curo1305
8601a02189
docs(02): update verification report after plan 06 gap closure — 2 security blockers flagged
2026-06-01 14:37:23 +02:00
curo1305
a6c227cc7e
merge(06.2): integrate code review fixes from gsd-reviewfix/06.2-2490
2026-06-01 14:37:21 +02:00
curo1305
1433273328
docs(06.2): update review status after fixes — all 15 CR/WR findings resolved
2026-06-01 14:33:41 +02:00
curo1305
9e8f8d5bbc
fix(06.2): WR-06 use URLSearchParams in listShares for consistent encoding
2026-06-01 14:31:50 +02:00
curo1305
683670afa1
fix(06.2): WR-02 constrain format parameter to Literal[csv] to reject unsupported formats
2026-06-01 14:31:32 +02:00
curo1305
fdb18300d9
docs(02): add code review report for plan 06 gap closure
2026-06-01 14:31:21 +02:00
curo1305
1cba903c34
fix(06.2): WR-01 replace fixed-suffix password generation with fully-random positional injection
2026-06-01 14:31:00 +02:00
curo1305
2072c3ddcd
fix(06.2): WR-08 delete_document defers commit so audit log writes in same transaction
2026-06-01 14:30:31 +02:00
curo1305
50b6e7fd06
fix(06.2): WR-07 document X-Forwarded-For trust boundary in all IP extraction code
2026-06-01 14:29:35 +02:00
curo1305
2542c81602
fix(06.2): WR-03 WR-04 fix pagination off-by-one and surface daily exports load errors
2026-06-01 14:27:47 +02:00
curo1305
1f2cec9ac3
fix(06.2): CR-07 add audit log entry for PATCH /shares/{share_id} permission change
2026-06-01 14:27:08 +02:00
curo1305
1a34209bb0
fix(06.2): CR-06 RFC 5987-encode Content-Disposition filename to prevent header injection
2026-06-01 14:26:46 +02:00
curo1305
653cb3a98b
fix(06.2): CR-05 remove UUID dash-stripping in quota SQL — PostgreSQL expects dashed UUID format
2026-06-01 14:26:24 +02:00
curo1305
3fa7e8b866
fix(06.2): CR-04 WR-05 audit export functions use 401-refresh-retry and safe URL.revokeObjectURL
2026-06-01 14:26:05 +02:00
curo1305
792d4639d1
fix(06.2): CR-03 serialize metadata_ with json.dumps in CSV export instead of Python repr
2026-06-01 14:25:29 +02:00
curo1305
50859bb430
fix(06.2): CR-02 add MinIOBackend guard in download_daily_export before accessing _client
2026-06-01 14:25:06 +02:00
curo1305
a3ad36cc82
fix(06.2): CR-01 event-type filter uses prefix LIKE match instead of exact equality
2026-06-01 14:24:50 +02:00
curo1305
5093aa5630
docs(phase-02): update tracking after plan 06 gap closure — 6/6 plans complete
2026-06-01 14:24:46 +02:00
curo1305
7e549b6312
docs(02-06): complete UAT gap closure plan summary
...
- SUMMARY.md for plan 02-06 (5 UAT gaps closed)
- Backend fix verified; frontend auth layout, admin guard, Account tab, QR code implemented
2026-05-31 20:41:36 +02:00
curo1305
c08ea42b1b
feat(02-06): Account tab in SettingsView + QR code in TotpEnrollment (GAPs 3, 5)
...
- frontend/package.json: add qrcode@1.5.4 to runtime dependencies
- TotpEnrollment.vue: import QRCode; generate data URL in startSetup(); render img tag
- SettingsAccountTab.vue: new component with all AccountView content (2FA, password, sessions)
- SettingsView.vue: add Account tab rendering SettingsAccountTab; import SettingsAccountTab
2026-05-31 20:40:28 +02:00
curo1305
97314ce486
docs(06.2): add code review report
2026-05-31 20:38:59 +02:00
curo1305
aa957d6c50
feat(02-06): auth layout switching + admin role guard (GAPs 2, 3, 4)
...
- App.vue: conditionally renders AuthLayout for auth routes, app shell otherwise
- router/index.js: meta.layout='auth' on all four auth routes
- router/index.js: meta.requiresAdmin=true on /admin route
- router/index.js: beforeEach role check redirects non-admin to /
- router/index.js: /account redirects to /settings
2026-05-31 20:37:46 +02:00
curo1305
579c8366e9
docs(06.2): update phase verification report after plan-05 gap closure
2026-05-31 20:30:43 +02:00
curo1305
b2488c91c8
docs(02): add root causes from diagnosis
2026-05-31 20:28:57 +02:00
curo1305
52d6efb8a2
docs(06.2): add code review report
2026-05-31 20:23:32 +02:00
curo1305
33697f2713
test(02): complete UAT — 10 passed, 6 issues, 2 blocked
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-31 20:21:16 +02:00
curo1305
8cc46a8d8d
docs(phase-06.2): resolve UAT gaps after 06.2-05 gap closure
2026-05-31 20:16:43 +02:00
curo1305
c3c7030e91
docs(phase-06.2): update tracking after wave 3 — all 5 plans complete
2026-05-31 20:16:08 +02:00
curo1305
8a078e4040
chore: merge executor worktree (worktree-agent-ad4015e9fb03e9447)
2026-05-31 20:13:19 +02:00
curo1305
e30401ddff
docs(06.2-05): complete plan summary — 4 UAT gaps closed
...
- Task 1: @handle in AccountView + AdminUsersTab
- Task 2: actionable cloud error (Settings link) + audit log @ prefix
- Task 3: clearFilters() + activeFilterCount + Clear filters button + filter count badge
2026-05-31 20:12:27 +02:00
curo1305
5d457d68bf
feat(06.2-05): clear filters button and active filter count in AuditLogTab
...
- Add clearFilters() function that resets all filter fields and refetches
- Add activeFilterCount computed property (counts non-empty filter fields)
- Add "Clear filters" button (visible only when activeFilterCount > 0)
- Wrap Export CSV button with filter count indicator (amber text below button)
- Add computed to vue import
2026-05-31 20:11:02 +02:00
curo1305
f5e111bfa2
feat(06.2-05): actionable cloud error + audit log @ prefix
...
- CloudFolderView: detect no-connection error and show actionable message
directing user to Settings; add router-link to /settings and Retry button
- AuditLogTab: prefix user handles with @ in the User column
2026-05-31 20:10:22 +02:00
curo1305
045e723f7a
feat(06.2-05): show @handle in AccountView and AdminUsersTab
...
- Add Username row (@handle) to Account information section in AccountView.vue
- Add Handle column (th + td with @prefix) to users table in AdminUsersTab.vue
- Both use existing data already present in API responses (no backend changes)
2026-05-31 20:09:50 +02:00
curo1305
6307d9dd86
test(06.2): update UAT with root cause diagnoses for all 4 gaps
2026-05-31 20:01:56 +02:00
curo1305
1d8c7dba91
test(06.2): complete UAT — 3 passed, 4 issues, 2 skipped, 2 blocked
2026-05-31 16:10:54 +02:00
curo1305
77263bd569
docs(phase-06.2): mark validation strategy nyquist-compliant
...
All 11 Wave 0 test stubs verified green (50 passed, 4 xfailed).
Updated per-task map, wave 0 checklist, sign-off, and audit trail.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-31 15:44:25 +02:00
curo1305
73b180ac9d
docs(phase-06.2): add security threat verification report
...
16/16 threats CLOSED — mitigate dispositions verified in code with exact file:line citations.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-31 15:41:33 +02:00
curo1305
f037d2be45
docs(06.2): add phase verification report
2026-05-31 15:36:08 +02:00
curo1305
758d1a687e
docs(06.2): add code review report
2026-05-31 15:29:57 +02:00
curo1305
abb964531f
docs(phase-06.2): update tracking after wave 2 — plan 06.2-04 complete
2026-05-31 15:24:44 +02:00
curo1305
46f7505e36
chore: merge executor worktree (worktree-agent-af66944050628b0e4)
2026-05-31 15:23:36 +02:00
curo1305
893da5b9ba
docs(06.2-04): complete ADMIN-06 audit enrichment + daily exports — 10 tests pass
...
- Handle-enriched audit log (user_handle, actor_handle via aliased double-JOIN)
- user_handle filter with handle-to-UUID resolution, empty result for unknown handles
- fetch+Blob CSV export replacing window.location.href (T-06.2-04-03)
- GET /audit-log/daily-exports and /daily-exports/{date} with date regex validation
- Daily exports section in AuditLogTab with date dropdown + Download button
- Full audit test suite: 10 passed; backend suite: 337 passed, 1 pre-existing failure
2026-05-31 15:22:46 +02:00
curo1305
0647e6e9bf
feat(06.2-04): frontend — user_handle filter, fetch+Blob export, daily-export section
...
- adminListAuditLog: rename user_id param to user_handle (backend API change)
- adminExportAuditLogCsv(): fetch+Blob pattern — sends Bearer header (D-13, T-06.2-04-03)
- adminListDailyExports(): raw fetch returning JSON for daily export listing (D-17)
- adminDownloadDailyExport(date): fetch+Blob download with audit-{date}.csv filename (D-17)
- AuditLogTab: rename filters.user_id to filters.user_handle + label 'User handle' (D-12, C-5)
- AuditLogTab: exportCsv() replaced with async fetch+Blob call, exportingCsv loading state
- AuditLogTab: daily exports section below pagination — date dropdown + Download button (D-17, C-4)
- window.location.href removed from AuditLogTab (broken auth bypass closed)
- Build exits 0, full backend suite: 337 passed, 1 pre-existing failure
2026-05-31 15:21:23 +02:00
curo1305
f176235ee8
docs(phase-04): update VALIDATION.md — Nyquist-compliant (all gaps resolved)
...
Mark nyquist_compliant: true. All 22 tasks now have automated coverage.
4 gaps resolved: FOLD-04 sort, FOLD-05 FTS, SEC-08 credentials_enc, SEC-09
MinIO cleanup. 1 impl bug logged and fixed (FTS try/except misplacement).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-31 15:21:08 +02:00
curo1305
62daf0d750
test(phase-04): fill Nyquist validation gaps — FOLD-04, FOLD-05, SEC-08, SEC-09
...
Add 6 new tests covering document sort (name/size), FTS search cross-user
isolation, credentials_enc exclusion from all responses, and MinIO object
cleanup on user deletion.
Fix FTS try/except misplacement in api/documents.py — was wrapping the ORM
statement builder (never raises) instead of the execute call, causing HTTP 500
on SQLite test env. Now falls back to unfiltered results when @@ unsupported.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-31 15:21:02 +02:00
curo1305
839bfe0ffe
feat(06.2-04): backend — handle enrichment, user_handle filter, two daily-export endpoints
...
- Add _audit_to_dict_with_handles() with user_handle + actor_handle fields
- Add _build_filtered_query_with_handles() with aliased User double-JOIN
- Change list_audit_log user_id param to user_handle string with handle→UUID resolution
- Change export_audit_log user_id param to user_handle (Pitfall 7 — both endpoints enriched)
- Add GET /audit-log/daily-exports — lists MinIO audit-logs bucket, asyncio.to_thread
- Add GET /audit-log/daily-exports/{date} — streams CSV, date regex validation (T-06.2-04-01)
- Move daily-export endpoints before viewer to ensure specific path registration order
- Update test_audit_log_export_csv to match enriched CSV header (user_handle, actor_handle)
- All 10 test_audit.py tests pass
2026-05-31 15:17:53 +02:00
curo1305
d7cfc5ccee
test(06.2-04): add failing tests for handle enrichment, user_handle filter, daily exports
...
- test_audit_log_includes_user_handle: asserts user_handle/actor_handle in items
- test_audit_log_filter_by_handle: asserts filtering by handle works correctly
- test_audit_log_filter_unknown_handle: asserts 200+empty for unknown handle
- test_daily_exports_list: mocks MinIO list_objects, asserts sorted items
- test_daily_export_download: mocks MinIO get_object, asserts CSV response + 404 on bad date
2026-05-31 15:15:46 +02:00
curo1305
eab5f124f6
docs(06.2-03): complete cloud-delete gap closure — 24 tests pass
...
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-31 15:11:51 +02:00
curo1305
cce8586235
feat(06.2-03): frontend — CloudDeleteWarningModal + remove_only path in DocumentView
...
- api/client.js: deleteDocument gains removeOnly param; deleteDocumentRemoveOnly wrapper added
- DocumentView.vue: confirmDelete inspects response.cloud_delete_failed, shows modal on failure
- DocumentView.vue: inline CloudDeleteWarningModal (C-3 contract) with Remove from app / Cancel
- confirmRemoveOnly() calls DELETE ?remove_only=true and navigates to /
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-31 15:11:31 +02:00
curo1305
95c7ed786a
feat(06.2-03): backend — cloud-aware delete routing + skip_quota + remove_only param
...
- storage.delete_document gains skip_quota=False param; quota decrement gated on it
- DELETE /api/documents/{id} gains remove_only=bool query param
- Cloud docs (storage_backend != minio): attempt cloud backend delete_object first
- On failure: return HTTP 200 {success: false, cloud_delete_failed: true} (not 4xx)
- On success or remove_only: delete DB row with skip_quota=True
- Cloud creds/exception message never included in response body (T-06.2-03-02)
- Promote 3 xfail stubs to real tests (propagates, failure, remove_only)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-31 15:09:44 +02:00