BOHA
9f4b8a897a
feat(orders): issued-orders CRUD routes + audit entity type
...
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com >
2026-06-09 11:26:32 +02:00
BOHA
519edce373
fix: 2026-06-09 full-codebase audit hardening
...
Validation: shared NaN-guarded Zod coercion helpers in schemas/common.ts replace
the raw number|string transform idiom across every schema (the root-cause NaN bug
class); emailOrEmpty + lenient isoDateString/timeString.
Security: roles privilege-escalation closed; refresh-token family revocation on
reuse; TOTP uses config params; read endpoints permission-guarded; received-invoices
gross VAT on all paths; orders-pdf custom-items authz.
Concurrency: $queryRaw SELECT...FOR UPDATE locks in ascending-id order (warehouse
confirm/cancel, attendance lockUserRow); uniqueness checks moved into create
transactions (TOCTOU -> 409); deterministic id tiebreak on second-precision
timestamp ordering (plan resolveCell/resolveGrid, warehouse FIFO).
Frontend: Rules-of-Hooks fixed across ~14 pages + PlanCellModal; UTC-date persisted
fields; dashboard invalidation gaps; stale-closure confirm bugs.
Tooling/tests: ESLint flat config (react-hooks/rules-of-hooks = error) + Prettier;
tsconfig.test.json so tsc -b type-checks the tests; removed 3 dead deps; npm audit
fix (8 -> 3). Suite 195 -> 247 (happy-path auth, FIFO oldest-first, flakiness fixes),
isolated on app_test via .env.test with a hard-throw setup guard.
Gates: tsc 0 | build 0 | vitest 247/247 | eslint 0 errors.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com >
2026-06-09 06:45:26 +02:00
BOHA
744baec2ec
feat(security): audit-log session termination (single + all-others)
...
The two session-revocation endpoints wrote no audit entry. Added a 'session' EntityType (+ Czech label 'Relace') and logAudit on both deletes, so revoking sessions is recorded in the forensic trail.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com >
2026-06-06 02:40:41 +02:00
BOHA
c983747418
feat(plan): add plan category CRUD routes with audit
...
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com >
2026-06-06 00:38:25 +02:00
BOHA
d410e7433e
feat(plan): extend EntityType with work_plan_entry and work_plan_override
2026-06-05 12:07:48 +02:00
BOHA
d2d1cdbb92
feat(warehouse): add receipt, issue, reservation, inventory, and report routes
...
- Receipts: CRUD + confirm/cancel + multipart attachment upload/delete
- Issues: CRUD + confirm/cancel with auto-FIFO batch selection
- Reservations: list + create + cancel
- Inventory sessions: CRUD + confirm with auto system_qty calculation
- Reports: stock-status, project-consumption, movement-log, below-minimum
- Add confirm/cancel/upload audit actions and warehouse_receipt_attachment entity type
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com >
2026-05-29 14:17:33 +02:00
BOHA
2b1de583fd
feat(warehouse): add entity types, permissions, and number sequences
2026-05-29 14:08:35 +02:00
BOHA
d7c7fbad88
fix: security, validation, and data integrity fixes across 53 files
...
- Auth: HS256 algorithm restriction on JWT verify, timing-safe bcrypt
for inactive/locked users, locked_until check in loadAuthData, TOTP
fixes (async bcrypt, BigInt conversion, future-code counter fix)
- Validation: Zod enums for leave_type/status, numeric transforms on
foreign keys, VAT 0% coercion fix (Number(v)||21 → v!=null checks)
- Permissions: requirePermission on attendance PUT, attendance_users
and project_logs access checks, trips users filtered by trips.record
- Prisma queries: fixed roles.is:{OR} pattern (doesn't work on to-one
relations), attendance_users now filters by attendance.record only
- Transactions: wrapped deleteOrder, createOrder, updateUser, deleteUser,
duplicateOffer, bulkCreateAttendance, createLeave, scope-templates,
leave-requests, company-settings, profile updates
- Frontend: mountedRef reset in useListData, blob URL cleanup on unmount,
null checks on date fields, AdminDatePicker min/max for HH:mm
- Security headers: COOP, CORP, CSP frame-ancestors/form-action/base-uri
- Other: exchange-rate cache TTL, invoice-alert midnight comparison fix,
numbering.service releaseSequence no-op, nas-offers filename sanitize,
Content-Disposition header injection fix, mojibake Czech strings
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-04-28 08:40:38 +02:00
BOHA
528e55991b
security: fix all Critical and High findings from FLAWS_REPORT audit
...
- Auth: pessimistic locking on login tokens and refresh token rotation,
backup code attempt counter, rate limiting verification
- Schema: unique constraints on business numbers, FK relations,
unsigned/signed alignment, attendance duplicate prevention
- Invoices/PDFs: DOMPurify sanitization, bounded queries in stats
and alerts, VAT rounding, Puppeteer error handling
- Orders/Offers: transactional parent+child creation, Zod NaN
refinement, status enums, uniqueness checks
- Projects/Files: path traversal protection, streamed uploads,
permission guards, query param validation
- Attendance/HR: duplicate checks, ownership validation, GPS
restrictions, trip distance validation
- Frontend: modal lock reference counting, XSS escaping in print
HTML, ref mutation fixes, accessibility attributes
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-04-24 00:58:35 +02:00
BOHA
baceb88347
feat: NAS storage for invoices/offers, code cleanup, date/time fixes
...
- NAS storage for created invoices (PDF via puppeteer), received invoices,
and offers with auto-save on create/edit
- Deterministic file paths derived from DB fields (no file_path column needed)
- Separate NAS mount points: NAS_FINANCIALS_PATH, NAS_OFFERS_PATH
- Invoice language field (cs/en) stored per invoice, replaces lang modal
- Invoices list filtered by month/year matching KPI card selection
- Centralized date helpers (src/utils/date.ts) replacing all .toISOString()
calls that returned UTC instead of local time
- Attendance project switching uses exact time (not rounded)
- Comment cleanup: removed ~100 unnecessary/Czech comments
- Removed as-any casts in orders and attendance
- Prisma migrations: add invoice language, drop received_invoices BLOB columns
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-26 10:36:39 +01:00
BOHA
3c167cf5c4
style: run prettier on entire codebase
2026-03-24 19:59:14 +01:00
BOHA
456232cd82
fix: dashboard TOTP status always showing inactive
...
loadAuthData() didn't include totp_enabled or require_2fa in the
AuthData response. The frontend always saw undefined → false.
Now includes both fields from the database.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-23 20:31:06 +01:00
BOHA
49e668ee2a
feat: add project files REST endpoints with auth and audit logging
...
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-23 10:19:11 +01:00
BOHA
4608494a3f
initial commit
...
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-03-23 08:46:51 +01:00