Security hardening + support tickets, document expiry UI, admin notifications#17
Merged
Merged
Conversation
Enable RLS on 5 unprotected tables (ticket_messages, salesforce_connections, salesforce_sync_runs, salesforce_sync_run_accounts, integration_settings), tighten overly permissive policies on 6 tables from authenticated to admin-only, harden storage buckets with mime type and size restrictions, and lock down storage.buckets table itself with RLS. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…S fixes, server-side auth middleware - Add Zod validation middleware and schemas for document/auth routes - Add safePath utility to prevent path traversal in file operations - Replace error.message leakage with generic 500 responses across all routes - Add DOMPurify for XSS prevention in security updates page - Add escapeHtml() for email template injection prevention - Add Next.js middleware for server-side admin route protection via @supabase/ssr - Batch-optimize N+1 queries in admin requests route - Add non-root user to Docker container - Add env var validation at server startup - Add database indexes for frequently queried columns Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…l notifications Feature 1 - Support Tickets (optional): - Add support_tickets_enabled toggle to settings with Features tab - Create admin tickets page with status/priority filters, message threads, and reply - Conditionally show tickets in sidebar and dashboard based on setting - Add ContactSubmission and TicketMessage types Feature 2 - Document Expiry UI: - Add expiring documents widget to admin dashboard (color-coded by urgency) - Add expiry badges to document list (expired/expiring indicators) - Add expires_at date picker to document editor and upload pages Feature 3 - Admin Email Notifications: - Create adminNotifications utility with notifyAdminsOfNewRequest and notifyAdminsOfNewTicket - Wire notifications into document request and contact form submission routes - Add notify_on_new_request toggle and notification_emails config to settings - Migration 034 adds feature toggle columns to trust_center_settings Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The frontend was sending expires_at via FormData, but the backend POST and PUT /replace routes were not destructuring or persisting it. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The adduser command failed because node:20-alpine ships with a built-in node user. Use the existing node:node user/group instead. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
kutcode
added a commit
that referenced
this pull request
Mar 27, 2026
Security hardening + support tickets, document expiry UI, admin notifications
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
resolveUploadPath(), XSS fixes with DOMPurify +escapeHtml(), server-side admin auth middleware, generic 500 error responses, Docker non-root user, env var validation, N+1 query optimization, and database indexesexpires_atdate picker on editor and upload pagesMigrations
033_add_missing_indexes.sql— indexes on frequently queried columns034_feature_toggles.sql—support_tickets_enabled,notify_on_new_request,notification_emailscolumnsTest plan
cd backend && npm test— all 28 tests passcd frontend && npm run build— builds clean🤖 Generated with Claude Code