Commit graph

6 commits

Author SHA1 Message Date
3cdd14c345 fix(security): CVE mitigations — path traversal, SSRF, dep upgrades, npm audit
Path traversal (cloud middleware):
- Add _VALID_USER_ID_RE UUID regex; reject non-UUID user_id before
  constructing db path from CLOUD_DATA_ROOT / user_id / ...
- Non-UUID values log a warning and fall through to unauthenticated path

SSRF (test_email IMAP endpoint):
- Add _is_ssrf_host() using ipaddress + socket.gethostbyname()
- Checks resolved IP against RFC-1918, loopback, and link-local ranges
- Fails closed on DNS resolution errors (returns True = blocked)

Dependency security pins in environment.yml (transitive CVEs):
- starlette>=1.0.1 (PYSEC-2026-161), python-multipart>=0.0.27 (CVE-2026-40347),
  aiohttp>=3.14.0, tornado>=6.5.5, cryptography>=46.0.7, langsmith>=0.8.0,
  gitpython>=3.1.50, lxml>=6.1.0, idna>=3.15, markdownify>=0.14.1
- Direct dep upgrades: requests>=2.33.0, pypdf>=6.12.0, python-dotenv>=1.2.2,
  PyJWT>=2.13.0, curl_cffi>=0.15.0

npm audit (web/package-lock.json):
- Resolved 7 of 9 CVEs; 2 remaining esbuild CVEs require vite 8 upgrade
  (tracked as issue #123 — breaking change, deferred)
2026-06-14 12:16:00 -07:00
15dc4b2646 chore: rename conda env job-seeker to cf; update README
Some checks failed
CI / test (pull_request) Failing after 22s
2026-03-31 10:39:25 -07:00
37d151725e feat: push interview events to connected calendar integrations (#19)
Implements idempotent calendar push for Apple Calendar (CalDAV) and
Google Calendar from the Interviews kanban.

- db: add calendar_event_id column (migration) + set_calendar_event_id helper
- integrations/apple_calendar: create_event / update_event via caldav + icalendar
- integrations/google_calendar: create_event / update_event via google-api-python-client;
  test() now makes a real API call instead of checking file existence
- scripts/calendar_push: orchestrates push/update, builds event title from stage +
  job title + company, attaches job URL and company brief to description,
  defaults to noon UTC / 1hr duration
- app/pages/5_Interviews: "Add to Calendar" / "Update Calendar" button shown
  when interview date is set and a calendar integration is configured
- environment.yml: pin caldav, icalendar, google-api-python-client, google-auth
- tests/test_calendar_push: 9 tests covering create, update, error handling,
  event timing, idempotency, and missing job/date guards
2026-03-16 21:31:22 -07:00
db127848a1 fix: resume CID glyphs, resume YAML path, PyJWT dep, candidate voice & mission UI
- resume_parser: add _clean_cid() to strip (cid:NNN) glyph refs from ATS PDFs;
  CIDs 127/149/183 become bullets, unknowns are stripped; applied to PDF/DOCX/ODT
- resume YAML: canonicalize plain_text_resume.yaml path to config/ across all
  references (Settings, Apply, Setup, company_research, migrate); was pointing at
  unmounted aihawk/data_folder/ in Docker
- requirements/environment: add PyJWT>=2.8 (was missing; broke Settings page)
- user_profile: add candidate_voice field
- generate_cover_letter: inject candidate_voice into SYSTEM_CONTEXT; add
  social_impact mission signal category (nonprofit, community, equity, etc.)
- Settings: add Voice & Personality textarea to Identity expander; add
  Mission & Values expander with editable fields for all 4 mission categories
- .gitignore: exclude CLAUDE.md, config/plain_text_resume.yaml,
  config/user.yaml.working
- search_profiles: add default profile
2026-02-26 12:32:28 -08:00
f45dae202b chore: mkdocs deps, CHANGELOG, remove dead Resume Editor page, backlog gap items 2026-02-25 13:51:13 -08:00
1dc1ca89d7 chore: seed Peregrine from personal job-seeker (pre-generalization)
App: Peregrine
Company: Circuit Forge LLC
Source: github.com/pyr0ball/job-seeker (personal fork, not linked)
2026-02-24 18:25:39 -08:00