np-dms/lcbp3
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b5960ba24cddecdec2d0adbfcd4b0bcaada0002a
lcbp3/.windsurf/rules/02-security.md
T
admin 1c6fec6c65
CI / CD Pipeline / build (push) Successful in 22m17s
Details
CI / CD Pipeline / deploy (push) Successful in 7m49s
Details
690329:2252 Fixing refactor Correspondence GPT-5.3-Codex #05
2026-03-29 22:52:42 +07:00

1.1 KiB
Raw Blame History

always_on
always_on
true

Security Rules (Non-Negotiable)

Mandatory Security Requirements

  1. Idempotency: All critical POST/PUT/PATCH MUST validate Idempotency-Key header
  2. Two-Phase File Upload: Upload → Temp → Commit → Permanent
  3. Race Conditions: Redis Redlock + TypeORM @VersionColumn for Document Numbering
  4. Validation: Zod (frontend) + class-validator (backend DTO)
  5. Password: bcrypt 12 salt rounds, min 8 chars, rotate every 90 days
  6. Rate Limiting: ThrottlerGuard on all auth endpoints
  7. File Upload: Whitelist PDF/DWG/DOCX/XLSX/ZIP, max 50MB, ClamAV scan
  8. AI Isolation (ADR-018): Ollama on Admin Desktop ONLY — NO direct DB/storage access

Full Documentation

specs/06-Decision-Records/ADR-016-security-authentication.md

Security Checklist (Before Every Commit)

  • Input validation implemented (Zod/class-validator)
  • RBAC/CASL permissions checked
  • No SQL injection vulnerabilities
  • File upload validation (whitelist + ClamAV)
  • Rate limiting applied to auth endpoints
  • OWASP Top 10 review passed
Reference in New Issue View Git Blame Copy Permalink