johan
/
dealspace
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
21 Commits 1 Branch 0 Tags 133 MiB
Commit Graph

11 Commits

Author SHA1 Message Date
James b17af439a0 Fix CSP: allow Tailwind CDN and Google Fonts 2026-02-28 11:45:49 -05:00
James 4758bafdb7 Comprehensive test suite: orgs, requests import, RBAC super_admin, domain validation 
New tests added:
- lib/types_test.go: OrgData, DealOrgData, RequestData, WorkstreamData JSON marshal tests
- lib/rbac_test.go additions: TestSuperAdminBypassesCheckAccess, TestIsSuperAdmin, TestIsSuperAdminRevokedGrant, TestSuperAdminCanGrantAnyRole
- api/orgs_test.go: TestCreateOrg, TestCreateOrgEmptyDomains, TestCreateOrgMissingDomains, TestListOrgs, TestSuperAdminCanListAllOrgs, TestGetOrg, TestUpdateOrg, and more
- api/requests_test.go: TestImportRequestsCSV, TestImportRequestsXLSX, TestImportSmartHeaderDetection, TestImportModeReplace, TestImportModeAdd, TestListRequests, TestPriorityNormalization, and more
- api/integration_test.go additions: TestFullDealWorkflow, TestSuperAdminSeeAllProjects

Total: 33 new test functions, all passing
 2026-02-28 07:20:09 -05:00
James 03b75e8a7b Security audit 2026-02-28: fix critical/high findings 
CRITICAL fixes:
- OTP code comparison now uses constant-time compare (timing attack)
- Backdoor code comparison now uses constant-time compare (timing attack)

HIGH fixes:
- CORS policy restricted to allowlist (was wildcard *)
- Added security headers middleware (X-Frame-Options, X-Content-Type-Options, CSP, etc.)

See docs/SECURITY-AUDIT-2026-02-28.md for full audit report including
4 MEDIUM and 3 LOW/INFO findings documented for future work.
 2026-02-28 07:17:06 -05:00
James 45ee8d0e4b Port diligence request model + CSV/XLSX import from old dealroom 
- Add RequestData and WorkstreamData types to lib/types.go
- Add excelize/v2 dependency for XLSX parsing
- Add GET /api/projects/{projectID}/requests endpoint (lists requests grouped by section)
- Add POST /api/projects/{projectID}/requests/import endpoint with:
  - Smart header detection (scans first 12 rows for keyword matches)
  - CSV and XLSX support (detects by extension + magic bytes)
  - Priority mapping (high/critical/urgent→high, low/nice/optional→low)
  - Mode: add or replace existing requests
  - Optional section_filter parameter
  - Optional create_workstreams=true to create workstreams from sections
- Update project.html template:
  - Requests tab calls /api/projects/{id}/requests
  - Results grouped by section with collapsible headers
  - Shows item_number, title, priority badge (colored dot), status badge
  - Import button opens modal with file upload, mode selector, options
 2026-02-28 07:13:29 -05:00
James e6a68822c2 Add all missing app templates: projects, project, request, orgs, admin 2026-02-28 06:48:51 -05:00
James 3df2482a4d chore: auto-commit uncommitted changes 2026-02-28 06:01:21 -05:00
James 5ac277ce6f Add test suite: crypto, dbcore, rbac, auth middleware, integration 2026-02-28 05:46:47 -05:00
James 44dde159f6 Add ops: systemd service, deploy scripts, backup, healthcheck, README 2026-02-28 05:38:02 -05:00
James d3b6e5a377 Switch Aria chatbot from Anthropic to Fireworks (llama-v3p3-70b) 2026-02-28 04:55:32 -05:00
James 4e89f79a67 Add Aria chatbot 
- New POST /api/chat endpoint for AI-powered chat
- Calls Anthropic Claude Haiku 3.5 with embedded Dealspace knowledge
- Rate limiting: 20 requests/IP/hour
- Lead capture: emails detected and saved to /opt/dealspace/data/leads.jsonl
- Frontend chat widget (chat.js, chat.css) added to all HTML pages
- Navy/gold theme matching site design
- Mobile responsive
- CORS configured for muskepo.com
 2026-02-28 04:52:19 -05:00
James 202bac8693 Initial Go foundation 
Complete project structure with FIPS 140-3 crypto (AES-256-GCM + HKDF-SHA256),
entry-based data model, three RBAC choke points (EntryRead/EntryWrite/EntryDelete),
optimistic locking, soft delete, blind indexes for search, embedded website,
and deployed to muskepo.com.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-28 04:25:57 -05:00