Kyle Isom 1121b7d4fd Harden deployment and fix PEN-01 ...

- Fix Bearer token extraction to validate prefix (PEN-01)
- Add TestExtractBearerFromRequest covering PEN-01 edge cases
- Fix flaky TestRenewToken timing (2s → 4s lifetime)
- Move default config/install paths to /srv/mcias
- Add RUNBOOK.md for operational procedures
- Update AUDIT.md with penetration test round 4

Security: extractBearerFromRequest now uses case-insensitive prefix
validation instead of fixed-offset slicing, rejecting non-Bearer
Authorization schemes that were previously accepted.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-14 22:33:24 -07:00

..

audit

Fix SEC-11: use json.Marshal for audit details

2026-03-13 00:46:00 -07:00

auth

trusted proxy, TOTP replay protection, new tests

2026-03-12 17:44:01 -07:00

config

Harden deployment and fix PEN-01

2026-03-14 22:33:24 -07:00

crypto

Implement dashboard and audit log templates, add paginated audit log support

2026-03-11 14:05:08 -07:00

db

Fix SEC-08: make system token issuance atomic

2026-03-13 00:43:13 -07:00

grpcserver

Fix flaky gRPC renewal test timing

2026-03-13 01:08:44 -07:00

middleware

trusted proxy, TOTP replay protection, new tests

2026-03-12 17:44:01 -07:00

model

Add guest, viewer, editor, and commenter roles to compile-time allowlist

2026-03-12 21:03:24 -07:00

policy

UI: password change enforcement + migration recovery

2026-03-12 15:33:19 -07:00

server

Harden deployment and fix PEN-01

2026-03-14 22:33:24 -07:00

token

trusted proxy, TOTP replay protection, new tests

2026-03-12 17:44:01 -07:00

ui

Merge SEC-11: use json.Marshal for audit details

2026-03-13 01:06:55 -07:00

validate

Fix SEC-05: add body size limit to REST API and max password length

2026-03-13 00:42:11 -07:00