security: 보안 강제 시스템 구축 + 하드코딩 비밀번호 제거

보안 감사 결과 CRITICAL 2건, HIGH 5건 발견 → 수정 완료 + 자동화 구축. [보안 수정] - issue-view.js: 하드코딩 비밀번호 → crypto.getRandomValues() 랜덤 생성 - pushSubscriptionController.js: ntfy 비밀번호 → process.env.NTFY_SUB_PASSWORD - DEPLOY-GUIDE.md/PROGRESS.md/migration SQL: 평문 비밀번호 → placeholder - docker-compose.yml/.env.example: NTFY_SUB_PASSWORD 환경변수 추가 [보안 강제 시스템 - 신규] - scripts/security-scan.sh: 8개 규칙 (CRITICAL 2, HIGH 4, MEDIUM 2) 3모드(staged/all/diff), severity, .securityignore, MEDIUM 임계값 - .githooks/pre-commit: 로컬 빠른 피드백 - .githooks/pre-receive-server.sh: Gitea 서버 최종 차단 bypass 거버넌스([SECURITY-BYPASS: 사유] + 사용자 제한 + 로그) - SECURITY-CHECKLIST.md: 10개 카테고리 자동/수동 구분 - docs/SECURITY-GUIDE.md: 운영자 가이드 (워크플로우, bypass, FAQ) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 09:44:21 +09:00
parent bbffa47a9d
commit ba9ef32808
257 changed files with 786 additions and 18 deletions
--- a/system3-nonconformance/web/public/ai-assistant.html
+++ b/system3-nonconformance/web/public/ai-assistant.html
--- a/system3-nonconformance/web/public/app.html
+++ b/system3-nonconformance/web/public/app.html
--- a/system3-nonconformance/web/public/favicon.ico
+++ b/system3-nonconformance/web/public/favicon.ico
--- a/system3-nonconformance/web/public/issue-view.html
+++ b/system3-nonconformance/web/public/issue-view.html
@@ -117,6 +117,6 @@
    <script src="/static/js/utils/photo-modal.js?v=2026031401"></script>
    <script src="/static/js/utils/toast.js?v=2026031401"></script>
    <script src="/static/js/components/mobile-bottom-nav.js?v=2026031401"></script>
-    <script src="/static/js/pages/issue-view.js?v=2026031401"></script>
+    <script src="/static/js/pages/issue-view.js?v=2026041001"></script>
 </body>
 </html>
--- a/system3-nonconformance/web/public/issues-archive.html
+++ b/system3-nonconformance/web/public/issues-archive.html
--- a/system3-nonconformance/web/public/issues-dashboard.html
+++ b/system3-nonconformance/web/public/issues-dashboard.html
--- a/system3-nonconformance/web/public/issues-inbox.html
+++ b/system3-nonconformance/web/public/issues-inbox.html
--- a/system3-nonconformance/web/public/issues-management.html
+++ b/system3-nonconformance/web/public/issues-management.html
--- a/system3-nonconformance/web/public/m/dashboard.html
+++ b/system3-nonconformance/web/public/m/dashboard.html
--- a/system3-nonconformance/web/public/m/inbox.html
+++ b/system3-nonconformance/web/public/m/inbox.html
--- a/system3-nonconformance/web/public/m/management.html
+++ b/system3-nonconformance/web/public/m/management.html
--- a/system3-nonconformance/web/public/push-sw.js
+++ b/system3-nonconformance/web/public/push-sw.js
--- a/system3-nonconformance/web/public/reports-daily.html
+++ b/system3-nonconformance/web/public/reports-daily.html
--- a/system3-nonconformance/web/public/reports-monthly.html
+++ b/system3-nonconformance/web/public/reports-monthly.html
--- a/system3-nonconformance/web/public/reports-weekly.html
+++ b/system3-nonconformance/web/public/reports-weekly.html
--- a/system3-nonconformance/web/public/reports.html
+++ b/system3-nonconformance/web/public/reports.html
--- a/system3-nonconformance/web/public/static/css/ai-assistant.css
+++ b/system3-nonconformance/web/public/static/css/ai-assistant.css
--- a/system3-nonconformance/web/public/static/css/issue-view.css
+++ b/system3-nonconformance/web/public/static/css/issue-view.css
--- a/system3-nonconformance/web/public/static/css/issues-archive.css
+++ b/system3-nonconformance/web/public/static/css/issues-archive.css
--- a/system3-nonconformance/web/public/static/css/issues-dashboard.css
+++ b/system3-nonconformance/web/public/static/css/issues-dashboard.css
--- a/system3-nonconformance/web/public/static/css/issues-inbox.css
+++ b/system3-nonconformance/web/public/static/css/issues-inbox.css
--- a/system3-nonconformance/web/public/static/css/issues-management.css
+++ b/system3-nonconformance/web/public/static/css/issues-management.css
--- a/system3-nonconformance/web/public/static/css/m-common.css
+++ b/system3-nonconformance/web/public/static/css/m-common.css
--- a/system3-nonconformance/web/public/static/css/mobile-calendar.css
+++ b/system3-nonconformance/web/public/static/css/mobile-calendar.css
--- a/system3-nonconformance/web/public/static/css/tkqc-common.css
+++ b/system3-nonconformance/web/public/static/css/tkqc-common.css
--- a/system3-nonconformance/web/public/static/js/api.js
+++ b/system3-nonconformance/web/public/static/js/api.js
--- a/system3-nonconformance/web/public/static/js/app.js
+++ b/system3-nonconformance/web/public/static/js/app.js
--- a/system3-nonconformance/web/public/static/js/components/common-header.js
+++ b/system3-nonconformance/web/public/static/js/components/common-header.js
--- a/system3-nonconformance/web/public/static/js/components/mobile-bottom-nav.js
+++ b/system3-nonconformance/web/public/static/js/components/mobile-bottom-nav.js
--- a/system3-nonconformance/web/public/static/js/components/mobile-calendar.js
+++ b/system3-nonconformance/web/public/static/js/components/mobile-calendar.js
--- a/system3-nonconformance/web/public/static/js/core/auth-manager.js
+++ b/system3-nonconformance/web/public/static/js/core/auth-manager.js
--- a/system3-nonconformance/web/public/static/js/core/keyboard-shortcuts.js
+++ b/system3-nonconformance/web/public/static/js/core/keyboard-shortcuts.js
--- a/system3-nonconformance/web/public/static/js/core/page-manager.js
+++ b/system3-nonconformance/web/public/static/js/core/page-manager.js
--- a/system3-nonconformance/web/public/static/js/core/page-preloader.js
+++ b/system3-nonconformance/web/public/static/js/core/page-preloader.js
--- a/system3-nonconformance/web/public/static/js/core/permissions.js
+++ b/system3-nonconformance/web/public/static/js/core/permissions.js
--- a/system3-nonconformance/web/public/static/js/date-utils.js
+++ b/system3-nonconformance/web/public/static/js/date-utils.js
--- a/system3-nonconformance/web/public/static/js/image-utils.js
+++ b/system3-nonconformance/web/public/static/js/image-utils.js
--- a/system3-nonconformance/web/public/static/js/lib/purify.min.js
+++ b/system3-nonconformance/web/public/static/js/lib/purify.min.js
--- a/system3-nonconformance/web/public/static/js/m/m-common.js
+++ b/system3-nonconformance/web/public/static/js/m/m-common.js
--- a/system3-nonconformance/web/public/static/js/m/m-dashboard.js
+++ b/system3-nonconformance/web/public/static/js/m/m-dashboard.js
--- a/system3-nonconformance/web/public/static/js/m/m-inbox.js
+++ b/system3-nonconformance/web/public/static/js/m/m-inbox.js
--- a/system3-nonconformance/web/public/static/js/m/m-management.js
+++ b/system3-nonconformance/web/public/static/js/m/m-management.js
--- a/system3-nonconformance/web/public/static/js/pages/ai-assistant.js
+++ b/system3-nonconformance/web/public/static/js/pages/ai-assistant.js
--- a/system3-nonconformance/web/public/static/js/pages/issue-view.js
+++ b/system3-nonconformance/web/public/static/js/pages/issue-view.js
@@ -673,13 +673,20 @@ async function handlePasswordChange(e) {
    // 현재 비밀번호 확인 (localStorage 기반)
    let users = JSON.parse(localStorage.getItem('work-report-users') || '[]');

+    // 임시 비밀번호 생성 (클라이언트에 하드코딩하지 않음)
+    function generateTempPassword() {
+        const arr = new Uint8Array(12);
+        crypto.getRandomValues(arr);
+        return Array.from(arr, b => b.toString(36).padStart(2, '0')).join('').slice(0, 16);
+    }
+
    // 기본 사용자가 없으면 생성
    if (users.length === 0) {
        users = [
            {
                username: 'hyungi',
                full_name: '관리자',
-                password: 'djg3-jj34-X3Q3',
+                password: generateTempPassword(),
                role: 'admin'
            }
        ];
@@ -694,7 +701,7 @@ async function handlePasswordChange(e) {
        user = {
            username: username,
            full_name: username === 'hyungi' ? '관리자' : username,
-            password: 'djg3-jj34-X3Q3',
+            password: generateTempPassword(),
            role: username === 'hyungi' ? 'admin' : 'user'
        };
        users.push(user);
--- a/system3-nonconformance/web/public/static/js/pages/issues-archive.js
+++ b/system3-nonconformance/web/public/static/js/pages/issues-archive.js
--- a/system3-nonconformance/web/public/static/js/pages/issues-dashboard.js
+++ b/system3-nonconformance/web/public/static/js/pages/issues-dashboard.js
--- a/system3-nonconformance/web/public/static/js/pages/issues-inbox.js
+++ b/system3-nonconformance/web/public/static/js/pages/issues-inbox.js
--- a/system3-nonconformance/web/public/static/js/pages/issues-management.js
+++ b/system3-nonconformance/web/public/static/js/pages/issues-management.js
--- a/system3-nonconformance/web/public/static/js/sso-relay.js
+++ b/system3-nonconformance/web/public/static/js/sso-relay.js
--- a/system3-nonconformance/web/public/static/js/utils/issue-helpers.js
+++ b/system3-nonconformance/web/public/static/js/utils/issue-helpers.js
--- a/system3-nonconformance/web/public/static/js/utils/photo-modal.js
+++ b/system3-nonconformance/web/public/static/js/utils/photo-modal.js
--- a/system3-nonconformance/web/public/static/js/utils/toast.js
+++ b/system3-nonconformance/web/public/static/js/utils/toast.js
--- a/system3-nonconformance/web/public/sw.js
+++ b/system3-nonconformance/web/public/sw.js