docs: finalized v1.4.1 session logs and architecture security section

This commit is contained in:
Daniel Bedeleanu
2026-04-12 10:49:48 +03:00
parent 50ae3671c9
commit e383b97d44
5 changed files with 44 additions and 8 deletions

View File

@@ -59,3 +59,22 @@ To prevent data loss in basements or unstable networks:
## 6. Automation & Versioning (`scripts/`)
- **`scripts/save_version.py`**: Implements the `save-version` AI Command Shortcut. Increments `VERSION.json` patch version, commits all staged changes, creates a snapshot branch `v.X.Y.Z`, and calls `./export_prod.sh` to generate the production bundle. Always stays on the `dev` branch.
## 7. Security & Hardening (v1.4.0)
To ensure enterprise-grade protection, the following policies are enforced:
### 7.1 Access Control & RBAC
- **Strict Separation:** Operations are divided into `user` and `admin` roles.
- **Admin Only:** Critical operations such as `DELETE /items/`, user management, and DB settings are restricted via the `auth.get_current_admin` dependency.
- **User Role:** Standard users are permitted to perform check-in/out and list inventory, but cannot delete catalog entries.
### 7.2 Brute-Force Protection
- **Rate Limiting:** Implemented via `slowapi`. The `login` endpoint is limited to **5 requests per minute** per IP to mitigate automated credential stuffing.
### 7.3 Data Privacy
- **Information Scrubbing:** Backend logs are configured to intercept and mask sensitive auth tokens or internal secrets (e.g., `JWT_SECRET_KEY`) during debug output.
- **Direct Bind LDAP:** Authentication uses direct user binding to the LDAP server, avoiding the need for a privileged service account with broad search permissions.
### 7.4 PWA Trust & Security
- **HTTPS Enforcement:** The system requires TLS (Port 3003) for camera access and secure token transmission.
- **Manifest Integrity:** A comprehensive `manifest.json` ensures the app is recognized as a trusted PWA on mobile platforms (iOS/Android).