Projects Dashboard

TUM2026

Active

MSP IT admin dashboard for managing client tenants. Integrates Microsoft Graph API (Azure AD users/groups/licenses), NinjaOne RMM, and Sophos Central per tenant. Each tenant has its own Azure App Registration credentials stored in the DB. · Live · GitHub

✅

Done

🔄

In Progress

⛔

Blocked

📋

Backlog

📋 Backlog7

**\*\***CSP nonce for styles**\*\***

BLOCKED — Tailwind v4 has no nonce support yet. Monitor Tailwind v4 releases.

⛔ BLOCKED — Tailwind v4 has no nonce support yet. Monitor Tailwind v4 releases.

SecurityFrontend

**\*\***Configure AdAgentId for remaining tenants**\*\***

Operational DB action needed — set per-tenant AdAgentId values

opsDB

**\*\***Rotate Azure AD credentials**\*\***

BLOCKED — client dependency. Schedule rotation window with client.

⛔ BLOCKED — client dependency. Schedule rotation window with client.

Securityops

**\*\***NinjaOne device management integration**\*\***

Add device list + patch status per tenant via NinjaOne management scope

Featureninjaone

**\*\***Sophos threat dashboard**\*\***

Per-tenant threat event feed from Sophos Central Partner API

Featuresophos

**\*\***Expand rate limiting to all protected routes**\*\***

reportReadRatelimit applied to 6 routes — verify full coverage, add where missing

SecurityBackend

**\*\***Graph $batch for large tenant user lists**\*\***

Split >20 user/group fetches into multiple sequential $batch calls

performancegraph

🔄 In Progress0

Vacío

⛔ Blocked0

Vacío

✅ Done10

**\*\***Security audit report v10** (2026-05-12)\*\***

Securityshipped

**\*\***CI pipeline: typecheck + unit-tests stages**\*\***

ci-cdshipped

**\*\***GDPR AuditLog userId FK — ON DELETE SET NULL**\*\***

SecurityDBshipped

**\*\***middleware.ts → proxy.ts**\*\***

fixshipped

**\*\***RBAC: updateTenant / create / delete require ADMIN role**\*\***

SecurityAuthshipped

**\*\***reportReadRatelimit (50 req/min) on all 6 report/search/analytics routes**\*\***

Securityshipped

**\*\***Monolith architecture confirmed**\*\***

architectureshipped

**\*\***Turbopack + Prisma init-server + global + Proxy pattern**\*\***

fixshipped

**\*\***Microsoft Graph client credentials flow**\*\***

Featureshipped

**\*\***NinjaOne + Sophos API clients**\*\***

Featureshipped

📓 Daily Recaps

2026-05-272026-05-13 — TUM2026 — 🟡 UNCOMMITTED

▼

2026-05-142026-05-13 — TUM2026 — 🟡 UNCOMMITTED

▼

2026-05-132026-05-13 — TUM2026 — 🟡 UNCOMMITTED

▼

2026-04-15Docker VPS migration — MR !4 open for review

▼

2026-04-15CI/CD pipeline live: Vercel to Docker VPS migration complete

▼

2026-04-11MR !1 opened — V2026.04.11-001 — test fixes + security audit v9

▼

2026-04-08Security Audit v8 + Full Remediation + RBAC fixes

▼

2026-03-27Fix Remaining Findings — H2–H4, M1–M6, L1–L3 (12 findings closed)

▼

2026-03-27N8N Webhook → SystemAlerts + SSE + Notifications (new feature)

▼

2026-03-27Full Security Audit — 13 CRITICAL, 6 HIGH (IDOR in Sophos/NinjaOne)

▼

2026-03-30Post-Deploy Fixes — Dashboard error, FORBIDDEN on tasks, UPN in webhook

▼

2026-03-27Error Boundaries + Stability Fixes + Acknowledge Route

▼

2026-03-27DB Migration Neon → Supabase + Reference Cleanup

▼

2026-03-27Branding — Logo PNG + Hero Image on Dashboard

▼

2026-03-27Fix All 13 CRITICAL — Sophos/NinjaOne IDOR + Zod + Role Checks

▼

2026-03-30Security Audit v4 — Comparative Analysis 6 Versions (0C/8H/18M/6L)

▼

2026-04-01Security Audit v6 — Post-fixes re-scan (66 findings: 0C·15H·33M·18L)

▼

2026-04-01Security Fixes — 21 findings remediated (v5 report)

▼

2026-04-01Security Audit v5 — 81 findings + ISO 27001:2022 baseline

▼

2026-04-01Critical Production Bug Fix — tenant detail crash + security (Zod + auth)

▼

2026-04-01Security — Defensive syncTechPermissions + Zod on 13 routes

▼

2026-04-03Security & Exchange & Advanced Mailbox — 10 tasks implemented and merged

▼

2026-04-05Security Audit v7 — 30 findings (3C·9H·13M·5L), largest compliance improvement in the series

▼

2026-04-05Security Fixes v7 — 30/30 findings remediated, 25 files, 0 TS errors

▼

2026-03-13Run Task Feature — Technicians Can Execute AD Tasks via n8n

▼

2026-03-20Full Code Review — Dead Code, Deps, Git Hygiene

▼

2026-03-13Security Hardening — IDOR, Headers, RBAC, JWT + AD Cleanup

▼

2026-03-30Security Fixes v4 — 16 Findings Remediated (Wave 1+2, 12 Commits)

▼