feat: add unified code quality dashboard with multiple validators

- Add validator_type field to scans and violations (architecture, security, performance) - Create security validator with SEC-xxx rules - Create performance validator with PERF-xxx rules - Add base validator class for shared functionality - Add validate_all.py script to run all validators - Update code quality service with validator type filtering - Add validator type tabs to dashboard UI - Add validator type filter to violations list - Update stats response with per-validator breakdown - Add security and performance rules documentation - Add chat-bubble icons to icon library 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-21 20:57:47 +01:00
parent 6a903e16c6
commit 26b3dc9e3b
27 changed files with 5270 additions and 119 deletions
--- a/.security-rules/api_security.yaml
+++ b/.security-rules/api_security.yaml
@@ -0,0 +1,66 @@
+# API Security Rules
+# ==================
+
+api_security_rules:
+  - id: SEC-031
+    name: CORS origin validation
+    severity: error
+    description: >
+      CORS must not allow all origins in production.
+      Specify allowed origins explicitly.
+
+  - id: SEC-032
+    name: Rate limiting on sensitive endpoints
+    severity: warning
+    description: >
+      Auth, password reset, and payment endpoints need rate limiting.
+
+  - id: SEC-033
+    name: Security headers
+    severity: warning
+    description: >
+      Configure security headers like X-Content-Type-Options,
+      X-Frame-Options, Content-Security-Policy.
+
+  - id: SEC-034
+    name: HTTPS enforcement
+    severity: error
+    description: >
+      External URLs must use HTTPS.
+      HTTP is only acceptable for localhost.
+
+  - id: SEC-035
+    name: Request size limits
+    severity: warning
+    description: >
+      Limit request body size to prevent DoS attacks.
+
+  - id: SEC-036
+    name: Input validation with Pydantic
+    severity: warning
+    description: >
+      All API inputs should be validated using Pydantic models.
+
+  - id: SEC-037
+    name: API versioning
+    severity: info
+    description: >
+      APIs should be versioned for security update isolation.
+
+  - id: SEC-038
+    name: Method restrictions
+    severity: warning
+    description: >
+      Endpoints should only allow necessary HTTP methods.
+
+  - id: SEC-039
+    name: Authentication bypass prevention
+    severity: error
+    description: >
+      Ensure authentication cannot be bypassed.
+
+  - id: SEC-040
+    name: Timeout configuration
+    severity: warning
+    description: >
+      All external calls must have timeouts configured.