ealmeida
80a5f3bf42
feat(observabilidade): incremental chokidar watcher
2026-04-23 01:19:21 +01:00
ealmeida
7a13d21caa
fix(observabilidade): stub watcher exits cleanly with exit 0 for systemd Task 9
2026-04-23 01:01:42 +01:00
ealmeida
cdadc89cb0
fix(observabilidade): indexer CLI exits with code 1 if failed>0
2026-04-23 00:59:22 +01:00
ealmeida
296819df63
feat(observabilidade): indexer full scan + CLI + stub watcher
2026-04-23 00:57:46 +01:00
ealmeida
f1756829af
security: implement 6 high-severity vulnerability fixes
HIGH-SEVERITY FIXES (Phase 2):
1. Rate Limiting (Vulnerability 2.1)
   - express-rate-limit: 100 req/15min (prod), 1000 req/15min (dev)
   - Applied to all /api/* routes
   - Standard headers for retry-after
2. CORS Restrictions (Vulnerability 2.2)
   - Whitelist: dashboard.descomplicar.pt, desk.descomplicar.pt
   - Localhost only in development
   - CORS blocking logs
3. Input Validation with Zod (Vulnerability 2.4)
   - Generic validateRequest() middleware
   - Schemas: WordPress Monitor, server metrics, dashboard, financial
   - Applied to api/routes/wp-monitor.ts POST endpoint
   - Detailed field-level error messages
4. Backend Authentication OIDC (Vulnerability 2.5 - OPTIONAL)
   - Enabled via OIDC_ENABLED=true
   - Bearer token validation on all APIs
   - Backward compatible (disabled by default)
5. SSH Key-Based Auth Migration (Vulnerability 2.6)
   - Script: /media/ealmeida/Dados/Dev/ClaudeDev/migrate-ssh-keys.sh
   - Generates ed25519 key, copies to 6 servers
   - Instructions to remove passwords from .env
   - .env.example updated with SSH_PRIVATE_KEY_PATH
6. Improved Error Handling (Vulnerability 2.5)
   - Unique error IDs (UUID) for tracking
   - Structured JSON logs in production
   - Stack traces blocked in production
   - Generic messages to client
FILES CHANGED:
- api/server.ts - Complete refactor with all security improvements
- api/middleware/validation.ts - NEW: Zod middleware and schemas
- api/routes/wp-monitor.ts - Added Zod validation on POST
- .env.example - Complete security documentation
- CHANGELOG.md - Full documentation of 9 fixes (3 critical + 6 high)
- package.json + package-lock.json - New dependencies
DEPENDENCIES ADDED:
- express-rate-limit@7.x
- zod@3.x
- express-openid-connect@2.x
AUDIT STATUS:
- npm audit: 0 vulnerabilities
- Hook Regra #47: PASSED
PROGRESS:
- Phase 1 (Critical): 3/3 ✅ COMPLETE
- Phase 2 (High): 6/6 ✅ COMPLETE
- Phase 3 (Medium): 0/6 - Next
- Phase 4 (Low): 0/5 - Next
Related: AUDIT-REPORT.md vulnerabilities 2.1, 2.2, 2.4, 2.5, 2.6
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-14 04:09:50 +00:00
ealmeida
a19e07d83c
fix: remove HEAD-based site checker that caused false DOWN status
The checkAllSitesAvailability() function did HEAD requests from EasyPanel
to check sites. Many WordPress sites block HEAD or return errors, causing
all sites to show as DOWN while keeping valid response times from the
CWP collector. The CWP collector (collect-sites.sh) is the single source
of truth for site status.
Removed:
- checkSiteAvailability() and checkAllSitesAvailability() from monitoring service
- POST /api/monitor/check-sites endpoint
- api/scripts/check-sites.ts cron script
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-10 17:48:41 +00:00
ealmeida
1972937841
fix: Escape cron syntax in JSDoc comments to prevent early termination
2026-02-04 23:16:55 +00:00
ealmeida
1b05c051da
fix: Remove special characters from scripts for TypeScript compilation
2026-02-04 23:15:45 +00:00
ealmeida
13608a69bf
feat: WordPress Monitor API + Site Availability Checker
- Add POST /api/wp-monitor endpoint for WP plugin data
- Add GET /api/wp-monitor for listing monitored sites
- Add checkSiteAvailability() function for HTTP health checks
- Add checkAllSitesAvailability() for batch checking
- Add /api/scripts/check-sites.ts for cron execution
- Add POST /api/monitor/check-sites for manual trigger
DeskCRM Task: #1556
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-04 23:12:32 +00:00