Commit Graph

19 Commits

Author SHA1 Message Date
nogueiraguh
856e3b6674 feat: password change 3-step modal with strength meter, default admin/admin123 2026-04-02 18:09:44 -03:00
nogueiraguh
f22bb54e25 feat: Oracle IAM OIDC, force password change, security hardening
- OIDC: authorization code flow, JWKS validation, JIT provisioning, group-to-role mapping, dual auth (local/oidc/both)
- Force password change: random admin password on first install, modal blocks UI until changed
- APP_SECRET required in docker-compose (fail if missing), .env.example improved
- Login page: Oracle IAM button (conditional), hide form in oidc-only mode
- OracleIamPage: test connection via backend, masked client_secret handling
- UsersPage: OIDC badge, auth_provider in list
- i18n: login.oidcButton, login.or (pt/en/es)
- README v3.1: Terminal, User Management, Security, OIDC endpoints, versioning
2026-04-02 10:26:00 -03:00
nogueiraguh
60596e790f feat: state persistence — Terminal + Explorer survive navigation (Zustand stores) 2026-04-02 09:13:25 -03:00
nogueiraguh
8caa032055 feat: OCI CLI Terminal, Spanish i18n, language in My Settings
Terminal:
- New /terminal page with Linux-style terminal UI (dark theme, title bar, prompt)
- OCI Config selector — isolated per user (ownership check)
- Tab autocomplete: parses oci --help dynamically, caches results, commands first
- Command history (↑/↓) persisted in DB per user
- Security: only 'oci' commands, blocks pipes/redirects/shell injection
- Built-in commands: clear, history, help
- Timeout 60s per command

i18n:
- Spanish (es.ts): 748+ keys, Latin American formal
- Language selector moved from sidebar to My Settings (🇧🇷/🇺🇸/🇪🇸)
- Auto-detect browser language (pt/es/en)

Backend:
- POST /api/terminal/execute — run OCI CLI with selected config
- GET /api/terminal/completions — dynamic autocomplete from oci --help
- GET /api/terminal/history — per-user command history
- terminal_history table in SQLite
2026-04-01 17:45:25 -03:00
nogueiraguh
62f2a3d1ab feat: My Settings — password change (local only), timezone, MFA, auth_provider field
- MySettingsPage: timezone, password change (local users), MFA setup/disable
- Password change hidden for federated users (auth_provider != local)
- Federated users see info message: "managed by Oracle IAM"
- Backend: auth_provider + oidc_subject columns in users table (migration)
- /users/me returns auth_provider field
- User interface updated with auth_provider
- i18n: 12 new keys (pt/en) for password change
2026-04-01 15:20:16 -03:00
nogueiraguh
c3035abf81 feat: User Management menu — My Settings, Oracle IAM page, sidebar restructure
- Sidebar: "User Management" expandable group with sub-items (Users, My Settings, Oracle IAM)
- MySettingsPage: self-service timezone + MFA setup/disable (any user)
- OracleIamPage: admin-only OIDC config (auth mode, issuer, client ID/secret, group→role mapping, test connection)
- UsersPage: removed timezone card (moved to My Settings)
- i18n: 35+ new keys (pt/en) for settings and IAM pages
- Routes: /admin/user-settings, /admin/iam registered with code splitting
2026-04-01 15:00:23 -03:00
nogueiraguh
bc7024c95d feat: user isolation — ownership checks, is_global, per-user embeddings, private reports
- Add is_global column to adb_vector_configs and mcp_servers (schema + migration)
- Add _verify_config_access() and _verify_report_access() helpers
- Apply ownership checks to ~70 endpoints (OCI explore, actions, GenAI, MCP, ADB, reports, embeddings, terraform)
- Reports are 100% private (even admin can't see others')
- Add user_id to embedding metadata + filter in _vector_search/_vector_search_multi
- Remove cross-user ADB fallback in _get_active_adb_configs
- Add auth (token query param) to report HTML and compliance report iframes
- Audit log: admin sees all, user/viewer sees only own
- Embedding task status mapped to user
- Frontend: GLOBAL badge on ADB/MCP configs, hide edit/delete for non-admin on global resources
- Export/import includes is_global field
2026-04-01 01:05:54 -03:00
nogueiraguh
1b3c02d10b feat: v3.0 — CIS PDF chunker, DOCX professional, RAG complete, progress bar, code cleanup
- CIS PDF chunker: segments by recommendation (54/54 complete with desc+rationale+rem), 7000 chars target, 500 overlap
- RAG: 60s timeout + retry, direct SQL fetch by recommendationNumber, concatenate all chunks
- Auto-detect embedding dimension from DDL (empty tables), auto-detect model per dimension
- DOCX: camo strip (Pillow), A4 centered cover, code blocks (Consolas), lists with hanging indent
- Compliance report: progress bar (RAG X/35 percentage), Audit/Verification bold
- Code cleanup: removed redundant imports (io, base64, time, Response, HTMLResponse), duplicate DB query
- EmbeddingsPage: auto-select ADB config fix
- ReportsPage: removed DOCX preview (docx-preview lib)
- README updated to v3.0 with all new features
2026-03-31 10:44:13 -03:00
nogueiraguh
35a2bf786b feat: OCI Services page, compliance report v3, DOCX with camo strip, timezone per-user
- New OCI Services page with Service Status (auto-detect + overrides) and OCI Health (real-time Oracle status) tabs
- Compliance report: OCI Services section with Cloud Guard recommendations table, back page with Connect with us
- DOCX generation: professional styling with Pillow camouflage strip, green header tables, result boxes
- Separate Download DOCX button in reports page
- Timezone now per-user (not global) — each user configures their own timezone
- ADB connection pre-check before report generation (fail fast 503)
- Compliance report iframe shows friendly HTML instead of JSON 404 during generation
- OCI Health dashboard: proxies ocistatus.oraclecloud.com with search, geo filters, expandable region cards
2026-03-29 00:43:20 -03:00
nogueiraguh
c6b7cd75a9 feat: CIS number in embeddings, tenancy dropdown in consult, text filter for exact CIS search
- Chunk findings CSV: includes CIS Recommendation number, Section, Status in document header
- Consult embeddings: tenancy dropdown (OCI config selector) for filtered search
- CIS number detection: regex extracts "cis X.Y" from query → TEXT LIKE filter for exact match
- Dynamic top_k: 10 per table when CIS filter active (vs 3 default), 15 global results
- Vector search text_filter: combined vector similarity + TEXT LIKE for precise results
- Purged 121174 legacy docs without tenancy metadata from all CIS tables
- Re-embedded 4364 docs across 7 tables with full CIS metadata
- GPT-5.2 for consult (was GPT-4.1), max_tokens 8000
2026-03-24 22:12:15 -03:00
nogueiraguh
8db3e42d31 feat: detailed embed progress — current section, global bar, queue display
- Backend: tracks current_table, current_inserted, current_total, queue per embed task
- Frontend: dual progress bars (section + global), queue of upcoming sections
- Section bar shows table name + individual progress
- Global bar shows inserted/skipped/total with green/red segments
- Queue shows remaining sections with doc counts
2026-03-21 12:48:31 -03:00
nogueiraguh
dcc202ff9f fix: embedding background persistence, polling timeout, Error section hidden
- Embed task_id persisted in Zustand store (survives page navigation)
- Resume polling on page mount if active task exists
- Polling timeout increased to 30min (was 5min, too short for large sections)
- Embed button hidden for Error and Other sections
- Shared file-based status for multi-worker visibility
2026-03-21 12:04:29 -03:00
nogueiraguh
ab2d0a3e9b fix: embedding reliability - chunking, truncation, progress bar, shared status
- Text chunking: max 8000 chars per document, large CSV rows split with context header
- Text truncation: _embed_text truncates at 8000 chars before sending to model (prevents 400 errors)
- Purge before re-embed: deletes old docs by tenancy+date before inserting new ones
- Shared embedding status: file-based status (/data/.embed_status/) instead of in-memory dict (fixes multi-worker visibility)
- Progress bar: shows green (OK) + red (failures) segments, percentage, processed/total count
- Better error logging: extracts readable error message from OCI API errors
2026-03-21 10:48:21 -03:00
nogueiraguh
73c60212f7 feat: auto-mapped CIS report embedding, section embed, ADB RAW(16) fix
- Auto-embed report: maps each CSV to its ADB table (summaryreportcsvvector, identityandaccess, networking, etc.)
- Section embed: new endpoint POST /api/embeddings/report/{rid}/section with per-section button in UI
- Table validation: checks registered ADB tables before embedding, reports missing tables
- Auto-detect embedding dimension: reads table dim and selects correct model (3072→large, 1536→small)
- ADB RAW(16) ID fix: all vector inserts use HEXTORAW() for UUID (fixes ORA-01465)
- Float32 vectors: all inserts use array.array('f') for FLOAT32 compatibility
- Embedding status: real-time progress polling (Embedding X/Y — table: Z)
- Loading per section: spinner only on the section being embedded, not all
- Removed individual file embed buttons (only section + full report)
- Summary CSV chunking: groups by CIS section with tenancy + extract_date metadata
- Findings CSV chunking: each row becomes a document with structured content
- README: documented all 11 required ADB vector tables with descriptions
2026-03-21 00:10:50 -03:00
nogueiraguh
2c5f0f2e1c fix: compliance report iframe, findings tables, PDF fonts, delete session, orphan markers
- Compliance report iframe: removed auth requirement (UUIDs are non-guessable), fixed X-Frame-Options SAMEORIGIN on /api/
- Findings resource tables: compact HTML tables (max 4 cols, 10 rows) per non-compliant finding with affected resources from CSV
- PDF fonts: installed Liberation + DejaVu fonts in container, standardized font-family to Arial/Liberation Sans
- Delete session fix: terraform.ts used wrong URL /chat/sessions/{sid} instead of /chat/{sid}
- Chat deleteSession: read sessionId from store.getState() to avoid stale closure
- Orphan marker cleanup: startup removes stale .compliance_generating markers, status endpoint auto-expires after 10min
- Generate endpoint rejects duplicate requests while already generating
- Compliance iframe condition: only renders when ready AND not generating, prevents 404 flash
- Dockerfile: added fonts-liberation fonts-dejavu-core fontconfig packages
2026-03-20 17:17:42 -03:00
nogueiraguh
fbcb1966d5 feat: comprehensive security, performance, UX and deployment audit
Security:
- CORS restricted to explicit methods/headers, configurable via CORS_ORIGINS env
- Auth added to /reports/{rid}/html and /compliance-report endpoints
- Ownership check on report downloads
- Rate limiting on login (10 attempts/5min per IP with threading.Lock)
- Non-root container user (agent via gosu entrypoint)
- Nginx security headers (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy)
- .gitignore and .dockerignore for secret leak prevention
- .env.example with documentation

Performance:
- 16 SQLite indexes on foreign keys and frequently queried columns
- Pagination on chat messages (100), reports (50), audit log (100)
- subprocess.run wrapped in run_in_executor (3 async handlers)
- asyncio.wait_for timeouts on GenAI calls (300s) and Chromium PDF (120s)
- Thread pool reduced to 10 workers
- Code splitting with React.lazy (bundle: 1.3MB -> ~550KB initial)
- React.memo on TreeItem (recursive compartment tree)

Error handling:
- 13 bare except clauses replaced with logged Exception handlers
- Graceful shutdown handler (terminates subprocesses + executor)
- File upload validation (50MB max, extension whitelist per endpoint)
- Health check expanded (version, uptime, db_ok)
- Cache-Control on /api/genai/models (1h)
- Auto-cleanup audit_log > 30 days

Dead code removed:
- DownloadsPage.tsx, StubPage.tsx, MfaPage.tsx (moved to UsersPage)
- Legacy frontend/ directory
- 19 unused i18n keys, dist/ removed from git tracking

UX & i18n:
- 8 alert() calls replaced with styled error states (TerraformPage)
- 50+ hardcoded Portuguese strings localized to i18n (pt/en) across 11 files
- aria-label on all icon-only buttons (Chat, Explorer, Sidebar)
- focus-visible CSS for keyboard navigation
- Responsive grid fix (360px -> 280px for mobile)
- aria-hidden on decorative SVGs

Deployment:
- Docker resource limits (backend 4G, frontend 512M)
- Log rotation (json-file, 10MB x 3)
- Terraform version parameterized via ARG
2026-03-20 13:48:30 -03:00
nogueiraguh
61fbb3861d feat: remove legacy frontend, root routing, compliance ZIP with Chromium PDF, chat markdown styling
- Legacy frontend removed: React SPA served at / (no /app/ prefix)
- Compliance report ZIP: Chromium headless --print-to-pdf (identical to browser) + CSV findings
- Server-side generation state: .compliance_generating marker survives page navigation
- RAG enriched: Description + Rationale + Remediation + Audit extracted from CIS vector chunks
- Chat markdown: syntax highlighting (Catppuccin), styled headings/lists/tables/blockquotes/code
- Default model auto-selected on Chat Agent load
2026-03-20 07:21:41 -03:00
nogueiraguh
5028f632a6 fix: compliance report Oracle design, polling robustness, print margins
- Oracle PDF style: decorative left strip, ORACLE brand header, red section titles, green table headers
- Cover page: removed rectangle, clean layout matching Oracle reference PDF
- Print: @page margin:0 + thead/tfoot table trick for per-page header/footer spacing without browser URL/date
- RAG remediation: fixed fallback dumping entire CIS chunk instead of just remediation section
- Findings: removed break-inside:avoid that caused empty pages, emoji replaced with [CSV] text
- Tables: break-inside:avoid on rows, section headers break-after:avoid, thead repeats on page break
- Compliance polling: useEffect-based with cleanup, auto-expand on ready, re-check on section toggle
- Explorer: silent polling during start/stop (no flickering)
- HTML report starts minimized, auto-expands on fresh generation
- Include dist/ in git for deployment
2026-03-19 11:34:31 -03:00
nogueiraguh
442e710b9f feat: LAD A-Team CIS Compliance Report, React SPA, i18n, report management, explorer UX fixes
- Professional Oracle-format compliance report with RAG remediation from ADB vector store
- React 19 SPA at /app/ (16 pages, TypeScript, Vite, Zustand, i18n pt/en 625 keys)
- Report delete endpoint, embed individual report files into vector store
- Terraform ZIP download (client-side, pure JS)
- Explorer silent polling during start/stop (no flickering)
- HTML report and compliance report sections start minimized
- Token auth fix for compliance report CSV download links
2026-03-19 07:34:06 -03:00