CRITICAL fixes:
- Restrict X-View-Tenant impersonation to global admin only (was any admin)
- Add authorization to subscription endpoints (was open to any user)
- Make webhook signature verification mandatory (was skippable)
- Remove databaseName from JWT payload (resolve server-side with cache)
- Reduce body size limit from 1GB to 10MB (50MB for bulk CFDI)
- Restrict .env file permissions to 600
HIGH fixes:
- Add authorization to SAT cron endpoints (global admin only)
- Add Content-Security-Policy and Permissions-Policy headers
- Centralize isGlobalAdmin() utility with caching
- Add rate limiting on auth endpoints (express-rate-limit)
- Require authentication on logout endpoint
MEDIUM fixes:
- Replace Math.random() with crypto.randomBytes for temp passwords
- Remove console.log of temporary passwords in production
- Remove DB credentials from admin notification email
- Add escapeHtml() to email templates (prevent HTML injection)
- Add file size validation on FIEL upload (50KB max)
- Require TLS for SMTP connections
- Normalize email to lowercase before uniqueness check
- Remove hardcoded default for FIEL_ENCRYPTION_KEY
Also includes:
- Complete production deployment documentation
- API reference documentation
- Security audit report with remediation details
- Updated README with v0.5.0 changelog
- New client admin email template
- Utility scripts (create-carlos, test-emails)
- PM2 ecosystem config updates
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Fix metadata.json shown as unencrypted in tree (now .enc)
- Fix admin bypass order in checkPlanLimits (moved before status check)
- Add PM2 cross-worker cache invalidation via process messaging
- Fix fiel_credentials "no changes" contradiction with per-component IV
- Backup all tenant DBs regardless of active status
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Detailed step-by-step implementation plan for:
- PDF-like invoice visualization
- PDF download via html2pdf.js
- XML download endpoint
- Modal integration in CFDI page
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Design for PDF-like invoice visualization with:
- Modal viewer with invoice preview
- PDF download via html2pdf.js
- XML download from stored data
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Document current implementation status
- Add pending items to verify after SAT rate limit resets
- Include test tenant info and verification commands
- List known issues and workarounds
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add custom date range support for SAT synchronization
- Fix UUID cast in SQL queries for sat_sync_job_id
- Fix processInitialSync to respect custom dateFrom/dateTo parameters
- Add date picker UI for custom period sync
- Add comprehensive documentation for SAT sync implementation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Detailed implementation plan with 9 phases:
1. Database models and migrations
2. Cryptography and FIEL services
3. SAT communication services
4. CFDI XML parser
5. Main orchestrator service
6. Scheduled cron job
7. API endpoints
8. Frontend components
9. Testing and validation
Includes:
- 16 new files to create
- 5 files to modify
- Dependencies list
- Implementation order
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Design document for automatic CFDI synchronization with SAT:
- FIEL (e.firma) authentication
- Download emitted and received CFDIs
- Daily automated sync at 3:00 AM
- Initial extraction of last 10 years
- Encrypted credential storage (AES-256-GCM)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Detailed step-by-step plan covering:
- Monorepo setup with Turborepo + pnpm
- Shared package with types and constants
- Express API with JWT authentication
- Prisma with PostgreSQL multi-tenant (schema per tenant)
- Next.js 14 frontend
- 4-theme system (Light, Vibrant, Corporate, Dark)
- Login/Register pages with auth store
- Demo data seed
- Docker Compose configuration
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Complete design document with architecture, data models, and API specs
- Database schema (Prisma) for multi-tenant PostgreSQL
- README with project overview and plans
- Support for 4 visual themes (Light, Vibrant, Corporate, Dark)
- Comprehensive module specifications:
  - Dashboard with KPIs
  - CFDI management
  - IVA/ISR tax control
  - Bank reconciliation
  - Fiscal calendar
  - User management with roles
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>