Commit Graph

3 Commits

Author SHA1 Message Date
Дмитрий 0a641ba44f docs(audit): RLS dev↔prod gap discovery — Phase A of hole #7
20 cron/job classes analyzed against RLS-protected tables. 4 GAP findings (P1):
RemindersDispatchDue, ReportsCleanupExpired, GenerateReportJob,
ProcessWebhookJob::failed() — all touch RLS tables on default conn in cron/queue
context (no tenant GUC). Fail/silent on prod (crm_app_user), hidden on dev
(postgres superuser). Phase B fixes follow.
2026-05-23 10:03:14 +03:00
Дмитрий ded07d3a6b docs(d3): correct Security Guidance #40 — blocking hook, not warn-only
SG #40 was characterised across all D3 docs as warn-only / does not block. Verified end-to-end: security_reminder_hook.py does sys.exit(2) — a BLOCKING PreToolUse hook (one-time speed-bump per file+rule per session, the retry passes).

SG2: on this Windows host the bundled hooks.json hardcodes python3, absent from PATH — the hook never spawned (inert). Fixed with a python3.exe shim in the Python install dir (env-only, not in repo).

Normative sync: Tooling v2.5, PSR_v1 v3.5, Pravila v1.19, CLAUDE.md v2.5; ADR-003 amended; automation-graph sec_guidance nd(). Tool counts unchanged (40 positions).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-17 07:29:42 +03:00
Дмитрий 83a831c46d docs(audit): toolchain attack-surface procedure + audit/ home (D3 #5)
2026-05-17 06:15:29 +03:00