Release v2.3.1: Feature release with security hardening and DRY refactors

.dockerignore

@@ -1 +1,98 @@
-spec
+# See https://docs.docker.com/engine/reference/builder/#dockerignore-file for more about ignoring files.
+
+# Ignore git directory.
+/.git/
+/.gitignore
+
+# Ignore bundler config.
+/.bundle
+
+# Ignore all environment files.
+/.env*
+
+# Ignore all default key files.
+/config/master.key
+/config/credentials/*.key
+
+# Ignore all logfiles and tempfiles.
+/log/*
+/tmp/*
+!/log/.keep
+!/tmp/.keep
+
+# Ignore pidfiles, but keep the directory.
+/tmp/pids/*
+!/tmp/pids/.keep
+
+# Ignore storage (uploaded files in development and any SQLite databases).
+/storage/*
+!/storage/.keep
+/tmp/storage/*
+!/tmp/storage/.keep
+
+# Ignore assets.
+/node_modules/
+/app/assets/builds/*
+!/app/assets/builds/.keep
+/public/assets
+
+# Ignore CI service files.
+/.github
+
+# Ignore development files
+/.devcontainer
+
+# Ignore Docker-related files
+/.dockerignore
+/Dockerfile*
+
+# Ignore test files
+/spec
+
+# Ignore documentation site (has its own node_modules)
+/docs
+
+# Ignore development downloads and test artifacts
+/downloads
+/coverage
+
+# Ignore development-only files
+/.beads
+/.overcommit.yml
+/lefthook.yml
+/.rubocop.yml
+/.eslintrc.js
+/.prettierrc
+/vitest.config.js
+/babel.config.js
+/jsconfig.json
+/sonar-project.properties
+/postcss.config.js
+
+# Ignore non-Linux binaries
+/bin/vulcan
+
+# Ignore compose and bake files (not needed inside image)
+/docker-compose*.yml
+/docker-bake.hcl
+/Caddyfile*
+/nginx.conf*
+/setup-docker-secrets.sh
+
+# Ignore markdown files not needed at runtime
+/CHANGELOG.md
+/CODE_OF_CONDUCT.md
+/CONTRIBUTING.md
+/LICENSE.md
+/NOTICE.md
+/README.md
+/RELEASE_NOTES.md
+/SECURITY.md
+/ROADMAP.md
+/BENCHMARK-VIEWER-DESIGN.md
+/AGENT-STATUS
+/ENVIRONMENT_VARIABLES.md
+/CLAUDE.md
+/_config.yml
+/CNAME
+/create_admin.rb

.env.example

@@ -6,9 +6,23 @@
 # =============================================================================
 # DATABASE
 # =============================================================================
-# Development database URL (for local Rails development)
-# DATABASE_URL commented out - let database.yml handle dev/test separation
-# DATABASE_URL=postgres://postgres:postgres@127.0.0.1:5432/vulcan_vue_development
+# Defaults (port 5432, host 127.0.0.1) work for single-project development.
+# Running multiple projects simultaneously? Assign unique ports per project.
+# See docs/development/port-registry.md for recommended port assignments.
+#
+# DATABASE_PORT=5432
+# DATABASE_HOST=127.0.0.1
+# POSTGRES_PORT=5432
+#
+# macOS with Kerberos/GSSAPI connection errors (corporate networks):
+# DATABASE_GSSENCMODE=disable
+#
+# Worktree isolation: suffix appended to database names in database.yml
+# Each worktree gets its own database (e.g., vulcan_vue_development_v2)
+# DB_SUFFIX=_v2
+#
+# App server port (Puma):
+# PORT=3000
 
 # Docker database password (used by docker-compose)
 POSTGRES_PASSWORD=postgres
@@ -22,15 +36,27 @@ SECRET_KEY_BASE=development_secret_key_base_not_for_production_use
 CIPHER_PASSWORD=development_cipher_password_not_for_production_use
 CIPHER_SALT=development_cipher_salt_not_for_production_use
 
+# =============================================================================
+# SSL/TLS CONFIGURATION
+# =============================================================================
+# Force HTTPS redirects. Defaults to true (secure by default).
+# Set to false ONLY for Docker quickstart without SSL termination or local testing.
+# When behind a reverse proxy (nginx, traefik), the proxy handles SSL termination
+# and sets X-Forwarded-Proto header, so keep this true.
+# RAILS_FORCE_SSL=true
+# For local Docker testing without SSL:
+# RAILS_FORCE_SSL=false
+
 # =============================================================================
 # TEST OKTA CONFIGURATION (Development/Testing)
 # =============================================================================
-# This is a test Okta instance for development
-VULCAN_ENABLE_OIDC=true
-VULCAN_OIDC_PROVIDER_TITLE=Okta (Test)
-VULCAN_OIDC_ISSUER_URL=https://trial-8371755.okta.com
-VULCAN_OIDC_CLIENT_ID=0oas3uve5k2VeT8KV697
-VULCAN_OIDC_CLIENT_SECRET=aqfejOc97hxqtp5xZmn46yZ-m00Mx_xs3KIOzrlJuSM_UY_qx8BwhSaWYhvuOEnH
+# OIDC authentication (Okta, Auth0, Keycloak, Azure AD)
+# See docs/deployment/auth/ for provider-specific setup guides
+VULCAN_ENABLE_OIDC=false
+VULCAN_OIDC_PROVIDER_TITLE=Okta
+VULCAN_OIDC_ISSUER_URL=https://your-domain.okta.com
+VULCAN_OIDC_CLIENT_ID=your_oidc_client_id
+VULCAN_OIDC_CLIENT_SECRET=your_oidc_client_secret
 VULCAN_OIDC_REDIRECT_URI=http://localhost:3000/users/auth/oidc/callback
 
 # With auto-discovery enabled (default), these endpoints are discovered automatically
@@ -43,7 +69,21 @@ VULCAN_OIDC_REDIRECT_URI=http://localhost:3000/users/auth/oidc/callback
 # Enable local username/password login (useful for development)
 VULCAN_ENABLE_LOCAL_LOGIN=true
 VULCAN_ENABLE_USER_REGISTRATION=true
-VULCAN_SESSION_TIMEOUT=60
+# Session timeout: plain seconds (900), or with suffix: 30s, 15m, 1h
+# Plain numbers: 1-9=hours, 10-299=minutes, 300+=seconds
+# Default: 3600 (1 hour). DoD standard: 900 (15 min)
+VULCAN_SESSION_TIMEOUT=1h
+# Remember Me: keep user logged in across browser restarts
+# When enabled + checked, session persists for remember_me_duration instead of session_timeout
+VULCAN_ENABLE_REMEMBER_ME=true
+# VULCAN_REMEMBER_ME_DURATION=8h
+
+# Admin Bootstrap (choose one method):
+# Method 1: First user becomes admin (default, great for dev)
+VULCAN_FIRST_USER_ADMIN=true
+# Method 2: Create specific admin from env vars (runs on db:prepare)
+# VULCAN_ADMIN_EMAIL=admin@example.com
+# VULCAN_ADMIN_PASSWORD=SecurePassword123!
 
 # LDAP (disabled by default)
 VULCAN_ENABLE_LDAP=false
@@ -61,7 +101,7 @@ VULCAN_CONTACT_EMAIL=admin@example.com
 VULCAN_WELCOME_TEXT=Welcome to Vulcan Development
 
 # Project permissions
-VULCAN_PROJECT_CREATE_PERMISSION_ENABLED=false
+VULCAN_PROJECT_CREATE_PERMISSION_ENABLED=true
 
 # =============================================================================
 # EMAIL/SMTP (Optional)
@@ -73,6 +113,52 @@ VULCAN_ENABLE_SMTP=false
 # VULCAN_SMTP_SERVER_USERNAME=notifications@example.com  # Defaults to VULCAN_CONTACT_EMAIL if not set
 # VULCAN_SMTP_SERVER_PASSWORD=smtp_password
 
+# =============================================================================
+# ACCOUNT LOCKOUT (STIG AC-07 — enabled by default)
+# =============================================================================
+# Lock accounts after consecutive failed login attempts.
+# Accounts auto-unlock after unlock_in_minutes OR via admin unlock on Users page.
+# Set VULCAN_LOCKOUT_ENABLED=false to disable entirely.
+# unlock_strategy: email (sends unlock email), time (auto-unlock), both (default)
+# VULCAN_LOCKOUT_ENABLED=true
+# VULCAN_LOCKOUT_MAX_ATTEMPTS=3
+# VULCAN_LOCKOUT_UNLOCK_IN_MINUTES=15
+# VULCAN_LOCKOUT_UNLOCK_STRATEGY=both
+# VULCAN_LOCKOUT_LAST_ATTEMPT_WARNING=true
+
+# =============================================================================
+# CLASSIFICATION BANNER & CONSENT (Optional)
+# =============================================================================
+# Display a colored classification banner at top and bottom of every page
+# DoD standard colors: UNCLASSIFIED=#007a33, CUI=#502b85, CONFIDENTIAL=#0033a0,
+# SECRET=#c8102e, TOP SECRET=#ff671f, TS/SCI=#f7ea48 (text: #000000)
+VULCAN_BANNER_ENABLED=false
+# VULCAN_BANNER_TEXT=UNCLASSIFIED
+# VULCAN_BANNER_BACKGROUND_COLOR=#007a33
+# VULCAN_BANNER_TEXT_COLOR=#ffffff
+
+# Consent/terms-of-use modal — blocks access until user clicks "I Agree"
+# Acknowledgment is tracked server-side in the Rails session (AC-8 compliant).
+# Increment VULCAN_CONSENT_VERSION to re-prompt all users.
+# Content supports Markdown formatting (bold, lists, links, etc.)
+VULCAN_CONSENT_ENABLED=false
+# VULCAN_CONSENT_VERSION=1
+# VULCAN_CONSENT_TITLE=Terms of Use
+# VULCAN_CONSENT_CONTENT=By using this system you agree to the **acceptable use policy**.
+# How long consent remains valid: 0 = per-session (DoD default), or e.g. 24h, 12h, 30m
+VULCAN_CONSENT_TTL=0
+
+# =============================================================================
+# PASSWORD POLICY (Optional — DoD-aligned defaults)
+# =============================================================================
+# All settings default to DoD "2222" values when unset (15 chars, 2 of each type).
+# Set any count to 0 to disable that requirement.
+# VULCAN_PASSWORD_MIN_LENGTH=15
+# VULCAN_PASSWORD_MIN_UPPERCASE=2
+# VULCAN_PASSWORD_MIN_LOWERCASE=2
+# VULCAN_PASSWORD_MIN_NUMBER=2
+# VULCAN_PASSWORD_MIN_SPECIAL=2
+
 # =============================================================================
 # SLACK INTEGRATION (Optional)
 # =============================================================================
@@ -83,6 +169,7 @@ VULCAN_ENABLE_SLACK_COMMS=false
 # =============================================================================
 # DEVELOPMENT NOTES
 # =============================================================================
-# Default admin login (after seeding): admin@example.com / 1234567ab!
+# Default admin login (after seeding): admin@example.com with default password
+# Override seed password: VULCAN_SEED_ADMIN_PASSWORD=YourPassword123!
 # To seed the database: bundle exec rake db:seed
 # To reset and reseed: bundle exec rake db:reset

.env.production.example

@@ -47,7 +47,22 @@ VULCAN_ENABLE_LDAP=false
 # --- Option 3: Local Login (Not recommended for production) ---
 VULCAN_ENABLE_LOCAL_LOGIN=false
 VULCAN_ENABLE_USER_REGISTRATION=false
-VULCAN_SESSION_TIMEOUT=60
+# Session timeout: plain seconds (900), or with suffix: 30s, 15m, 1h
+# Plain numbers: 1-9=hours, 10-299=minutes, 300+=seconds
+# DoD standard: 900 (15 min) for non-privileged, 600 (10 min) for admin
+VULCAN_SESSION_TIMEOUT=15m
+# Remember Me: keep user logged in across browser restarts
+# Disable for DoD/high-security environments
+VULCAN_ENABLE_REMEMBER_ME=false
+# VULCAN_REMEMBER_ME_DURATION=8h
+
+# --- Admin Bootstrap (Production) ---
+# Disable first-user-admin for production (security best practice)
+VULCAN_FIRST_USER_ADMIN=false
+# Create admin via environment variables instead (recommended):
+# VULCAN_ADMIN_EMAIL=admin@your-org.com
+# VULCAN_ADMIN_PASSWORD=your_secure_password_here
+# If password is omitted, a secure random password will be generated and logged
 
 # =============================================================================
 # REQUIRED: Application Settings
@@ -74,6 +89,48 @@ VULCAN_SMTP_SERVER_PASSWORD=secure_smtp_password
 # Optional: Email confirmation for new users
 VULCAN_ENABLE_EMAIL_CONFIRMATION=false
 
+# =============================================================================
+# OPTIONAL: Account Lockout (STIG AC-07 — enabled by default)
+# =============================================================================
+# Lock accounts after consecutive failed login attempts.
+# Defaults are STIG AC-07 compliant (3 attempts, 15 min unlock).
+# VULCAN_LOCKOUT_ENABLED=true
+# VULCAN_LOCKOUT_MAX_ATTEMPTS=3
+# VULCAN_LOCKOUT_UNLOCK_IN_MINUTES=15
+# VULCAN_LOCKOUT_UNLOCK_STRATEGY=both
+# VULCAN_LOCKOUT_LAST_ATTEMPT_WARNING=true
+
+# =============================================================================
+# OPTIONAL: Classification Banner & Consent
+# =============================================================================
+# Display a colored classification banner at top and bottom of every page
+# DoD standard colors: UNCLASSIFIED=#007a33, CUI=#502b85, CONFIDENTIAL=#0033a0,
+# SECRET=#c8102e, TOP SECRET=#ff671f, TS/SCI=#f7ea48 (text: #000000)
+VULCAN_BANNER_ENABLED=false
+# VULCAN_BANNER_TEXT=UNCLASSIFIED
+# VULCAN_BANNER_BACKGROUND_COLOR=#007a33
+# VULCAN_BANNER_TEXT_COLOR=#ffffff
+
+# Consent/terms-of-use modal — blocks access until user clicks "I Agree"
+# Acknowledgment is tracked server-side in the Rails session (AC-8 compliant).
+# Increment VULCAN_CONSENT_VERSION to re-prompt all users.
+# Content supports Markdown formatting (bold, lists, links, etc.)
+VULCAN_CONSENT_ENABLED=false
+# VULCAN_CONSENT_VERSION=1
+# VULCAN_CONSENT_TITLE=Terms of Use
+# VULCAN_CONSENT_CONTENT=By using this system you agree to the **acceptable use policy**.
+# How long consent remains valid: 0 = per-session (DoD default), or e.g. 24h, 12h, 30m
+VULCAN_CONSENT_TTL=0
+
+# =============================================================================
+# OPTIONAL: Password Policy (DoD-aligned defaults — usually no changes needed)
+# =============================================================================
+# VULCAN_PASSWORD_MIN_LENGTH=15
+# VULCAN_PASSWORD_MIN_UPPERCASE=2
+# VULCAN_PASSWORD_MIN_LOWERCASE=2
+# VULCAN_PASSWORD_MIN_NUMBER=2
+# VULCAN_PASSWORD_MIN_SPECIAL=2
+
 # =============================================================================
 # OPTIONAL: Slack Integration
 # =============================================================================
@@ -95,8 +152,11 @@ STRUCTURED_LOGGING=true
 RAILS_MAX_THREADS=5
 WEB_CONCURRENCY=2
 
-# Force SSL in production
-FORCE_SSL=true
+# Force HTTPS redirects. Defaults to true (secure by default).
+# Set to false ONLY for Docker quickstart without SSL termination.
+# When behind a reverse proxy (nginx, traefik), keep this true as the
+# proxy handles SSL termination and sets X-Forwarded-Proto header.
+RAILS_FORCE_SSL=true
 
 # Serve static files (required for Docker)
 RAILS_SERVE_STATIC_FILES=true

.foreman

@@ -0,0 +1 @@
+port: 3000

.gitguardian.yml

@@ -0,0 +1,18 @@
+# GitGuardian Configuration
+# https://docs.gitguardian.com/ggshield-docs/configuration
+version: 2
+
+secret:
+  # Exclude backup/archive files from scanning
+  ignored_paths:
+    - '**/*.backup'
+    - 'archive/**'
+
+  # Known non-secret test credentials
+  # GoodNewsEveryone is the documented public default password for rroemhild/test-openldap
+  # See: https://github.com/rroemhild/docker-test-openldap
+  ignored_matches:
+    - name: rroemhild/test-openldap public default LDAP admin password
+      match: GoodNewsEveryone
+    - name: Dev seed admin default password (overridable via VULCAN_SEED_ADMIN_PASSWORD)
+      match: 12qwaszx!@QWASZX