Commit Graph

515 Commits

Author SHA1 Message Date
fs
d4978d1504 test(services): add 88 unit tests for 7 critical service classes
RateLimiterServiceTest (17): hit/isBlocked/reset/registerFailure, fail-open,
sliding window, scope normalization.
PermissionServiceTest (24): userHas, getUserPermissions, cache hit/miss/refresh,
clearUserCache, CRUD, system permission protection.
RoleServiceTest (9): createFromAdmin, updateFromAdmin, deleteByUuid,
Admin role protection, duplicate code rejection.
TenantServiceTest (8): CRUD, department-dependent deletion blocking.
DepartmentServiceTest (14): listPaged scope filtering, groupActiveByTenantIds,
createFromAdmin, deleteByUuid, syncTenants.
MailServiceTest (8): send logging, MailerException handling, template metadata.
UserLifecycleServiceTest (8): advisory locking, deactivation, deletion,
snapshot failure skip, privileged user exclusion, manual trigger type.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 13:57:54 +01:00
fs
f6777113ec test(gateways): add 27 unit tests for 3 security-critical gateway classes
AuthCryptoGatewayTest (10 tests): encrypt/decrypt round-trip, unique IVs,
Crypto payload format verification (GR-SEC-005), error handling.
SettingsCryptoGatewayTest (9 tests): interface compliance, round-trip,
AES-256-GCM format, tampered ciphertext handling.
OidcHttpGatewayTest (8 tests): success, 401/500, network error, malformed JSON.

Plan amended: PermissionGateway removed (does not exist in codebase).
SC-002 amended: payload format verification accepted as Crypto delegation proof.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 13:57:33 +01:00
fs
cf4a7ec9d5 test(access): finalize operations authorization policy coverage 2026-03-13 13:35:34 +01:00
fs
d28f85ac9e refactor(repository): deduplicate unwrap and id array helpers 2026-03-13 13:12:51 +01:00
fs
efa031ea5f plans doc and settings 2026-03-13 12:05:34 +01:00
fs
010690de19 refactor(actions): deduplicate audit metadata and grid user count enrichment 2026-03-13 12:05:11 +01:00
fs
892da0048d refactor(arch): enforce gateway compliance and remove service-wrapping gateways 2026-03-13 11:31:33 +01:00
fs
082fa4c9a5 empty states 2026-03-13 09:49:11 +01:00
fs
cb7256aebc variablen und empty states 2026-03-12 16:47:53 +01:00
fs
0b9014dcbf page update 2026-03-12 14:09:06 +01:00
fs
17a72af5f2 guard permission fix 2026-03-12 13:01:06 +01:00
fs
39a113c5fc fixed wrong warning with single tenant 2026-03-12 12:22:36 +01:00
fs
eb748b2fa4 setting UI/UX 2026-03-12 12:11:31 +01:00
fs
24a6b79f7a Fix tenant SSO status mode and refactor status UI tiles 2026-03-12 10:01:24 +01:00
fs
e9f73bc96a ui changes and role switch added 2026-03-12 09:41:18 +01:00
fs
2dc140b55a update mandant seed 2026-03-12 09:41:04 +01:00
fs
1cdd7e59c1 chore(ui): update shell layout and header/footer partials 2026-03-11 23:33:17 +01:00
fs
277168f7e8 feat(admin): preserve list return target for back and close actions 2026-03-11 23:32:11 +01:00
fs
bc9506866f Seed api_tokens.manage via init SQL 2026-03-11 22:18:54 +01:00
fs
71b2d4a696 Extend users detail empty states to remaining non-list areas 2026-03-11 22:05:03 +01:00
fs
4885135849 Adopt global empty-state for remaining user form empties 2026-03-11 21:42:43 +01:00
fs
a1c7c9cf7d Standardize global empty-state UI component 2026-03-11 21:38:15 +01:00
fs
51e9a5c19a Fill demo user address-book seed fields 2026-03-11 21:25:22 +01:00
fs
60b890d367 Finalize init defaults and auth flow UX improvements 2026-03-11 21:11:19 +01:00
fs
f27de98bed Improve seed defaults for tenant, departments, user role and generic DB names 2026-03-11 20:24:18 +01:00
fs
285d6edb2e Verify demo seed user and make init FK creation idempotent 2026-03-11 20:16:45 +01:00
fs
eefbad2318 Fix fresh DB init order for users current_tenant FK 2026-03-11 20:14:04 +01:00
fs
f94fa6ba2f Rename app branding from IMVS to CoreCore 2026-03-11 20:11:01 +01:00
fs
23bd0cbe2a spacing correction 2026-03-11 19:17:06 +01:00
fs
964c07a9de feat(auth): add microsoft auto-remember policy with tenant override and configurable remember TTL 2026-03-10 22:48:10 +01:00
fs
f403a6704f feat(tests): automate 5 remaining guards as contract tests
Extract findPatternMatchesIn*Files() to ProjectFileAssertionSupport
trait for reuse. Add contract tests for:
- GR-SEC-005: Encryption centralized in Crypto.php
- GR-SEC-006: File storage in storage/, not web/
- GR-SEC-002: No PII in error_log() calls
- GR-CORE-012: POST-Redirect-GET pattern enforcement
- GR-UI-015: i18n key completeness de ↔ en

Brings automated guard coverage from 24 to 29 test files.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 21:20:08 +01:00
fs
fd90065048 fix(security): add CSRF protection to all POST endpoints + contract tests (B2)
CSRF guards added to 16 admin pages that previously accepted POST requests
without token verification (GR-SEC-001): departments, permissions, roles,
settings, tenants, users (create/edit/bulk/tokens), and lang switch.

New contract tests:
- PostEndpointCsrfContractTest: scans all pages/ for POST handlers and
  verifies checkCsrfToken is present (API/data endpoints exempt).
- DatabaseUpdatesContractTest: validates db/updates/ scripts follow naming
  convention and use idempotent SQL patterns (GR-CORE-010).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 15:40:07 +01:00
fs
6286ec4179 settings ui/ux optimization 2026-03-09 22:29:45 +01:00
fs
1b872f145c added details card component 2026-03-09 21:57:52 +01:00
fs
af8ee10930 feat(auth): keep remember tokens on session timeout
- add timeout-specific logout path without remember-token revocation

- reset session timers after remember-me auto login

- compact session policy wording in admin settings (DE/EN)

- extend auth tests for timeout/manual logout behavior
2026-03-09 20:47:21 +01:00
fs
792af5a532 feat(settings): add admin session policy management 2026-03-09 20:07:55 +01:00
fs
7c75df51bb Erweiterung Contracts und Guards 2026-03-09 19:56:08 +01:00
fs
01c05d997f fix(security): enforce atomic role/permission writes and user assignment rollback 2026-03-09 19:54:58 +01:00
fs
11ca546eae feat(security): add session timeout + transaction wrapping (B1)
Session timeout: configurable idle (default 30min) and absolute (default 8h)
timeouts via DB settings, enforced in web/index.php on every request.
Timestamps set at login in action layer; graceful fallback for pre-existing
sessions.

Transaction wrapping: UserAccountService.createFromAdmin/register, roles
create/edit, and permissions edit now wrap multi-step DB operations in
transactions to guarantee atomicity.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-09 19:16:26 +01:00
fs
8d6cfa2fbc fix broken doc links 2026-03-09 18:30:52 +01:00
fs
7153fec05c feat(auth): harden login flows and finalize quality-check coverage 2026-03-07 22:54:33 +01:00
fs
aefe80457c fix(login): unify heading/subtitle and remove tracked cache 2026-03-07 21:24:32 +01:00
fs
9168730a8a further things around login 2026-03-07 21:21:47 +01:00
fs
fb6f87374f fix(theme): stabilize tenant switch theme propagation and toggle race handling
Task: REVIEW-USER-THEME-001
2026-03-07 20:14:29 +01:00
fs
e3a0c0eb37 ui/ux login optimization 2026-03-07 14:10:36 +01:00
fs
90a5126221 gitignore update 2026-03-06 22:02:09 +01:00
fs
5fb89485f4 login improvements 2026-03-06 21:59:41 +01:00
fs
dc6c135473 fix(auth): improve login accessibility semantics and add auth contract test
Task: AUTH-LOGIN-ACCESSIBILITY-001
2026-03-06 20:46:22 +01:00
fs
72886f4784 docs: restructure docs to diataxis and finalize DOCS-RESTRUCTURE-001 2026-03-06 12:25:18 +01:00
fs
9caa0a4f75 docs(agent): add SUPERGLOBAL-MIGRATION-001 run artifacts
Plan, execution report, guard review, acceptance review, and
finalize artifacts for the superglobal-to-abstraction migration
(87 pages migrated from $_SESSION/$_SERVER to
SessionStoreInterface/RequestRuntimeInterface).

Task: SUPERGLOBAL-MIGRATION-001

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-06 11:44:22 +01:00