Commit Graph

120 Commits

Author SHA1 Message Date
James dafe075dc6 Restore clean project.html from e6a6882 + add import modal properly 2026-02-28 11:40:50 -05:00
James 489c4cf78c Fix login: use inline display:none instead of Tailwind hidden class 2026-02-28 10:54:31 -05:00
James 4758bafdb7 Comprehensive test suite: orgs, requests import, RBAC super_admin, domain validation

New tests added:
- lib/types_test.go: OrgData, DealOrgData, RequestData, WorkstreamData JSON marshal tests
- lib/rbac_test.go additions: TestSuperAdminBypassesCheckAccess, TestIsSuperAdmin, TestIsSuperAdminRevokedGrant, TestSuperAdminCanGrantAnyRole
- api/orgs_test.go: TestCreateOrg, TestCreateOrgEmptyDomains, TestCreateOrgMissingDomains, TestListOrgs, TestSuperAdminCanListAllOrgs, TestGetOrg, TestUpdateOrg, and more
- api/requests_test.go: TestImportRequestsCSV, TestImportRequestsXLSX, TestImportSmartHeaderDetection, TestImportModeReplace, TestImportModeAdd, TestListRequests, TestPriorityNormalization, and more
- api/integration_test.go additions: TestFullDealWorkflow, TestSuperAdminSeeAllProjects

Total: 33 new test functions, all passing
2026-02-28 07:20:09 -05:00
James 4aa03a1e54 Add production smoke test script

Comprehensive API smoke test for https://muskepo.com including:
- Auth flow (OTP challenge/verify with backdoor code)
- Projects CRUD (list, create)
- Organizations CRUD (list, create)
- Deal-org associations
- Requests CSV import
- Auth security (401 enforcement, enumeration protection)

Known missing endpoints documented:
- GET /api/projects/:id (returns 404)
- DELETE /api/projects/:id (returns 404)
- DELETE /api/orgs/:id (returns 405)

Test results: 14/14 passed, 1 skipped
2026-02-28 07:17:46 -05:00
James 03b75e8a7b Security audit 2026-02-28: fix critical/high findings

CRITICAL fixes:
- OTP code comparison now uses constant-time compare (timing attack)
- Backdoor code comparison now uses constant-time compare (timing attack)

HIGH fixes:
- CORS policy restricted to allowlist (was wildcard *)
- Added security headers middleware (X-Frame-Options, X-Content-Type-Options, CSP, etc.)

See docs/SECURITY-AUDIT-2026-02-28.md for full audit report including
4 MEDIUM and 3 LOW/INFO findings documented for future work.
2026-02-28 07:17:06 -05:00
James 45ee8d0e4b Port diligence request model + CSV/XLSX import from old dealroom

- Add RequestData and WorkstreamData types to lib/types.go
- Add excelize/v2 dependency for XLSX parsing
- Add GET /api/projects/{projectID}/requests endpoint (lists requests grouped by section)
- Add POST /api/projects/{projectID}/requests/import endpoint with:
  - Smart header detection (scans first 12 rows for keyword matches)
  - CSV and XLSX support (detects by extension + magic bytes)
  - Priority mapping (high/critical/urgent→high, low/nice/optional→low)
  - Mode: add or replace existing requests
  - Optional section_filter parameter
  - Optional create_workstreams=true to create workstreams from sections
- Update project.html template:
  - Requests tab calls /api/projects/{id}/requests
  - Results grouped by section with collapsible headers
  - Shows item_number, title, priority badge (colored dot), status badge
  - Import button opens modal with file upload, mode selector, options
2026-02-28 07:13:29 -05:00
James e6a68822c2 Add all missing app templates: projects, project, request, orgs, admin 2026-02-28 06:48:51 -05:00
James 32964abb7c super_admin bypasses CheckAccess — full rwdm on all projects 2026-02-28 06:32:21 -05:00
James 3df2482a4d chore: auto-commit uncommitted changes 2026-02-28 06:01:21 -05:00
James 5ac277ce6f Add test suite: crypto, dbcore, rbac, auth middleware, integration 2026-02-28 05:46:47 -05:00
James 242e063855 Add email system: mailer + 7 transactional templates 2026-02-28 05:46:03 -05:00
James e3ec9bc277 Remove binary from tracking, add to .gitignore 2026-02-28 05:42:52 -05:00
James 4371b00035 Add watermark tests and update website content 2026-02-28 05:40:58 -05:00
James 44dde159f6 Add ops: systemd service, deploy scripts, backup, healthcheck, README 2026-02-28 05:38:02 -05:00
James 2e20135f0f Full footer on all pages 2026-02-28 05:26:44 -05:00
James d3b6e5a377 Switch Aria chatbot from Anthropic to Fireworks (llama-v3p3-70b) 2026-02-28 04:55:32 -05:00
James 4e89f79a67 Add Aria chatbot

- New POST /api/chat endpoint for AI-powered chat
- Calls Anthropic Claude Haiku 3.5 with embedded Dealspace knowledge
- Rate limiting: 20 requests/IP/hour
- Lead capture: emails detected and saved to /opt/dealspace/data/leads.jsonl
- Frontend chat widget (chat.js, chat.css) added to all HTML pages
- Navy/gold theme matching site design
- Mobile responsive
- CORS configured for muskepo.com
2026-02-28 04:52:19 -05:00
James a8379a2a0c Add WebMCP + agent-friendly enhancements

- llms.txt: LLM-readable site description (llmstxt.org spec)
- mcp-manifest.json: WebMCP declarative API manifest
- robots.txt: Allow all AI crawlers + sitemap reference
- sitemap.xml: All 7 pages with priority/lastmod
- Schema.org SoftwareApplication markup in index.html
- OpenGraph + Twitter meta tags on all pages
- WebMCP form annotations on waitlist form
- aria-label on mobile menu buttons
2026-02-28 04:39:38 -05:00
James 202bac8693 Initial Go foundation

Complete project structure with FIPS 140-3 crypto (AES-256-GCM + HKDF-SHA256),
entry-based data model, three RBAC choke points (EntryRead/EntryWrite/EntryDelete),
optimistic locking, soft delete, blind indexes for search, embedded website,
and deployed to muskepo.com.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-28 04:25:57 -05:00
James 08996a1396 Initial spec 2026-02-28 03:21:44 -05:00