derekc 3022bc328b Security hardening: go-live review fixes ...

- TV tokens upgraded from 4 to 6 digits; Regen Token button in Admin
- Nginx rate limiting on TV dashboard and WebSocket endpoints
- Login lockout after 5 failed attempts (15 min); clears on admin password reset
- HSTS header added; CSP unsafe-inline removed from script-src; CORS restricted to explicit methods/headers
- Dependency CVE fixes: PyJWT 2.12.0, aiomysql 0.3.0, cryptography 46.0.5, python-multipart 0.0.22
- datetime.utcnow() replaced with datetime.now(timezone.utc) throughout
- SQL identifier whitelist for startup migration queries
- README updated: security notes section, lockout docs, token regen, NPM proxy guidance

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-03-22 00:00:14 -07:00

..

__init__.py

Add per-block agenda overrides for daily sessions

2026-03-19 07:58:30 -07:00

activity.py

Initial project scaffold

2026-02-27 22:56:56 -08:00

base.py

Initial project scaffold

2026-02-27 22:56:56 -08:00

break_activity.py

Add break time feature to schedule blocks

2026-03-03 08:40:49 -08:00

child.py

Add random 4-digit TV token per child for obfuscated TV URLs

2026-03-10 22:53:26 -07:00

morning_routine.py

Add Morning Routine to Admin and TV greeting state

2026-03-01 22:19:15 -08:00

rule.py

Add Rules & Expectations feature with TV overlay and dashboard layout updates

2026-03-19 07:21:50 -07:00

schedule.py

Remove school day hours from schedule templates

2026-03-03 13:45:05 -08:00

session_block_agenda.py

Add per-block agenda overrides for daily sessions

2026-03-19 07:58:30 -07:00

session.py

Initial project scaffold

2026-02-27 22:56:56 -08:00

strike.py

Add strike events to activity log

2026-03-01 22:07:41 -08:00

subject.py

Add Meeting system subject and notification system

2026-03-04 23:44:21 -08:00

user.py

Security hardening: go-live review fixes

2026-03-22 00:00:14 -07:00