Kyle Isom 30fc3470fa Fix SEC-10: add Permissions-Policy header ...

- Add Permissions-Policy header disabling camera, microphone,
  geolocation, and payment browser features
- Update assertSecurityHeaders test helper to verify the new header

Security: Permissions-Policy restricts browser APIs that this
application does not use, reducing attack surface from content
injection vulnerabilities. No crypto or auth flow changes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-13 00:41:20 -07:00

..

auth

trusted proxy, TOTP replay protection, new tests

2026-03-12 17:44:01 -07:00

config

trusted proxy, TOTP replay protection, new tests

2026-03-12 17:44:01 -07:00

crypto

Implement dashboard and audit log templates, add paginated audit log support

2026-03-11 14:05:08 -07:00

db

trusted proxy, TOTP replay protection, new tests

2026-03-12 17:44:01 -07:00

grpcserver

Add granular role grant/revoke endpoints to REST and gRPC APIs

2026-03-12 20:55:49 -07:00

middleware

trusted proxy, TOTP replay protection, new tests

2026-03-12 17:44:01 -07:00

model

Add guest, viewer, editor, and commenter roles to compile-time allowlist

2026-03-12 21:03:24 -07:00

policy

UI: password change enforcement + migration recovery

2026-03-12 15:33:19 -07:00

server

Add granular role grant/revoke endpoints to REST and gRPC APIs

2026-03-12 20:55:49 -07:00

token

trusted proxy, TOTP replay protection, new tests

2026-03-12 17:44:01 -07:00

ui

Fix SEC-10: add Permissions-Policy header

2026-03-13 00:41:20 -07:00

validate

Fix F-08, F-12, F-13: Implement account lockout, username validation, and password minimum length enforcement

2026-03-11 20:59:26 -07:00