null/BillTracker

Commit Graph

Author	SHA1	Message	Date
null	2ce5328fd2	v0.25.0: roadmap redesign, import CSRF fix, AdminDashboard removed - RoadmapPage: kanban-style priority lanes, shadcn Collapsible/Tabs, lazy-loaded activity log, admin-only /api/about/roadmap + /dev-log endpoints - Import CSRF fix: added x-csrf-token header to importAdminBackup, previewSpreadsheetImport, previewUserDbImport raw fetch() calls - Removed AdminDashboard.jsx, replaced by RoadmapPage - Added @radix-ui/react-collapsible + collapsible shadcn component - Security audit by Private_Hudson: PASS (CSRF fix verified, admin endpoints gated, path traversal mitigated, XSS safe)	2026-05-11 21:42:36 -05:00
null	852da29b4d	v0.20.0: admin dashboard with roadmap and activity log - New AdminDashboard component with Roadmap and Activity Log - Color-coded priority cards (🔴🟠🟡🔵💭) with collapsible sections - CRITICAL/HIGH expanded by default, others collapsed - Activity log shows DEVELOPMENT_LOG entries in reverse chronological order - Admin-only rendering, non-admins see standard About page - Custom scrollbar styles for admin panels - Version bumped to 0.20.0 (Bishop)	2026-05-09 21:14:21 -05:00
null	a9cdf846fe	v0.19.2: fix legacy DB migration login failure + security hardening CRITICAL fix: Users upgrading from pre-migration-tracking databases (now get 'invalid username/password' because schema_migrations table doesn't exist. Added handleLegacyDatabase() and reconcileLegacyMigrations() to detect and reconcile legacy DBs. Security fixes: - Path traversal: replaced sanitizePath() with ALLOWED_FILES allowlist - Public /about bypass: added admin route guard in App.jsx - Sensitive info exposure: expanded redactSensitiveContent() patterns - Error message path leaks: generic error messages only - Race condition: wrapped in db.transaction() in server.js - Password validation: INIT_REGULAR_PASS min 8 chars with process.exit(1) All verified by Bishop (build + runtime) and Private_Hudson (security).	2026-05-09 18:25:25 -05:00
null	6c7d481494	feat: add admin about page with security hardening - Add /api/about-admin endpoint (admin-only, path traversal protection, content redaction, error sanitization) - Add /admin/about route with RequireAuth admin guard - Add adminActionLimiter rate limiting on about-admin endpoint - Add rehype-sanitize XSS prevention in AboutPage.jsx - Add aboutAdmin API client endpoint - Create HISTORY.md with version bump convention (patch/minor/major) - Update Engineering Reference Manual with about-admin docs and security measures - Add INIT_REGULAR_USER/INIT_REGULAR_PASS env vars to docs - Update FUTURE.md with critical regular user env var item	2026-05-09 16:25:12 -05:00
kaspa	4d1709aea3	push	2026-05-09 13:03:36 -05:00
_null	d1efeece04	push	2026-05-04 20:12:57 -05:00

6 Commits