• Joined on 2026-04-12
Hartmut opened issue Hartmut/Nexus#49 2026-04-16 22:05:11 +02:00
Security [HIGH]: SSRF guard misses IPv6 private ranges + webhook dispatcher lacks DNS-rebind protection
Hartmut opened issue Hartmut/Nexus#50 2026-04-16 22:05:11 +02:00
Security [HIGH]: Docker + Compose — hardcoded dev password, env-var secrets, placeholder secrets baked in prod image
Hartmut opened issue Hartmut/Nexus#47 2026-04-16 22:05:10 +02:00
Security [HIGH]: Read-only proxy bypass via tRPC callers + missing $transaction/$queryRaw blocks
Hartmut opened issue Hartmut/Nexus#46 2026-04-16 22:05:10 +02:00
Security [HIGH]: Pino logger has no redact paths — passwords/tokens logged cleartext
Hartmut opened issue Hartmut/Nexus#45 2026-04-16 22:05:10 +02:00
Security [HIGH]: CSP wildcards (*.openai.com, *.azure.com), unsafe-inline styles, SVG routes skip CSP
Hartmut opened issue Hartmut/Nexus#44 2026-04-16 22:05:09 +02:00
Security [HIGH]: API middleware default-allows /api/* — new routes inherit public access
Hartmut opened issue Hartmut/Nexus#43 2026-04-16 22:05:09 +02:00
Security [HIGH]: MFA TOTP replay-race + missing backup codes
Hartmut opened issue Hartmut/Nexus#41 2026-04-16 22:05:09 +02:00
Security [HIGH]: Session/Cookie hardening — Secure flag, concurrent-session enforcement, JTI exposure
Hartmut opened issue Hartmut/Nexus#42 2026-04-16 22:05:09 +02:00
Security [HIGH]: E2E_TEST_MODE bypass must fail-fast in production
Hartmut opened issue Hartmut/Nexus#38 2026-04-16 22:05:08 +02:00
Security [HIGH]: Assistant chat message content unbounded — AI cost/memory DoS
Hartmut opened issue Hartmut/Nexus#39 2026-04-16 22:05:08 +02:00
Security [HIGH]: Prompt-injection guard trivially bypassable (regex-only, no Unicode normalization)
Hartmut opened issue Hartmut/Nexus#36 2026-04-16 22:05:08 +02:00
Security [CRITICAL]: Unbounded password inputs enable Argon2 DoS
Hartmut opened issue Hartmut/Nexus#37 2026-04-16 22:05:08 +02:00
Security [CRITICAL]: Rate-limiter only keys by email — IP-based brute-force and targeted lockout possible
Hartmut opened issue Hartmut/Nexus#40 2026-04-16 22:05:08 +02:00
Security [HIGH]: Login timing attack enables user-email enumeration
Hartmut commented on issue Hartmut/Nexus#28 2026-04-16 10:20:07 +02:00
CDP 35948519: Utilize a Secure DevOps environment supporting code scanning services

Action Plan

CDP-Requirement: CI/CD-Pipeline muss SAST + DAST + SCA durchführen, Critical/High blocken.

Status — Coverage-Matrix

Hartmut commented on issue Hartmut/Nexus#24 2026-04-16 10:20:07 +02:00
CDP 35948469: Designate SPOC for Sharing Information (app/AI)

Action Plan

CDP-Requirement: Single Point of Contact für Outbound-Sharing von Projekt-Dokumenten/Daten designieren.

Designation

  • SPOC: h.noerenberg (Projekt-Owner, Repo-Owner,…
Hartmut commented on issue Hartmut/Nexus#1 2026-04-16 10:20:07 +02:00
CDP Compliance Epic — alle Controls

Progress Update — 2026-04-16

Controls-Status

Anwendbare Controls (20):

Hartmut commented on issue Hartmut/Nexus#10 2026-04-16 10:20:06 +02:00
CDP 35948471: Deliver project specific CDP training (app/AI)

Action Plan

CDP-Requirement: Alle Team-Mitglieder müssen binnen 30 Tagen nach Onboarding CDP-Training absolvieren.

Status

  • Team: Aktuell 1-Person-Team (h.noerenberg) — kein…
Hartmut commented on issue Hartmut/Nexus#7 2026-04-16 10:20:06 +02:00
CDP 35948472: Maintain current application inventory (dev)

Action Plan

CDP-Requirement: Application-Inventory in Accenture-System (AIR — Accenture Information Repository) eintragen.

Status

  • Internes App-Inventory-Dokument: `docs/acn-sta…
Hartmut commented on issue Hartmut/Nexus#3 2026-04-16 10:20:06 +02:00
CDP 35948468: Provide Written Notification (app)

Action Plan

CDP-Requirement: Admin-Rollenzuweisung muss formell schriftlich kommuniziert werden.

Status

  • Infrastruktur vorhanden: packages/api/src/lib/email.ts (nodemailer) —…