Drives the work that closes the v1.1.0 production-readiness audit
findings: username + password + role auth on the web app, gated
SSE / QR endpoints, robots/noindex, env hygiene, container non-
root, and rate limits on the four currently-naked Server Actions.
Auth design highlights:
* Roll-our-own session cookie (no NextAuth) — bcrypt password +
HMAC-SHA256 signed cookie; edge-runtime middleware verifies on
every request; defense-in-depth requireUser / requireAdmin in
every Server Action.
* Username + password + 2-role model (admin / user). Schema
migration adds username + password_hash to existing operators
table.
* CLI bootstrap (scripts/set-password.sh) sets the first admin's
password before going live; user management UI gates everything
else.
* OPERATOR_TOKEN_VERSION env var as a global session-invalidation
lever.
* 38 unit tests covering brute-force / cookie tampering / replay /
expiry / fixation / open redirect / timing leak / rate limit /
origin-allowlist / unauth API regression / role gates / self-
demote and last-admin guards.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
yiekheng
feffe419db