feat: add unified code quality dashboard with multiple validators

- Add validator_type field to scans and violations (architecture, security, performance) - Create security validator with SEC-xxx rules - Create performance validator with PERF-xxx rules - Add base validator class for shared functionality - Add validate_all.py script to run all validators - Update code quality service with validator type filtering - Add validator type tabs to dashboard UI - Add validator type filter to violations list - Update stats response with per-validator breakdown - Add security and performance rules documentation - Add chat-bubble icons to icon library 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-21 20:57:47 +01:00
parent 6a903e16c6
commit 26b3dc9e3b
27 changed files with 5270 additions and 119 deletions
--- a/.security-rules/authentication.yaml
+++ b/.security-rules/authentication.yaml
@@ -0,0 +1,70 @@
+# Authentication Security Rules
+# =============================
+
+authentication_rules:
+  - id: SEC-001
+    name: No hardcoded credentials
+    severity: error
+    description: >
+      Credentials must never be hardcoded in source code.
+      Use environment variables or secret management.
+
+  - id: SEC-002
+    name: JWT expiry enforcement
+    severity: error
+    description: >
+      All JWT tokens must have expiration claims.
+      Access tokens should expire in 15-60 minutes.
+
+  - id: SEC-003
+    name: Password hashing required
+    severity: error
+    description: >
+      Passwords must be hashed using bcrypt, argon2, or scrypt.
+      Never store or compare passwords in plain text.
+
+  - id: SEC-004
+    name: Session regeneration after auth
+    severity: warning
+    description: >
+      Session IDs should be regenerated after authentication
+      to prevent session fixation attacks.
+
+  - id: SEC-005
+    name: Brute force protection
+    severity: warning
+    description: >
+      Login endpoints should implement rate limiting
+      or account lockout after failed attempts.
+
+  - id: SEC-006
+    name: Secure password reset
+    severity: warning
+    description: >
+      Password reset tokens must be cryptographically random,
+      expire within 1 hour, and be single-use.
+
+  - id: SEC-007
+    name: Authentication on sensitive endpoints
+    severity: error
+    description: >
+      All endpoints except public ones must require authentication.
+
+  - id: SEC-008
+    name: Token in Authorization header
+    severity: warning
+    description: >
+      JWT tokens should be sent in Authorization header,
+      not in URL parameters.
+
+  - id: SEC-009
+    name: Logout invalidates tokens
+    severity: warning
+    description: >
+      Logout should invalidate or blacklist tokens.
+
+  - id: SEC-010
+    name: Multi-factor authentication support
+    severity: info
+    description: >
+      Consider implementing MFA for sensitive operations.