- Add category selection (feature_request, bug, question, announcement)
- Add status tracking (new, in_progress, resolved, rejected) with admin controls
- Add file attachments support (JPG, PNG, GIF up to 5MB)
- Multi-file upload (up to 10 files per reply) with drag & drop and paste
- New FileUploadService with EXIF stripping for privacy
- Admin panel with status statistics and change modal
- Grid display for multiple attachments
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Document Auto Claude state files that should never be committed
- Add pre-commit hook that automatically unstages Auto Claude files
- Include troubleshooting steps for merge conflicts
- Document worktree management commands
This prevents future merge conflicts caused by .auto-claude-* files.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Security fix: Remove hardcoded database credentials from shell scripts and source code.
Changes:
- Scripts now use environment variables ($DATABASE_URL, $PGPASSWORD)
- Safe fallback values with CHANGE_ME placeholder
- Added .env.example template
- Added docs/SECURITY.md documentation
- Updated CLAUDE.md with credential management guidelines
Resolves conflict by removing Auto Claude state files (already in .gitignore).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Created TEST_RESULTS_SHELL_SCRIPTS.md with comprehensive test verification
- Verified script properly validates PGPASSWORD environment variable
- Confirmed clear error message and exit code 1 when PGPASSWORD not set
- All validation checks pass successfully
- Created test_database_url_validation.py for static code analysis
- Created test_runtime_errors.py for runtime error verification
- Created TEST_RESULTS.md with comprehensive test documentation
- All 7 Python scripts verified to use safe 'CHANGE_ME' fallback
- Confirmed no hardcoded production credentials remain in code
- Scripts properly fail with clear authentication errors
- Test coverage: 7/7 scripts passed (100%)
Security validation complete for CWE-798 remediation.
Created comprehensive docs/SECURITY.md with:
- Database credentials management guide (CWE-798 security)
- Complete environment variables reference
- Development and production setup instructions
- Shell script configuration (.pgpass, PGPASSWORD)
- Security best practices (never hardcode credentials)
- Verification and testing procedures
- Troubleshooting guide for common issues
- Incident response procedures for compromised credentials
- Links to official documentation and security standards
This completes Phase 4 (Documentation) of the credential security cleanup task.
- Added PGPASSWORD environment variable check at script start
- Replaced 3 instances of hardcoded 'NordaBiz2025Secure' with $PGPASSWORD
- Added usage instructions and security warning (CWE-798)
- Script now exits with error if PGPASSWORD is not set
- Removed hardcoded DATABASE_URL assignment with 'NordaBiz2025Secure' password
- Added comprehensive warning comment about CWE-798 security vulnerability
- Script now relies on DATABASE_URL environment variable or safe fallback from database.py
- Follows same security pattern as other updated scripts (run_migration.py, etc.)
- Replaced hardcoded password 'NordaBiz2025Secure' with placeholder 'CHANGE_ME'
- Added comprehensive warning comment about CWE-798 (Use of Hard-coded Credentials)
- Production credentials must now be set via DATABASE_URL environment variable
Fixed 2 minor inaccuracies found during verification:
- Company logos count: 82 → 80 images
- Python packages count: 13 → 16 packages
Comprehensive verification completed:
✅ No static HTML references
✅ All files exist
✅ Technology versions correct
✅ Commands verified
✅ Production details accurate
See technical-verification-report.md for full details.
Completed comprehensive key features inventory for README.md update.
Created key-features-inventory.md (19KB) documenting 20 features:
- 5 user-facing features (Company Directory, Search, AI Chat, Auth, Notifications)
- 8 admin features (News, Social Media, SEO, GBP/IT Audits, Forum, Calendar, Users)
- 7 technical features (API, Deployment, Security, Database, Verification, External APIs, Testing)
All features categorized by priority (top/high/medium) and documented with:
- Implementation status (all LIVE)
- Technology stack
- Endpoints/scripts
- Database tables
- Source references
Acceptance criteria met:
✓ Complete feature list from CLAUDE.md
✓ User-facing vs admin features categorized
✓ All features documented with details and sources
Files created in .auto-claude/specs/:
- key-features-inventory.md (19KB)
- Updated build-progress.txt
- Updated implementation_plan.json
- Add dark admin bar below main navigation (visible only for admins)
- Group admin functions into 3 dropdowns: Zarządzanie, Audyty, Analityka
- Remove admin links from user dropdown menu
- Keep user menu clean with only personal items
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add POST /api/admin/users/ai-parse endpoint for text/image parsing
- Add POST /api/admin/users/bulk-create for batch user creation
- Add "Dodaj z AI" button with purple gradient in admin users panel
- Add 3-step modal flow (Input → Review → Results)
- Support text paste from any source (email, Excel, CRM, Slack)
- Support screenshot upload and clipboard paste (Ctrl+V / Cmd+V)
- AI extracts emails, names, matches companies, detects admin roles
- Display generated passwords with copy functionality
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Zmiana lazy='joined' dla relationship w modelu User
aby uniknąć błędu podczas dostępu do current_user.company w szablonach
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add /admin/users panel for managing users (toggle admin, toggle verified, assign company, reset password, delete)
- Add link to admin menu in base.html
- Replace native confirm()/alert() with styled modals and toast notifications
- Add confirmation modal for password reset with warning icon
- Add styled reset URL modal with copy functionality
- Add danger-styled confirmation modal for user deletion
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove sensitive tokens from logs (show only 8-char preview)
- Enforce SECRET_KEY minimum 32 characters (no default value)
- Reduce login rate limit from 100/hour to 5/hour
- Remove exposed PageSpeed API key from CLAUDE.md
BREAKING: Application requires SECRET_KEY >= 32 chars in .env
Author: Maciej Pienczyn z wykorzystaniem AI i Claude Opus
