Nexus/docs/acn-security-compliance-status.md
Hartmut 4a5edeef3e
CI / Unit Tests (pull_request) Successful in 5m46s
CI / Lint (pull_request) Failing after 3m49s
CI / E2E Tests (pull_request) Has been skipped
CI / Fresh-Linux Docker Deploy (pull_request) Has been skipped
CI / Assistant Split Regression (pull_request) Failing after 35s
CI / Architecture Guardrails (pull_request) Failing after 2m14s
CI / Typecheck (pull_request) Successful in 4m22s
CI / Build (pull_request) Has been skipped
CI / Release Images (pull_request) Has been skipped
rename(phase 1): CapaKraken → Nexus across code, UI, docs, CI
- @capakraken/* → @nexus/* across 12 packages (root + 11 workspaces),
  1551 import lines migrated via codemod
- User-visible brand strings renamed (emails, page titles, PWA
  manifest, mobile header, MFA backup-codes header, tooltips, signin
  page, invite page, weekly digest, install prompt)
- TOTP issuer "CapaKraken" → "Nexus" (existing secrets still valid;
  re-enrollment relabels them in users' authenticator apps)
- Function rename: assertCapaKrakenDbTarget → assertNexusDbTarget
- LocalStorage migration shim in apps/web/src/app/layout.tsx copies
  capakraken_* → nexus_* on first load (guarded by nexus_migrated_v1
  sentinel; runs once per browser, then never again)
- Service-worker cache name capakraken-v2 → nexus-v2 with one-time
  caches.delete('capakraken-v2') from the same shim
- Email-domain fixtures @capakraken.{dev,app} → @nexus.{dev,app} in
  seed data, e2e specs, SMTP default fallback
- Dockerfile.dev / Dockerfile.prod / all .github/workflows/*.yml
  pnpm --filter @capakraken/* → @nexus/*
- README, CLAUDE.md, LEARNINGS.md, all docs/*.md, .env.example,
  tooling/deploy/.env.production.example brand sweep

Phase 1 deliberately leaves untouched (handled in Phase 3 cutover):
- PostgreSQL DB name "capakraken" and POSTGRES_USER "capakraken"
- Volume names capakraken_pgdata etc.
- Compose project name "capakraken" / "capakraken-prod"
- db-target-guard default expectedDatabase
- env-var CAPAKRAKEN_EXPECTED_DB_NAME
- Container DNS names in docker-compose.ci.yml

Quality gates green: pnpm typecheck (7/7), pnpm test:unit (7/7),
pnpm lint (0 errors), check:exports/imports/architecture all pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-21 15:10:44 +02:00


# Nexus — Accenture Application Security Standard V7.30

Complete compliance status report

As of: 2026-03-27 | Standard: V 7.30 (13.02.2026)

## Summary

| Status | Count | Percent |
|---|---|---|
| OK (compliant) | 46 | 73% |
| PARTIAL (partially met) | 5 | 8% |
| TODO (open) | 8 | 13% |
| N/A (not applicable) | 4 | 6% |
| Total | 63 | |

## 3.1 Governance (2 controls)

| EAPPS # | Control | Status | Evidence / gap |
|---|---|---|---|
| 3.1.1.01 | App registered in AIR | TODO | Not yet registered — requires the Accenture AIR portal |
| 3.1.1.02 | Components trackable | OK | Git-based monorepo, all packages versioned |

## 3.2.1 Application Architecture (4 controls)

| EAPPS # | Control | Status | Evidence / gap |
|---|---|---|---|
| 3.2.1.01 | Security architecture document | OK | docs/security-architecture.md (11 sections) |
| 3.2.1.02 | Firewall / segregation | OK | PostgreSQL internal only, nginx reverse proxy |
| 3.2.1.03 | No direct DB internet access | OK | PostgreSQL reachable only over the Docker network (port 5433 locally) |
| 3.2.1.04 | Proactive monitoring | OK | Health endpoints + /api/cron/health-check (DB + Redis check with ADMIN alert on failure) |

## 3.2.2.1 Identity and Access Management (5 controls)

| EAPPS # | Control | Status | Evidence / gap |
|---|---|---|---|
| 3.2.2.1.01 | Identification & authentication standard | OK | Auth.js v5 + Argon2 hashing + TOTP MFA |
| 3.2.2.1.02 | OAuth 2.0 for APIs | N/A | Internal app, no public API — tRPC with server sessions |
| 3.2.2.1.03 | Token validity periods | OK | Session maxAge=8h, updateAge=30min (idle) |
| 3.2.2.1.04 | Immutable claims | OK | Server-side sessions, no client JWT |
| 3.2.2.1.05 | ADAL to MSAL migration | N/A | No Microsoft auth library in use |

## 3.2.2.2 Multi-Factor Authentication (1 control)

| EAPPS # | Control | Status | Evidence / gap |
|---|---|---|---|
| 3.2.2.2.01 | MFA implemented | OK | TOTP via otpauth, QR setup, sign-in integration |

## 3.2.2.3 Input & Output Validation (14 controls)

| EAPPS # | Control | Status | Evidence / gap |
|---|---|---|---|
| 3.2.2.3.01 | Input validation controls | OK | Zod schemas on all tRPC procedures |
| 3.2.2.3.02 | Password fields masked | OK | type="password" throughout |
| 3.2.2.3.03 | Length validation | OK | Zod .min() / .max() on relevant fields |
| 3.2.2.3.04 | Numeric range validation | OK | Zod .min() / .max() on number fields |
| 3.2.2.3.05 | Reject malicious characters | OK | DOMPurify on user text, Zod type validation |
| 3.2.2.3.06 | Parameterized SQL | OK | Prisma ORM — all queries parameterized |
| 3.2.2.3.07 | Admin dashboard input exception | OK | Admin procedures behind adminProcedure RBAC |
| 3.2.2.3.08 | App behind company firewall | PARTIAL | nginx reverse proxy, no VPN-only access |
| 3.2.2.3.09 | ESO/MFA integrated | OK | TOTP MFA implemented (no ESO, but own MFA) |
| 3.2.2.3.10 | Internal company use only | OK | Only internal users with accounts |
| 3.2.2.3.11 | Admin access restricted | OK | RBAC: adminProcedure, separate admin pages |
| 3.2.2.3.12 | Logging of unauthorized access | OK | Failed-auth logging via Pino + audit entries |
| 3.2.2.3.13 | HTTP security headers | OK | HSTS, CSP, X-Frame-Options, X-Content-Type-Options |
| 3.2.2.3.14 | Predefined assessments | TODO | No formal security assessment performed |

## 3.2.2.4 Session Management (5 controls)

| EAPPS # | Control | Status | Evidence / gap |
|---|---|---|---|
| 3.2.2.4.01 | Unpredictable session IDs + timeout | OK | Auth.js crypto sessions, 8h/30min timeouts |
| 3.2.2.4.02 | Concurrent sessions limited | OK | Max 3 per user, oldest is evicted |
| 3.2.2.4.03 | Session management best practices | OK | HttpOnly, Secure, SameSite=Strict cookies |
| 3.2.2.4.04 | Only server-issued session IDs | OK | Auth.js server-side sessions |
| 3.2.2.4.05 | Idle timeout configurable (SaaS) | OK | SystemSettings: sessionIdleTimeout (default 30min) |

## 3.2.2.5 Insecure File Upload (1 control)

| EAPPS # | Control | Status | Evidence / gap |
|---|---|---|---|
| 3.2.2.5.01 | Secure file upload validation | OK | Magic bytes check (PNG/JPEG/WebP/GIF/BMP/TIFF), size limit |
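The magic-bytes check that control 3.2.2.5.01 cites, written out as an added TypeScript example. This is not the Nexus project's own upload code; the function names, the 5 MiB limit and the MIME table are assumptions. It sniffs the signatures of the six listed formats, enforces the size limit, and additionally requires the client's declared Content-Type to agree with the sniffed type, so a renamed non-image payload is rejected whatever its extension or header claims.

```typescript
// Added example, not Nexus project code. Names and limits are assumptions.

type ImageKind = "png" | "jpeg" | "webp" | "gif" | "bmp" | "tiff";

// Assumed upload ceiling; the report only states that a size limit exists.
const MAX_UPLOAD_BYTES = 5 * 1024 * 1024;

// True when `buf` contains the byte sequence `sig` at `offset`.
function hasSignature(buf: Uint8Array, sig: number[], offset = 0): boolean {
  if (buf.length < offset + sig.length) return false;
  return sig.every((b, i) => buf[offset + i] === b);
}

// Identify the image format from file-signature bytes, never from the name or MIME.
function sniffImageKind(buf: Uint8Array): ImageKind | null {
  if (hasSignature(buf, [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])) return "png";
  if (hasSignature(buf, [0xff, 0xd8, 0xff])) return "jpeg";
  // WebP is a RIFF container: "RIFF" at 0, chunk size at 4..7, "WEBP" at 8.
  if (hasSignature(buf, [0x52, 0x49, 0x46, 0x46]) && hasSignature(buf, [0x57, 0x45, 0x42, 0x50], 8)) return "webp";
  if (hasSignature(buf, [0x47, 0x49, 0x46, 0x38, 0x37, 0x61]) || hasSignature(buf, [0x47, 0x49, 0x46, 0x38, 0x39, 0x61])) return "gif";
  if (hasSignature(buf, [0x42, 0x4d])) return "bmp";
  // TIFF: little-endian "II*\0" or big-endian "MM\0*".
  if (hasSignature(buf, [0x49, 0x49, 0x2a, 0x00]) || hasSignature(buf, [0x4d, 0x4d, 0x00, 0x2a])) return "tiff";
  return null;
}

type UploadVerdict = { ok: true; kind: ImageKind } | { ok: false; reason: string };

// MIME types that may legitimately accompany each sniffed format.
const EXPECTED_MIME: Record<ImageKind, string[]> = {
  png: ["image/png"],
  jpeg: ["image/jpeg", "image/jpg"],
  webp: ["image/webp"],
  gif: ["image/gif"],
  bmp: ["image/bmp", "image/x-ms-bmp"],
  tiff: ["image/tiff"],
};

// Full check: size limit, signature sniffing, and declared-vs-actual type agreement.
function validateImageUpload(buf: Uint8Array, declaredMime: string, maxBytes = MAX_UPLOAD_BYTES): UploadVerdict {
  if (buf.length === 0) return { ok: false, reason: "empty file" };
  if (buf.length > maxBytes) return { ok: false, reason: `file exceeds ${maxBytes} bytes` };
  const kind = sniffImageKind(buf);
  if (kind === null) return { ok: false, reason: "unrecognised or non-image content" };
  if (!EXPECTED_MIME[kind].includes(declaredMime.toLowerCase())) {
    return { ok: false, reason: `declared type ${declaredMime} does not match ${kind} content` };
  }
  return { ok: true, kind };
}

// Constructed sample inputs: a minimal PNG header and an HTML document posing as an image.
const SAMPLE_PNG = new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00, 0x00, 0x0d]);
const SAMPLE_HTML = new TextEncoder().encode("<html><script>1</script></html>");

console.log(validateImageUpload(SAMPLE_PNG, "image/png"));   // { ok: true, kind: "png" }
console.log(validateImageUpload(SAMPLE_HTML, "image/png"));  // rejected: non-image content
```

The declared-type comparison is what turns a format sniffer into an upload guard: without it, a browser that later serves the file could still honour the stored Content-Type, so both the bytes and the metadata have to agree before the file is accepted.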

## 3.2.2.6 Error Handling (1 control)

| EAPPS # | Control | Status | Evidence / gap |
|---|---|---|---|
| 3.2.2.6.01 | No technical error details shown to users | OK | tRPC error codes, stack traces only in dev, Sentry in prod |

## 3.2.2.7 Security Assessments (1 control)

| EAPPS # | Control | Status | Evidence / gap |
|---|---|---|---|
| 3.2.2.7.01 | Regular security scans | PARTIAL | Dependabot + npm audit in CI + /api/cron/security-audit (in-app), no SAST/DAST tool |

## 3.2.2.8 Other Controls (1 control)

| EAPPS # | Control | Status | Evidence / gap |
|---|---|---|---|
| 3.2.2.8.01 | Secure development lifecycle | OK | docs/sdlc.md, CI/CD pipeline, PR security checklist |

## 3.2.3 Data Protection (3 controls)

| EAPPS # | Control | Status | Evidence / gap |
|---|---|---|---|
| 3.2.3.01 | Autocomplete off for passwords | OK | autocomplete="new-password" on all password fields |
| 3.2.3.02 | Source code restricted to the dev team | OK | Gitea with authentication |
| 3.2.3.03 | No prod data in non-prod | OK | Fictional seed data (Marvel characters) |

## 3.2.4 Change Management (1 control)

| EAPPS # | Control | Status | Evidence / gap |
|---|---|---|---|
| 3.2.4.01 | Change management process | OK | Git PRs + CI + activity history audit trail |

## 3.2.5 License Compliance (1 control)

| EAPPS # | Control | Status | Evidence / gap |
|---|---|---|---|
| 3.2.5.01 | License compliance | OK | Open-source licenses (MIT, Apache) via pnpm |

## 3.2.6 Code Signing (1 control)

| EAPPS # | Control | Status | Evidence / gap |
|---|---|---|---|
| 3.2.6.01 | Executable code signing | N/A | Web app, no distributable executables |

## 3.2.7 Logging and Auditing (3 controls)

| EAPPS # | Control | Status | Evidence / gap |
|---|---|---|---|
| 3.2.7.01 | Application event logging | OK | Auth failures, config changes, API errors, high-risk ops, external API calls |
| 3.2.7.02 | Job scheduler monitoring | N/A | No job scheduler (cron endpoints are invoked manually) |
| 3.2.7.03 | Access logs + review | OK | Pino structured logging + activity history admin UI |

## 3.3.1.1 Web Authentication (1 control)

| EAPPS # | Control | Status | Evidence / gap |
|---|---|---|---|
| 3.3.1.1.01 | Web auth standard | OK | Auth.js + Argon2 + TOTP MFA |

## 3.3.1.2 Web Input Validation (1 control)

| EAPPS # | Control | Status | Evidence / gap |
|---|---|---|---|
| 3.3.1.2.01 | Free of XSS/injection | OK | DOMPurify + Zod + Prisma (no raw SQL/HTML) |

## 3.3.1.3 HTTP Response Headers (5 controls)

| EAPPS # | Control | Status | Evidence / gap |
|---|---|---|---|
| 3.3.1.3.01 | Security headers defined | OK | HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy |
| 3.3.1.3.02 | CORS headers | OK | Next.js default CORS (same-origin) |
| 3.3.1.3.03 | Error page headers | OK | Cache-Control no-store on all routes (auth, API, catch-all) via next.config.ts |
| 3.3.1.3.04 | Remove Server header | TODO | nginx still exposes the server version (requires server access) |
| 3.3.1.3.05 | Remove X-Powered-By | OK | Removed automatically by Next.js |
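The header policy behind controls 3.3.1.3.01, 3.3.1.3.03, 3.3.1.3.04 and 3.3.1.7.01, as an added TypeScript example that is not the Nexus project's own next.config.ts. It expresses the six listed headers plus Cache-Control no-store in the `headers()` shape Next.js consumes, and pairs it with a small audit function that reports a captured response's missing security headers, a non-no-store cache policy, and any Server or X-Powered-By identity header. The directive values and the sample nginx response are assumptions.

```typescript
// Added example, not Nexus project code. Directive values are assumptions.

type HeaderPair = { key: string; value: string };

// The six headers control 3.3.1.3.01 lists; values here are reasonable defaults, not the project's.
const SECURITY_HEADERS: HeaderPair[] = [
  { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains" },
  { key: "Content-Security-Policy", value: "default-src 'self'; frame-ancestors 'none'; object-src 'none'" },
  { key: "X-Frame-Options", value: "DENY" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
  { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
];

// Control 3.3.1.3.03 / 3.3.1.7.01: no-store on every route so error and auth pages are never cached.
const NO_STORE: HeaderPair = { key: "Cache-Control", value: "no-store" };

// Return value in the shape of the `async headers()` export in next.config.ts.
function nextHeadersConfig(): { source: string; headers: HeaderPair[] }[] {
  return [{ source: "/:path*", headers: [...SECURITY_HEADERS, NO_STORE] }];
}

// Headers that disclose the server stack (controls 3.3.1.3.04 and 3.3.1.3.05).
const IDENTITY_HEADERS = ["server", "x-powered-by"];

// Audit a captured response header map; an empty list means the policy is fully applied.
function auditResponseHeaders(headers: Record<string, string>): string[] {
  const lower = new Map<string, string>(
    Object.entries(headers).map(([k, v]): [string, string] => [k.toLowerCase(), v]),
  );
  const findings: string[] = [];
  for (const h of SECURITY_HEADERS) {
    if (!lower.has(h.key.toLowerCase())) findings.push(`missing ${h.key}`);
  }
  const cacheControl = lower.get("cache-control") ?? "";
  if (!/\bno-store\b/i.test(cacheControl)) findings.push("Cache-Control lacks no-store");
  for (const name of IDENTITY_HEADERS) {
    if (lower.has(name)) findings.push(`identity header present: ${name}=${lower.get(name)}`);
  }
  return findings;
}

// Constructed sample: what an unhardened nginx front-end might return (version string is made up).
const SAMPLE_UNHARDENED_RESPONSE: Record<string, string> = {
  "Content-Type": "text/html",
  "Server": "nginx/0.0.0-example",
  "Cache-Control": "public, max-age=60",
};

console.log(auditResponseHeaders(SAMPLE_UNHARDENED_RESPONSE));
```

Running the audit against a response assembled from `nextHeadersConfig()` yields no findings, while the constructed nginx sample reports every missing header, the cacheable policy and the exposed Server header, which is exactly the gap 3.3.1.3.04 still lists as TODO.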

## 3.3.1.4 Web Server Hardening (1 control)

| EAPPS # | Control | Status | Evidence / gap |
|---|---|---|---|
| 3.3.1.4.01 | Server hardening | OK | Next.js standalone + nginx hardening template (docs/nginx-hardening.conf: rate limits, SSL, header stripping) |

## 3.3.1.5 HTTP Methods (1 control)

| EAPPS # | Control | Status | Evidence / gap |
|---|---|---|---|
| 3.3.1.5.01 | Only permitted HTTP methods | OK | tRPC uses only GET/POST, other methods are not exposed |

## 3.3.1.6 Cookies (1 control)

| EAPPS # | Control | Status | Evidence / gap |
|---|---|---|---|
| 3.3.1.6.01 | Secure cookie attributes | OK | HttpOnly, Secure (prod), SameSite=Strict |

## 3.3.1.7 Browser Cache Protection (1 control)

| EAPPS # | Control | Status | Evidence / gap |
|---|---|---|---|
| 3.3.1.7.01 | Sensitive pages not cached | OK | Auth pages: Cache-Control: no-store |

## 3.3.1.8 Sensitive Information Protection (1 control)

| EAPPS # | Control | Status | Evidence / gap |
|---|---|---|---|
| 3.3.1.8.01 | Protect sensitive data | OK | API keys/passwords never sent to the client, audit log sanitized |

## 3.3.1.9 Common Exploits Protection (1 control)

| EAPPS # | Control | Status | Evidence / gap |
|---|---|---|---|
| 3.3.1.9.01 | CSRF/clickjacking/etc. protection | OK | SameSite=Strict, X-Frame-Options: DENY, CSRF token (Auth.js) |

## 3.3.1.10 Web Error Handling (1 control)

| EAPPS # | Control | Status | Evidence / gap |
|---|---|---|---|
| 3.3.1.10.01 | Custom error pages | OK | Next.js global-error.tsx + tRPC error codes |

## 3.3.1.11 SOAP Security (1 control)

| EAPPS # | Control | Status | Evidence / gap |
|---|---|---|---|
| 3.3.1.11.01 | SOAP security | N/A | No SOAP — tRPC/REST only |

## 3.3.1.12 API Management (2 controls)

| EAPPS # | Control | Status | Evidence / gap |
|---|---|---|---|
| 3.3.1.12.01 | API security controls | OK | Auth on all endpoints, Zod validation, rate limiting |
| 3.3.1.12.02 | API rate limiting | OK | 100/15min general, 5/15min auth |
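The two-tier limit that control 3.3.1.12.02 states (100 requests per 15 minutes in general, 5 per 15 minutes on auth routes), implemented as an added TypeScript sliding-window limiter. This is not the Nexus project's rate limiter; the tier names, the in-memory store, the injectable clock and the client key are assumptions, and a multi-instance deployment would keep the window state in Redis rather than in process memory.

```typescript
// Added example, not Nexus project code. Tier names, store and clock are assumptions.

type Tier = "general" | "auth";

const WINDOW_MS = 15 * 60 * 1000; // 15-minute window from the report
const LIMITS: Record<Tier, number> = { general: 100, auth: 5 };

type Decision = { allowed: boolean; remaining: number; retryAfterMs: number };

class SlidingWindowLimiter {
  // key -> timestamps (ms) of accepted requests still inside the window
  private hits = new Map<string, number[]>();
  private readonly now: () => number;

  // The clock is injectable so the behaviour can be exercised deterministically.
  constructor(now: () => number = () => Date.now()) {
    this.now = now;
  }

  check(tier: Tier, clientKey: string): Decision {
    const limit = LIMITS[tier];
    const t = this.now();
    const key = `${tier}:${clientKey}`;
    // Discard timestamps that have aged out of the window before counting.
    const recent = (this.hits.get(key) ?? []).filter((ts) => t - ts < WINDOW_MS);
    if (recent.length >= limit) {
      this.hits.set(key, recent);
      // The oldest surviving hit decides when the next slot frees up.
      const oldest = recent[0] ?? t;
      return { allowed: false, remaining: 0, retryAfterMs: WINDOW_MS - (t - oldest) };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, remaining: limit - recent.length, retryAfterMs: 0 };
  }
}

// Drive `n` back-to-back attempts from one client against a fresh limiter at a fixed
// instant and return how many were admitted. Client key is a constructed sample IP.
function simulateBurst(tier: Tier, n: number, clock: { t: number }): number {
  const limiter = new SlidingWindowLimiter(() => clock.t);
  let admitted = 0;
  for (let i = 0; i < n; i++) {
    if (limiter.check(tier, "203.0.113.7").allowed) admitted++;
  }
  return admitted;
}

const demoClock = { t: 1_700_000_000_000 };
console.log(simulateBurst("auth", 8, demoClock));      // 5
console.log(simulateBurst("general", 150, demoClock)); // 100
```

The auth tier is keyed separately from the general tier, so exhausting the five sign-in attempts does not consume the general budget, and `retryAfterMs` gives the value a handler would put in a Retry-After header on the 429 response.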

## 3.3.3 Databases (1 control)

| EAPPS # | Control | Status | Evidence / gap |
|---|---|---|---|
| 3.3.3.01 | DB security guidelines | OK | Documented in docs/security-architecture.md section 12: auth, network isolation, SSL/audit/pg_hba recommendations |

## Open items — who/what/when

| # | Control | Status | Owner | Effort | Priority |
|---|---|---|---|---|---|
| 1 | AIR registration | TODO | Project lead | 2h | HIGH |
| 2 | Security assessment / pentest | TODO | Security team | 3-5 days | HIGH |
| 3 | SAST/DAST tool (SonarQube/Snyk) | TODO | DevOps | 2-3 days | HIGH |
| 4 | Remove nginx Server header | TODO | Ops/Infra | 15min | MEDIUM |
| 5 | External uptime monitoring | OK | DevOps | DONE — /api/cron/health-check | |
| 6 | Complete nginx hardening | OK | Ops/Infra | DONE — docs/nginx-hardening.conf template | |
| 7 | DB-level audit logging | OK | DBA/DevOps | DONE — documented in security-architecture.md section 12 | |
| 8 | Error page headers (3xx/4xx/5xx) | OK | Developers | DONE — next.config.ts Cache-Control on all routes | |