Commit graph

3 commits

Author SHA1 Message Date
david kiania
a0022fbeaf fix(security): escape API strings, pin CDN scripts, add CSP (FO-SEC-01/02/03)
The tickets code escaped HTML, but the logistics + fuel renderers and the error
banners interpolated API strings straight into innerHTML. Fuel Log fields
(driver, department, fuel_type, plate) come from WhatsApp messages and
vehicle/driver names from the Tracksolid registry — both user-controlled — so
this was a stored-XSS path into every dispatcher's browser.

- Hoist escapeHtml into HELPERS + add esc(); route every logistics/fuel renderer
  and the three error banners through it (21 -> 37 escaped call sites).
- SRI integrity + crossorigin on Chart.js 4.4.1 and maplibre-gl 4.7.1 JS/CSS.
- Caddyfile: CSP (self + pinned CDNs + CARTO basemap + the two fleet APIs),
  X-Content-Type-Options, Referrer-Policy, frame-ancestors 'none', -Server.
  Validated with `caddy validate` inside the deployed image.
- loadLive(): check r.ok; pause the 15s live poll while hidden or off the Tickets
  tab, refresh immediately on return (FO-BUG-01/02).
- Missing-API_BASE fallback flipped staging -> prod, matching the documented
  design (FO-OPS-01).

Inline app script passes `node --check`. Audit + plan + work log in docs/260702_*.
Local only; not deployed.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-02 09:47:40 +03:00
david kiania
a6af4f5646 fix(caddy): evaluate {{env}} in env.js (templates mime)
Caddy `templates` only processes text/html + text/plain by default, so the
text/javascript env.js was served with {{env "API_BASE"}} unevaluated (a literal
that's also a JS parse error). Name the JS MIME types in the templates directive
so the API_BASE injection works — required for prod to point at the prod API
(staging worked only via the index.html fallback).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-10 13:23:26 +03:00
david kiania
ff5945a85d feat: FleetOps analytics SPA (Caddy) — initial scaffold
Fleet operations analytics (fuel · utilisation · distance · driver behaviour),
sibling to FleetNow. Self-contained src/index.html (inline CSS/JS + Chart.js CDN)
reusing FleetNow's warm-dark ops palette + header shell for a familiar look.

Reads dashboard_api /analytics/* (fleet-summary, utilisation, driver-behaviour,
fuel, filters). Panels: KPI strip, distance/idle daily-trend chart, per-vehicle
table, driver leaderboard, fuel (data-gated).

Served by Caddy on :80 (Traefik terminates TLS). Per-env API base injected at
runtime via Caddy `templates` -> /env.js ({{env "API_BASE"}}); falls back to the
staging API. Dockerfile runs `caddy validate` at build.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-10 13:00:31 +03:00