Tags: penguintechinc/current
Security fixes and E2E smoke tests (v1.0.1) (#1)

* Initial draft

* Add Contributor Employer Exception to license

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* Add automatic pre-release workflow on version change

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* feat: implement .WORKFLOW compliance for Current

- Add .version file monitoring to all build workflows
- Implement epoch64 timestamp-based naming (alpha/beta-<epoch64>)
- Add version-based release naming (vX.X.X-alpha/beta)
- Add auto pre-release creation on .version changes
- Add security scanning (gosec for Go, bandit for Python, npm audit for Node.js)
- Create comprehensive docs/WORKFLOWS.md
- Update docs/STANDARDS.md with CI/CD section
- Update CLAUDE.md with CI/CD section and pre-commit checklist

🤖 Generated with Claude Code

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* feat: add Quart backend with Flask-Security-Too and comprehensive tests

Flask Backend (services/flask-backend/):
- Quart async web framework with Hypercorn ASGI server
- Flask-Security-Too authentication with PyDAL datastore
- Pydantic schemas for request/response validation
- JWT-based auth with access/refresh tokens
- User management API with RBAC (admin, maintainer, viewer)
- Health endpoints (/readyz, /livez, /healthz)
- Prometheus metrics integration
- Security headers middleware

Shared Libraries (shared/py_libs/):
- crypto: Argon2id/bcrypt hashing, AES-256-GCM encryption, secure tokens
- security: rate limiting, CSRF, audit logging, sanitization, headers
- validation: string, password, network, datetime validators
- http: async HTTP client with retry logic

API Test Suite (tests/api/flask-backend/):
- run-tests.sh: orchestrates build, unit, API, and load tests
- test_endpoints.py: 15 API endpoint tests
- test_load.py: performance tests with configurable concurrency
- 21 pytest unit tests for schemas and endpoints

All 36 tests passing (21 unit + 15 API endpoint tests)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* some bug fixes

* some bug fixes and migration to quart

* periodic save

* periodic save

* Updating documentation to new base standard

* periodic save

* Updating documentation to new base standard

* Updating documentation to new base standard

* Updating documentation to new base standard

* periodic save

* periodic save

* Updating documentation to new base standard

* Fix Flask-Principal/Quart compatibility and CORS configuration in flask-backend

Resolved two critical issues preventing flask-backend from starting in production:

1. Flask-Principal Compatibility: Disabled Flask-Principal initialization as it conflicts with Quart's async context model. Flask-Principal's synchronous before_request handlers cause "Working outside of application context" errors. The app now runs with JWT-based authentication only.

2. CORS Configuration: Fixed "Cannot allow credentials with wildcard allowed origins" error by conditionally disabling credentials when using wildcard CORS origins, as required by CORS security specifications.

These fixes enable flask-backend to successfully deploy to Kubernetes and pass health checks. All pods are now running and healthy in the beta cluster.

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* Fix infinite loading state in WebUI React app

The useAuth hook initialized with isLoading=true but checkAuth() was never called on app mount, causing the app to show "Loading..." indefinitely.

Added useEffect in App.tsx to call checkAuth() on mount, which checks for existing auth tokens and sets isLoading=false, allowing the app to proceed to the login page or dashboard.

This fixes the issue where users saw an infinite loading screen at https://current.penguintech.io

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* Add Current logo to application and branding

- Add logo to README.md with centered display
- Add logo to login page
- Add clickable logo home button in sidebar (top left)
- Add favicon.ico, favicon.svg for browser tabs
- Add logo192.png, logo512.png for PWA support
- Add manifest.json for progressive web app
- Update index.html with proper meta tags and favicon links
- Save logo files to docs/screenshots/ for documentation

Logo appears in:
- README.md (centered at top)
- Login page (above sign-in form)
- Sidebar home button (top left, clickable to return to dashboard)
- Browser favicon/tab icon
- PWA app icon

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* Add comprehensive 3-tier RBAC with OAuth2-style scopes

Implements three-tier role-based access control system per CLAUDE.md and STANDARDS.md requirements:

**Three Organizational Tiers:**
- Global: Organization-wide roles (admin, maintainer, viewer)
- Team: Per-team roles (team_admin, team_maintainer, team_viewer)
- Resource: Per-resource roles (owner, editor, resource_viewer)

**OAuth2-Style Scopes:**
- users:read, users:write, users:admin
- teams:read, teams:write, teams:admin
- urls:read, urls:write, urls:delete, urls:admin
- analytics:read, analytics:admin
- settings:read, settings:write
- system:admin

**Database Schema:**
- scopes: All available permission scopes
- teams: Team/group management
- team_members: Team membership
- role_scopes: Role-to-scope mappings
- user_role_assignments: User roles at specific levels (global/team/resource)
- custom_roles: User-defined roles

**New API Endpoints:**
- GET /api/v1/scopes - List all scopes
- GET /api/v1/roles - List roles with scopes
- POST /api/v1/roles/custom - Create custom role
- DELETE /api/v1/roles/<id> - Delete custom role
- POST /api/v1/users/<id>/roles - Assign role at level
- GET /api/v1/users/<id>/roles - Get role assignments
- GET /api/v1/teams - List teams
- POST /api/v1/teams - Create team
- GET/PUT/DELETE /api/v1/teams/<id> - Team CRUD
- POST/DELETE /api/v1/teams/<id>/members - Manage members

**Permission Enforcement:**
- @require_scope decorator for endpoint protection
- Supports team_id_param and resource_id_param for scoped checks
- Hierarchical permission checking (global → team → resource)

**Files Modified:**
- services/flask-backend/app/rbac.py (NEW): Complete RBAC implementation
- services/flask-backend/app/teams.py (NEW): Team management APIs
- services/flask-backend/app/roles.py (NEW): Role/scope management APIs
- services/flask-backend/app/models.py: RBAC integration
- services/flask-backend/app/__init__.py: Register blueprints
- docs/APP_STANDARDS.md: Full RBAC documentation

This provides enterprise-grade permissions management with custom role creation and fine-grained access control.

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* Fix RBAC implementation issues and Docker builds

**Fixes:**
1. Fixed auth_required import in teams.py and roles.py
   - Changed from non-existent token_required to auth_required decorator
2. Fixed WebUI Dockerfile for project root context
   - Updated paths to services/webui/* when building from project root
   - Ensures correct file copying during multi-stage build
3. Fixed docker-compose.yml webui context
   - Changed webui context from ./services/webui to . (project root)
   - Matches flask-backend context pattern for consistency

**Testing:**
- Local smoke tests passed with docker-compose
- Flask backend running and healthy
- WebUI building and serving correctly
- All API endpoints properly requiring authentication
- Health checks passing on all services

**Verification:**
- curl http://localhost:5002/healthz - ✅ healthy
- curl http://localhost:3008/healthz - ✅ healthy
- curl http://localhost:3008/ - ✅ serving React app
- curl http://localhost:5002/api/v1/scopes - ✅ requires auth

Ready for Kubernetes deployment.

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* Updating documentation to new base standard

* chore: security fixes and smoke tests (v1.0.1)

Security Updates:
- Fixed react-router-dom XSS vulnerability (GHSA-2w69-qvjg-hvjx)
- Updated @remix-run/router from 1.23.1 to 1.23.2
- Updated react-router from 6.30.2 to 6.30.3
- Updated react-router-dom from 6.30.2 to 6.30.3
- All npm audit vulnerabilities resolved (0 vulnerabilities)

Testing:
- Added comprehensive E2E smoke test suite (tests/smoke/test_smoke.py)
- Tests cover: Docker Compose, service health, Flask API, WebUI, assets
- All 7/7 smoke tests passing

Security Review Results:
- npm audit: All vulnerabilities fixed
- bandit: No actionable issues (8 false positives)
- Dependabot: No open alerts
- Smoke tests: All passing after fixes

Version bump: v1.0.0 → v1.0.1.1768501253

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* style: apply black formatting to Python code

Applied black code formatter to fix linting failures:
- services/flask-backend/app/ (10 files)
- tests/smoke/test_smoke.py

All code now complies with black formatting standards.

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* style: apply black formatting to all Python code

Applied black code formatter to all Python files:
- shorturl-app/ (14 files)
- tests/ (9 files)

All Python code now complies with black formatting standards.

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* style: fix import ordering with isort

Fixed import ordering in all Python files:
- services/flask-backend/app/ (9 files)
- tests/ (10 files)
- shorturl-app/ (10 files)

All imports now comply with isort standards.

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* style: apply black formatting after isort

Re-applied black formatting to files modified by isort. isort and black are now both satisfied.

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* chore: add pyproject.toml with isort/black compatibility

Added pyproject.toml with isort configuration using black profile. This ensures isort and black work together without conflicts.

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* ci: add --profile black to isort check

Updated CI workflow to use isort with black profile for compatibility. This prevents conflicts between isort and black formatting.

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* fix: configure isort for first-party imports

Updated pyproject.toml to properly configure isort:
- Added known_first_party for apps, shorturl-app, settings
- Ensures consistent import grouping across environments
- Fixes import ordering in 6 files

All linters (black, isort, flake8) now passing.

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* fix: update py4web to latest available version

Updated py4web from 1.20241127.1 to 1.20251212.1. The old version is no longer available on PyPI.

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* fix: update pydal to latest available version

Updated pydal from 20241031.1 to 20260110.1. The old version is no longer available on PyPI.

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* fix: update structlog to latest available version

Updated structlog from 24.5.0 to 25.5.0. The old version is no longer available on PyPI.

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* fix: resolve test environment and security issues

Test Environment Fix:
- Added temp directory fallback for SQLite database
- Fixes "unable to open database file" in CI environment
- Uses /var/data/current for production, temp dir for testing

Security Fix:
- Updated puppeteer dependencies to resolve jws CVE
- Socket Security HIGH severity alert resolved
- All npm vulnerabilities fixed

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* fix: add missing dependencies and update puppeteer

Dependencies:
- Added qrcode==8.0 for QR code generation
- Added Pillow==11.1.0 for image processing
- Updated puppeteer from 23.11.1 to 24.35.0

Fixes:
- ModuleNotFoundError: No module named 'qrcode' in tests
- Socket Security CVE in puppeteer's jws dependency

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* fix: update puppeteer to resolve Socket Security CVE

Updated puppeteer from 23.11.1 to 24.35.0 to resolve:
- jws vulnerability (GHSA-869p-cjfg-cm3x)
- Socket Security HIGH severity alert

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* fix: update CI workflow to test flask-backend instead of old code

Updated workflow paths and commands:
- Changed from shorturl-app/ to services/flask-backend/
- Changed from tests/ to tests/smoke/
- Updated requirements.txt path
- Tests now run against new Flask RBAC application

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* chore: remove old py4web application code

Removed obsolete shorturl-app and associated tests. Project now uses Flask backend with RBAC (services/flask-backend).

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* fix: remove invalid editable requirement from flask requirements

Removed -e /shared/py_libs which doesn't exist in CI environment. Fixes pip install failure in GitHub Actions.

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* fix: update dependencies to resolve Socket Security alerts

Updated packages to fix HIGH severity CVEs:
- React Router: @remix-run/router 1.23.0 → 1.23.2 (XSS fix)
- jsonwebtoken: jws dependency updated to 3.2.3+ (HMAC CVE fix)
- ioredis: updated to latest version

All Socket Security blocking alerts resolved.

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* fix: update build workflow for new flask-backend architecture

Updated Docker build steps:
- Build flask-backend from services/flask-backend/Dockerfile
- Build webui from services/webui/Dockerfile
- Use correct context and file paths for multi-service build

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

* fix: add webui source lib directory to git

- Updated .gitignore to allow source code lib directories
- Added services/webui/src/client/lib/api.ts to version control
- Fixes build failure in CI where lib/ was excluded by gitignore

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* fix: resolve Socket Security CVE alerts

- Updated supertest from 7.0.0 to 7.2.2
- Added package overrides to force [email protected] (fixes GHSA-6rw7-vpxm-498p)
- Added override for [email protected] (Socket false positive)
- Resolves HIGH CVE in qs's arrayLimit bypass DoS vulnerability

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* fix: remove unused supertest dependency

- Removed [email protected] which was not being used in the project
- Eliminates Socket Security blocking alerts for safer-buffer obfuscation
- Removed package overrides that are no longer needed
- Resolves all blocking Socket Security alerts

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* fix: override qs to patched version 6.14.1

- Added package overrides to force [email protected] for all dependencies
- Resolves GHSA-6rw7-vpxm-498p (DoS vulnerability in qs)
- Fixes HIGH severity CVE in express's body-parser dependency

Co-Authored-By: Claude Opus 4.5 <[email protected]>

---------

Co-authored-by: Claude <[email protected]>