DmitrL-dev
d1f844235e
chore: add copyright headers, CI tests, and sanitize gitignore
2026-03-31 22:13:34 +10:00
DmitrL-dev
5cbb3d89d3
chore: migrate module path to syntrex-lab and prepare open source release
2026-03-31 22:01:51 +10:00
DmitrL-dev
a54c892736
security: deep audit fixes — error leak prevention, DOMPurify XSS guard, mutex race fix, i18n parity, HMAC warning
...
- [C-1] Fix sync.Mutex copy in guard.GuardStats (go vet race condition)
- [C-2] Replace 3x raw err.Error() HTTP leaks with generic messages (tenant_handlers, ws_transport, immune)
- [M-1] Add isomorphic-dompurify to LegalPage and AIAssistant (XSS defense-in-depth)
- [M-4] Add swaggo/swag dependency for Swagger docs
- [L-4] Add slog.Warn for hardcoded dev HMAC key in tpmaudit
- [L-5] Add 2 missing i18n keys (nav.contacts, nav.start_free) — 365/365 parity
2026-03-31 19:52:21 +10:00
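The [C-2] item above (raw err.Error() text reaching HTTP clients) is a pattern worth seeing in code. The following is an added example, not code from the syntrex-lab project: a small Go helper that logs the full error server-side with slog and a correlation id, and returns only a generic body to the caller. The ClientError type, the Sanitize/WriteError names and the constructed pgx-style error string are assumptions made for the illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"log/slog"
	"net/http"
	"net/http/httptest"
	"os"
)

// ClientError is the one kind of error whose text may be shown to a caller.
// Anything else (database errors, file paths, upstream URLs) stays in the log.
type ClientError struct {
	Status int
	Public string
	Cause  error // optional underlying error, logged but never returned
}

func (e *ClientError) Error() string { return e.Public }
func (e *ClientError) Unwrap() error { return e.Cause }

// ErrorResponse is the JSON body every failed request receives.
type ErrorResponse struct {
	Error         string `json:"error"`
	CorrelationID string `json:"correlation_id"`
}

func newCorrelationID() string {
	var b [8]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "unknown"
	}
	return hex.EncodeToString(b[:])
}

// Sanitize maps any error to a status and a client-safe body. The original
// error text is never copied into the response; the correlation id lets an
// operator find the full detail in the server log.
func Sanitize(err error) (int, ErrorResponse) {
	id := newCorrelationID()
	var ce *ClientError
	if errors.As(err, &ce) {
		return ce.Status, ErrorResponse{Error: ce.Public, CorrelationID: id}
	}
	return http.StatusInternalServerError, ErrorResponse{Error: "internal server error", CorrelationID: id}
}

// WriteError replaces the leaky pattern
//     http.Error(w, err.Error(), http.StatusInternalServerError)
// with: log everything server-side, return only the generic body.
func WriteError(w http.ResponseWriter, logger *slog.Logger, err error) {
	status, resp := Sanitize(err)
	logger.Error("request failed",
		"correlation_id", resp.CorrelationID,
		"status", status,
		"err", err, // full detail, including any wrapped cause, goes to the log only
	)
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	_ = json.NewEncoder(w).Encode(resp)
}

func main() {
	logger := slog.New(slog.NewTextHandler(os.Stderr, nil))
	// Constructed failure standing in for a real database error from a tenant handler.
	dbErr := fmt.Errorf("list tenants: %w", errors.New(`ERROR: relation "tenants" does not exist (SQLSTATE 42P01)`))
	rec := httptest.NewRecorder()
	WriteError(rec, logger, dbErr)
	fmt.Println(rec.Code, rec.Body.String())
}
```

The point of the split between Sanitize and WriteError is that the client-facing mapping is a pure function that can be unit-tested for leaks (assert the response never contains the wrapped error text) independently of the HTTP plumbing.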
DmitrL-dev
fe9415ab74
feat(ci): implement SDD-107 GitHub Actions automation
2026-03-31 11:19:46 +10:00
DmitrL-dev
4d6aeedccd
fix(auth): whitelist /api/auth/demo in JWT middleware to fix demo login
2026-03-31 08:38:46 +10:00
DmitrL-dev
06e5c81dd7
feat: align landing page pricing with billing dashboard and fix Free tier limits
2026-03-31 08:29:25 +10:00
DmitrL-dev
dc90f209fa
feat: implement interactive demo mode and soc generator
2026-03-31 08:22:35 +10:00
DmitrL-dev
d0a02b1506
feat: Superadmin impersonation and env password override
2026-03-31 07:41:07 +10:00
DmitrL-dev
f833602145
fix(auth): remove hardcoded admin password and use env var / random generation fallback
2026-03-30 20:34:24 +10:00
DmitrL-dev
2a3ed1c319
feat(security): enforce plan-based access, add Free tier API keys UI
2026-03-27 20:33:46 +10:00
DmitrL-dev
dd977b7d46
fix(sec): critical tenant isolation - pgx placeholders, requireSOC hardening, plan upgrade guard
...
- Fix pgx/v5 SQL placeholder bug (? -> /) in tenant_handlers.go
- tenant_id was silently failing to write/read, causing empty TenantID in JWT
- Harden requireSOC middleware to BLOCK when TenantID is empty (was pass-through)
- Block paid plan upgrades without Stripe payment verification
- Add in-memory cache update for tenant_id on registration
- Add fallback tenant_id read from User object in HandleVerifyEmail
2026-03-27 19:11:55 +10:00
DmitrL-dev
577fa9400a
fix(auth): comprehensive sync of cookie-based sessions across register, verify, and middleware
2026-03-27 18:42:54 +10:00
DmitrL-dev
9abdd86540
fix: open registration by default and handle slug collision gracefully
2026-03-27 18:13:17 +10:00
DmitrL-dev
5ddfa74771
chore: Apply dashboard audit remediations, sync engine counts, update APIs
2026-03-27 16:54:18 +10:00
DmitrL-dev
b8097d3f1b
feat: SOC ghost sinkhole, rate limiter, RBAC, demo seed
2026-03-27 12:45:11 +10:00
DmitrL-dev
ab55fe2b58
fix: make SOC ingest JWT-exempt for sensor access + battle script JWT login
2026-03-25 20:14:43 +10:00
DmitrL-dev
9b2b05dfce
fix: persistUser preserves tenant_id (prevents overwrite on login)
2026-03-24 12:10:40 +10:00
DmitrL-dev
62ecc1c7a3
sec: fix C4/C5/M4/M5 + domain migration to syntrex.pro
...
C4: Remove localhost:9100 fallback from 27 dashboard files (use relative URLs)
C5: JWT token_type differentiation (access vs refresh) - middleware rejects refresh as Bearer
M4: Server-side registration gate via SOC_REGISTRATION_OPEN env var
M5: HTML tag stripping on name/org_name fields (XSS prevention)
Domain migration:
- users.go: admin@syntrex.pro
- zerotrust.go: SPIFFE trust domain
- sbom.go: namespace URL
- .env.production.example: all URLs updated
- identity_test.go: test email
2026-03-24 11:49:33 +10:00
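Two of the fixes in this log describe the same middleware decision from different angles: C5 above (the middleware rejects a refresh token presented as a Bearer access token, distinguished by a token_type claim) and the requireSOC hardening in dd977b7d46 (block the request when TenantID is empty instead of passing it through). The following is an added example in Go, not the project's own code, showing both checks on top of a minimal stdlib HS256 JWT. The Claims field names, the Sign/Verify/AuthorizeBearer functions, the error values and the constructed key are assumptions for the illustration; the project's real signing code and key handling are not on this page.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims carried by both access and refresh tokens. TokenType is what lets the
// middleware tell them apart; TenantID is what downstream RBAC filters on.
type Claims struct {
	Sub       string `json:"sub"`
	TenantID  string `json:"tenant_id,omitempty"`
	TokenType string `json:"token_type"` // "access" or "refresh"
	Exp       int64  `json:"exp"`
}

var (
	ErrBadToken  = errors.New("malformed or badly signed token")
	ErrExpired   = errors.New("token expired")
	ErrNotAccess = errors.New("refresh token presented as Bearer access token")
	ErrNoTenant  = errors.New("token carries no tenant_id")
)

var enc = base64.RawURLEncoding

// Sign produces a compact HS256 JWT: header.payload.signature.
func Sign(key []byte, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc.EncodeToString(mac.Sum(nil)), nil
}

// Verify pins the algorithm, checks the HMAC in constant time and the expiry,
// then returns the claims. It does not care which token type it is given.
func Verify(key []byte, token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, ErrBadToken
	}
	hdrJSON, err := enc.DecodeString(parts[0])
	if err != nil {
		return Claims{}, ErrBadToken
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "HS256" {
		return Claims{}, ErrBadToken // "none" or an asymmetric alg is never accepted
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := enc.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return Claims{}, ErrBadToken
	}
	payload, err := enc.DecodeString(parts[1])
	if err != nil {
		return Claims{}, ErrBadToken
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, ErrBadToken
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, ErrExpired
	}
	return c, nil
}

// AuthorizeBearer is the check a JWT middleware runs on the Authorization header
// of a tenant-scoped route: the token must verify, must be an access token (a
// refresh token is refused here even though its signature is valid), and must
// carry a tenant_id; an empty tenant is blocked, not passed through.
func AuthorizeBearer(key []byte, authz string, now time.Time) (Claims, error) {
	const prefix = "Bearer "
	if !strings.HasPrefix(authz, prefix) {
		return Claims{}, ErrBadToken
	}
	c, err := Verify(key, strings.TrimPrefix(authz, prefix), now)
	if err != nil {
		return Claims{}, err
	}
	if c.TokenType != "access" {
		return Claims{}, ErrNotAccess
	}
	if c.TenantID == "" {
		return Claims{}, ErrNoTenant
	}
	return c, nil
}

func main() {
	key := []byte("constructed-dev-key-do-not-ship") // assumption: a real key comes from env or a KMS
	now := time.Now()
	access, _ := Sign(key, Claims{Sub: "u1", TenantID: "t-42", TokenType: "access", Exp: now.Add(15 * time.Minute).Unix()})
	refresh, _ := Sign(key, Claims{Sub: "u1", TenantID: "t-42", TokenType: "refresh", Exp: now.Add(24 * time.Hour).Unix()})
	for _, tok := range []string{access, refresh} {
		_, err := AuthorizeBearer(key, "Bearer "+tok, now)
		fmt.Println("authorized:", err == nil, "err:", err)
	}
}
```

Note that the type check sits in the middleware, not in Verify: a refresh endpoint can still call Verify and accept token_type "refresh", while every other route goes through AuthorizeBearer. Keeping the tenant check there as well means a token minted without tenant_id (the silent failure mode described in dd977b7d46) fails closed instead of reaching a handler with an empty filter.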
DmitrL-dev
4a1bd09a13
fix: loadFromDB missing email_verified column in SELECT/Scan
2026-03-24 10:55:44 +10:00
DmitrL-dev
4ce94e9c77
SEC: Fix 3 CRITICAL + 3 MEDIUM red team findings
...
C1: Remove verification_code_dev from API response (CVSS 9.8)
- Code now logged server-side only when email service not configured
C2: Tenant isolation on /api/auth/users (CVSS 9.1)
- HandleListUsers filters by claims.TenantID
- TenantID added to User struct, DB migration, persistUser, loadFromDB
C3: Include TenantID in JWT tokens (CVSS 8.8)
- Login handler now uses Sign() with full Claims including TenantID
- Enables downstream RBAC tenant filtering
M1: nginx server_tokens off (hide version fingerprint)
M2: syntrex.pro added to server_name
M3: CORS multi-origin support (SOC_CORS_ORIGIN=origin1,origin2)
2026-03-24 10:32:50 +10:00
DmitrL-dev
8d87c453b0
feat: add free starter plan with 1000 scans/month quota tracking
2026-03-24 09:37:09 +10:00
DmitrL-dev
a120aa2750
fix: add /api/v1/scan to JWT public paths (demo scanner bypass auth)
2026-03-23 20:32:11 +10:00
DmitrL-dev
4a0f17873a
fix: convert auth users/tenants SQL from SQLite to PostgreSQL (BOOLEAN, ON CONFLICT, params, TIMESTAMPTZ)
2026-03-23 20:11:59 +10:00
DmitrL-dev
41cbfd6e0a
Release prep: 54 engines, self-hosted signatures, i18n, dashboard updates
2026-03-23 16:45:40 +10:00