- Updated context key definitions in dns_provider_service_test.go to use string constants instead of custom types for user_id, client_ip, and user_agent.
- Ensured proper context values are set in audit logging tests to avoid defaulting to "system" or empty values.
- Enhanced in-memory SQLite database setup in credential_service_test.go to use WAL mode and busy timeout for better concurrency during tests.
- Implemented `useManualChallenge`, `useChallengePoll`, and `useManualChallengeMutations` hooks for managing manual DNS challenges.
- Created tests for the `useManualChallenge` hooks to ensure correct fetching and mutation behavior.
- Added `ManualDNSChallenge` component for displaying challenge details and actions.
- Developed end-to-end tests for the Manual DNS Provider feature, covering provider selection, challenge UI, and accessibility compliance.
- Included error handling tests for verification failures and network errors.
- Changed report title to reflect security audit focus
- Updated date and status to indicate approval for commit
- Enhanced executive summary with detailed validation results
- Included comprehensive test coverage results for backend and frontend
- Documented pre-commit hooks validation and known issues
- Added detailed security scan results, confirming absence of CVE-2025-68156
- Verified binary inspection for expr-lang dependency
- Provided risk assessment and recommendations for post-merge actions
- Updated compliance matrix and final assessment sections
- Improved overall report structure and clarity
- Updated current specification to reflect the integration of Staticcheck into pre-commit hooks.
- Added problem statement, success criteria, and implementation plan for Staticcheck integration.
- Enhanced QA validation report to confirm successful implementation of Staticcheck pre-commit blocking.
- Created new Playwright configuration and example test cases for frontend testing.
- Updated package.json and package-lock.json to include Playwright and related dependencies.
- Archived previous QA report for CI workflow documentation updates.
- Updated references from `CPMP_TOKEN` to `CHARON_TOKEN` in beta release draft PR body, beta release PR body, and GitHub setup documentation.
- Enhanced clarity in documentation regarding the use of `GITHUB_TOKEN` and fallback options.
- Removed outdated sections from the archived plan for the Docs-to-Issues workflow fix, streamlining the document.
- Initiated integration of Staticcheck into pre-commit hooks to improve code quality, including updates to Makefile, VS Code tasks, and documentation.
- Mark current specification as complete and ready for the next task.
- Document completed work on CI/CD workflow fixes, including implementation summary and QA report links.
- Archive previous planning documents related to GitHub security warnings.
- Revise QA report to reflect the successful validation of CI workflow documentation updates, with zero high/critical issues found.
- Add new QA report for Grype SBOM remediation implementation, detailing security scans, validation results, and recommendations.
- Removed outdated security remediation plan for DoD failures, indicating no active specifications.
- Documented recent completion of Grype SBOM remediation, including implementation summary and QA report.
- Updated QA report to reflect successful validation of security scans with zero HIGH/CRITICAL findings.
- Deleted the previous QA report file as its contents are now integrated into the current report.
- Moved the existing patch coverage remediation plan from `current_spec.md` to a new file `patch_coverage_spec.md` for better organization and focus on security remediation.
- Updated the goal to emphasize restoring Codecov patch coverage to green by ensuring 100% of modified lines are executed by tests.
- Defined two workstreams: one for fixing patch coverage in specific backend files and another for updating prevention measures in instructions and agent files.
- Added a detailed missing files table to track Codecov patch report line ranges and corresponding test strategies.
- Included guidance on handling partial patch lines and common patterns for missed coverage.
- Specified a remediation plan with a test-first approach and per-file testing strategies for targeted coverage improvements.
- Updated relevant instructions and agent files to enforce patch coverage requirements and improve validation processes.
- Add encryption key environment variable to docker-compose.yml,
docker-compose.dev.yml, docker-compose.local.yml, docker-compose.test.yml
- Update README.md Quick Start examples (compose and docker run)
- Include generation instructions: openssl rand -base64 32
Required for DNS provider and plugin features which encrypt sensitive data at rest.
- Updated package.json to include @types/node@25.0.3 for compatibility.
- Modified package-lock.json to reflect the new version of @types/node and updated cookie package to 1.1.1.
- Adjusted tsconfig.json to specify @testing-library/jest-dom/vitest for type definitions.
- Updated vite.config.ts to disable code splitting temporarily to diagnose React initialization issues, increasing chunk size warning limit.
- Updated DNSProviderForm to include multi-credential mode toggle.
- Integrated CredentialManager component for managing multiple credentials.
- Added hooks for enabling multi-credentials and managing credential operations.
- Implemented tests for CredentialManager and useCredentials hooks.
- Add API functions for fetching encryption status, rotating keys, retrieving rotation history, and validating key configuration.
- Create custom hooks for managing encryption status and key operations.
- Develop the EncryptionManagement page with UI components for displaying status, actions, and rotation history.
- Implement confirmation dialog for key rotation and handle loading states and error messages.
- Add tests for the EncryptionManagement component to ensure functionality and error handling.
- Implemented Audit Logs page with a detailed view for each log entry.
- Added API functions for fetching and exporting audit logs in CSV format.
- Created hooks for managing audit log data fetching and state.
- Integrated filtering options for audit logs based on various criteria.
- Added unit tests for the Audit Logs page to ensure functionality and correctness.
- Updated Security page to include a link to the Audit Logs page.
- Add gotestsum for real-time test progress visibility
- Parallelize 174 tests across 14 files for faster execution
- Add -short mode support skipping 21 heavy integration tests
- Create testutil/db.go helper for future transaction rollbacks
- Fix data race in notification_service_test.go
- Fix 4 CrowdSec LAPI test failures with permissive validator
Performance improvements:
- Tests now run in parallel (174 tests with t.Parallel())
- Quick feedback loop via -short mode
- Zero race conditions detected
- Coverage maintained at 87.7%
Closes test optimization initiative
- Verify backend test coverage at 85.2% (threshold: 85%)
- Verify frontend test coverage at 87.8% (threshold: 85%)
- Add Google Cloud DNS setup guide
- Add Azure DNS setup guide
- Pass all security scans (Trivy, govulncheck)
- Pass all pre-commit hooks
- Updated UsersPage tests to check for specific URL formats instead of regex patterns.
- Increased timeout for Go coverage report generation to handle larger repositories.
- Cleaned up generated artifacts before running CodeQL analysis to reduce false positives.
- Removed outdated QA testing report for authentication fixes on the certificates page.
- Added final report confirming successful resolution of authentication issues with certificate endpoints.
- Deleted previous test output files to maintain a clean test results directory.
- Updated the QA/Security Validation Report with new dates and status.
- Enhanced coverage verification metrics for backend and frontend tests.
- Improved TypeScript checks and security scans, ensuring all checks passed.
- Refactored ProxyHosts tests to utilize mock implementations for hooks and APIs.
- Added smoke test for login functionality using Playwright.
- Adjusted vitest configuration to use thread pooling for tests.
- Removed unnecessary peer dependency from package-lock.json.
- Filter IP addresses from HTTP challenge domains list
- Ensure IPs only get internal (self-signed) certificates
- Preserve IP addresses in DNS challenge domains for proper handling
- All 550+ backend tests passing with 85.8% coverage
Resolves certificate issuer assignment bug for IP-based proxy hosts
- Implement DNSProviderCard component for displaying individual DNS provider details.
- Create DNSProviderForm component for adding and editing DNS providers.
- Add DNSProviderSelector component for selecting DNS providers in forms.
- Introduce useDNSProviders hook for fetching and managing DNS provider data.
- Add DNSProviders page for listing and managing DNS providers.
- Update layout to include DNS Providers navigation.
- Enhance UI components with new badge styles and improved layouts.
- Add default provider schemas for various DNS providers.
- Integrate translation strings for DNS provider management.
- Update Vite configuration for improved chunking and performance.
- Added comprehensive QA report for CodeQL CI alignment implementation, detailing tests, results, and findings.
- Created CodeQL security scanning guide in documentation, outlining usage and common issues.
- Developed pre-commit hooks for CodeQL scans and findings checks, ensuring security issues are identified before commits.
- Implemented scripts for running CodeQL Go and JavaScript scans, aligned with CI configurations.
- Verified all tests passed, including backend and frontend coverage, TypeScript checks, and SARIF file generation.
- Apply URL validation using security.ValidateWebhookURL() to all webhook
HTTP request paths in notification_service.go
- Block private IPs (RFC 1918), cloud metadata endpoints, and loopback
- Add comprehensive SSRF test coverage
- Add CodeQL VS Code tasks for local security scanning
- Update Definition of Done to include CodeQL scans
- Clean up stale SARIF files from repo root
Resolves CI security gate failure for CWE-918.
- Add 16 comprehensive tests for user_handler.go covering PreviewInviteURL,
getAppName, email normalization, permission/role defaults, and edge cases
- Add 14 unit tests for url.go functions (GetBaseURL, ConstructURL, NormalizeURL)
- Refactor URL connectivity tests to use mock HTTP transport pattern
- Fix 21 test failures caused by SSRF protection blocking localhost
- Maintain full SSRF security - no production code security changes
- Coverage increased from 66.67% to 86.1% (exceeds 85% target)
- All security scans pass with zero Critical/High vulnerabilities
- 38 SSRF protection tests verified passing
Technical details:
- Added optional http.RoundTripper parameter to TestURLConnectivity()
- Created mockTransport for test isolation without network calls
- Changed settings handler test to use public URL for validation
- Verified no regressions in existing test suite
Closes: Coverage gap identified in Codecov report
See: docs/plans/user_handler_coverage_fix.md
See: docs/plans/qa_remediation.md
See: docs/reports/qa_report_final.md
Moves user registration/login before proxy host creation in the
Coraza integration test. The /api/v1/proxy-hosts endpoint requires
authentication, but the script was attempting to create the host
before logging in.
Changes:
- Move auth block after httpbin ready, before proxy host create
- Add -b ${TMP_COOKIE} to all proxy-host curl commands
- Remove duplicate auth block
Fixes CI failure in waf-integration.yml workflow.
