- TODO: add app container architecture section with socket proxy, network
isolation, image allowlist, and Podman evaluation items
- security-auditor: hard rules for never mounting raw Docker socket and
never spawning privileged containers
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
/.cache/pip is owned by root; as UID 1001 pip emits a cache-permission
warning. Container is ephemeral so caching has no value — disable it
with PIP_NO_CACHE_DIR=1.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Creates /tmp/venv inside the ephemeral container, installs bandit there,
and runs the security check via the venv's Python. No --user installs,
no script-location warnings, no writes outside the container's /tmp.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
--no-warn-script-location: bandit scripts go to /tmp/.local/bin which is
not on PATH, but we invoke via 'python -m bandit' so this is harmless.
PIP_DISABLE_PIP_VERSION_CHECK=1: silence the version upgrade notice.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
docker run was using python:3.12-slim's default root user, causing pip
to warn about running as root. Fix: add -u 1001:1001, set HOME=/tmp so
pip --user has a writable install location, and pass --user to pip.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- CLAUDE.md: add step 5 to infrastructure protocol (tear down after testing)
- .claude/settings.local.json: add git push, docker compose, docker run to
allowed commands accumulated during this session
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- scripts/seed.py: seed three fixed dev users on every startup:
test_admin@example.com / Secure_Dev1! (admin)
test_1@example.com / Secure_Dev2! (user)
test_2@example.com / Secure_Dev3! (user)
Upsert logic: missing users are created; existing users have their admin
flag corrected if it drifted; all passwords pass the strength policy
- TODO.md: add permissions registry item (user_app_permissions table,
admin UI to grant/revoke per-app access per user)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- deps.py: get_current_admin returns 404 Not Found for non-superusers instead
of 403 Forbidden — hides endpoint existence from unauthorised callers
- App.tsx: AdminRoute redirects non-admins to /login instead of /, making
the route indistinguishable from a non-existent page
Layer 3 (network-level IP restriction via Traefik) tracked in TODO.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Backend:
- schemas/user.py: is_admin (validation_alias=is_superuser) on UserOut and
UserAdminOut; UserAdminCreate extends UserCreate with is_admin flag
- deps.py: get_current_admin dependency — 403 for non-superusers
- routers/admin.py: GET/POST /api/admin/users, DELETE and PATCH /active per
user; self-delete and self-deactivate blocked
- main.py: register /api/admin router
- scripts/seed.py: seed test user with is_superuser=True; promotes existing
user if already created without the flag
Frontend:
- api/client.ts: UserData type with is_admin, admin API functions
- components/Nav.tsx: Admin link visible only when user.is_admin is true
- pages/AdminPage.tsx: user table with add-user form, delete, toggle active
- App.tsx: AdminRoute guard (403-redirects non-admins to /); /admin route
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- frontend prod: USER root for adduser, then USER appuser (1001:1001); fixes
build failure caused by nginx-unprivileged already setting USER nginx
- docker-compose: frontend user updated to 1001:1001 (was 101:101)
- CLAUDE.md: add infrastructure change protocol (update README + test both
stacks after any Dockerfile/compose/nginx change); fix stale passlib ref
- README: container table shows nginx-unprivileged image, UID column, internal
port 8080 note; Current State notes all containers run as non-root
Both dev and prod stacks tested and verified (health, login, /users/me,
frontend serving, all containers confirmed non-root via docker inspect).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- backend: appuser UID/GID 1001 via useradd, USER directive, --chown on COPY
- frontend builder: appuser UID/GID 1001 via adduser, USER directive
- frontend prod: switch to nginxinc/nginx-unprivileged:alpine (nginx UID 101), listen on 8080
- docker-compose: explicit user: for all services (70:70 db, 1001:1001 backend/frontend-dev, 101:101 frontend-prod)
- nginx.conf: listen 8080 to match unprivileged image
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- vite.config.ts: proxy target via VITE_API_TARGET env var (falls back to localhost)
- docker-compose.dev.yml: set VITE_API_TARGET=http://backend:8000
- Add /login-success and /register-success placeholder pages
- Show real API error messages in login/register forms
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Generate frontend/package-lock.json (required by npm ci)
- Add network: host to BuildKit build stages to fix DNS in pip installs
- Switch pyproject.toml build backend to setuptools.build_meta (stable)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
curo1305