Joined on 2026-03-17
marcel pushed to feat/issue-459-ocr-non-root at marcel/familienarchiv 2026-05-17 17:33:58 +02:00
74ca5ee35f docs(adr): ADR-019 — container hardening baseline (non-root + read-only)
38973a014e docs: add XDG_CACHE_HOME/TORCH_HOME to OCR env table and upgrade notes for PR #611
fc8b4b164b security(ocr): redirect XDG cache and Torch home away from read-only HOME
eb63df2000 test(ocr): add startup root canary tests for main.py lifespan
53bd574660 test(ocr): replace vacuous startswith assertion with equality check
marcel commented on pull request marcel/familienarchiv#611 2026-05-17 17:03:20 +02:00
security(ocr): run OCR container as non-root user (CIS Docker §4.1)

🎨 Leonie Voss — UX Designer & Accessibility Strategist

Verdict: Approved

No .svelte files, no CSS, no frontend components, no routes, no i18n strings. This PR touches only the OCR…

marcel commented on pull request marcel/familienarchiv#611 2026-05-17 17:03:17 +02:00
security(ocr): run OCR container as non-root user (CIS Docker §4.1)

🧪 Sara Holt — Senior QA Engineer

Verdict: ⚠️ Approved with concerns

Tests are present, isolation is correct, cleanup reloads are in place. One test assertion is functionally broken and…

marcel commented on pull request marcel/familienarchiv#611 2026-05-17 17:03:05 +02:00
security(ocr): run OCR container as non-root user (CIS Docker §4.1)

🔐 Nora "NullX" Steiner — Application Security Engineer

Verdict: ⚠️ Approved with concerns

This is textbook CIS Docker §4.1 hardening — non-root user, read-only filesystem, dropped…

marcel commented on pull request marcel/familienarchiv#611 2026-05-17 17:02:49 +02:00
security(ocr): run OCR container as non-root user (CIS Docker §4.1)

📋 Elicit — Requirements Engineer

Verdict: ⚠️ Approved with concerns

Issue #459 (non-root OCR container) is fully addressed. The implementation covers the stated requirements. One…

marcel commented on pull request marcel/familienarchiv#611 2026-05-17 17:02:39 +02:00
security(ocr): run OCR container as non-root user (CIS Docker §4.1)

🛠️ Tobias Wendt — DevOps & Platform Engineer

Verdict: ⚠️ Approved with concerns

The hardening work is solid and the config is production-grade. One ops documentation gap needs fixing…

marcel commented on pull request marcel/familienarchiv#611 2026-05-17 17:02:28 +02:00
security(ocr): run OCR container as non-root user (CIS Docker §4.1)

👨‍💻 Felix Brandt — Senior Fullstack Developer

Verdict: ⚠️ Approved with concerns

TDD evidence is present — two tests for the HTRMOPO_DIR change landed before (or alongside) the…

marcel commented on pull request marcel/familienarchiv#611 2026-05-17 17:02:18 +02:00
security(ocr): run OCR container as non-root user (CIS Docker §4.1)

🏗️ Markus Keller — Senior Application Architect

Verdict: ⚠️ Approved with concerns

No layer violations, no new services, no domain boundary issues — this is a self-contained hardening…

marcel created pull request marcel/familienarchiv#611 2026-05-17 16:58:02 +02:00
security(ocr): run OCR container as non-root user (CIS Docker §4.1)
marcel pushed to feat/issue-459-ocr-non-root at marcel/familienarchiv 2026-05-17 16:57:48 +02:00
581ba01d8d security(ocr): log warning on startup when running as root
9db42d6cc1 fix(ocr): resolve HTRMOPO_DIR from env var, not ~ expansion
ab24786d2a security(ocr): harden compose — fix cache volume path, add read_only + cap_drop
1aca4c4a41 security(ocr): add non-root user and set HOME/HF_HOME in Dockerfile
marcel created branch feat/issue-459-ocr-non-root in marcel/familienarchiv 2026-05-17 16:57:48 +02:00
marcel commented on issue marcel/familienarchiv#459 2026-05-17 16:52:01 +02:00
security(ocr): run OCR container as non-root user (CIS Docker §4.1)

Implementation complete — branch feat/issue-459-ocr-non-root

What was done

4 commits, all tests green:

marcel deleted branch feat/issue-528-xxe-hardening from marcel/familienarchiv 2026-05-17 16:42:13 +02:00
marcel pushed to main at marcel/familienarchiv 2026-05-17 16:42:12 +02:00
669eaa7c65 fix(ci): pin semgrep version, add pip cache, harden rule severity
f15ea031d1 ci(security): add Semgrep XXE rule and CI scan job
25a39fca9c security(import): harden DocumentBuilderFactory against XXE in MassImportService
marcel closed issue marcel/familienarchiv#528 2026-05-17 16:42:11 +02:00
security(import): harden DocumentBuilderFactory against XXE in MassImportService
marcel merged pull request marcel/familienarchiv#610 2026-05-17 16:42:11 +02:00
security(import): harden DocumentBuilderFactory against XXE (#528)
marcel commented on pull request marcel/familienarchiv#610 2026-05-17 16:20:48 +02:00
security(import): harden DocumentBuilderFactory against XXE (#528)

🎨 Leonie Voss (@leonievoss) — UI/UX Design Lead

Verdict: Approved

This PR is entirely backend and CI — no frontend components, no routes, no UI changes, no Svelte files, no Tailwind…

marcel commented on pull request marcel/familienarchiv#610 2026-05-17 16:20:42 +02:00
security(import): harden DocumentBuilderFactory against XXE (#528)

📋 Elicit — Requirements Engineer & Business Analyst

Verdict: Approved

This PR directly closes issue #528. The implemented scope matches the stated requirements precisely, with no…

marcel commented on pull request marcel/familienarchiv#610 2026-05-17 16:20:27 +02:00
security(import): harden DocumentBuilderFactory against XXE (#528)

🧪 Sara Holt (@saraholt) — QA Engineer & Test Strategist

Verdict: Approved

Both tests are well-structured, correctly placed in the test pyramid, and the regression test is permanently…

marcel commented on pull request marcel/familienarchiv#610 2026-05-17 16:20:07 +02:00
security(import): harden DocumentBuilderFactory against XXE (#528)

🚀 Tobias Wendt (@tobiwendt) — DevOps & Platform Engineer

Verdict: Approved

The CI job is clean, minimal, and fits the existing pipeline structure. A few observations, nothing…