fix(audit): address security audit findings

- Translate German error/warn messages in auth.js to English
- Add CODE_OF_CONDUCT.md (Contributor Covenant v2.1)
- Remove docs/claude-md-migration.md (internal migration artifact)
- Clarify README first-login instruction with credential hint
Ulas
2026-04-04 01:13:50 +02:00
parent 7a2516153c
commit c1176de661
4 changed files with 57 additions and 51 deletions
+54
@@ -0,0 +1,54 @@
# Contributor Covenant Code of Conduct
## Our Pledge
We as members, contributors, and leaders pledge to make participation in our
community a harassment-free experience for everyone, regardless of age, body
size, visible or invisible disability, ethnicity, sex characteristics, gender
identity and expression, level of experience, education, socio-economic status,
nationality, personal appearance, race, caste, color, religion, or sexual
identity and orientation.
We pledge to act and interact in ways that contribute to an open, welcoming,
diverse, inclusive, and healthy community.
## Our Standards
Examples of behavior that contributes to a positive environment:
* Demonstrating empathy and kindness toward other people
* Being respectful of differing opinions, viewpoints, and experiences
* Giving and gracefully accepting constructive feedback
* Accepting responsibility and apologizing to those affected by our mistakes
* Focusing on what is best not just for us as individuals, but for the overall community
Examples of unacceptable behavior:
* The use of sexualized language or imagery, and sexual attention or advances of any kind
* Trolling, insulting or derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information without their explicit permission
* Other conduct which could reasonably be considered inappropriate in a professional setting
## Enforcement Responsibilities
Community leaders are responsible for clarifying and enforcing our standards of
acceptable behavior and will take appropriate and fair corrective action in
response to any behavior that they deem inappropriate, threatening, offensive,
or harmful.
## Scope
This Code of Conduct applies within all community spaces, and also applies when
an individual is officially representing the community in public spaces.
## Enforcement
Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported to the community leaders responsible for enforcement. All complaints
will be reviewed and investigated promptly and fairly.
## Attribution
This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org),
version 2.1, available at https://www.contributor-covenant.org/version/2/1/code_of_conduct.html.
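Review bot: the `## Enforcement` section names no reporting channel; the upstream Contributor Covenant 2.1 text carries an `[INSERT CONTACT METHOD]` placeholder at exactly this spot, and it appears to have been dropped rather than filled in. Without an address or link, "may be reported to the community leaders responsible for enforcement" is not actionable. Suggest adding the contact, e.g. "reported to the community leaders responsible for enforcement at <project contact email or form>", and, if the project wants the graduated responses (Correction, Warning, Temporary Ban, Permanent Ban) that 2.1 defines, restoring the `## Enforcement Guidelines` section as well.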
+1 -1
@@ -72,7 +72,7 @@ docker compose up -d --build
docker compose exec oikos node setup.js docker compose exec oikos node setup.js
``` ```
Then open `http://localhost:3000` and log in. Add family members from Settings. Then open `http://localhost:3000` and log in with the admin credentials you set in the previous step. Add family members from Settings.
> **New to Docker?** The **[Installation Guide](docs/installation.md)** walks you through every step: From installing Docker to HTTPS setup, backups, and troubleshooting. > **New to Docker?** The **[Installation Guide](docs/installation.md)** walks you through every step: From installing Docker to HTTPS setup, backups, and troubleshooting.
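Review bot: "log in with the admin credentials you set in the previous step" is an improvement over the bare "log in", but the previous step shown is only `docker compose exec oikos node setup.js`; nothing in the visible context says that setup.js prompts for an admin username and password. Suggest stating that explicitly on the setup line or in this sentence (e.g. "setup.js will prompt you for the admin username and password; log in with those"), so readers do not look for a separate credential step, and keep any default or example credentials out of the README.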
-48
@@ -1,48 +0,0 @@
# CLAUDE.md Migration Summary
## Result
| | Lines |
|---|---|
| Before | 82 |
| After | 50 |
| Reduction | -39% (-32 lines) |
## What was removed and why
| Removed | Reason |
|---|---|
| `## Quick Reference` commands block (6 lines) | `npm start`, `npm run dev`, `npm test` are all in `package.json scripts`. Claude reads `package.json` on demand. `docker compose up -d` is a deployment detail, not a development constraint. |
| "These are non-negotiable. Every violation is a bug." intro | Moved to tighter one-liner before the list. |
| Full directory tree (21 lines) | Claude navigates the filesystem directly. Listing every file adds no behavioral value. Only non-obvious locations were kept. |
| "Pages are ES modules" standalone paragraph | Merged into Conventions. |
| Semicolons | Inferrable from reading any source file. |
| Header comment convention | Already documented in `CONTRIBUTING.md`. |
| DB table column pattern (`id`, `created_at`, `updated_at`) | Already in `CONTRIBUTING.md`. |
| Commit format and Changelog instructions (2 lines) | Already in `CONTRIBUTING.md`. Claude can read it when committing. |
| `## Current State` paragraph | Describes finished features - zero behavioral value. Becomes stale immediately. |
| "When to consult" column from Reference table | Padding. Claude decides when to read reference docs based on task context. |
## What moved to rules files
None. The remaining content is either universal (applies to every file) or a short pointer. No subsystem-specific rules justify a separate file at this project size.
## What was kept and why
| Kept | Why |
|---|---|
| All 8 Hard Constraints | Each prevents a class of wrong code that Claude would otherwise produce. The no-frameworks rule in particular would be violated without an explicit reminder. |
| API response shape `{data}` / `{error, code}` | Not inferrable without reading multiple route files. Applies to every new route. |
| `formatDate()`/`formatTime()` | Without this, Claude formats dates manually (e.g. `new Date().toLocaleDateString()`), producing inconsistent output. |
| `pages/*.js``render()`, no side effects | Structural contract not obvious from reading one page file. |
| `oikos-` prefix | Web Component naming convention. |
| Non-obvious file locations (`i18n.js`, `api.js`, `router.js`) | These live at `public/` root, not in a subdirectory. Easy to miss when navigating. |
| Request flow one-liner | Architectural orientation for new tasks. |
| Reference table (trimmed) | On-demand pointers replace inline content for spec details. |
## Token delta estimate
At ~4 chars/token average for this content:
- Before: ~1,800 tokens loaded every session
- After: ~1,100 tokens loaded every session
- Savings: ~700 tokens per session
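Review bot: deleting `docs/claude-md-migration.md` is reasonable for an internal artifact, but the hunk only removes the file; please check that no remaining document links to it (the README's `docs/` links and any index in `docs/`) so the removal does not leave a dangling reference. If the 8 Hard Constraints and the `{data}` / `{error, code}` response-shape rule summarised here are only recorded in CLAUDE.md, confirm that file still exists, since this table was the only other place they were enumerated.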
+2 -2
@@ -93,10 +93,10 @@ const sessionStore = new BetterSQLiteStore();
*/ */
if (!process.env.SESSION_SECRET) { if (!process.env.SESSION_SECRET) {
if (process.env.NODE_ENV === 'production') { if (process.env.NODE_ENV === 'production') {
throw new Error('[Auth] SESSION_SECRET muss in der .env gesetzt sein (Produktion).'); throw new Error('[Auth] SESSION_SECRET must be set in .env (production).');
} }
process.env.SESSION_SECRET = randomBytes(32).toString('hex'); process.env.SESSION_SECRET = randomBytes(32).toString('hex');
log.warn('SESSION_SECRET nicht gesetzt - zufaelliges Einmal-Secret generiert (Sessions ueberleben keinen Neustart).'); log.warn('SESSION_SECRET not set - generated ephemeral random secret (sessions will not survive restarts).');
} }
const sessionMiddleware = session({ const sessionMiddleware = session({
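Review bot: both translations are faithful to the German originals and the production-vs-development behaviour is unchanged, which is the right outcome for a translation-only change. One wording point on the `log.warn` line: it says what happened (an ephemeral secret was generated and sessions will not survive restarts) but not how to fix it, so consider appending the remedy, e.g. "set SESSION_SECRET in .env to persist sessions across restarts", mirroring the production error two lines above. Minor style point: the thrown error carries an `[Auth]` prefix while the warning does not; if `log` is already a scoped logger that adds the prefix, drop it from the error for consistency, otherwise add it to the warning.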