71 lines
3.4 KiB
Markdown
71 lines
3.4 KiB
Markdown
# CURRENT AI WORKING SESSION — HANDOVER
|
|
|
|
**Active AI:** Gemini (Antigravity)
|
|
**Last Updated:** 2026-04-12
|
|
**Current Version:** v1.4.0
|
|
**Branch:** dev
|
|
|
|
---
|
|
|
|
## STATUS: 🟢 STABLE — SECURITY HARDENING & PWA OPTIMIZATION COMPLETE
|
|
|
|
The TFM aInventory v1.4.0 is now fully hardened, tested, and optimized for mobile/enterprise use. All security vulnerabilities identified in the audit have been addressed, and the UI has been upgraded to a high-fidelity "Premium" standard.
|
|
|
|
---
|
|
|
|
## WHAT WAS DONE THIS SESSION
|
|
|
|
### 1. Security Hardening (Backend)
|
|
- **Rate Limiting** — Implemented `slowapi` on `/users/login` (5 req/min) to prevent brute-force attacks.
|
|
- **RBAC Enforcement** — Restricted `DELETE /items/` exclusively to the **Admin** role.
|
|
- **Sensitive Data** — Scrubbed `JWT_SECRET_KEY` and other sensitive snippets from debug logs.
|
|
- **REST API Testing** — Developed an automated Python test suite (`backend/tests/api_bench.py`) to verify Auth, RBAC, and Rate Limiting. Confirmed all **PASS**.
|
|
|
|
### 2. Admin & LDAP Integration
|
|
- **Dual Group Mapping** — Restored the UI fields for strictly mapping separated Admin and User groups in LDAP.
|
|
- **TLS Configuration** — Replaced the text link with a high-visibility **Switch Component** for TLS activation.
|
|
- **State Cleanup** — Fixed initialization bugs where the Enterprise card wouldn't load from disk correctly.
|
|
|
|
### 3. PWA & Mobile Expert Audit
|
|
- **Icon Assets** — Generated missing PWA icons (192, 512, maskable) from the source logo using `sips`.
|
|
- **Manifest Upgrade** — Added "Maskable" icon support, orientation lock, and app shortcuts.
|
|
- **iOS Support** — Added Apple-specific meta tags (`apple-mobile-web-app-capable`, status bar styles) for a native experience on iPhone.
|
|
|
|
### 4. Modern CSS & Visual Excellence
|
|
- **Glassmorphism** — Created and applied a custom `.glass-card` utility (backdrop-blur-xl + subtle gradients) to all primary UI sections.
|
|
- **Safe Areas** — Implemented `pb-safe` to ensure bottom navigation doesn't overlap with iOS home bars.
|
|
- **Fluid Typography** — Added `clamp()` based scaling for better readability across devices.
|
|
|
|
### 5. Production Export Cleanup
|
|
- **`export_prod.sh`** — Updated to explicitly exclude `tests/` folders and development benchmarking scripts.
|
|
- **New Bundle** — Generated a clean **`aInventory-PROD-v1.4.0.zip`**.
|
|
|
|
---
|
|
|
|
## WHAT THE NEXT AI MUST DO
|
|
|
|
1. **Database Encryption** — Consider implementing SQLite encryption at rest (SQLCipher) as per the security report.
|
|
2. **Persistent JWT** — If requested, move the `JWT_SECRET_KEY` to a `.env` file for session persistence across server restarts.
|
|
3. **LDAP Probe** — The "Test Connection" button may show "Partial Success" (handshake rejected) due to anonymous bind restrictions; login itself works fine.
|
|
4. **Monitoring** — If the rate limiter triggers too frequently for legitimate users, adjust the `slowapi` limit in `backend/routers/users.py`.
|
|
|
|
---
|
|
|
|
## SYSTEM STATE
|
|
|
|
**Active database:** `<project_root>/data/inventory.db`
|
|
**LDAP config:** `backend/config/ldap_config.json`
|
|
**Production Bundle:** `aInventory-PROD-v1.4.0.zip` (Clean)
|
|
|
|
**How to start:**
|
|
```bash
|
|
./start_server.sh
|
|
```
|
|
- Frontend: `https://<LOCAL_IP>:3003`
|
|
- Backend: `https://<LOCAL_IP>:3002`
|
|
|
|
**Environment variables set by start_server.sh:**
|
|
- `ALLOWED_ORIGINS` — auto-detected
|
|
- `DATA_DIR` — absolute path
|
|
- `JWT_SECRET_KEY` — ephemeral (regenerates on restart)
|