• Joined on 2026-04-12
Hartmut closed issue Hartmut/Nexus#54 2026-04-17 15:27:07 +02:00
Security [MEDIUM]: Dispo workbook path unvalidated + image upload polyglot risk
Hartmut commented on issue Hartmut/Nexus#54 2026-04-17 15:27:03 +02:00
Security [MEDIUM]: Dispo workbook path unvalidated + image upload polyglot risk

Resolved in commit c4b01c1bfc41605009a33910e458e03c51a33155 on branch security/audit-2026-04-17.

What changed

Dispo workbook path allowlist

  • New DISPO_IMPORT_DIR env var (defaults to…
Hartmut pushed to security/audit-2026-04-17 at Hartmut/Nexus 2026-04-17 15:26:31 +02:00
c4b01c1bfc security: workbook path allowlist + stronger image polyglot validation (#54)
Hartmut commented on issue Hartmut/Nexus#55 2026-04-17 15:07:10 +02:00
Security [MEDIUM]: Audit log fire-and-forget drops entries on DB load + no prompt-input audit

Fixed on security/audit-2026-04-17 @ 3392297.

auth.ts (credentials provider + signOut): every createAuditEntry() call on the auth path is now awaited. The old fire-and-forget pattern…

Hartmut closed issue Hartmut/Nexus#55 2026-04-17 15:07:02 +02:00
Security [MEDIUM]: Audit log fire-and-forget drops entries on DB load + no prompt-input audit
Hartmut pushed to security/audit-2026-04-17 at Hartmut/Nexus 2026-04-17 15:06:22 +02:00
3392297791 security: await audit writes, add per-turn AssistantPrompt audit (#55)
Hartmut closed issue Hartmut/Nexus#56 2026-04-17 14:57:17 +02:00
Security [MEDIUM]: Password-policy client/server divergence + weak secret-entropy check
Hartmut commented on issue Hartmut/Nexus#56 2026-04-17 14:57:13 +02:00
Security [MEDIUM]: Password-policy client/server divergence + weak secret-entropy check

Fixed on branch security/audit-2026-04-17 (commit 01c45d0).

What changed

1. Client/server password policy aligned New shared constants in @capakraken/shared:

  • `PASSWORD_MIN_LENGTH =…
Hartmut pushed to security/audit-2026-04-17 at Hartmut/Nexus 2026-04-17 14:56:49 +02:00
01c45d0344 security: align client password policy with server, enforce AUTH_SECRET length + entropy (#56)
Hartmut closed issue Hartmut/Nexus#50 2026-04-17 14:51:17 +02:00
Security [HIGH]: Docker + Compose — hardcoded dev password, env-var secrets, placeholder secrets baked in prod image
Hartmut commented on issue Hartmut/Nexus#50 2026-04-17 14:51:13 +02:00
Security [HIGH]: Docker + Compose — hardcoded dev password, env-var secrets, placeholder secrets baked in prod image

Fixed on branch security/audit-2026-04-17 (commit 805bb04).

What changed

1. Hardcoded dev password removed docker-compose.yml now requires ${POSTGRES_PASSWORD:?...} for both the…

Hartmut pushed to security/audit-2026-04-17 at Hartmut/Nexus 2026-04-17 14:50:09 +02:00
805bb0464f security(docker): remove hardcoded dev password, stop placeholder secrets leaking into migrator image (#50)
Hartmut created branch security/audit-2026-04-17 in Hartmut/Nexus 2026-04-17 14:42:23 +02:00
Hartmut pushed to security/audit-2026-04-17 at Hartmut/Nexus 2026-04-17 14:42:23 +02:00
e2dddd30df security: RBAC cache cross-instance invalidation + force re-login on role/perm change (#57)
23c6e0e04b security: sanitise Prisma error leaks in AI-tool helpers (#53)
019702c043 security: ReDoS hardening on blueprint field validator (#52)
b9040cb328 test(security): scoped-caller forwarding preserves read-only proxy (#47)
3d89d7d8eb security: redact sensitive fields in audit DB entries (#46)
Compare 10 commits »
Hartmut commented on issue Hartmut/Nexus#57 2026-04-17 13:01:39 +02:00
Security [MEDIUM]: RBAC permissions cache 60 s — revocation propagates slowly across instances

Resolved in e2dddd3 on branch security/audit-2026-04-17.

Changes

  • packages/api/src/trpc.ts — shrink ROLE_DEFAULTS_TTL from 60s to 10s as fail-safe; publish/subscribe on `capakraken:rba…
Hartmut closed issue Hartmut/Nexus#57 2026-04-17 13:01:39 +02:00
Security [MEDIUM]: RBAC permissions cache 60 s — revocation propagates slowly across instances
Hartmut commented on issue Hartmut/Nexus#53 2026-04-17 09:40:18 +02:00
Security [MEDIUM]: AI-tool error messages leak Prisma schema details to LLM

Fixed in commit 23c6e0e on branch security/audit-2026-04-17.

Approach. Added sanitizeAssistantErrorMessage() in packages/api/src/router/assistant-tools/helpers.ts (lines 22-55). The…

Hartmut closed issue Hartmut/Nexus#53 2026-04-17 09:40:18 +02:00
Security [MEDIUM]: AI-tool error messages leak Prisma schema details to LLM
Hartmut commented on issue Hartmut/Nexus#52 2026-04-17 09:33:58 +02:00
Security [MEDIUM]: Blueprint validator uses native RegExp — admin-set pattern enables ReDoS

Resolved in commit 019702c (security: ReDoS hardening on blueprint field validator).

Three-layer defence:

  1. Save-time (packages/shared/src/schemas/blueprint.schema.ts:33-54) —…
Hartmut closed issue Hartmut/Nexus#52 2026-04-17 09:33:58 +02:00
Security [MEDIUM]: Blueprint validator uses native RegExp — admin-set pattern enables ReDoS