fix(audit): address security audit findings
- Translate German error/warn messages in auth.js to English
- Add CODE_OF_CONDUCT.md (Contributor Covenant v2.1)
- Remove docs/claude-md-migration.md (internal migration artifact)
- Clarify README first-login instruction with credential hint
@@ -0,0 +1,54 @@
# Contributor Covenant Code of Conduct

## Our Pledge

We as members, contributors, and leaders pledge to make participation in our
community a harassment-free experience for everyone, regardless of age, body
size, visible or invisible disability, ethnicity, sex characteristics, gender
identity and expression, level of experience, education, socio-economic status,
nationality, personal appearance, race, caste, color, religion, or sexual
identity and orientation.

We pledge to act and interact in ways that contribute to an open, welcoming,
diverse, inclusive, and healthy community.

## Our Standards

Examples of behavior that contributes to a positive environment:

* Demonstrating empathy and kindness toward other people
* Being respectful of differing opinions, viewpoints, and experiences
* Giving and gracefully accepting constructive feedback
* Accepting responsibility and apologizing to those affected by our mistakes
* Focusing on what is best not just for us as individuals, but for the overall community

Examples of unacceptable behavior:

* The use of sexualized language or imagery, and sexual attention or advances of any kind
* Trolling, insulting or derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information without their explicit permission
* Other conduct which could reasonably be considered inappropriate in a professional setting

## Enforcement Responsibilities

Community leaders are responsible for clarifying and enforcing our standards of
acceptable behavior and will take appropriate and fair corrective action in
response to any behavior that they deem inappropriate, threatening, offensive,
or harmful.

## Scope

This Code of Conduct applies within all community spaces, and also applies when
an individual is officially representing the community in public spaces.

## Enforcement

Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported to the community leaders responsible for enforcement. All complaints
will be reviewed and investigated promptly and fairly.

## Attribution

This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org),
version 2.1, available at https://www.contributor-covenant.org/version/2/1/code_of_conduct.html.
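Review bot: the Enforcement section says behavior "may be reported to the community leaders responsible for enforcement" but gives no way to reach them; the Contributor Covenant 2.1 template has an [INSERT CONTACT METHOD] placeholder at exactly that spot, and this adaptation dropped it without substituting an address. Add a contact channel (an e-mail address or a private reporting form) so that a report, including one about a maintainer, does not have to go through the public issue tracker. The Covenant's Enforcement Guidelines section (correction, warning, temporary ban, permanent ban) has also been left out; if that is intentional, say so in the commit message rather than describing the file as the v2.1 text.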
@@ -72,7 +72,7 @@ docker compose up -d --build
docker compose exec oikos node setup.js
```

Then open `http://localhost:3000` and log in. Add family members from Settings.
Then open `http://localhost:3000` and log in with the admin credentials you set in the previous step. Add family members from Settings.

> **New to Docker?** The **[Installation Guide](docs/installation.md)** walks you through every step: From installing Docker to HTTPS setup, backups, and troubleshooting.

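Review bot: "the admin credentials you set in the previous step" assumes the reader knows that `docker compose exec oikos node setup.js` asks for an admin username and password, but the step itself does not say so, and nothing else in this hunk does either. State it where the command is given, e.g. `docker compose exec oikos node setup.js   # prompts for the admin username and password`, so the back-reference resolves for someone reading the quick-start top to bottom.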
@@ -1,48 +0,0 @@
# CLAUDE.md Migration Summary

## Result

| | Lines |
|---|---|
| Before | 82 |
| After | 50 |
| Reduction | -39% (-32 lines) |

## What was removed and why

| Removed | Reason |
|---|---|
| `## Quick Reference` commands block (6 lines) | `npm start`, `npm run dev`, `npm test` are all in `package.json scripts`. Claude reads `package.json` on demand. `docker compose up -d` is a deployment detail, not a development constraint. |
| "These are non-negotiable. Every violation is a bug." intro | Moved to tighter one-liner before the list. |
| Full directory tree (21 lines) | Claude navigates the filesystem directly. Listing every file adds no behavioral value. Only non-obvious locations were kept. |
| "Pages are ES modules" standalone paragraph | Merged into Conventions. |
| Semicolons | Inferrable from reading any source file. |
| Header comment convention | Already documented in `CONTRIBUTING.md`. |
| DB table column pattern (`id`, `created_at`, `updated_at`) | Already in `CONTRIBUTING.md`. |
| Commit format and Changelog instructions (2 lines) | Already in `CONTRIBUTING.md`. Claude can read it when committing. |
| `## Current State` paragraph | Describes finished features - zero behavioral value. Becomes stale immediately. |
| "When to consult" column from Reference table | Padding. Claude decides when to read reference docs based on task context. |

## What moved to rules files

None. The remaining content is either universal (applies to every file) or a short pointer. No subsystem-specific rules justify a separate file at this project size.

## What was kept and why

| Kept | Why |
|---|---|
| All 8 Hard Constraints | Each prevents a class of wrong code that Claude would otherwise produce. The no-frameworks rule in particular would be violated without an explicit reminder. |
| API response shape `{data}` / `{error, code}` | Not inferrable without reading multiple route files. Applies to every new route. |
| `formatDate()`/`formatTime()` | Without this, Claude formats dates manually (e.g. `new Date().toLocaleDateString()`), producing inconsistent output. |
| `pages/*.js` → `render()`, no side effects | Structural contract not obvious from reading one page file. |
| `oikos-` prefix | Web Component naming convention. |
| Non-obvious file locations (`i18n.js`, `api.js`, `router.js`) | These live at `public/` root, not in a subdirectory. Easy to miss when navigating. |
| Request flow one-liner | Architectural orientation for new tasks. |
| Reference table (trimmed) | On-demand pointers replace inline content for spec details. |

## Token delta estimate

At ~4 chars/token average for this content:
- Before: ~1,800 tokens loaded every session
- After: ~1,100 tokens loaded every session
- Savings: ~700 tokens per session
+2
-2
@@ -93,10 +93,10 @@ const sessionStore = new BetterSQLiteStore();
*/
if (!process.env.SESSION_SECRET) {
if (process.env.NODE_ENV === 'production') {
throw new Error('[Auth] SESSION_SECRET muss in der .env gesetzt sein (Produktion).');
throw new Error('[Auth] SESSION_SECRET must be set in .env (production).');
}
process.env.SESSION_SECRET = randomBytes(32).toString('hex');
log.warn('SESSION_SECRET nicht gesetzt - zufaelliges Einmal-Secret generiert (Sessions ueberleben keinen Neustart).');
log.warn('SESSION_SECRET not set - generated ephemeral random secret (sessions will not survive restarts).');
}

const sessionMiddleware = session({

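Review bot: `if (!process.env.SESSION_SECRET)` only catches an unset or empty variable, so in production a one-character value or the placeholder copied from a sample .env passes the check and becomes the secret for every session signed by `sessionMiddleware`; since this hunk is already touching the production branch, tighten it to also require a minimum length, e.g. `const secret = process.env.SESSION_SECRET; if (!secret || secret.length < 32) throw new Error('[Auth] SESSION_SECRET must be set in .env and be at least 32 characters (production).');`. The development fallback writes the generated secret back into `process.env`, so any child process spawned later inherits it; keeping it in a module-level constant that is passed to `session({ secret })` confines it to this process. The translated messages themselves are fine and the warning correctly states the consequence (sessions invalidated on restart).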