fix: high-severity security hardening (Phase B permissions audit)

Phase B addresses 7 high-severity gaps from the permissions audit:

- B1: Enforce tree access check on session start via can_access_tree
- B2: Replace all inline permission helpers with centralized permissions.py
- B3: Fix require_engineer_or_admin to check is_team_admin before role
- B4: Add is_active field on User with enforcement in get_current_active_user
- B5: Add admin user management endpoints (list, get, role, team-admin, deactivate, activate)
- B6: Add rate limiting on auth/invite endpoints via slowapi (disabled in DEBUG)
- B7: Implement refresh token rotation with JTI-based revocation and meaningful logout

Also reduces access token TTL from 15 to 5 minutes and updates CLAUDE.md
with SaaS/MSP context for future planning sessions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

This commit is contained in:

chihlasm

2026-02-05 22:44:05 -05:00

parent 3e0fb92012

commit 71ba0b95a5

27 changed files with 743 additions and 229 deletions

									
										6

backend/app/core/rate_limit.py
									
										Normal file
									
												View File
												
				@@ -0,0 +1,6 @@

				from slowapi import Limiter

				from slowapi.util import get_remote_address

				from app.core.config import settings

				limiter = Limiter(key_func=get_remote_address, enabled=not settings.DEBUG)

fix: high-severity security hardening (Phase B permissions audit)

6 backend/app/core/rate_limit.py Normal file Unescape Escape View File

6

backend/app/core/rate_limit.py Normal file

View File