docs: finalized v1.4.1 session logs and architecture security section
This commit is contained in:
@@ -59,3 +59,22 @@ To prevent data loss in basements or unstable networks:
|
||||
## 6. Automation & Versioning (`scripts/`)
|
||||
- **`scripts/save_version.py`**: Implements the `save-version` AI Command Shortcut. Increments `VERSION.json` patch version, commits all staged changes, creates a snapshot branch `v.X.Y.Z`, and calls `./export_prod.sh` to generate the production bundle. Always stays on the `dev` branch.
|
||||
|
||||
|
||||
## 7. Security & Hardening (v1.4.0)
|
||||
To ensure enterprise-grade protection, the following policies are enforced:
|
||||
|
||||
### 7.1 Access Control & RBAC
|
||||
- **Strict Separation:** Operations are divided into `user` and `admin` roles.
|
||||
- **Admin Only:** Critical operations such as `DELETE /items/`, user management, and DB settings are restricted via the `auth.get_current_admin` dependency.
|
||||
- **User Role:** Standard users are permitted to perform check-in/out and list inventory, but cannot delete catalog entries.
|
||||
|
||||
### 7.2 Brute-Force Protection
|
||||
- **Rate Limiting:** Implemented via `slowapi`. The `login` endpoint is limited to **5 requests per minute** per IP to mitigate automated credential stuffing.
|
||||
|
||||
### 7.3 Data Privacy
|
||||
- **Information Scrubbing:** Backend logs are configured to intercept and mask sensitive auth tokens or internal secrets (e.g., `JWT_SECRET_KEY`) during debug output.
|
||||
- **Direct Bind LDAP:** Authentication uses direct user binding to the LDAP server, avoiding the need for a privileged service account with broad search permissions.
|
||||
|
||||
### 7.4 PWA Trust & Security
|
||||
- **HTTPS Enforcement:** The system requires TLS (Port 3003) for camera access and secure token transmission.
|
||||
- **Manifest Integrity:** A comprehensive `manifest.json` ensures the app is recognized as a trusted PWA on mobile platforms (iOS/Android).
|
||||
|
||||
Reference in New Issue
Block a user