backend/.env.example

# Backend Configuration
PORT=3001
API_HOST=localhost
CORS_ORIGINS=http://localhost:3000

# Session secret — REQUIRED. Server will not start without this.
# Generate with: openssl rand -base64 32
SESSION_SECRET=

# NVD API Key (optional - increases rate limit from 5 to 50 requests per 30s)
# Request one at https://nvd.nist.gov/developers/request-an-api-key
NVD_API_KEY=

# Ivanti / RiskSense API (platform4.risksense.com)
# API key from your profile settings — does not expire like session cookies
IVANTI_API_KEY=
IVANTI_CLIENT_ID=1550
IVANTI_FIRST_NAME=
IVANTI_LAST_NAME=
# Comma-separated list of BU values to sync from Ivanti.
# Broadening this pulls findings for additional BUs into the local cache.
# Users see only their assigned teams' findings (filtered at query time).
# Default if unset: NTS-AEO-ACCESS-ENG,NTS-AEO-STEAM
IVANTI_BU_FILTER=NTS-AEO-ACCESS-ENG,NTS-AEO-STEAM
# Comma-separated list of BUs considered "managed" for drift classification.
# Findings leaving these BUs are classified as bu_reassignment in the archive.
# Default if unset: NTS-AEO-ACCESS-ENG,NTS-AEO-STEAM
IVANTI_MANAGED_BUS=NTS-AEO-ACCESS-ENG,NTS-AEO-STEAM
# Set to true if behind Charter's SSL inspection proxy (replicates Python verify=False)
IVANTI_SKIP_TLS=false

# Atlas InfoSec API (atlas-infosec.caas.charterlab.com)
# Service account credentials for Basic Auth — used to sync and manage action plans
ATLAS_API_URL=
ATLAS_API_USER=
ATLAS_API_PASS=
# Set to true if behind Charter's SSL inspection proxy (disables TLS cert verification)
ATLAS_SKIP_TLS=false

# Jira Data Center REST API
# VPN or Charter Network connection required for all Jira instances.
# Service accounts use Basic Auth (JIRA_API_USER + JIRA_API_TOKEN).
# PATs require ATLSUP approval and naming convention: Function - Team - ATLSUP-XXXXX
# Rate limits: 1440 requests/day, burst of 60/minute.
JIRA_BASE_URL=
JIRA_AUTH_METHOD=basic
# Basic Auth — service account credentials
JIRA_API_USER=
JIRA_API_TOKEN=
# PAT Auth — set JIRA_AUTH_METHOD=pat to use
JIRA_PAT=
# Default project key and issue type for creating issues from the dashboard
JIRA_PROJECT_KEY=
JIRA_ISSUE_TYPE=Task
# Set to true if behind Charter's SSL inspection proxy
JIRA_SKIP_TLS=false

# CARD Asset Ownership API (card.charter.com / card.caas.stage.charterlab.com)
# OAuth Bearer token auth — service account must be onboarded with the CARD team.
# Tokens are acquired automatically via Basic Auth and cached for 1 hour.
CARD_API_URL=
CARD_API_USER=
CARD_API_PASS=
# Set to true if behind Charter's SSL inspection proxy
CARD_SKIP_TLS=false

# PostgreSQL Database (Docker container steam-postgres)
# If set, the backend uses Postgres instead of SQLite.
# Format: postgresql://user:password@host:port/database
DATABASE_URL=postgresql://steam:<password>@localhost:5433/cve_dashboard

# GitLab Feedback Integration (bug reports and feature requests from the dashboard)
# PAT needs 'api' scope. Project ID is the numeric ID from GitLab project settings.
GITLAB_URL=http://steam-gitlab.charterlab.com
GITLAB_PROJECT_ID=
GITLAB_PAT=
Added .env configuration to remove hardcoded IP issues 2026-01-28 09:23:30 -07:00			`# Backend Configuration`
			`PORT=3001`
			`API_HOST=localhost`
			`CORS_ORIGINS=http://localhost:3000`
Added NVD lookup features and optional NVD API key in .env file 2026-02-02 10:50:38 -07:00
release: v1.0.0 — clean README, changelog, full reference manual, dead code removal, package metadata 2026-05-01 21:11:47 +00:00			`# Session secret — REQUIRED. Server will not start without this.`
			`# Generate with: openssl rand -base64 32`
			`SESSION_SECRET=`

Added NVD lookup features and optional NVD API key in .env file 2026-02-02 10:50:38 -07:00			`# NVD API Key (optional - increases rate limit from 5 to 50 requests per 30s)`
			`# Request one at https://nvd.nist.gov/developers/request-an-api-key`
			`NVD_API_KEY=`
Add Ivanti Workflows panel with API key auth and SQLite cache - New panel below Archer tickets showing workflow count and list - Backend proxies platform4.risksense.com workflowBatch/search via x-api-key - SQLite cache table (ivanti_sync_state) stores latest sync result - Auto-syncs on server startup if >24h stale, then every 24h via setInterval - POST /api/ivanti/workflows/sync for on-demand sync with spinner feedback - GET /api/ivanti/workflows returns cached data instantly (no live API call) - Displays id.value, name, currentState, type, createdOn per workflow - Shows last-synced timestamp and error messages inline - IVANTI_SKIP_TLS flag for Charter SSL proxy environments Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-03-10 15:29:33 -06:00
			`# Ivanti / RiskSense API (platform4.risksense.com)`
			`# API key from your profile settings — does not expire like session cookies`
			`IVANTI_API_KEY=`
			`IVANTI_CLIENT_ID=1550`
			`IVANTI_FIRST_NAME=`
			`IVANTI_LAST_NAME=`
feat: add multi-BU tenancy with per-user team scoping (Option B) - Add bu_teams column to users table (migration + fresh schema) - Create shared KNOWN_TEAMS constant and validateTeams helper - Expose user teams in auth middleware, login, and /me responses - Add bu_teams CRUD to user management routes with audit logging - Make Ivanti FINDINGS_FILTERS configurable via IVANTI_BU_FILTER env var - Add query-time team filtering to GET /findings and /findings/counts - Update AuthContext with teams helpers and admin scope toggle - Create AdminScopeToggle component (My Teams / All BUs) - Scope ReportingPage findings fetch by user teams - Scope CompliancePage team selector by user teams - Scope ExportsPage findings exports by user teams - Add BU teams multi-select to UserManagement create/edit forms - Display team badges in user list table 2026-05-05 11:04:53 -06:00			`# Comma-separated list of BU values to sync from Ivanti.`
			`# Broadening this pulls findings for additional BUs into the local cache.`
			`# Users see only their assigned teams' findings (filtered at query time).`
			`# Default if unset: NTS-AEO-ACCESS-ENG,NTS-AEO-STEAM`
			`IVANTI_BU_FILTER=NTS-AEO-ACCESS-ENG,NTS-AEO-STEAM`
Document IVANTI_MANAGED_BUS env var in .env.example, reference manual, and API docs 2026-05-13 07:56:03 -06:00			`# Comma-separated list of BUs considered "managed" for drift classification.`
			`# Findings leaving these BUs are classified as bu_reassignment in the archive.`
			`# Default if unset: NTS-AEO-ACCESS-ENG,NTS-AEO-STEAM`
			`IVANTI_MANAGED_BUS=NTS-AEO-ACCESS-ENG,NTS-AEO-STEAM`
Add Ivanti Workflows panel with API key auth and SQLite cache - New panel below Archer tickets showing workflow count and list - Backend proxies platform4.risksense.com workflowBatch/search via x-api-key - SQLite cache table (ivanti_sync_state) stores latest sync result - Auto-syncs on server startup if >24h stale, then every 24h via setInterval - POST /api/ivanti/workflows/sync for on-demand sync with spinner feedback - GET /api/ivanti/workflows returns cached data instantly (no live API call) - Displays id.value, name, currentState, type, createdOn per workflow - Shows last-synced timestamp and error messages inline - IVANTI_SKIP_TLS flag for Charter SSL proxy environments Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-03-10 15:29:33 -06:00			`# Set to true if behind Charter's SSL inspection proxy (replicates Python verify=False)`
			`IVANTI_SKIP_TLS=false`
Add Atlas InfoSec action plans integration Integrate Atlas InfoSec API to manage compliance action plans directly from the ReportingPage. Users can view, create, and update action plans for host findings without switching to the Atlas web tool. Backend: - Add atlasApi.js helper with Basic Auth, TLS skip, GET/PUT/PATCH/POST - Add atlas_action_plans_cache migration for SQLite cache table - Add atlas.js router with sync, status, and proxy CRUD endpoints - Mount Atlas router at /api/atlas in server.js - Extract hostId from Ivanti host findings during sync Frontend: - Add AtlasBadge component (amber=needs plan, green=has plan) - Add AtlasSlideOutPanel with plan list, create form, edit capability - Separate active plans from inactive history in collapsible section - Custom dark-themed plan type dropdown - Optimistic local state shows pending plans immediately after creation - Atlas sync button on ReportingPage toolbar - Prepopulate finding ID in create form from clicked row Environment: - Add ATLAS_API_URL, ATLAS_API_USER, ATLAS_API_PASS, ATLAS_SKIP_TLS to .env.example 2026-04-23 21:52:53 +00:00
			`# Atlas InfoSec API (atlas-infosec.caas.charterlab.com)`
			`# Service account credentials for Basic Auth — used to sync and manage action plans`
			`ATLAS_API_URL=`
			`ATLAS_API_USER=`
			`ATLAS_API_PASS=`
			`# Set to true if behind Charter's SSL inspection proxy (disables TLS cert verification)`
			`ATLAS_SKIP_TLS=false`
Add Jira Data Center integration with UAT test script and use case docs 2026-04-28 16:36:54 +00:00
			`# Jira Data Center REST API`
			`# VPN or Charter Network connection required for all Jira instances.`
			`# Service accounts use Basic Auth (JIRA_API_USER + JIRA_API_TOKEN).`
			`# PATs require ATLSUP approval and naming convention: Function - Team - ATLSUP-XXXXX`
			`# Rate limits: 1440 requests/day, burst of 60/minute.`
			`JIRA_BASE_URL=`
			`JIRA_AUTH_METHOD=basic`
			`# Basic Auth — service account credentials`
			`JIRA_API_USER=`
			`JIRA_API_TOKEN=`
			`# PAT Auth — set JIRA_AUTH_METHOD=pat to use`
			`JIRA_PAT=`
			`# Default project key and issue type for creating issues from the dashboard`
			`JIRA_PROJECT_KEY=`
			`JIRA_ISSUE_TYPE=Task`
			`# Set to true if behind Charter's SSL inspection proxy`
			`JIRA_SKIP_TLS=false`
feat: add return classification for archive chart, CARD API integration, compliance charts, systemd services 2026-05-01 17:15:41 +00:00
			`# CARD Asset Ownership API (card.charter.com / card.caas.stage.charterlab.com)`
			`# OAuth Bearer token auth — service account must be onboarded with the CARD team.`
			`# Tokens are acquired automatically via Basic Auth and cached for 1 hour.`
			`CARD_API_URL=`
			`CARD_API_USER=`
			`CARD_API_PASS=`
			`# Set to true if behind Charter's SSL inspection proxy`
			`CARD_SKIP_TLS=false`
feat: add multi-BU tenancy with per-user team scoping (Option B) - Add bu_teams column to users table (migration + fresh schema) - Create shared KNOWN_TEAMS constant and validateTeams helper - Expose user teams in auth middleware, login, and /me responses - Add bu_teams CRUD to user management routes with audit logging - Make Ivanti FINDINGS_FILTERS configurable via IVANTI_BU_FILTER env var - Add query-time team filtering to GET /findings and /findings/counts - Update AuthContext with teams helpers and admin scope toggle - Create AdminScopeToggle component (My Teams / All BUs) - Scope ReportingPage findings fetch by user teams - Scope CompliancePage team selector by user teams - Scope ExportsPage findings exports by user teams - Add BU teams multi-select to UserManagement create/edit forms - Display team badges in user list table 2026-05-05 11:04:53 -06:00
feat(postgres): infrastructure setup and schema creation (tasks 1-2) - Install pg (node-postgres) dependency - Create backend/db.js connection pool module (max 10, auto-reconnect) - Install Docker and spin up steam-postgres container on port 5433 - Create backend/db-schema.sql with complete Postgres DDL (24 tables) - Replace findings_json blob with ivanti_findings table (individual rows) - Merge notes/overrides into findings table columns - Add proper indexes: state, bu_ownership, severity, composite - Create backend/setup-postgres.js for idempotent schema initialization - Add DATABASE_URL to .env and .env.example - Update migration plan docs with Docker setup commands - Verify: schema executes cleanly, pool connects, 24 tables created 2026-05-05 15:47:09 -06:00			`# PostgreSQL Database (Docker container steam-postgres)`
			`# If set, the backend uses Postgres instead of SQLite.`
			`# Format: postgresql://user:password@host:port/database`
			`DATABASE_URL=postgresql://steam:<password>@localhost:5433/cve_dashboard`

feat: add multi-BU tenancy with per-user team scoping (Option B) - Add bu_teams column to users table (migration + fresh schema) - Create shared KNOWN_TEAMS constant and validateTeams helper - Expose user teams in auth middleware, login, and /me responses - Add bu_teams CRUD to user management routes with audit logging - Make Ivanti FINDINGS_FILTERS configurable via IVANTI_BU_FILTER env var - Add query-time team filtering to GET /findings and /findings/counts - Update AuthContext with teams helpers and admin scope toggle - Create AdminScopeToggle component (My Teams / All BUs) - Scope ReportingPage findings fetch by user teams - Scope CompliancePage team selector by user teams - Scope ExportsPage findings exports by user teams - Add BU teams multi-select to UserManagement create/edit forms - Display team badges in user list table 2026-05-05 11:04:53 -06:00			`# GitLab Feedback Integration (bug reports and feature requests from the dashboard)`
			`# PAT needs 'api' scope. Project ID is the numeric ID from GitLab project settings.`
			`GITLAB_URL=http://steam-gitlab.charterlab.com`
			`GITLAB_PROJECT_ID=`
			`GITLAB_PAT=`