6 commits

Author	SHA1	Message	Date
Martin Porwoll	eb48088887	fix(ci): use process.env directly for BYPASS_CSRF setting ... vi.stubEnv doesn't work reliably with dynamically imported modules. Using direct process.env assignment instead. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2025-12-15 13:42:19 +00:00
Martin Porwoll	97ede2ceb9	fix(ci): add BYPASS_CSRF control for security tests ... - CSRF bypass in CI can be disabled with BYPASS_CSRF=false - Security integration tests set BYPASS_CSRF=false to test CSRF validation 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2025-12-15 13:36:16 +00:00
Martin Porwoll	fdc6876207	fix(ci): add CI stub to security integration tests ... Ensure CSRF validation works normally during security API tests. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2025-12-15 13:27:44 +00:00
Martin Porwoll	6ccb50c5f4	docs: consolidate and update documentation ... - Remove obsolete instruction documents (PROMPT_*.md, SECURITY_FIXES.md) - Update CLAUDE.md with security features, test suite, audit logs - Merge Techstack_Dokumentation into INFRASTRUCTURE.md - Update SECURITY.md with custom login route documentation - Add changelog to TODO.md - Update email service and data masking for SMTP error handling - Extend test coverage for CSRF and data masking 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-12-09 09:25:00 +00:00
Martin Porwoll	53f26e7349	feat: admin UX improvements with tenant switcher and email config ... Tenant-Wechsel UI: - Add TenantBreadcrumb component showing active tenant in admin header - Add German translations for multi-tenant plugin selector - Integrate with existing plugin TenantSelector dropdown Email-Konfiguration UX: - Add SMTP field validation (host format, port range, required fields) - Add EmailDeliverabilityInfo component with SPF/DKIM/DMARC guidance - Add TestEmailButton component for SMTP configuration testing - Create /api/test-email endpoint with full security: - CSRF protection (double-submit cookie) - IP allowlist (same rules as /api/send-email) - Rate limiting (10/min per user) - Tenant access control with proper object normalization Security: - Add comprehensive integration tests for /api/test-email - Tests cover CSRF, IP blocking, auth, tenant access, input validation 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-12-08 16:33:39 +00:00
Martin Porwoll	0cdc25c4f0	feat: comprehensive security test suite ... Add 143 security tests covering all security modules: Unit Tests (125 tests): - rate-limiter.unit.spec.ts: limiter creation, request tracking, blocking, window reset, IP extraction, header generation - csrf.unit.spec.ts: token generation/validation, origin checking, double submit cookie pattern, referer validation - ip-allowlist.unit.spec.ts: CIDR matching, wildcards, endpoint- specific allowlist/blocklist rules, IP extraction - data-masking.unit.spec.ts: field detection, pattern matching, recursive masking, JWT/connection string/private key handling API Integration Tests (18 tests): - security-api.int.spec.ts: rate limiting responses, IP blocking, CSRF protection on state-changing endpoints Test Infrastructure: - tests/helpers/security-test-utils.ts: CSRF token generators, mock request builders, environment setup utilities - vitest.config.mts: updated to include unit tests - package.json: added test:unit and test:security scripts - .github/workflows/security.yml: added security-tests CI job Also updated detect-secrets.sh to ignore .spec.ts and .test.ts files which may contain example secrets for testing purposes. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-12-08 00:20:47 +00:00