11 Commits

Author	SHA1	Message	Date
Yusuf Suleman	7a7286ac1c	fix(gateway,inventory): trust model hardening (#5) ... - Renamed SERVICE_LEVEL_AUTH to GATEWAY_KEY_SERVICES (clarifies intent) - Removed /debug-nocodb endpoint from inventory (exposed full table dump) - Hardened NocoDB search filter construction: strip (), ~, , chars to prevent filter injection. Reject queries under 2 chars. Files: gateway/dashboard.py, services/inventory/server.js	2026-03-29 13:48:18 -05:00
Yusuf Suleman	4ecd2336b5	fix: complete remaining remediation (#5, #8, #9) ... #5 Gateway Trust Model: - Token validation now uses protected endpoints, not health checks - Unknown services rejected (no fallback to unprotected endpoint) - Trust model documented in docs/trust-model.md #8 CI Enforcement: - Added .gitea/workflows/security.yml with: - Dependency audit (npm audit --audit-level=high for budget) - Secret scanning (checks for tracked .env/.db, hardcoded secrets) - Dockerfile lint (non-root USER, HEALTHCHECK presence) #9 Performance Hardening: - Budget /summary: 1-minute in-memory cache (avoids repeated account fan-out) - Gateway /api/dashboard: 30-second per-user cache (50x faster on repeat) - Inventory health endpoint added before auth middleware Closes #5, #8, #9	2026-03-29 10:13:00 -05:00
Yusuf Suleman	72747668f9	fix: remaining security and deployment hardening (#6 #7 #10) ... #7 Transport Security: - Removed legacy _ssl_ctx alias from config.py - proxy.py now uses _internal_ssl_ctx directly (explicitly scoped) - No global TLS bypass remains #10 Deployment Hardening: - Inventory Dockerfile: non-root (node user), health check, production deps - Budget Dockerfile: non-root (node user), health check, npm ci, multi-stage ready - Frontend-v2 Dockerfile: multi-stage build, non-root (node user), health check - Added /health endpoints to inventory and budget (before auth middleware) - All 6 containers now run as non-root with health checks All services verified: gateway, trips, fitness, inventory, budget, frontend	2026-03-29 09:35:39 -05:00
Yusuf Suleman	0ed8f1f83e	fix: deployment hardening — non-root containers and health checks (#10) ... - Gateway, Trips, Fitness Dockerfiles: run as non-root (appuser) - Added HEALTHCHECK to gateway, trips, fitness - Used --chown=appuser on COPY for correct file permissions - Created data dirs with proper ownership before USER switch - Trips Dockerfile no longer copies whole context (only server.py) Partial fix for #10 — Node services (inventory, budget, frontend) not yet hardened.	2026-03-29 09:18:42 -05:00
Yusuf Suleman	14c667bd5e	fix: resolve path-to-regexp ReDoS vulnerability in budget service (#8) ... - Ran npm audit fix on services/budget — updated path-to-regexp - npm audit now reports 0 vulnerabilities - CI enforcement deferred (no Gitea CI runner configured) Partial fix for #8 — vulnerability resolved, CI setup remaining.	2026-03-29 09:14:21 -05:00
Yusuf Suleman	79d2c3b4b6	fix: remove all default credentials (#2) ... - Gateway: admin user seeded from ADMIN_USERNAME/ADMIN_PASSWORD env vars (no more hardcoded admin/admin). Warns if not set. - Trips: USERNAME/PASSWORD env vars no longer default to admin/admin. Warns if not set. - Fitness: user seed requires USER{n}_USERNAME/PASSWORD env vars. No more "changeme" fallback. Skips seed if not set. - /api/auth/register remains disabled (403) Closes #2	2026-03-29 09:10:44 -05:00
Yusuf Suleman	fcb9383623	fix(gateway): enforce API key auth on inventory and budget services (#5) ... - Added X-API-Key middleware to inventory-service and budget-service - Services reject all requests without valid API key (401) - Gateway proxy injects service API keys for inventory and budget - Dashboard widget fetchers inject API keys - Generated unique API keys per service, stored in .env - Added SERVICE_API_KEY env var to docker-compose for both services Partial fix for #5 — internal services now require auth. Remaining: document trust model, validate service token semantics.	2026-03-29 09:06:41 -05:00
Yusuf Suleman	fb79f15f75	fix(fitness): eliminate cross-user data access (#4) ... - All user_id query params now enforced to authenticated user's own ID - /api/users restricted to return only current user (no user enumeration) - Wildcard CORS headers removed (service is internal-only via gateway) - Covers: entries, totals, goals, templates, favorites, goal setting Closes #4	2026-03-29 08:53:04 -05:00
Yusuf Suleman	d700ba7569	fix(trips): enforce password protection on shared trips (#3) ... - handle_share_api now checks X-Share-Password header against bcrypt hash before returning trip data. Returns 401 with {protected: true} if password required but not provided/incorrect - share_password now stored as bcrypt hash, not plaintext - All plaintext password logging removed from handle_share_verify - handle_share_verify uses bcrypt.checkpw instead of string equality - Migration invalidates existing plaintext share passwords (< 50 chars) - Removed dead hash_password function (used hashlib.sha256) - Added bcrypt to trips Dockerfile Closes #3	2026-03-29 08:50:45 -05:00
Yusuf Suleman	6bd23e7e8b	fix: security hardening across platform ... - Disable open /api/auth/register endpoint (gateway) - Require gateway session auth on Immich and Karakeep hooks proxies - Replace SHA-256 with bcrypt in fitness service (auth + seed) - Remove hardcoded Telegram user IDs from fitness seed - Add Secure flag to session cookie - Add domain allowlist and content-type validation to image proxy - Strengthen .gitignore (env variants, runtime data, test artifacts)	2026-03-29 08:25:50 -05:00
Yusuf Suleman	d3e250e361	Initial commit: Second Brain Platform ... Complete platform with unified design system and real API integration. Apps: Dashboard, Fitness, Budget, Inventory, Trips, Reader, Media, Settings Infrastructure: SvelteKit + Python gateway + Docker Compose	2026-03-28 23:20:40 -05:00