b6b046c90b
fix: harden startup security — require strong secrets, restrict CORS
...
- decnet/env.py: DECNET_JWT_SECRET and DECNET_ADMIN_PASSWORD are now
required env vars; startup raises ValueError if unset or set to a
known-bad default ("admin", "password", etc.)
- decnet/env.py: add DECNET_CORS_ORIGINS (comma-separated, defaults to
http://localhost:8080 ) replacing the previous allow_origins=["*"]
- decnet/web/api.py: use DECNET_CORS_ORIGINS and tighten allow_methods
and allow_headers to explicit lists
- tests/conftest.py: set required env vars at module level so test
collection works without real credentials
- tests/test_web_api.py, test_web_api_fuzz.py: use DECNET_ADMIN_PASSWORD
from env instead of hardcoded "admin"
Closes DEBT-001, DEBT-002, DEBT-004
2026-04-09 12:13:22 -04:00
29a2cf2738
refactor: modularize API routes into separate files and clean up dependencies
2026-04-09 11:58:57 -04:00
551664bc43
fix: stabilize test suite by ensuring proper test DB isolation and initialization
2026-04-09 02:31:14 -04:00
a3b92d4dd6
docs: tag API endpoints for better organization
2026-04-09 01:58:54 -04:00
30edf9a55d
feat: add DECNET_DEVELOPER toggle for API documentation
2026-04-09 01:55:31 -04:00
69626d705d
feat: implement Bounty Vault for captured credentials and artifacts
2026-04-09 01:52:50 -04:00
0f86f883fe
fix: resolve remaining bandit warnings and stabilize lifespan
2026-04-09 01:35:08 -04:00
13f3d15a36
fix: stabilize tests with synchronous DB init and handle Bandit security findings
2026-04-09 01:33:15 -04:00
8c7ec2953e
fix: handle bcrypt 72-byte limit and increase JWT secret length
2026-04-09 01:11:32 -04:00
6c2478ede3
fix: restore missing API endpoints, fix chart rendering, and update date filter formatting
2026-04-08 21:25:59 -04:00
532a4e2dc5
fix: resolve SSE CORS issues and fix date filter format mismatch
2026-04-08 21:15:26 -04:00
ec503b9ec6
feat: implement advanced live logs with KQL search, histogram, and live/historical modes
2026-04-08 21:01:05 -04:00
32b06afef6
feat: add .env based configuration for API, Web, and Auth options
2026-04-08 01:27:11 -04:00
31e0c5151b
fix: ensure API-deployed deckies inherit the correct log ingestion path
2026-04-08 01:09:48 -04:00
cc3d434c02
feat: add server-side validation for web-based INI deployments
2026-04-08 01:04:59 -04:00
168ecf14ab
feat: add API-only mode and web-based INI deployment
2026-04-08 00:56:25 -04:00
c544964f57
feat: migrate dashboard live logs to Server-Sent Events (SSE)
2026-04-08 00:30:31 -04:00
18de381a43
feat: implement dynamic decky mutation and fix dot-separated INI sections
2026-04-08 00:16:57 -04:00
eb4be44c9a
feat: add dedicated Decoy Fleet inventory page and API
2026-04-07 23:15:20 -04:00
ba2faba5d5
chore: enforce strict typing and internal naming conventions across web components
2026-04-07 19:56:15 -04:00
bad90dfb75
feat: implement background log ingestion from local file
2026-04-07 15:30:44 -04:00
52c26a2891
feat: backend support for mandatory password change on first login
2026-04-07 15:15:03 -04:00
697929a127
feat: implement Stats endpoints for web dashboard
2026-04-07 14:58:09 -04:00
b46934db46
feat: implement Logs endpoints for web dashboard
2026-04-07 14:56:25 -04:00
5b990743db
feat: implement Auth endpoints for web dashboard
2026-04-07 14:54:36 -04:00
