TheFlow
aab23e8c33
refactor: deep cleanup - remove all website code from framework repo
REMOVED: 77 website-specific files from src/ and public/
Website Models (9):
- Blog, CaseSubmission, Document, Donation, MediaInquiry,
ModerationQueue, NewsletterSubscription, Resource, User
Website Services (6):
- BlogCuration, MediaTriage, Koha, ClaudeAPI, ClaudeMdAnalyzer,
AdaptiveCommunicationOrchestrator
Website Controllers (9):
- blog, cases, documents, koha, media, newsletter, auth, admin, variables
Website Routes (10):
- blog, cases, documents, koha, media, newsletter, auth, admin, test, demo
Website Middleware (4):
- auth, csrf-protection, file-security, response-sanitization
Website Utils (3):
- document-section-parser, jwt, markdown
Website JS (36):
- Website components, docs viewers, page features, i18n, Koha
RETAINED Framework Code:
- 6 core services (Boundary, ContextPressure, CrossReference,
InstructionPersistence, Metacognitive, PluralisticDeliberation)
- 4 support services (AnthropicMemoryClient, MemoryProxy,
RuleOptimizer, VariableSubstitution)
- 9 framework models (governance, audit, deliberation, project state)
- 3 framework controllers (rules, projects, audit)
- 7 framework routes (rules, governance, projects, audit, hooks, sync)
- 6 framework middleware (error, validation, security, governance)
- Minimal admin UI (rule manager, dashboard, hooks dashboard)
- Framework demos and documentation
PURPOSE: Tractatus-framework repo is now PURELY framework code.
All website/project code remains in internal repo only.
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-21 21:22:40 +13:00
TheFlow
059dd43b72
security: complete Phase 0 Quick Wins implementation
Phase 0 Complete (QW-1 through QW-8):
✅ Enhanced input validation with HTML sanitization
✅ Form rate limiting (5 req/min on all submission endpoints)
✅ Modern CSRF protection (SameSite cookies + double-submit pattern)
✅ Security audit logging (CSRF violations captured)
✅ Applied to all public form endpoints:
- /api/cases/submit (case studies)
- /api/media/inquiries (media inquiries)
- /api/newsletter/subscribe (newsletter)
New Middleware:
- csrf-protection.middleware.js (replaces deprecated csurf package)
- Enhanced input-validation.middleware.js applied to all forms
Security Features Active:
- Security headers (CSP, HSTS, X-Frame-Options, etc.)
- Rate limiting (100 req/15min public, 5 req/min forms)
- CSRF protection (double-submit cookie pattern)
- HTML sanitization (XSS prevention)
- Response sanitization (hide stack traces)
- Security event logging
Implements: inst_041, inst_042, inst_043, inst_044, inst_045, inst_046
Refs: docs/plans/security-implementation-roadmap.md Phase 0
2025-10-14 15:32:54 +13:00