mission-control

Commit Graph

Author	SHA1	Message	Date
Nyk	afa8e9dacb	fix: security hardening from audit (closes #460 ) - Hash session tokens (SHA-256) before storing in DB; migration for existing tokens - Enforce 12-char password minimum on self-service change (was 8, creation was 12) - Increase scrypt cost N=16384→65536 with progressive rehash on login - Add MC_PROXY_AUTH_TRUSTED_IPS to restrict proxy auth header spoofing - Enable HSTS by default in production (opt-out via MC_DISABLE_HSTS=1) - Restrict debug endpoint to allowlisted gateway API paths (SSRF prevention) - Default session cookie secure=true in production - Gate MC_DISABLE_RATE_LIMIT on NODE_ENV !== 'production' - Remove password value from insecure-default log warning - chmod 600 generated secrets file in Docker entrypoint	2026-03-21 18:45:48 +07:00
Nyk	2802f53d53	feat: add first-time setup wizard and zero-config startup Eliminate friction for new users by adding a web-based setup wizard, auto-generating infrastructure secrets, and providing actionable feedback when no admin account exists. - Add /setup page with visual progress steps for admin account creation - Add /api/setup route (GET: check status, POST: create admin + auto-login) - Auto-generate AUTH_SECRET and API_KEY when not set (persisted to .data/) - Add docker-entrypoint.sh for zero-config Docker startup - Login page auto-redirects to /setup when no users exist - Login API returns NO_USERS error code with setup guidance - Remove insecure defaults from .env.example - Update README Quick Start for zero-config Docker and web setup - Add CLAUDE.md for AI agent discoverability	2026-03-13 14:09:44 +07:00

Author

SHA1

Message

Date

Nyk

afa8e9dacb

fix: security hardening from audit (closes #460 )

- Hash session tokens (SHA-256) before storing in DB; migration for existing tokens
- Enforce 12-char password minimum on self-service change (was 8, creation was 12)
- Increase scrypt cost N=16384→65536 with progressive rehash on login
- Add MC_PROXY_AUTH_TRUSTED_IPS to restrict proxy auth header spoofing
- Enable HSTS by default in production (opt-out via MC_DISABLE_HSTS=1)
- Restrict debug endpoint to allowlisted gateway API paths (SSRF prevention)
- Default session cookie secure=true in production
- Gate MC_DISABLE_RATE_LIMIT on NODE_ENV !== 'production'
- Remove password value from insecure-default log warning
- chmod 600 generated secrets file in Docker entrypoint

2026-03-21 18:45:48 +07:00

Nyk

2802f53d53

feat: add first-time setup wizard and zero-config startup

Eliminate friction for new users by adding a web-based setup wizard,
auto-generating infrastructure secrets, and providing actionable
feedback when no admin account exists.

- Add /setup page with visual progress steps for admin account creation
- Add /api/setup route (GET: check status, POST: create admin + auto-login)
- Auto-generate AUTH_SECRET and API_KEY when not set (persisted to .data/)
- Add docker-entrypoint.sh for zero-config Docker startup
- Login page auto-redirects to /setup when no users exist
- Login API returns NO_USERS error code with setup guidance
- Remove insecure defaults from .env.example
- Update README Quick Start for zero-config Docker and web setup
- Add CLAUDE.md for AI agent discoverability

2026-03-13 14:09:44 +07:00

2 Commits