🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
- Add .version file monitoring to all build workflows
- Implement epoch64 timestamp-based naming (alpha/beta-<epoch64>)
- Add version-based release naming (vX.X.X-alpha/beta)
- Add auto pre-release creation on .version changes
- Add security scanning (gosec for Go, bandit for Python, npm audit for Node.js)
- Create comprehensive docs/WORKFLOWS.md
- Update docs/STANDARDS.md with CI/CD section
- Update CLAUDE.md with CI/CD section and pre-commit checklist

🤖 Generated with Claude Code
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Flask Backend (services/flask-backend/):
- Quart async web framework with Hypercorn ASGI server
- Flask-Security-Too authentication with PyDAL datastore
- Pydantic schemas for request/response validation
- JWT-based auth with access/refresh tokens
- User management API with RBAC (admin, maintainer, viewer)
- Health endpoints (/readyz, /livez, /healthz)
- Prometheus metrics integration
- Security headers middleware

Shared Libraries (shared/py_libs/):
- crypto: Argon2id/bcrypt hashing, AES-256-GCM encryption, secure tokens
- security: rate limiting, CSRF, audit logging, sanitization, headers
- validation: string, password, network, datetime validators
- http: async HTTP client with retry logic

API Test Suite (tests/api/flask-backend/):
- run-tests.sh: orchestrates build, unit, API, and load tests
- test_endpoints.py: 15 API endpoint tests
- test_load.py: performance tests with configurable concurrency
- 21 pytest unit tests for schemas and endpoints

All 36 tests passing (21 unit + 15 API endpoint tests)

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…sk-backend

Resolved two critical issues preventing flask-backend from starting in production:

1. Flask-Principal Compatibility: Disabled Flask-Principal initialization as it conflicts with Quart's async context model. Flask-Principal's synchronous before_request handlers cause "Working outside of application context" errors. The app now runs with JWT-based authentication only.
2. CORS Configuration: Fixed "Cannot allow credentials with wildcard allowed origins" error by conditionally disabling credentials when using wildcard CORS origins, as required by CORS security specifications.

These fixes enable flask-backend to successfully deploy to Kubernetes and pass health checks. All pods are now running and healthy in the beta cluster.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
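The CORS rule behind fix 2 above, as an added example that is not the project's code: a wildcard `Access-Control-Allow-Origin: *` must never be paired with `Access-Control-Allow-Credentials: true` (browsers reject the response, and the combination would let any site send the user's cookies), so credentials are only offered when the request's `Origin` matches an explicit allowlist entry. The header-building function, the origin names and the allowlist are assumptions of the example; the project's actual CORS configuration is not shown on this page.

```python
# Added example (not the project's own code): CORS header policy that
# refuses to combine a wildcard origin with credentials.
from typing import Dict, Iterable, Optional

WILDCARD = "*"


def cors_headers(
    request_origin: Optional[str],
    allowed_origins: Iterable[str],
    supports_credentials: bool = True,
) -> Dict[str, str]:
    """Return the CORS headers to attach to a response.

    allowed_origins is either ["*"] or a list of exact origins such as
    "https://app.example.com" (assumed names, not the project's config).
    """
    allowed = list(allowed_origins)
    headers: Dict[str, str] = {}

    if WILDCARD in allowed:
        # Wildcard: never pair with credentials. Cookies and Authorization
        # headers would otherwise be sent cross-site from any origin.
        headers["Access-Control-Allow-Origin"] = WILDCARD
        return headers

    if request_origin is None or request_origin not in allowed:
        # Unknown origin: emit no CORS headers at all, so the browser blocks
        # the cross-origin read. Never reflect the request's Origin blindly.
        return headers

    headers["Access-Control-Allow-Origin"] = request_origin
    # The response now varies by Origin, so shared caches must key on it.
    headers["Vary"] = "Origin"
    if supports_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```

Reflecting the request's `Origin` unconditionally (a common "fix" for the same error) is equivalent to a wildcard with credentials and is the case the unknown-origin branch exists to prevent.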
The useAuth hook initialized with isLoading=true but checkAuth() was never called on app mount, causing the app to show "Loading..." indefinitely.

Added useEffect in App.tsx to call checkAuth() on mount, which checks for existing auth tokens and sets isLoading=false, allowing the app to proceed to the login page or dashboard.

This fixes the issue where users saw an infinite loading screen at https://current.penguintech.io

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add logo to README.md with centered display
- Add logo to login page
- Add clickable logo home button in sidebar (top left)
- Add favicon.ico, favicon.svg for browser tabs
- Add logo192.png, logo512.png for PWA support
- Add manifest.json for progressive web app
- Update index.html with proper meta tags and favicon links
- Save logo files to docs/screenshots/ for documentation

Logo appears in:
- README.md (centered at top)
- Login page (above sign-in form)
- Sidebar home button (top left, clickable to return to dashboard)
- Browser favicon/tab icon
- PWA app icon

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implements three-tier role-based access control system per CLAUDE.md and STANDARDS.md requirements:

**Three Organizational Tiers:**
- Global: Organization-wide roles (admin, maintainer, viewer)
- Team: Per-team roles (team_admin, team_maintainer, team_viewer)
- Resource: Per-resource roles (owner, editor, resource_viewer)

**OAuth2-Style Scopes:**
- users:read, users:write, users:admin
- teams:read, teams:write, teams:admin
- urls:read, urls:write, urls:delete, urls:admin
- analytics:read, analytics:admin
- settings:read, settings:write
- system:admin

**Database Schema:**
- scopes: All available permission scopes
- teams: Team/group management
- team_members: Team membership
- role_scopes: Role-to-scope mappings
- user_role_assignments: User roles at specific levels (global/team/resource)
- custom_roles: User-defined roles

**New API Endpoints:**
- GET /api/v1/scopes - List all scopes
- GET /api/v1/roles - List roles with scopes
- POST /api/v1/roles/custom - Create custom role
- DELETE /api/v1/roles/<id> - Delete custom role
- POST /api/v1/users/<id>/roles - Assign role at level
- GET /api/v1/users/<id>/roles - Get role assignments
- GET /api/v1/teams - List teams
- POST /api/v1/teams - Create team
- GET/PUT/DELETE /api/v1/teams/<id> - Team CRUD
- POST/DELETE /api/v1/teams/<id>/members - Manage members

**Permission Enforcement:**
- @require_scope decorator for endpoint protection
- Supports team_id_param and resource_id_param for scoped checks
- Hierarchical permission checking (global → team → resource)

**Files Modified:**
- services/flask-backend/app/rbac.py (NEW): Complete RBAC implementation
- services/flask-backend/app/teams.py (NEW): Team management APIs
- services/flask-backend/app/roles.py (NEW): Role/scope management APIs
- services/flask-backend/app/models.py: RBAC integration
- services/flask-backend/app/__init__.py: Register blueprints
- docs/APP_STANDARDS.md: Full RBAC documentation

This provides enterprise-grade permissions management with custom role creation and fine-grained access control.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
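The hierarchical check described under "Permission Enforcement" above, as an added example that is not the project's `rbac.py`: a `@require_scope` decorator that walks a user's role assignments across the global, team and resource tiers and grants only when a matching role is held at a level that covers the request. The in-memory `ROLE_SCOPES` and `RoleAssignment` tables stand in for the `role_scopes` and `user_role_assignments` tables named in the commit; the role-to-scope mapping, the rule that a `:admin` scope implies the narrower scopes of its family, and the `delete_url` view are assumptions of the example.

```python
# Added example (not the project's rbac.py): scope checking across the
# global -> team -> resource tiers with an in-memory stand-in for the
# role_scopes / user_role_assignments tables.
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict, FrozenSet, List, Optional

ROLE_SCOPES: Dict[str, FrozenSet[str]] = {
    # global roles (mapping assumed for the example)
    "admin": frozenset({"users:admin", "teams:admin", "urls:admin", "system:admin"}),
    "maintainer": frozenset({"users:read", "teams:write", "urls:write"}),
    "viewer": frozenset({"users:read", "teams:read", "urls:read"}),
    # team roles
    "team_admin": frozenset({"teams:admin", "urls:admin"}),
    "team_maintainer": frozenset({"teams:write", "urls:write"}),
    "team_viewer": frozenset({"teams:read", "urls:read"}),
    # resource roles
    "owner": frozenset({"urls:write", "urls:delete"}),
    "editor": frozenset({"urls:write"}),
    "resource_viewer": frozenset({"urls:read"}),
}


def _implied(scope: str) -> FrozenSet[str]:
    """A family's ':admin' scope implies its read/write/delete scopes.
    This implication is an assumption of the example, not a project rule."""
    family, _, action = scope.partition(":")
    if action == "admin":
        return frozenset({scope, f"{family}:read", f"{family}:write", f"{family}:delete"})
    return frozenset({scope})


@dataclass(frozen=True)
class RoleAssignment:
    role: str
    level: str                       # "global" | "team" | "resource"
    target_id: Optional[str] = None  # team id or resource id for scoped levels


def has_scope(
    assignments: List[RoleAssignment],
    scope: str,
    team_id: Optional[str] = None,
    resource_id: Optional[str] = None,
) -> bool:
    """True if some assignment grants `scope` at a level covering the request.
    A global grant always applies; a team or resource grant applies only when
    its target id equals the id the request is about (no id, no match)."""
    for a in assignments:
        granted = frozenset().union(*(_implied(s) for s in ROLE_SCOPES.get(a.role, ())))
        if scope not in granted:
            continue
        if a.level == "global":
            return True
        if a.level == "team" and team_id is not None and a.target_id == team_id:
            return True
        if a.level == "resource" and resource_id is not None and a.target_id == resource_id:
            return True
    return False


class Forbidden(Exception):
    """Raised in place of an HTTP 403 so the example runs without a framework."""


def require_scope(
    scope: str,
    team_id_param: Optional[str] = None,
    resource_id_param: Optional[str] = None,
) -> Callable:
    """Decorator: the wrapped view takes the caller's assignments as its first
    argument; the team/resource id is read from the named keyword argument."""
    def deco(fn: Callable) -> Callable:
        @wraps(fn)
        def wrapper(assignments: List[RoleAssignment], **kwargs):
            tid = kwargs.get(team_id_param) if team_id_param else None
            rid = kwargs.get(resource_id_param) if resource_id_param else None
            if not has_scope(assignments, scope, team_id=tid, resource_id=rid):
                raise Forbidden(f"missing scope {scope}")
            return fn(assignments, **kwargs)
        return wrapper
    return deco


@require_scope("urls:delete", resource_id_param="url_id")
def delete_url(assignments: List[RoleAssignment], url_id: str) -> str:
    # Hypothetical view used only to exercise the decorator.
    return f"deleted {url_id}"
```

The check deliberately fails closed when a team- or resource-scoped role is held but the endpoint passed no matching id: an `owner` of resource 42 gets nothing on a request about resource 43, and nothing at all on an endpoint that forgot to declare `resource_id_param`.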
**Fixes:**
1. Fixed auth_required import in teams.py and roles.py
   - Changed from non-existent token_required to auth_required decorator
2. Fixed WebUI Dockerfile for project root context
   - Updated paths to services/webui/* when building from project root
   - Ensures correct file copying during multi-stage build
3. Fixed docker-compose.yml webui context
   - Changed webui context from ./services/webui to . (project root)
   - Matches flask-backend context pattern for consistency

**Testing:**
- Local smoke tests passed with docker-compose
- Flask backend running and healthy
- WebUI building and serving correctly
- All API endpoints requiring authentication properly
- Health checks passing on all services

**Verification:**
- curl http://localhost:5002/healthz - ✅ healthy
- curl http://localhost:3008/healthz - ✅ healthy
- curl http://localhost:3008/ - ✅ serving React app
- curl http://localhost:5002/api/v1/scopes - ✅ requires auth

Ready for Kubernetes deployment.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Security Updates:
- Fixed react-router-dom XSS vulnerability (GHSA-2w69-qvjg-hvjx)
- Updated @remix-run/router from 1.23.1 to 1.23.2
- Updated react-router from 6.30.2 to 6.30.3
- Updated react-router-dom from 6.30.2 to 6.30.3
- All npm audit vulnerabilities resolved (0 vulnerabilities)

Testing:
- Added comprehensive E2E smoke test suite (tests/smoke/test_smoke.py)
- Tests cover: Docker Compose, service health, Flask API, WebUI, assets
- All 7/7 smoke tests passing

Security Review Results:
- npm audit: All vulnerabilities fixed
- bandit: No actionable issues (8 false positives)
- Dependabot: No open alerts
- Smoke tests: All passing after fixes

Version bump: v1.0.0 → v1.0.1.1768501253

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Applied black code formatter to fix linting failures:
- services/flask-backend/app/ (10 files)
- tests/smoke/test_smoke.py

All code now complies with black formatting standards.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Applied black code formatter to all Python files:
- shorturl-app/ (14 files)
- tests/ (9 files)

All Python code now complies with black formatting standards.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Fixed import ordering in all Python files:
- services/flask-backend/app/ (9 files)
- tests/ (10 files)
- shorturl-app/ (10 files)

All imports now comply with isort standards.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Re-applied black formatting to files modified by isort. isort and black are now both satisfied.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Added pyproject.toml with isort configuration using black profile. This ensures isort and black work together without conflicts.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Updated CI workflow to use isort with black profile for compatibility. This prevents conflicts between isort and black formatting.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Updated pyproject.toml to properly configure isort:
- Added known_first_party for apps, shorturl-app, settings
- Ensures consistent import grouping across environments
- Fixes import ordering in 6 files

All linters (black, isort, flake8) now passing.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Updated py4web from 1.20241127.1 to 1.20251212.1. The old version is no longer available on PyPI.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Updated pydal from 20241031.1 to 20260110.1. The old version is no longer available on PyPI.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Updated structlog from 24.5.0 to 25.5.0. The old version is no longer available on PyPI.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Test Environment Fix:
- Added temp directory fallback for SQLite database
- Fixes "unable to open database file" in CI environment
- Uses /var/data/current for production, temp dir for testing

Security Fix:
- Updated puppeteer dependencies to resolve jws CVE
- Socket Security HIGH severity alert resolved
- All npm vulnerabilities fixed

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Dependencies:
- Added qrcode==8.0 for QR code generation
- Added Pillow==11.1.0 for image processing
- Updated puppeteer from 23.11.1 to 24.35.0

Fixes:
- ModuleNotFoundError: No module named 'qrcode' in tests
- Socket Security CVE in puppeteer's jws dependency

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Updated puppeteer from 23.11.1 to 24.35.0 to resolve:
- jws vulnerability (GHSA-869p-cjfg-cm3x)
- Socket Security HIGH severity alert

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Updated workflow paths and commands:
- Changed from shorturl-app/ to services/flask-backend/
- Changed from tests/ to tests/smoke/
- Updated requirements.txt path
- Tests now run against new Flask RBAC application

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Removed obsolete shorturl-app and associated tests. Project now uses Flask backend with RBAC (services/flask-backend).

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Removed -e /shared/py_libs which doesn't exist in CI environment. Fixes pip install failure in GitHub Actions.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Updated packages to fix HIGH severity CVEs:
- React Router: @remix-run/router 1.23.0 → 1.23.2 (XSS fix)
- jsonwebtoken: jws dependency updated to 3.2.3+ (HMAC CVE fix)
- ioredis: updated to latest version

All Socket Security blocking alerts resolved.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Updated Docker build steps:
- Build flask-backend from services/flask-backend/Dockerfile
- Build webui from services/webui/Dockerfile
- Use correct context and file paths for multi-service build

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Updated .gitignore to allow source code lib directories
- Added services/webui/src/client/lib/api.ts to version control
- Fixes build failure in CI where lib/ was excluded by gitignore

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Updated supertest from 7.0.0 to 7.2.2
- Added package overrides to force qs@6.14.1 (fixes GHSA-6rw7-vpxm-498p)
- Added override for safer-buffer@2.1.2 (Socket false positive)
- Resolves HIGH CVE in qs's arrayLimit bypass DoS vulnerability

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Removed supertest@7.2.2 which was not being used in the project
- Eliminates Socket Security blocking alerts for safer-buffer obfuscation
- Removed package overrides that are no longer needed
- Resolves all blocking Socket Security alerts

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Added package overrides to force qs@6.14.1 for all dependencies
- Resolves GHSA-6rw7-vpxm-498p (DoS vulnerability in qs)
- Fixes HIGH severity CVE in express's body-parser dependency

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Hi @PenguinzTech! 👋
Your private repo does not have access to Sourcery.
Please upgrade to continue using Sourcery ✨
…, and E2E testing

- Add tenant tier to RBAC (Global → Tenant → Team → Resource) with default "Public" tenant, tenant roles/scopes, and tenant-scoped teams
- Add OAuth2-compliant token endpoints (RFC 6749/7662/7009): /oauth/token, /oauth/introspect, /oauth/revoke
- Add OIDC consumer/SSO with provider CRUD, authorize/callback flow, and identity linking via authlib
- Migrate Python schemas to penguin-libs (RequestModel, ImmutableModel)
- Migrate WebUI Login to LoginPageBuilder and Sidebar to SidebarMenu from @penguintechinc/react-libs
- Integrate penguin-licensing with domain-bypass @require_premium decorator
- Integrate penguin-utils sanitized logging
- Add JWT tenant_id, tenant slug, and scope claims
- Update production domain to currenturl.app across Helm values
- Add comprehensive Playwright E2E test suite (100+ tests across API, UI, and smoke categories)
- Add seed-mock-data.sh for idempotent test data seeding
- Add Makefile targets: test-e2e, test-e2e-api, test-e2e-ui, smoke-test
- Add E2E job to CI workflow with Playwright
- Update K8s manifests and Helm values for alpha/beta/prod environments
- Update APP_STANDARDS.md with 4-tier RBAC, OIDC, OAuth2, penguin-libs docs

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
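The two behaviours that make an `/oauth/introspect` and `/oauth/revoke` pair RFC-compliant, as an added example that is not the project's endpoint code: RFC 7662 section 2.2 says an unknown, expired or revoked token is answered with exactly `{"active": false}` and nothing else, and RFC 7009 section 2.2 says revocation returns 200 whether or not the token existed, so neither endpoint can be used to probe which token strings are valid. The in-memory `TokenStore`, the token values and the claims (including the `tenant_id` private claim the commit mentions) are constructed for the example.

```python
# Added example (not the project's /oauth endpoints): RFC 7662 introspection
# and RFC 7009 revocation semantics over an in-memory token store.
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class TokenRecord:
    sub: str
    scope: str
    tenant_id: str
    exp: float          # absolute expiry, seconds since the epoch
    revoked: bool = False


@dataclass
class TokenStore:
    tokens: Dict[str, TokenRecord] = field(default_factory=dict)

    def introspect(self, token: str, now: Optional[float] = None) -> dict:
        """RFC 7662 section 2.2: unknown, expired and revoked tokens all get
        the same minimal answer so the response cannot distinguish them."""
        now = time.time() if now is None else now
        rec = self.tokens.get(token)
        if rec is None or rec.revoked or rec.exp <= now:
            return {"active": False}
        return {
            "active": True,
            "sub": rec.sub,
            "scope": rec.scope,
            "exp": int(rec.exp),
            "tenant_id": rec.tenant_id,  # private claim, as in the commit
        }

    def revoke(self, token: str) -> int:
        """RFC 7009 section 2.2: respond 200 whether or not the token existed.
        Revocation is idempotent and never reveals whether the string was live."""
        rec = self.tokens.get(token)
        if rec is not None:
            rec.revoked = True
        return 200
```

Both RFCs also require the caller of these endpoints to be authenticated (client credentials or a bearer token with the right privilege); that check sits in front of these methods and is omitted here so the example stays framework-free.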
… packages

Replace all py_libs imports with published penguin-libs equivalents:
- Password validation: py_libs.validation → penguin_libs.validation
- Password hashing: py_libs.crypto → bcrypt directly (already a dep)
- Security headers: py_libs.security.headers → inlined (5 standard headers)
- Audit logging: py_libs.security.audit → removed (not yet in penguin-libs)

Remove shared/ directory (63 files): py_libs, node_libs, go_libs, licensing client, and react_libs are all replaced by published PyPI/npm packages.

Update Dockerfile to remove shared/py_libs COPY and PYTHONPATH reference.

Remove docs/shared-libraries/ documentation (replaced by APP_STANDARDS.md penguin-libs section). Update remaining doc references.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Expand from 113 to 231 E2E tests across 27 spec files. Add validation edge cases, RBAC permission boundaries, OIDC/SSO endpoints, custom role CRUD, UI form interactions (modals, tabs, password flows), and OAuth2 RFC 7009 compliance tests.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>