TUM2026

SOC2 Compliance
Multi-tenant IT Admin Dashboard · tum2026.vercel.app · Next.js 16 + Prisma + Graph + NinjaOne + Sophos · Live
Summary: 36 Done · 0 In Progress · 1 Blocked · 8 Backlog
📋 Backlog (8)
H2 — Add session maxAge: 28800 (8h) to auth.config.ts
v4 Audit H2. NextAuth defaults to a 30-day JWT lifetime. An MSP admin tool must cap sessions at 8h (SOC2 CC6.4). One-liner fix in auth.config.ts.
Security · Auth
H1 — Fix JWT role refresh (remove if (user) guard in auth.ts)
v4 Audit H1. syncTechPermissions runs only at sign-in, so permission revocations take up to 30 days to take effect. Remove the guard or set a short maxAge (H2 covers this).
Security · Auth
H4/H5/H6 — Add ADMIN role check on 3 analytics routes
v4 Audit H4-H6. analytics/health-overview, analytics/licenses and analytics/task-runs expose all-tenant data to any authenticated user. Add hasMinRole(role, 'ADMIN') after the session guard.
Security · Backend
H7 — Rate Limiting (Upstash Ratelimit) — v4 Audit confirmed absent
v4 Audit H7. Still no rate-limiting dependency in package.json. Install @upstash/ratelimit + @upstash/redis. Apply to /api/webhooks/n8n (20/min), /api/tech/tasks/run (10/min/user) and the auth routes.
Security · Infra
H3/H8 — Timing-safe webhook + task permission fix
H3: Replace === with crypto.timingSafeEqual() when checking N8N_CALLBACK_SECRET. H8: Deny by default when taskPermissions.length === 0 in tech/tasks/run (empty permissions = block, not allow-all).
Security · Backend
M17 — AuditLog GDPR FK + M18 Retention Policy
M17: Add a tenantId FK to AuditLog (onDelete: SetNull) to enable GDPR erasure. M18: Add a monthly /api/cron/prune-audit-logs cron (7-year retention threshold). Both confirmed missing in the v4 audit.
SOC2 · DB
L5 — CSP Nonce-based (unsafe-inline/unsafe-eval removal)
TODO comment in next.config.ts. A full nonce-based CSP requires nonce injection in proxy.ts. Deferred (v4 confirmed LOW).
Security · Infra
Configure AdAgentId for Remaining Tenants
Only KTC is configured. Agent IDs are needed from the remaining 14 tenants for AD operations.
AD · Infra
🔄 In Progress (0)
(empty)
⛔ Blocked (1)
Rotate Azure AD Credentials
AUTH_MICROSOFT_ENTRA_ID_SECRET and GRAPH_CLIENT_SECRET were exposed in git history before the purge.
Requires Azure Portal access. The secrets must be rotated manually by the tenant admin.
Security · Auth
✅ Done (36)
Security Fixes v7 — 30/30 findings remediated (3C·9H·13M·5L)
Security · SOC2 · Backend
Security Audit v7 — 3C·9H·13M·5L (30 findings, −36 vs v6)
Security · SOC2 · Docs
Security Fixes — 21 findings remediated (v5 report)
Security · SOC2 · Backend
Security Audit v5 + ISO 27001:2022 Baseline
Security · SOC2 · Docs
H4/H5 — Defensive syncTechPermissions + Zod Validation (13 routes)
Security · Backend · Auth
Security Fixes Wave 1+2 — 16 Findings Remediated (v4 Audit)
Security · SOC2 · Backend
Security Audit v4 — 0 CRITICAL, 8 HIGH, 18 MEDIUM, 6 LOW
Security · SOC2 · Docs
Error Boundaries + Stability Fixes
Bug · Feature
N8N Webhook Receiver → SystemAlerts
Feature · Backend
Task Run SSE + Notifications + SystemAlert on Failure
Feature · Backend
HIGH H2–H4 + M6 — RBAC Admin Route Checks
Security · Auth
M1–M5 + L1–L3 — Zod, Sanitization, Hygiene
Security · SOC2
CRITICAL — Fix Sophos IDOR C1–C7 + /endpoints
Security
CRITICAL — Fix NinjaOne IDOR C8–C11
Security
CRITICAL C12 + HIGH H5–H6 — Zod + EDITOR role checks
Security
DB Migration Neon → Supabase
DB · Infra
Phase 1 — Secrets via Vercel Env Vars
SOC2
Security Audit Report
Security
IDOR Fix — NinjaOne Device Routes
Security
HTTP Security Headers
Security
RBAC Consistency (hasMinRole)
Auth
Middleware JWT Validation
Auth
AD Integration + Sync
AD
AD Group Management
AD
Run Task Feature (n8n webhook)
Feature
User Detail Panel + Page
Frontend
Microsoft SSO Auth
Auth
Multi-tenant Graph API
Backend
NinjaOne RMM Integration
Backend
Sophos Central Integration
Backend
GitHub Actions Deploy (Vercel)
Infra
SentinelAgent API Client
Backend
AdGroupMember String Keys Migration
DB
console.log Security Cleanup
Security
Code Cleanup — 0 TS errors
Backend
Full Code Review — Dead Code & Git Hygiene
Backend · Infra