curo/Business-Management
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
31 Commits 1 Branch 0 Tags
52a2967f61e340b600e367718c437bac454e28c7
Commit Graph

6 Commits

Author SHA1 Message Date
curo1305 d423bea134 Isolate backend and db from host: two Docker networks 
- backend-net (internal: true): db ↔ backend ↔ frontend reverse proxy
- frontend-net: frontend only; single host port binding (80 prod / 5173 dev)
- Remove ports: from db (5432) and backend (8000) — unreachable from host
- Security auditor: hard rule to never add host ports to db or backend

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-14 00:06:38 +02:00
curo1305 03fcc6e117 Document app container architecture and socket proxy requirement 
- TODO: add app container architecture section with socket proxy, network
  isolation, image allowlist, and Podman evaluation items
- security-auditor: hard rules for never mounting raw Docker socket and
  never spawning privileged containers

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-13 23:19:38 +02:00
curo1305 e2c55556ac Switch JWT signing from HS256 to RS256 (4096-bit RSA) 
- Replace symmetric SECRET_KEY with JWT_PRIVATE_KEY / JWT_PUBLIC_KEY (PEM)
- Add iat claim to every token
- Add expand_newlines validator in config for single-line .env PEM values
- Add scripts/generate_jwt_keys.py key-generation helper
- Update security-auditor agent JWT checklist with RS256 enforcement rules
- Mark RS256 as done in TODO.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-13 23:00:35 +02:00
curo1305 0af5e8cc24 Harden JWT: 8-hour expiry, add JWT vulnerability checks 
- Reduce ACCESS_TOKEN_EXPIRE_MINUTES from 24h to 8h (no permanent sessions)
- Add JWT_PATTERNS to security_check.py: algorithm=none, verify_exp=False,
  multi-day timedelta, oversized EXPIRE_MINUTES, hardcoded secret
- Add JWT security checklist to security-auditor agent
- Document auth/session security items in TODO.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-13 22:54:53 +02:00
curo1305 b9485ca492 Switch UX/UI tooling to self-hosted Penpot; add setup checklist 
- ux-designer.md: replace Figma with Penpot REST API approach; add
  next-session checklist (LXC setup, project creation, access token,
  component library decision, agent connection)
- TODO.md: add Penpot setup section with five actionable items
- changelog: document the tooling decision and rationale

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-13 22:07:44 +02:00
curo1305 f37c7ae55d Add four custom subagent definitions 
- .claude/agents/backend-dev.md: advisory, read-only, FastAPI/SQLAlchemy expert
- .claude/agents/frontend-dev.md: advisory, read-only, React/TS/TanStack expert
- .claude/agents/ux-designer.md: advisory, read-only, UX + Figma MCP setup guide
- .claude/agents/security-auditor.md: active, full write access, fixes
  vulnerabilities directly; uses claude-opus-4-6 for deeper reasoning

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-13 21:04:19 +02:00