5 Commits

Author	SHA1	Message	Date
Hartmut	4a5edeef3e	rename(phase 1): CapaKraken → Nexus across code, UI, docs, CI ... - @capakraken/* → @nexus/* across 12 packages (root + 11 workspaces), 1551 import lines migrated via codemod - User-visible brand strings renamed (emails, page titles, PWA manifest, mobile header, MFA backup-codes header, tooltips, signin page, invite page, weekly digest, install prompt) - TOTP issuer "CapaKraken" → "Nexus" (existing secrets still valid; re-enrollment relabels them in users' authenticator apps) - Function rename: assertCapaKrakenDbTarget → assertNexusDbTarget - LocalStorage migration shim in apps/web/src/app/layout.tsx copies capakraken_* → nexus_* on first load (guarded by nexus_migrated_v1 sentinel; runs once per browser, then never again) - Service-worker cache name capakraken-v2 → nexus-v2 with one-time caches.delete('capakraken-v2') from the same shim - Email-domain fixtures @capakraken.{dev,app} → @nexus.{dev,app} in seed data, e2e specs, SMTP default fallback - Dockerfile.dev / Dockerfile.prod / all .github/workflows/*.yml pnpm --filter @capakraken/* → @nexus/* - README, CLAUDE.md, LEARNINGS.md, all docs/*.md, .env.example, tooling/deploy/.env.production.example brand sweep Phase 1 deliberately leaves untouched (handled in Phase 3 cutover): - PostgreSQL DB name "capakraken" and POSTGRES_USER "capakraken" - Volume names capakraken_pgdata etc. - Compose project name "capakraken" / "capakraken-prod" - db-target-guard default expectedDatabase - env-var CAPAKRAKEN_EXPECTED_DB_NAME - Container DNS names in docker-compose.ci.yml Quality gates green: pnpm typecheck (7/7), pnpm test:unit (7/7), pnpm lint (0 errors), check:exports/imports/architecture all pass. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-21 15:10:44 +02:00
Hartmut	fe79810a85	security: MFA backup codes — issue on enable, redeem at login, regenerate on demand (#43) ... Adds a one-time-use backup code set so users with a lost authenticator are not locked out. Codes are Crockford base32 (XXXXX-XXXXX), hashed with argon2id, and redeemed under a WHERE-guarded delete so a concurrent replay race fails closed. - New MfaBackupCode model + migration - Issue 10 codes inside the enable transaction; show plaintext exactly once - Sign-in page accepts TOTP or backup code, reporting remaining count - regenerateBackupCodes tRPC mutation wipes + reissues atomically - Unit coverage for generator, normalizer, verify, redeem, and race path Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-04-17 18:47:18 +02:00
Hartmut	82acc56b8d	chore: add pre-commit hooks, tighten ESLint, activate Sentry DSN, publish CI coverage (Phase 1) ... - Install husky v9 + lint-staged: pre-commit runs eslint --fix and prettier on staged files - Tighten ESLint base config: no-console→error, ban-ts-comment (ts-ignore banned, ts-expect-error with description allowed), reportUnusedDisableDirectives→error - Migrate web app from deprecated `next lint` to `eslint src/` with flat config and react-hooks plugin - Convert all 5 @ts-ignore to @ts-expect-error with descriptions, remove stale disable comments - Add NEXT_PUBLIC_SENTRY_DSN to docker-compose.prod.yml and .env.example - Add coverage artifact upload step to CI test job - Pre-existing violations (102 warnings) downgraded to warn in web config for Phase 2 cleanup Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-10 14:49:29 +02:00
Hartmut	0e119cfe73	security: close audit findings #19–#23 and harden Docker setup (#24) ... #19 MFA QR code: render locally via qrcode package, remove external qrserver.com request #20 Webhook SSRF: add ssrf-guard.ts with DNS-verified IP blocklist; enforce on create/update/test/dispatch #21 /api/perf: fail-closed when CRON_SECRET missing; remove query-string token auth #22 CSP: remove unsafe-eval and unsafe-inline from script-src in production builds #23 Active session registry: forward jti into session object; validate against ActiveSession on every tRPC request #24 Docker: add missing packages/application to Dockerfile.dev; fix pnpm-lock.yaml glob; run db:migrate:deploy on container start so a fresh checkout boots without manual steps Also: fix pre-existing TS error in e2e/allocations.spec.ts (args.length literal type overlap) Co-Authored-By: claude-flow <ruv@ruv.net>	2026-04-01 18:19:21 +02:00
Hartmut	9d43e4b113	feat: ACN Application Security Standard V7.30 compliance (19/23 items) ... CRITICAL — Authentication & Access: - TOTP MFA: otpauth-based, QR setup UI, sign-in flow integration, admin disable override, /account/security self-service page - Session Timeouts: 8h absolute (maxAge), 30min idle (updateAge) - Failed Auth Logging: Pino warn for invalid password/user/totp, info for successful login, audit entries for all auth events - Concurrent Session Limit: ActiveSession model, oldest-kick strategy, max 3 per user (configurable in SystemSettings) CRITICAL — HTTP Security: - HSTS: max-age=31536000; includeSubDomains - CSP: script/style/img/font/connect-src with Gemini/OpenAI whitelist - X-XSS-Protection: 0 (CSP replaces legacy) - Auth page cache: no-store, no-cache, must-revalidate - Rate Limiting: 100/15min general API, 5/15min auth (Map-based) Data Protection: - XSS Sanitization: DOMPurify on comment bodies - autocomplete="new-password" on all password/secret fields - SameSite=Strict on all cookies (Credentials-only, no OAuth) - File Upload Magic Bytes validation (PNG/JPEG/WebP/GIF/BMP/TIFF) Logging & Monitoring: - Login/Logout audit entries (Auth entityType) - External API call logging with timing (OpenAI, Gemini) - Input validation failure logging at warn level - Concurrent session tracking in ActiveSession table Documentation: - docs/security-architecture.md (11 sections) - docs/sdlc.md (CI pipeline, security gates, incident response) - .gitea/PULL_REQUEST_TEMPLATE.md (security checklist) Schema: User.totpSecret/totpEnabled, SystemSettings.sessionMaxAge/ sessionIdleTimeout/maxConcurrentSessions, ActiveSession model Tests: 310 engine + 37 staffing pass. TypeScript clean. Co-Authored-By: claude-flow <ruv@ruv.net>	2026-03-27 14:16:39 +01:00