docs: finalized v1.4.1 session logs and architecture security section
This commit is contained in:
8
PLAN.md
8
PLAN.md
@@ -3,11 +3,7 @@
|
||||
This document tracks the immediate implementation checklist. For overarching design and constraints, see [PROJECT_ARCHITECTURE.md](PROJECT_ARCHITECTURE.md).
|
||||
|
||||
## Implementation Status
|
||||
- [x] **Phase 1: Backend Foundation** (FastAPI, SQLite, Models).
|
||||
- [x] **Phase 2: Modular AI Integration** (Gemini support, v2 SDK).
|
||||
- [x] **Phase 3: AI Onboarding UI** (Validation Mask, Camera integration).
|
||||
- [x] **Phase 4: Offline Synchronization** (Deduplicated Dexie -> SQL sync logic).
|
||||
- [x] **Phase 5: Inventory Trash Management** (Waste/Discard/Damage workflow).
|
||||
- [ ] **Phase 6: Audit Log Dashboard UI** (Visual historical interventions).
|
||||
- [ ] **Phase 8: Database Encryption** (Implementing SQLCipher for data-at-rest protection).
|
||||
- [ ] **Phase 9: Multi-Location Support** (Tracking inventory across different physical warehouses).
|
||||
|
||||
*(Note: Completed phases are periodically moved to `dev_docs/PLAN_HISTORY.md` according to AI_RULES)*
|
||||
|
||||
@@ -59,3 +59,22 @@ To prevent data loss in basements or unstable networks:
|
||||
## 6. Automation & Versioning (`scripts/`)
|
||||
- **`scripts/save_version.py`**: Implements the `save-version` AI Command Shortcut. Increments `VERSION.json` patch version, commits all staged changes, creates a snapshot branch `v.X.Y.Z`, and calls `./export_prod.sh` to generate the production bundle. Always stays on the `dev` branch.
|
||||
|
||||
|
||||
## 7. Security & Hardening (v1.4.0)
|
||||
To ensure enterprise-grade protection, the following policies are enforced:
|
||||
|
||||
### 7.1 Access Control & RBAC
|
||||
- **Strict Separation:** Operations are divided into `user` and `admin` roles.
|
||||
- **Admin Only:** Critical operations such as `DELETE /items/`, user management, and DB settings are restricted via the `auth.get_current_admin` dependency.
|
||||
- **User Role:** Standard users are permitted to perform check-in/out and list inventory, but cannot delete catalog entries.
|
||||
|
||||
### 7.2 Brute-Force Protection
|
||||
- **Rate Limiting:** Implemented via `slowapi`. The `login` endpoint is limited to **5 requests per minute** per IP to mitigate automated credential stuffing.
|
||||
|
||||
### 7.3 Data Privacy
|
||||
- **Information Scrubbing:** Backend logs are configured to intercept and mask sensitive auth tokens or internal secrets (e.g., `JWT_SECRET_KEY`) during debug output.
|
||||
- **Direct Bind LDAP:** Authentication uses direct user binding to the LDAP server, avoiding the need for a privileged service account with broad search permissions.
|
||||
|
||||
### 7.4 PWA Trust & Security
|
||||
- **HTTPS Enforcement:** The system requires TLS (Port 3003) for camera access and secure token transmission.
|
||||
- **Manifest Integrity:** A comprehensive `manifest.json` ensures the app is recognized as a trusted PWA on mobile platforms (iOS/Android).
|
||||
|
||||
@@ -133,5 +133,5 @@ For detailed technical documentation, see the [Project Architecture](../PROJECT_
|
||||
|
||||
---
|
||||
|
||||
**Version:** v1.3.6
|
||||
**Last Updated:** 2026-04-11
|
||||
**Version:** v1.4.0
|
||||
**Last Updated:** 2026-04-12
|
||||
|
||||
@@ -1,3 +1,20 @@
|
||||
### [2026-04-12] v1.4.1: Security Hardening, PWA Optimization & Modern CSS Upgrade
|
||||
**Purpose:** Implementation of security audit recommendations, REST API test suite, PWA asset generation, and visual UI refinements using Modern CSS.
|
||||
**Actions:**
|
||||
- `backend/routers/users.py` — Implemented rate limiting (5 req/min) on login and restricted `DELETE /items/` to Admin role.
|
||||
- `backend/tests/api_bench.py` (NEW) — Created automated API testing suite for Auth, RBAC, and Security verification.
|
||||
- `frontend/public/icons/` — Generated standard and maskable PWA icons from source logo.
|
||||
- `frontend/public/manifest.json` — Upgraded with maskable support, shortcuts, and orientation lock.
|
||||
- `frontend/app/layout.tsx` — Added iOS-specific native meta tags for a "Premium" look.
|
||||
- `frontend/app/globals.css` — Added `.glass-card` and `.pb-safe` (safe-area) CSS utilities.
|
||||
- `frontend/app/admin/page.tsx` — Restored Dual LDAP group mappings and applied Glassmorphism styling.
|
||||
- `export_prod.sh` — Excluded `tests/` and benchmarking scripts from production bundle.
|
||||
- `PROJECT_ARCHITECTURE.md` — Added Section 7 documenting Security & Hardening policies.
|
||||
- `SESSION_STATE.md` — Updated session status and handover note.
|
||||
**Status:** Stable. Build v1.4.1 release confirmed and committed.
|
||||
|
||||
---
|
||||
|
||||
### [2026-04-11] v1.3.6: Scanner Redesign, Auto-OCR Countdown & save-version Automation
|
||||
**Purpose:** Redesign the scanner UX for hands-free operation, enforce UI typography rules, add Item Type datalist, and create a reusable `save-version` AI command.
|
||||
**Actions:**
|
||||
|
||||
@@ -2,6 +2,10 @@
|
||||
This file tracks all completed tasks and phases moved from `PLAN.md`.
|
||||
|
||||
## Archive
|
||||
- **v1.4.1**: Security Hardening, REST API Tests, PWA Expert Audit & CSS Upgrades (2026-04-12)
|
||||
- **v1.4.0**: Audit Log Dashboard UI & Enterprise LDAP Integration Restored (2026-04-12)
|
||||
- **v1.3.6**: Scanner Redesign & Auto-OCR Automation (2026-04-11)
|
||||
- **v1.3.0**: Dockerization, HTTPS Proxy & Export Scripts (2026-04-11)
|
||||
- **v1.2.0**: Structured Category Groups & Item Types (2026-04-10)
|
||||
- **v1.1.0**: Auth System & LDAP Framework (2026-04-10)
|
||||
- **v1.0.0**: Initial PWA MVP (2026-04-10)
|
||||
|
||||
Reference in New Issue
Block a user