IaaS Cloud Computing Security | Kein IaaS-Deployment (Docker on-prem) |
| Domain Registration Security | Keine eigene Domain-Registrierung |
| External Personnel Access | Keine externen Nutzer |
| Public Key Infrastructure (PKI) | Keine PKI-Infrastruktur |
| Remote Access Standard | Kein VPN/Remote-Access-Thema |
| Asset Protection Standard (AFS) | Nur fuer Accenture LLP Software |
| Asset Classification & Protection (Tier 0) | Fuer Infrastruktur-Assets, nicht App-Level |
---
@@ -52,15 +52,15 @@
### RELEVANT (2 Standards)
| # | Standard | Relevanz | CapaKraken Status | Handlungsbedarf |
|---|----------|----------|------------------|----------------|
| 13 | **Generative AI Security Standard** | Azure OpenAI + Gemini Integration | TODO | Standard lesen — betrifft AI Summary, Narrative Generation, Image Generation |
| 14 | **Agentic AI Security Standard** | HartBOT AI Assistant mit 87+ Tools | TODO | Standard lesen — betrifft Function Calling, Tool Execution, Data Access |
| # | Standard | Relevanz | Nexus Status | Handlungsbedarf |
| --- | ----------------------------------- | ---------------------------------- | ------------ | ---------------------------------------------------------------------------- |
| 13 | **Generative AI Security Standard** | Azure OpenAI + Gemini Integration | TODO | Standard lesen — betrifft AI Summary, Narrative Generation, Image Generation |
| 14 | **Agentic AI Security Standard** | HartBOT AI Assistant mit 87+ Tools | TODO | Standard lesen — betrifft Function Calling, Tool Execution, Data Access |
### NICHT RELEVANT (1)
| Standard | Grund |
|----------|-------|
| Standard | Grund |
| ---------------------------- | ------------------------------------------------------ |
| Secure Vibe Coding Guideline | Fuer AI-gestuetzte Code-Generierung, nicht App-Feature |
---
@@ -69,17 +69,18 @@
### RELEVANT (5 Standards)
| # | Standard | Relevanz | CapaKraken Status | Handlungsbedarf |
|---|----------|----------|------------------|----------------|
| 15 | **PostgreSQL Security Standard** | Haupt-Datenbank | TODO | Standard lesen und gegen aktuelle Config abgleichen |
| 16 | **Nginx Security Standard** | Reverse Proxy | TEILWEISE — Hardening-Template vorhanden (`docs/nginx-hardening.conf`) | Template anwenden + gegen Standard pruefen |
| 17 | **Container Security Standard** | Docker Deployment | TODO | Docker-Compose Hardening (non-root, read-only FS, resource limits) |
| 18 | **DevSecOps Standard** | CI/CD Pipeline | TEILWEISE — GitHub Actions CI, Dependabot | Standard lesen, Compliance-Gaps identifizieren |
| 19 | **Secure Code Repositories Standard** | Gitea | TEILWEISE — Auth vorhanden, Branch Protection unklar | Branch Protection Rules + Signed Commits evaluieren |
| # | Standard | Relevanz | Nexus Status | Handlungsbedarf |
| --- | ------------------------------------- | ----------------- | ---------------------------------------------------------------------- | ------------------------------------------------------------------ |
| 15 | **PostgreSQL Security Standard** | Haupt-Datenbank | TODO | Standard lesen und gegen aktuelle Config abgleichen |
| 16 | **Nginx Security Standard** | Reverse Proxy | TEILWEISE — Hardening-Template vorhanden (`docs/nginx-hardening.conf`) | Template anwenden + gegen Standard pruefen |
| 17 | **Container Security Standard** | Docker Deployment | TODO | Docker-Compose Hardening (non-root, read-only FS, resource limits) |
| 18 | **DevSecOps Standard** | CI/CD Pipeline | TEILWEISE — GitHub Actions CI, Dependabot | Standard lesen, Compliance-Gaps identifizieren |
| 19 | **Secure Code Repositories Standard** | Gitea | TEILWEISE — Auth vorhanden, Branch Protection unklar | Branch Protection Rules + Signed Commits evaluieren |
### NICHT RELEVANT (~60 Standards)
Betrifft Technologien die CapaKraken nicht nutzt:
Betrifft Technologien die Nexus nicht nutzt:
- Windows/MacOS/Linux Workstation Standards (kein Desktop-Client)
- Microsoft 365/Teams/SharePoint/Defender Standards
- Network/Firewall/VPN/Switch Standards
@@ -94,45 +95,46 @@ Betrifft Technologien die CapaKraken nicht nutzt:
### Sofort (diese Woche)
| # | Aktion | Aufwand | Wer |
|---|--------|---------|-----|
| A1 | **Gen AI Security Standard lesen** und Gap-Analyse erstellen | 2h | Entwickler |
| A2 | **Agentic AI Security Standard lesen** — HartBOT betrifft | 2h | Entwickler |
| A3 | **Datenklassifizierung** durchfuehren: welche Felder sind HC/Confidential/Internal/Unrestricted | 4h | PO + Entwickler |
| # | Aktion | Aufwand | Wer |
| --- | ----------------------------------------------------------------------------------------------- | ------- | --------------- |
| A1 | **Gen AI Security Standard lesen** und Gap-Analyse erstellen | 2h | Entwickler |
| A2 | **Agentic AI Security Standard lesen** — HartBOT betrifft | 2h | Entwickler |
| A3 | **Datenklassifizierung** durchfuehren: welche Felder sind HC/Confidential/Internal/Unrestricted | 4h | PO + Entwickler |
### Kurzfristig (2 Wochen)
| # | Aktion | Aufwand | Wer |
|---|--------|---------|-----|
| B1 | **PostgreSQL Security Standard** lesen und abgleichen | 3h | DBA/DevOps |
| B2 | **Container Security** — Docker non-root, read-only, resource limits | 1 Tag | DevOps |
| B3 | **API Management Security Standard** gegen tRPC pruefen | 3h | Entwickler |
| B4 | **Encryption Standard** — PostgreSQL TLS, Key-Rotation | 1 Tag | DevOps |
| B5 | **nginx Hardening-Template anwenden** (bereits erstellt) | 30min | Ops |
| # | Aktion | Aufwand | Wer |
| --- | -------------------------------------------------------------------- | ------- | ---------- |
| B1 | **PostgreSQL Security Standard** lesen und abgleichen | 3h | DBA/DevOps |
| B2 | **Container Security** — Docker non-root, read-only, resource limits | 1 Tag | DevOps |
| B3 | **API Management Security Standard** gegen tRPC pruefen | 3h | Entwickler |
| B4 | **Encryption Standard** — PostgreSQL TLS, Key-Rotation | 1 Tag | DevOps |
| B5 | **nginx Hardening-Template anwenden** (bereits erstellt) | 30min | Ops |
### Mittelfristig (1 Monat)
| # | Aktion | Aufwand | Wer |
|---|--------|---------|-----|
| C1 | **Logging Standard** abgleichen — Log-Retention, zentrales Shipping | 1 Tag | DevOps |
| C2 | **DevSecOps Standard** — Pipeline-Compliance pruefen | 4h | DevOps |
| C3 | **Secure Code Repositories** — Branch Protection, Signed Commits | 2h | DevOps |
| C4 | **Patch Management SLA** definieren und dokumentieren | 2h | PO |
| C5 | **Access Review Prozedur** dokumentieren | 2h | PO |
| # | Aktion | Aufwand | Wer |
| --- | ------------------------------------------------------------------- | ------- | ------ |
| C1 | **Logging Standard** abgleichen — Log-Retention, zentrales Shipping | 1 Tag | DevOps |
| C2 | **DevSecOps Standard** — Pipeline-Compliance pruefen | 4h | DevOps |
| C3 | **Secure Code Repositories** — Branch Protection, Signed Commits | 2h | DevOps |
| C4 | **Patch Management SLA** definieren und dokumentieren | 2h | PO |
| C5 | **Access Review Prozedur** dokumentieren | 2h | PO |
### Spaeter / Bei Bedarf
| # | Aktion | Trigger |
|---|--------|---------|
| D1 | SaaS/PaaS Cloud Security | Bei Cloud-Migration |
| D2 | Mobile Application Security | Bei nativer Mobile-App |
| D3 | Data Integrity — Backup-Strategie | Vor Production Go-Live |
| # | Aktion | Trigger |
| --- | --------------------------------- | ---------------------- |
| D1 | SaaS/PaaS Cloud Security | Bei Cloud-Migration |
| D2 | Mobile Application Security | Bei nativer Mobile-App |
| D3 | Data Integrity — Backup-Strategie | Vor Production Go-Live |
---
## Wichtigste Erkenntnis
Die **zwei AI Security Standards** (Generative AI + Agentic AI) sind **neu und kritisch**CapaKraken nutzt:
Die **zwei AI Security Standards** (Generative AI + Agentic AI) sind **neu und kritisch**Nexus nutzt:
- Azure OpenAI / Gemini fuer Text-Summaries und Bild-Generierung
- Einen AI Assistant (HartBOT) mit 87+ Tools und Zugriff auf alle Geschaeftsdaten
- Function Calling fuer automatisierte Aktionen (Allocations erstellen, Projekte aendern)