till/cards
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
cards/apps/web
History
Till JS 5a29dd9a8c
Some checks are pending
CI / validate (push) Waiting to run
Details
security(cards): CSP report-only + service-key rotation playbook 
Folge-Hardening zu e1ddbf3, Cluster A2+A3 aus FEATURE_IDEAS.

* hooks.server.ts: restriktive CSP im Report-Only-Modus
  (default-src 'self', script-src 'self', connect-src whitelist
  auf cardecky-api/auth.mana.how/share/mcp). CARDS_CSP_ENFORCE=true
  flippt auf den scharfen Header.
* docs/playbooks/SERVICE_KEY_ROTATION.md: 5-Schritt-Rotation für
  CARDS_DSGVO_SERVICE_KEY bis Phase F-1 (mana-auth-managed Keys).

Forensik der Bypass-Periode 2026-05-08 → 2026-05-12 ist abgeschlossen:
nur 2 user_ids in der Cards-DB, beide legitim (tills95@gmail.com +
Smoke-Test-Sentinel c1a5, letztere via DSGVO-Endpoint aufgeräumt).
Kein ausgenutzter Bypass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 18:40:29 +02:00
..
src security(cards): CSP report-only + service-key rotation playbook 2026-05-12 18:40:29 +02:00
static Phase 8c: Anki-Import via portiertem Parser 2026-05-08 17:43:12 +02:00
tests Phase 9k: Media-Upload via MinIO-Container 2026-05-08 18:42:56 +02:00
Dockerfile fix(dockerfiles): copy tsconfig.base.json into build context 2026-05-08 20:12:01 +02:00
package.json feat(decks): Deck-Kategorien über den ganzen Stack 2026-05-09 20:24:47 +02:00
svelte.config.js Phase 0+1: Repo-Skelett für Cards-Greenfield 2026-05-08 14:08:41 +02:00
tsconfig.json Phase 3 follow-up: type-check + tests grün, ts-fsrs v5 API 2026-05-08 14:41:04 +02:00
vite.config.ts dev: dev:full + cards-dev-Alias + lokale mana-auth-Pipeline 2026-05-09 12:38:51 +02:00