Business-Management

Author	SHA1	Message	Date
curo1305	0d34867a69	Add PDF document service with AI extraction and per-app settings - New `features/doc-service` FastAPI microservice: PDF upload, async text extraction (pdfplumber), AI classification via Anthropic/Ollama/ LM Studio, per-user categories, file download - Alembic migration isolated with `alembic_version_doc_service` table - Main backend: httpx proxy routers for /api/documents/* and /api/documents/categories/, admin settings API at /api/settings/ - Runtime config in /config/doc_service_config.json (shared Docker volume); api_key masking on reads; atomic write with os.replace() - Frontend: DocumentsPage, DocumentAdminSettingsPage, updated AppsPage launcher hub, simplified Nav (removed Settings link), new routes - docker-compose: doc-service service, doc_data + app_config volumes, removed internal:true from backend-net for outbound AI API calls - Fix pre-commit hook: probe Docker socket path so git subprocess picks up Docker Desktop on macOS - Fix security_check.py: use sys.executable for bandit so venv python is used instead of system python Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-14 05:28:11 +02:00
curo1305	e2c55556ac	Switch JWT signing from HS256 to RS256 (4096-bit RSA) - Replace symmetric SECRET_KEY with JWT_PRIVATE_KEY / JWT_PUBLIC_KEY (PEM) - Add iat claim to every token - Add expand_newlines validator in config for single-line .env PEM values - Add scripts/generate_jwt_keys.py key-generation helper - Update security-auditor agent JWT checklist with RS256 enforcement rules - Mark RS256 as done in TODO.md Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-13 23:00:35 +02:00
curo1305	0af5e8cc24	Harden JWT: 8-hour expiry, add JWT vulnerability checks - Reduce ACCESS_TOKEN_EXPIRE_MINUTES from 24h to 8h (no permanent sessions) - Add JWT_PATTERNS to security_check.py: algorithm=none, verify_exp=False, multi-day timedelta, oversized EXPIRE_MINUTES, hardcoded secret - Add JWT security checklist to security-auditor agent - Document auth/session security items in TODO.md Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-13 22:54:53 +02:00
curo1305	343f12259c	Add profile feature, input sanitization, and stronger security checks Backend: - app/core/sanitize.py: shared sanitize_str, normalize_email, validate_phone, validate_date_of_birth — applied to every user-supplied DB-bound input - app/schemas/user.py: sanitize full_name, normalize email on UserCreate - app/models/profile.py: profiles table (position, phone, dob, address, updated_at) - app/models/user.py: Profile back-ref, is_superuser admin-role comment - app/schemas/profile.py: ProfileRead/ProfileUpdate with full sanitization - app/routers/profile.py: GET+PUT /api/profile/me (lazy profile creation) - app/main.py: register /api/profile router - alembic migration 676084df61d1: create profiles table Frontend: - components/Nav.tsx: shared nav (Dashboard \| Profile \| Logout) - pages/ProfilePage.tsx: profile view + inline edit form with error handling - pages/DashboardPage.tsx: use Nav component - api/client.ts: ProfileData type, getProfile, updateProfile - App.tsx: /profile private route Security: - scripts/security_check.py: tighter SQL injection patterns (f-string/format/% in execute/query/text()), new SANIT category for raw request→DB patterns Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-13 18:15:47 +02:00
curo1305	61cef2eacd	Add test user seed, password validation, and pre-commit security hook - backend/scripts/seed.py: creates test@example.com on dev startup - backend/scripts/start_dev.sh: runs migrations + seed + uvicorn --reload - backend/app/schemas/user.py: password validator (length, case, digit, special char, forbidden words) - scripts/security_check.py: Docker-based scanner for secrets, dangerous patterns, weak crypto, bandit - .githooks/pre-commit: runs security_check.py in python:3.12-slim on every commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-12 15:54:23 +02:00

5 Commits