Nexus

Hartmut/Nexus

Fork 0

Commit Graph

Author	SHA1	Message	Date
Hartmut	19aeb2ba04	rename(phase 3): compose/DB/infra + stray code refs capakraken → nexus (#62 ) CI / Lint (push) Successful in 3m4s Details CI / Typecheck (push) Successful in 3m6s Details CI / Architecture Guardrails (push) Successful in 3m8s Details CI / Assistant Split Regression (push) Successful in 3m48s Details CI / Build (push) Has been cancelled Details CI / E2E Tests (push) Has been cancelled Details CI / Fresh-Linux Docker Deploy (push) Has been cancelled Details CI / Release Images (push) Has been cancelled Details CI / Unit Tests (push) Has been cancelled Details rename(phase 3): compose/DB/infra + stray code refs capakraken → nexus (#62) Co-authored-by: Hartmut Nörenberg <hn@hartmut-noerenberg.com> Co-committed-by: Hartmut Nörenberg <hn@hartmut-noerenberg.com>	2026-05-21 20:07:18 +02:00
Hartmut	4ff7bc90c3	security: SSRF guard covers IPv6 + DNS-rebind defence via pinned IP (#49 ) Expand the SSRF blocklist from IPv4-only to IPv6 loopback/ULA (fc00::/7)/ link-local (fe80::/10)/multicast/IPv4-mapped, plus the missing IPv4 ranges 0.0.0.0/8, 100.64.0.0/10 CGNAT, and TEST-NET/benchmark ranges. Replace the single-lookup SSRF guard with resolveAndValidate(): resolves all DNS records (lookup { all: true }) so a hostname returning "public + private" is rejected, and returns the first validated address for connection pinning. The webhook dispatcher now switches from plain fetch() to https.request() with a custom Agent.lookup that returns the pre-validated IP. A DNS rebind between the guard check and the TCP connect() can no longer redirect the dial to an internal address. Hostname still flows through for SNI and certificate validation. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-04-17 09:19:07 +02:00
Hartmut	bfdf0a82da	security/platform: close audit findings #19–#26 Tests, CSP nonce middleware, SSRF guard, perf-route hardening, Docker env isolation, migration runbook, RBAC E2E coverage. Tickets resolved: - #19: MfaSetup.test.ts — static source tests confirming local QR rendering - #20: ssrf-guard.test.ts (16 tests) + webhook-procedure-support mock fix - #21: /api/perf route.test.ts (5 tests) — header-only auth, fail-closed - #22: middleware.ts (nonce-based CSP) + middleware.test.ts (6 tests); layout.tsx async + nonce prop; CSP removed from next.config.ts - #23: Active-session registry enforcement verified (already in codebase) - #24: docker-compose.yml REDIS_URL hardcoded (no host-env substitution) - #25: docker-compose.yml REDIS_URL + docs/developer-runbook.md created - #26: e2e/dev-system/rbac-data-access.spec.ts (12 tests, 3 roles × 4 procedures) Quality gates: tsc clean, api 1447/1447, web 189/189 passing. Turbo concurrency capped at 2 (package.json) to prevent OOM under parallel test runs. Co-Authored-By: claude-flow <ruv@ruv.net>	2026-04-01 22:14:20 +02:00

Author

SHA1

Message

Date

Hartmut

19aeb2ba04

rename(phase 3): compose/DB/infra + stray code refs capakraken → nexus (#62 )

CI / Lint (push) Successful in 3m4s

Details

CI / Typecheck (push) Successful in 3m6s

Details

CI / Architecture Guardrails (push) Successful in 3m8s

Details

CI / Assistant Split Regression (push) Successful in 3m48s

Details

CI / Build (push) Has been cancelled

Details

CI / E2E Tests (push) Has been cancelled

Details

CI / Fresh-Linux Docker Deploy (push) Has been cancelled

Details

CI / Release Images (push) Has been cancelled

Details

CI / Unit Tests (push) Has been cancelled

Details

rename(phase 3): compose/DB/infra + stray code refs capakraken → nexus (#62)

Co-authored-by: Hartmut Nörenberg <hn@hartmut-noerenberg.com>
Co-committed-by: Hartmut Nörenberg <hn@hartmut-noerenberg.com>

2026-05-21 20:07:18 +02:00

Hartmut

4ff7bc90c3

security: SSRF guard covers IPv6 + DNS-rebind defence via pinned IP (#49 )

Expand the SSRF blocklist from IPv4-only to IPv6 loopback/ULA (fc00::/7)/
link-local (fe80::/10)/multicast/IPv4-mapped, plus the missing IPv4 ranges
0.0.0.0/8, 100.64.0.0/10 CGNAT, and TEST-NET/benchmark ranges. Replace the
single-lookup SSRF guard with resolveAndValidate(): resolves all DNS records
(lookup { all: true }) so a hostname returning "public + private" is
rejected, and returns the first validated address for connection pinning.

The webhook dispatcher now switches from plain fetch() to https.request()
with a custom Agent.lookup that returns the pre-validated IP. A DNS rebind
between the guard check and the TCP connect() can no longer redirect the
dial to an internal address. Hostname still flows through for SNI and
certificate validation.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-04-17 09:19:07 +02:00

Hartmut

bfdf0a82da

security/platform: close audit findings #19–#26

Tests, CSP nonce middleware, SSRF guard, perf-route hardening,
Docker env isolation, migration runbook, RBAC E2E coverage.

Tickets resolved:
- #19: MfaSetup.test.ts — static source tests confirming local QR rendering
- #20: ssrf-guard.test.ts (16 tests) + webhook-procedure-support mock fix
- #21: /api/perf route.test.ts (5 tests) — header-only auth, fail-closed
- #22: middleware.ts (nonce-based CSP) + middleware.test.ts (6 tests);
       layout.tsx async + nonce prop; CSP removed from next.config.ts
- #23: Active-session registry enforcement verified (already in codebase)
- #24: docker-compose.yml REDIS_URL hardcoded (no host-env substitution)
- #25: docker-compose.yml REDIS_URL + docs/developer-runbook.md created
- #26: e2e/dev-system/rbac-data-access.spec.ts (12 tests, 3 roles × 4 procedures)

Quality gates: tsc clean, api 1447/1447, web 189/189 passing.
Turbo concurrency capped at 2 (package.json) to prevent OOM under
parallel test runs.

Co-Authored-By: claude-flow <ruv@ruv.net>

2026-04-01 22:14:20 +02:00

3 Commits