Fixed on security/audit-2026-04-17 @ 3392297.
auth.ts (credentials provider + signOut): every createAuditEntry() call on the auth path is now awaited. The old fire-and-forget pattern…
Fixed on branch security/audit-2026-04-17 (commit 01c45d0).
What changed
1. Client/server password policy aligned
New shared constants in @capakraken/shared:
- `PASSWORD_MIN_LENGTH =…
Fixed on branch security/audit-2026-04-17 (commit 805bb04).
What changed
1. Hardcoded dev password removed
docker-compose.yml now requires ${POSTGRES_PASSWORD:?...} for both the…
Resolved in e2dddd3 on branch security/audit-2026-04-17.
Changes
packages/api/src/trpc.ts — shrink ROLE_DEFAULTS_TTL from 60s to 10s as fail-safe; publish/subscribe on `capakraken:rba…
Fixed in commit 23c6e0e on branch security/audit-2026-04-17.
Approach. Added sanitizeAssistantErrorMessage() in packages/api/src/router/assistant-tools/helpers.ts (lines 22-55). The…
Resolved in commit 019702c (security: ReDoS hardening on blueprint field validator).
Three-layer defence:
- Save-time (packages/shared/src/schemas/blueprint.schema.ts:33-54) —…
Acceptance criteria met. pnpm audit --audit-level=moderate on main:
1 vulnerabilities found
Severity: 1 moderate
Resolved upgrades (main commit 534945f):
dompurify → 3.3.4+…