curo/kite
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
248 Commits 1 Branch 0 Tags
1a34209bb026f0bfb8a18abeb907f6aa7c937877
Commit Graph

248 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
curo1305 1a34209bb0 fix(06.2): CR-06 RFC 5987-encode Content-Disposition filename to prevent header injection 2026-06-01 14:26:46 +02:00
curo1305 653cb3a98b fix(06.2): CR-05 remove UUID dash-stripping in quota SQL — PostgreSQL expects dashed UUID format 2026-06-01 14:26:24 +02:00
curo1305 3fa7e8b866 fix(06.2): CR-04 WR-05 audit export functions use 401-refresh-retry and safe URL.revokeObjectURL 2026-06-01 14:26:05 +02:00
curo1305 792d4639d1 fix(06.2): CR-03 serialize metadata_ with json.dumps in CSV export instead of Python repr 2026-06-01 14:25:29 +02:00
curo1305 50859bb430 fix(06.2): CR-02 add MinIOBackend guard in download_daily_export before accessing _client 2026-06-01 14:25:06 +02:00
curo1305 a3ad36cc82 fix(06.2): CR-01 event-type filter uses prefix LIKE match instead of exact equality 2026-06-01 14:24:50 +02:00
curo1305 7e549b6312 docs(02-06): complete UAT gap closure plan summary 
- SUMMARY.md for plan 02-06 (5 UAT gaps closed)
- Backend fix verified; frontend auth layout, admin guard, Account tab, QR code implemented
 2026-05-31 20:41:36 +02:00
curo1305 c08ea42b1b feat(02-06): Account tab in SettingsView + QR code in TotpEnrollment (GAPs 3, 5) 
- frontend/package.json: add qrcode@1.5.4 to runtime dependencies
- TotpEnrollment.vue: import QRCode; generate data URL in startSetup(); render img tag
- SettingsAccountTab.vue: new component with all AccountView content (2FA, password, sessions)
- SettingsView.vue: add Account tab rendering SettingsAccountTab; import SettingsAccountTab
 2026-05-31 20:40:28 +02:00
curo1305 97314ce486 docs(06.2): add code review report 2026-05-31 20:38:59 +02:00
curo1305 aa957d6c50 feat(02-06): auth layout switching + admin role guard (GAPs 2, 3, 4) 
- App.vue: conditionally renders AuthLayout for auth routes, app shell otherwise
- router/index.js: meta.layout='auth' on all four auth routes
- router/index.js: meta.requiresAdmin=true on /admin route
- router/index.js: beforeEach role check redirects non-admin to /
- router/index.js: /account redirects to /settings
 2026-05-31 20:37:46 +02:00
curo1305 579c8366e9 docs(06.2): update phase verification report after plan-05 gap closure 2026-05-31 20:30:43 +02:00
curo1305 b2488c91c8 docs(02): add root causes from diagnosis 2026-05-31 20:28:57 +02:00
curo1305 52d6efb8a2 docs(06.2): add code review report 2026-05-31 20:23:32 +02:00
curo1305 33697f2713 test(02): complete UAT — 10 passed, 6 issues, 2 blocked 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-31 20:21:16 +02:00
curo1305 8cc46a8d8d docs(phase-06.2): resolve UAT gaps after 06.2-05 gap closure 2026-05-31 20:16:43 +02:00
curo1305 c3c7030e91 docs(phase-06.2): update tracking after wave 3 — all 5 plans complete 2026-05-31 20:16:08 +02:00
curo1305 8a078e4040 chore: merge executor worktree (worktree-agent-ad4015e9fb03e9447) 2026-05-31 20:13:19 +02:00
curo1305 e30401ddff docs(06.2-05): complete plan summary — 4 UAT gaps closed 
- Task 1: @handle in AccountView + AdminUsersTab
- Task 2: actionable cloud error (Settings link) + audit log @ prefix
- Task 3: clearFilters() + activeFilterCount + Clear filters button + filter count badge
 2026-05-31 20:12:27 +02:00
curo1305 5d457d68bf feat(06.2-05): clear filters button and active filter count in AuditLogTab 
- Add clearFilters() function that resets all filter fields and refetches
- Add activeFilterCount computed property (counts non-empty filter fields)
- Add "Clear filters" button (visible only when activeFilterCount > 0)
- Wrap Export CSV button with filter count indicator (amber text below button)
- Add computed to vue import
 2026-05-31 20:11:02 +02:00
curo1305 f5e111bfa2 feat(06.2-05): actionable cloud error + audit log @ prefix 
- CloudFolderView: detect no-connection error and show actionable message
  directing user to Settings; add router-link to /settings and Retry button
- AuditLogTab: prefix user handles with @ in the User column
 2026-05-31 20:10:22 +02:00
curo1305 045e723f7a feat(06.2-05): show @handle in AccountView and AdminUsersTab 
- Add Username row (@handle) to Account information section in AccountView.vue
- Add Handle column (th + td with @prefix) to users table in AdminUsersTab.vue
- Both use existing data already present in API responses (no backend changes)
 2026-05-31 20:09:50 +02:00
curo1305 6307d9dd86 test(06.2): update UAT with root cause diagnoses for all 4 gaps 2026-05-31 20:01:56 +02:00
curo1305 1d8c7dba91 test(06.2): complete UAT — 3 passed, 4 issues, 2 skipped, 2 blocked 2026-05-31 16:10:54 +02:00
curo1305 77263bd569 docs(phase-06.2): mark validation strategy nyquist-compliant 
All 11 Wave 0 test stubs verified green (50 passed, 4 xfailed).
Updated per-task map, wave 0 checklist, sign-off, and audit trail.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-31 15:44:25 +02:00
curo1305 73b180ac9d docs(phase-06.2): add security threat verification report 
16/16 threats CLOSED — mitigate dispositions verified in code with exact file:line citations.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-31 15:41:33 +02:00
curo1305 f037d2be45 docs(06.2): add phase verification report 2026-05-31 15:36:08 +02:00
curo1305 758d1a687e docs(06.2): add code review report 2026-05-31 15:29:57 +02:00
curo1305 abb964531f docs(phase-06.2): update tracking after wave 2 — plan 06.2-04 complete 2026-05-31 15:24:44 +02:00
curo1305 46f7505e36 chore: merge executor worktree (worktree-agent-af66944050628b0e4) 2026-05-31 15:23:36 +02:00
curo1305 893da5b9ba docs(06.2-04): complete ADMIN-06 audit enrichment + daily exports — 10 tests pass 
- Handle-enriched audit log (user_handle, actor_handle via aliased double-JOIN)
- user_handle filter with handle-to-UUID resolution, empty result for unknown handles
- fetch+Blob CSV export replacing window.location.href (T-06.2-04-03)
- GET /audit-log/daily-exports and /daily-exports/{date} with date regex validation
- Daily exports section in AuditLogTab with date dropdown + Download button
- Full audit test suite: 10 passed; backend suite: 337 passed, 1 pre-existing failure
 2026-05-31 15:22:46 +02:00
curo1305 0647e6e9bf feat(06.2-04): frontend — user_handle filter, fetch+Blob export, daily-export section 
- adminListAuditLog: rename user_id param to user_handle (backend API change)
- adminExportAuditLogCsv(): fetch+Blob pattern — sends Bearer header (D-13, T-06.2-04-03)
- adminListDailyExports(): raw fetch returning JSON for daily export listing (D-17)
- adminDownloadDailyExport(date): fetch+Blob download with audit-{date}.csv filename (D-17)
- AuditLogTab: rename filters.user_id to filters.user_handle + label 'User handle' (D-12, C-5)
- AuditLogTab: exportCsv() replaced with async fetch+Blob call, exportingCsv loading state
- AuditLogTab: daily exports section below pagination — date dropdown + Download button (D-17, C-4)
- window.location.href removed from AuditLogTab (broken auth bypass closed)
- Build exits 0, full backend suite: 337 passed, 1 pre-existing failure
 2026-05-31 15:21:23 +02:00
curo1305 f176235ee8 docs(phase-04): update VALIDATION.md — Nyquist-compliant (all gaps resolved) 
Mark nyquist_compliant: true. All 22 tasks now have automated coverage.
4 gaps resolved: FOLD-04 sort, FOLD-05 FTS, SEC-08 credentials_enc, SEC-09
MinIO cleanup. 1 impl bug logged and fixed (FTS try/except misplacement).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-31 15:21:08 +02:00
curo1305 62daf0d750 test(phase-04): fill Nyquist validation gaps — FOLD-04, FOLD-05, SEC-08, SEC-09 
Add 6 new tests covering document sort (name/size), FTS search cross-user
isolation, credentials_enc exclusion from all responses, and MinIO object
cleanup on user deletion.

Fix FTS try/except misplacement in api/documents.py — was wrapping the ORM
statement builder (never raises) instead of the execute call, causing HTTP 500
on SQLite test env. Now falls back to unfiltered results when @@ unsupported.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-31 15:21:02 +02:00
curo1305 839bfe0ffe feat(06.2-04): backend — handle enrichment, user_handle filter, two daily-export endpoints 
- Add _audit_to_dict_with_handles() with user_handle + actor_handle fields
- Add _build_filtered_query_with_handles() with aliased User double-JOIN
- Change list_audit_log user_id param to user_handle string with handle→UUID resolution
- Change export_audit_log user_id param to user_handle (Pitfall 7 — both endpoints enriched)
- Add GET /audit-log/daily-exports — lists MinIO audit-logs bucket, asyncio.to_thread
- Add GET /audit-log/daily-exports/{date} — streams CSV, date regex validation (T-06.2-04-01)
- Move daily-export endpoints before viewer to ensure specific path registration order
- Update test_audit_log_export_csv to match enriched CSV header (user_handle, actor_handle)
- All 10 test_audit.py tests pass
 2026-05-31 15:17:53 +02:00
curo1305 d7cfc5ccee test(06.2-04): add failing tests for handle enrichment, user_handle filter, daily exports 
- test_audit_log_includes_user_handle: asserts user_handle/actor_handle in items
- test_audit_log_filter_by_handle: asserts filtering by handle works correctly
- test_audit_log_filter_unknown_handle: asserts 200+empty for unknown handle
- test_daily_exports_list: mocks MinIO list_objects, asserts sorted items
- test_daily_export_download: mocks MinIO get_object, asserts CSV response + 404 on bad date
 2026-05-31 15:15:46 +02:00
curo1305 eab5f124f6 docs(06.2-03): complete cloud-delete gap closure — 24 tests pass 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-31 15:11:51 +02:00
curo1305 cce8586235 feat(06.2-03): frontend — CloudDeleteWarningModal + remove_only path in DocumentView 
- api/client.js: deleteDocument gains removeOnly param; deleteDocumentRemoveOnly wrapper added
- DocumentView.vue: confirmDelete inspects response.cloud_delete_failed, shows modal on failure
- DocumentView.vue: inline CloudDeleteWarningModal (C-3 contract) with Remove from app / Cancel
- confirmRemoveOnly() calls DELETE ?remove_only=true and navigates to /

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-31 15:11:31 +02:00
curo1305 95c7ed786a feat(06.2-03): backend — cloud-aware delete routing + skip_quota + remove_only param 
- storage.delete_document gains skip_quota=False param; quota decrement gated on it
- DELETE /api/documents/{id} gains remove_only=bool query param
- Cloud docs (storage_backend != minio): attempt cloud backend delete_object first
  - On failure: return HTTP 200 {success: false, cloud_delete_failed: true} (not 4xx)
  - On success or remove_only: delete DB row with skip_quota=True
- Cloud creds/exception message never included in response body (T-06.2-03-02)
- Promote 3 xfail stubs to real tests (propagates, failure, remove_only)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-31 15:09:44 +02:00
curo1305 e812922a26 docs(06.2-02): complete SHARE-05 + SHARE-03 gap closure — 12 tests pass 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-31 15:07:26 +02:00
curo1305 3cc4a5335d docs(phase-03): update VALIDATION.md — Nyquist-compliant (partial) 
15 automated tests green, 4 manual-only (PostgreSQL/migration infra).
Added 4 previously unlisted passing tests to task map (D-15, D-16, D-09×2).
Audit trail appended. Status: nyquist_compliant: true, status: partial.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-31 15:07:23 +02:00
curo1305 1ee27da332 test(phase-03): remove stale xfail markers from quota tests 
test_quota_increment_atomic and test_quota_exceeded_response were marked
xfail for PostgreSQL but pass on SQLite — markers removed, tests now PASSED.
Concurrent race and delete decrement keep xfail; they require real PG locking.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-31 15:07:18 +02:00
curo1305 34b18a9f08 feat(06.2-02): frontend — is_shared badge fix + permission dropdown + View/Edit toggle 
- DocumentCard.vue: fix Shared pill to read doc.is_shared (was doc.share_count > 0)
- ShareModal.vue: add permission select between handle input and submit button
- ShareModal.vue: replace static "view" span with View/Edit toggle group per share row
- ShareModal.vue: add handlePermissionChange with optimistic update + rollback on error
- documents.js: update shareDocument(docId, handle, permission='view') signature
- documents.js: add updateSharePermission(shareId, permission) action
- api/client.js: pass permission in createShare POST body
- api/client.js: add updateSharePermission PATCH helper

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-31 15:07:04 +02:00
curo1305 ea231853e9 feat(06.2-02): backend — ShareCreate.permission field + PATCH /{share_id} endpoint 
- Add permission field (default "view") with field_validator to ShareCreate
- Add SharePermissionPatch model with same validator
- Wire body.permission into grant_share() Share constructor
- Add PATCH /{share_id} endpoint with IDOR protection (T-06.2-02-01)
- Promote 3 xfail stubs to real tests (create_with_permission, patch_permission, patch_idor)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-31 15:04:53 +02:00
curo1305 7e62868fea docs(phase-02): add VALIDATION.md — Nyquist-compliant, all 24 tasks mapped, 4 manual-only 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-31 12:04:28 +02:00
curo1305 d98e3ab7a1 test(phase-02): add Nyquist validation tests — fill SEC-05, AUTH-08, SEC-03 and frontend gaps 
8 test files, 60 new tests (14 backend + 46 frontend). All green.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-31 12:04:21 +02:00
curo1305 6c79f92d70 chore: merge executor worktree (worktree-agent-a3dd74026d1efb9af) 2026-05-31 12:01:28 +02:00
curo1305 21fde406e7 docs(06.2-01): complete Wave 0 Nyquist scaffold — 11 xfail stubs across 3 test files 
- 3 stubs in test_shares.py (SHARE-03 permission field, PATCH, IDOR)
- 3 stubs in test_documents.py (cloud delete propagation, failure, remove_only)
- 5 stubs in test_audit.py (handle enrichment, handle filter x2, daily exports x2)
- All 11 reported as XFAIL; full 3-file suite: 35 passed, 15 xfailed, exits 0
 2026-05-31 11:58:58 +02:00
curo1305 7271eeb53c test(06.2-01): add xfail stubs for ADMIN-06 audit enrichment + daily exports (Task 3) 
- test_audit_log_includes_user_handle: user_handle and actor_handle in audit items (D-11)
- test_audit_log_filter_by_handle: user_handle query param filters entries (D-12)
- test_audit_log_filter_unknown_handle: unknown handle returns empty list, not 422 (D-12)
- test_daily_exports_list: daily-exports listing endpoint returns {items} (D-15)
- test_daily_export_download: daily export download returns CSV bytes with Content-Disposition (D-16)
 2026-05-31 11:58:05 +02:00
curo1305 bbf5355edb test(06.2-01): add xfail stubs for cloud-delete document tests (Task 2) 
- test_delete_cloud_document_propagates: cloud backend delete_object called for non-minio docs (D-01)
- test_delete_cloud_document_failure: structured JSON error when provider raises (D-03)
- test_delete_cloud_remove_only: remove_only=true skips cloud delete, removes DB row only (D-02)
 2026-05-31 11:57:55 +02:00
curo1305 ecdeffb63d test(06.2-01): add xfail stubs for SHARE-03 permission tests (Task 1) 
- test_share_create_with_permission: POST /api/shares permission field (SHARE-03, D-08, D-10)
- test_share_patch_permission: PATCH /api/shares/{id} permission change (SHARE-03, D-09)
- test_share_patch_idor: PATCH by non-owner returns 404 IDOR protection (SHARE-03, T-IDOR)
 2026-05-31 11:54:52 +02:00