DashDescomplicar

Author SHA1 Message Date

Author	SHA1	Message	Date
Emanuel Almeida	1c941785e1	feat: rebuild Monitor page for Proxmox cluster architecture + activate WP monitoring - Rewrite Monitor.tsx with hierarchical cluster view (host + 4 VMs grid) - Add ProgressBar inverted prop for container health (100% = green) - Add per-site WordPress updates breakdown in WP Updates section - Fix wpMonitorSchema validation to accept plugin data (passthrough, flexible types) - All 8 WordPress sites now sending monitoring data via descomplicar-monitor plugin	2026-02-23 14:55:00 +00:00
Emanuel Almeida	36a26dac53	security: complete Fase 3 - all medium-severity vulnerabilities fixed MEDIUM-SEVERITY FIXES (Fase 3 complete): 1. Mock Data em Produção (Vulnerabilidade 3.2) ✅ - Mock data apenas em desenvolvimento (import.meta.env.DEV) - Produção mostra erro claro com retry button - Estado de erro com UI profissional 2. Connection Pool Timeouts (Vulnerabilidade 3.3) ✅ - JÁ CORRIGIDO em commit anterior (`20c16ab`) - connectTimeout: 10s, acquireTimeout: 15s, timeout: 30s 3. Tipo 'any' em Catch Blocks (Vulnerabilidade 3.4) ✅ - TODOS os ficheiros corrigidos (10/10) - catch (error: unknown) em vez de catch (error) - Type guards: error instanceof Error - Mensagens seguras sem vazamento de stack trace - Ficheiros: routes/.ts, services/.ts, middleware/validation.ts 4. APIs Sem Autenticação Backend (Vulnerabilidade 3.5) ✅ - JÁ IMPLEMENTADO em commit anterior (`f175682`) - OIDC opcional via OIDC_ENABLED=true 5. Algoritmos SSH Legacy (Vulnerabilidade 3.6) ✅ - Adicionados: curve25519-sha256, curve25519-sha256@libssh.org - Removidos: diffie-hellman-group14-sha1 (legacy) - Removidos: diffie-hellman-group1-sha1 (INSEGURO) - Apenas SHA256+ algorithms mantidos 6. Configuração OIDC (Vulnerabilidade 3.1) ✅ - JÁ IMPLEMENTADO em commit anterior (`f175682`) - OIDC completamente funcional (opcional) FILES CHANGED: - src/App.tsx - Error state + mock data apenas em dev - api/routes/.ts - Tipos unknown em todos os catch blocks - api/services/.ts - Tipos unknown em todos os catch blocks - api/middleware/validation.ts - Tipo correto (error.issues) - api/services/server-metrics.ts - Algoritmos SSH modernos BUILD STATUS: - TypeScript: ✅ PASSED - npm run build: ✅ SUCCESS - npm audit: ✅ 0 vulnerabilities PROGRESS: - Phase 1 (Critical): 3/3 ✅ COMPLETE - Phase 2 (High): 6/6 ✅ COMPLETE - Phase 3 (Medium): 6/6 ✅ COMPLETE - Phase 4 (Low): 0/5 - Next Related: AUDIT-REPORT.md vulnerabilities 3.1, 3.2, 3.3, 3.4, 3.5, 3.6 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-02-14 04:20:37 +00:00
Emanuel Almeida	f1756829af	security: implement 6 high-severity vulnerability fixes HIGH-SEVERITY FIXES (Fase 2): 1. Rate Limiting (Vulnerabilidade 2.1) - express-rate-limit: 100 req/15min (prod), 1000 req/15min (dev) - Applied to all /api/* routes - Standard headers for retry-after 2. CORS Restrictions (Vulnerabilidade 2.2) - Whitelist: dashboard.descomplicar.pt, desk.descomplicar.pt - Localhost only in development - CORS blocking logs 3. Input Validation with Zod (Vulnerabilidade 2.4) - Generic validateRequest() middleware - Schemas: WordPress Monitor, server metrics, dashboard, financial - Applied to api/routes/wp-monitor.ts POST endpoint - Detailed field-level error messages 4. Backend Authentication OIDC (Vulnerabilidade 2.5 - OPTIONAL) - Enabled via OIDC_ENABLED=true - Bearer token validation on all APIs - Backward compatible (disabled by default) 5. SSH Key-Based Auth Migration (Vulnerabilidade 2.6) - Script: /media/ealmeida/Dados/Dev/ClaudeDev/migrate-ssh-keys.sh - Generates ed25519 key, copies to 6 servers - Instructions to remove passwords from .env - .env.example updated with SSH_PRIVATE_KEY_PATH 6. Improved Error Handling (Vulnerabilidade 2.5) - Unique error IDs (UUID) for tracking - Structured JSON logs in production - Stack traces blocked in production - Generic messages to client FILES CHANGED: - api/server.ts - Complete refactor with all security improvements - api/middleware/validation.ts - NEW: Zod middleware and schemas - api/routes/wp-monitor.ts - Added Zod validation on POST - .env.example - Complete security documentation - CHANGELOG.md - Full documentation of 9 fixes (3 critical + 6 high) - package.json + package-lock.json - New dependencies DEPENDENCIES ADDED: - express-rate-limit@7.x - zod@3.x - express-openid-connect@2.x AUDIT STATUS: - npm audit: 0 vulnerabilities - Hook Regra #47: PASSED PROGRESS: - Phase 1 (Critical): 3/3 ✅ COMPLETE - Phase 2 (High): 6/6 ✅ COMPLETE - Phase 3 (Medium): 0/6 - Next - Phase 4 (Low): 0/5 - Next Related: AUDIT-REPORT.md vulnerabilities 2.1, 2.2, 2.4, 2.5, 2.6 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-02-14 04:09:50 +00:00

1c941785e1

feat: rebuild Monitor page for Proxmox cluster architecture + activate WP monitoring

- Rewrite Monitor.tsx with hierarchical cluster view (host + 4 VMs grid)
- Add ProgressBar inverted prop for container health (100% = green)
- Add per-site WordPress updates breakdown in WP Updates section
- Fix wpMonitorSchema validation to accept plugin data (passthrough, flexible types)
- All 8 WordPress sites now sending monitoring data via descomplicar-monitor plugin

2026-02-23 14:55:00 +00:00

Emanuel Almeida

36a26dac53

security: complete Fase 3 - all medium-severity vulnerabilities fixed

MEDIUM-SEVERITY FIXES (Fase 3 complete):

1. Mock Data em Produção (Vulnerabilidade 3.2) ✅
   - Mock data apenas em desenvolvimento (import.meta.env.DEV)
   - Produção mostra erro claro com retry button
   - Estado de erro com UI profissional

2. Connection Pool Timeouts (Vulnerabilidade 3.3) ✅
   - JÁ CORRIGIDO em commit anterior (20c16ab)
   - connectTimeout: 10s, acquireTimeout: 15s, timeout: 30s

3. Tipo 'any' em Catch Blocks (Vulnerabilidade 3.4) ✅
   - TODOS os ficheiros corrigidos (10/10)
   - catch (error: unknown) em vez de catch (error)
   - Type guards: error instanceof Error
   - Mensagens seguras sem vazamento de stack trace
   - Ficheiros: routes/*.ts, services/*.ts, middleware/validation.ts

4. APIs Sem Autenticação Backend (Vulnerabilidade 3.5) ✅
   - JÁ IMPLEMENTADO em commit anterior (f175682)
   - OIDC opcional via OIDC_ENABLED=true

5. Algoritmos SSH Legacy (Vulnerabilidade 3.6) ✅
   - Adicionados: curve25519-sha256, curve25519-sha256@libssh.org
   - Removidos: diffie-hellman-group14-sha1 (legacy)
   - Removidos: diffie-hellman-group1-sha1 (INSEGURO)
   - Apenas SHA256+ algorithms mantidos

6. Configuração OIDC (Vulnerabilidade 3.1) ✅
   - JÁ IMPLEMENTADO em commit anterior (f175682)
   - OIDC completamente funcional (opcional)

FILES CHANGED:
- src/App.tsx - Error state + mock data apenas em dev
- api/routes/*.ts - Tipos unknown em todos os catch blocks
- api/services/*.ts - Tipos unknown em todos os catch blocks
- api/middleware/validation.ts - Tipo correto (error.issues)
- api/services/server-metrics.ts - Algoritmos SSH modernos

BUILD STATUS:
- TypeScript: ✅ PASSED
- npm run build: ✅ SUCCESS
- npm audit: ✅ 0 vulnerabilities

PROGRESS:
- Phase 1 (Critical): 3/3 ✅ COMPLETE
- Phase 2 (High): 6/6 ✅ COMPLETE
- Phase 3 (Medium): 6/6 ✅ COMPLETE
- Phase 4 (Low): 0/5 - Next

Related: AUDIT-REPORT.md vulnerabilities 3.1, 3.2, 3.3, 3.4, 3.5, 3.6

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-02-14 04:20:37 +00:00

Emanuel Almeida

f1756829af

security: implement 6 high-severity vulnerability fixes

HIGH-SEVERITY FIXES (Fase 2):

1. Rate Limiting (Vulnerabilidade 2.1)
   - express-rate-limit: 100 req/15min (prod), 1000 req/15min (dev)
   - Applied to all /api/* routes
   - Standard headers for retry-after

2. CORS Restrictions (Vulnerabilidade 2.2)
   - Whitelist: dashboard.descomplicar.pt, desk.descomplicar.pt
   - Localhost only in development
   - CORS blocking logs

3. Input Validation with Zod (Vulnerabilidade 2.4)
   - Generic validateRequest() middleware
   - Schemas: WordPress Monitor, server metrics, dashboard, financial
   - Applied to api/routes/wp-monitor.ts POST endpoint
   - Detailed field-level error messages

4. Backend Authentication OIDC (Vulnerabilidade 2.5 - OPTIONAL)
   - Enabled via OIDC_ENABLED=true
   - Bearer token validation on all APIs
   - Backward compatible (disabled by default)

5. SSH Key-Based Auth Migration (Vulnerabilidade 2.6)
   - Script: /media/ealmeida/Dados/Dev/ClaudeDev/migrate-ssh-keys.sh
   - Generates ed25519 key, copies to 6 servers
   - Instructions to remove passwords from .env
   - .env.example updated with SSH_PRIVATE_KEY_PATH

6. Improved Error Handling (Vulnerabilidade 2.5)
   - Unique error IDs (UUID) for tracking
   - Structured JSON logs in production
   - Stack traces blocked in production
   - Generic messages to client

FILES CHANGED:
- api/server.ts - Complete refactor with all security improvements
- api/middleware/validation.ts - NEW: Zod middleware and schemas
- api/routes/wp-monitor.ts - Added Zod validation on POST
- .env.example - Complete security documentation
- CHANGELOG.md - Full documentation of 9 fixes (3 critical + 6 high)
- package.json + package-lock.json - New dependencies

DEPENDENCIES ADDED:
- express-rate-limit@7.x
- zod@3.x
- express-openid-connect@2.x

AUDIT STATUS:
- npm audit: 0 vulnerabilities
- Hook Regra #47: PASSED

PROGRESS:
- Phase 1 (Critical): 3/3 ✅ COMPLETE
- Phase 2 (High): 6/6 ✅ COMPLETE
- Phase 3 (Medium): 0/6 - Next
- Phase 4 (Low): 0/5 - Next

Related: AUDIT-REPORT.md vulnerabilities 2.1, 2.2, 2.4, 2.5, 2.6

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-02-14 04:09:50 +00:00

3 Commits