- The security config Upsert update path copied all rate limit fields
from the incoming request onto the existing database record except
RateLimitMode, so the seeded default value of "disabled" always
survived a POST regardless of what the caller sent
- This silently prevented the Caddy rate_limit handler from being
injected on any container with a pre-existing config record (i.e.,
every real deployment and every CI run after migration)
- Added the missing field assignment so RateLimitMode is correctly
persisted on update alongside all other rate limit settings
- Integration test payload now also sends rate_limit_enable alongside
rate_limit_mode so the handler sync logic fires via its explicit
first branch, providing belt-and-suspenders correctness independent
of which path the caller uses to express intent
- Replaced dialog-based user creation with API calls for better reliability and speed.
- Added functions for resetting security state and retrieving authentication tokens.
- Improved audit log checks by implementing polling for asynchronous data retrieval.
- Enhanced role assignment and user management tests to utilize API endpoints.
- Streamlined login processes and error handling for failed login attempts.
- Ensured unique user data generation for test isolation.
- Updated error variable names for clarity in DNS provider, import, logs, manual challenge, security, user, and other handlers.
- Improved error handling in services such as backup, credential, docker, mail, notification, security headers, and uptime services.
- Enhanced readability by using more descriptive variable names for errors in multiple locations across the codebase.
- Ensured consistent error handling practices throughout the application.
- Added cleanup functions to close database connections in various test setups to prevent resource leaks.
- Introduced new helper functions for creating test services with proper cleanup.
- Updated multiple test cases to utilize the new helper functions for better maintainability and readability.
- Improved error handling in tests to ensure proper assertions and resource management.
- Added a reset of the models.Setting struct before querying for settings in both the Manager and Cerberus components to avoid ID leakage from previous queries.
- Introduced new functions in Cerberus for checking admin authentication and admin whitelist status.
- Enhanced middleware logic to allow admin users to bypass ACL checks if their IP is whitelisted.
- Added tests to verify the behavior of the middleware with respect to ACLs and admin whitelisting.
- Created a new utility for checking if an IP is in a CIDR list.
- Updated various services to use `Where` clause for fetching records by ID instead of directly passing the ID to `First`, ensuring consistency in query patterns.
- Added comprehensive tests for settings queries to demonstrate and verify the fix for ID leakage issues.
Update skipped-tests-remediation.md to reflect completion of Phase 1 (Cerberus default enablement):
Verified Cerberus defaults to enabled:true when no env vars set
28 tests now passing (previously skipped due to Cerberus detection)
Total skipped reduced from 98 → 63 (36% reduction)
All real-time-logs tests (25) now executing and passing
Break-glass disable flow validated and working
Evidence includes:
Environment variable absence check (no CERBERUS_* vars)
Status endpoint verification (enabled:true by default)
Playwright test execution results (28 passed, 32 skipped)
Breakdown of remaining 7 skipped tests (toggle actions not impl)
Phase 1 and Phase 3 now complete. Remaining work: user management UI (22 tests), TestDataManager auth fix (8 tests), security toggles (8 tests).
- Add API functions for fetching encryption status, rotating keys, retrieving rotation history, and validating key configuration.
- Create custom hooks for managing encryption status and key operations.
- Develop the EncryptionManagement page with UI components for displaying status, actions, and rotation history.
- Implement confirmation dialog for key rotation and handle loading states and error messages.
- Add tests for the EncryptionManagement component to ensure functionality and error handling.
- Implemented Audit Logs page with a detailed view for each log entry.
- Added API functions for fetching and exporting audit logs in CSV format.
- Created hooks for managing audit log data fetching and state.
- Integrated filtering options for audit logs based on various criteria.
- Added unit tests for the Audit Logs page to ensure functionality and correctness.
- Updated Security page to include a link to the Audit Logs page.
- Implement GeoIPService for IP-to-country lookups with comprehensive error handling.
- Add tests for GeoIPService covering various scenarios including invalid IPs and database loading.
- Extend AccessListService to handle GeoIP service integration, including graceful degradation when GeoIP service is unavailable.
- Introduce new tests for AccessListService to validate geo ACL behavior and country code parsing.
- Update SecurityService to include new fields for WAF configuration and enhance decision logging functionality.
- Add extensive tests for SecurityService covering rule set management and decision logging.
- Create a detailed Security Coverage QA Plan to ensure 100% code coverage for security-related functionality.
- Created `qa-test-output-after-fix.txt` and `qa-test-output.txt` to log results of certificate page authentication tests.
- Added `build.sh` for deterministic backend builds in CI, utilizing `go list` for efficiency.
- Introduced `codeql_scan.sh` for CodeQL database creation and analysis for Go and JavaScript/TypeScript.
- Implemented `dockerfile_check.sh` to validate Dockerfiles for base image and package manager mismatches.
- Added `sourcery_precommit_wrapper.sh` to facilitate Sourcery CLI usage in pre-commit hooks.
- Refactored `SyncMonitors` method in `uptime_service.go` for better readability.
- Updated unit tests for `UptimeService` to ensure proper functionality.
- Introduced Playwright configuration for end-to-end testing.
- Added e2e tests for WAF blocking and monitoring functionality.
- Enhanced the Security page to include WAF mode and rule set selection.
- Implemented tests for WAF configuration changes and validation.
- Created a `.last-run.json` file to store test results.
- Updated SecurityConfig model to only support 'local' or 'disabled' modes for CrowdSec.
- Modified related logic in the manager and services to reject external mode.
- Adjusted tests to validate the new restrictions on CrowdSec modes.
- Updated frontend components to remove references to external mode and provide appropriate user feedback.
- Enhanced documentation to reflect the removal of external CrowdSec mode support.
- Added SecurityConfig model to manage Cerberus settings including admin whitelist and break-glass token.
- Introduced SecurityService for handling security configurations and token generation.
- Updated Manager to check for admin whitelist before applying configurations to prevent accidental lockouts.
- Enhanced frontend with hooks and API calls for managing security settings and generating break-glass tokens.
- Updated documentation to include self-lockout protection measures and best practices for using Cerberus.
