Resolved in commit c4b01c1bfc41605009a33910e458e03c51a33155 on branch security/audit-2026-04-17.
What changed
Dispo workbook path allowlist
- New
DISPO_IMPORT_DIRenv var (defaults to…
Fixed on security/audit-2026-04-17 @ 3392297.
auth.ts (credentials provider + signOut): every createAuditEntry() call on the auth path is now awaited. The old fire-and-forget pattern…
Fixed on branch security/audit-2026-04-17 (commit 01c45d0).
What changed
1. Client/server password policy aligned
New shared constants in @capakraken/shared:
- `PASSWORD_MIN_LENGTH =…
Fixed on branch security/audit-2026-04-17 (commit 805bb04).
What changed
1. Hardcoded dev password removed
docker-compose.yml now requires ${POSTGRES_PASSWORD:?...} for both the…
Resolved in e2dddd3 on branch security/audit-2026-04-17.
Changes
packages/api/src/trpc.ts— shrinkROLE_DEFAULTS_TTLfrom 60s to 10s as fail-safe; publish/subscribe on `capakraken:rba…
Fixed in commit 23c6e0e on branch security/audit-2026-04-17.
Approach. Added sanitizeAssistantErrorMessage() in packages/api/src/router/assistant-tools/helpers.ts (lines 22-55). The…
Resolved in commit 019702c (security: ReDoS hardening on blueprint field validator).
Three-layer defence:
- Save-time (
packages/shared/src/schemas/blueprint.schema.ts:33-54) —…