security: CORS hardening, path traversal fix, WebSocket auth + cleanup

- Restrict CORS to localhost origins (was allow_origins=[*])
- Require valid JWT on WebSocket /ws (anonymous no longer gets admin view)
- Fix path traversal in delete_cell(): resolve() + parent check
- Validate cell_id format in /charts/download-noaa/{cell_id}
- Exclude charts/ and Cartas/ from git (keep US1GC09M world overview)
- Add NOAA ENC Portal external link in charts catalog tab
- Untrack __pycache__/, .db, .claude/ session files

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-03 12:45:43 -04:00
parent 3e04c4113f
commit cfd94f905a
47 changed files with 1847 additions and 427 deletions
@@ -18,6 +18,12 @@ class Lamp(Base):
lamp_count = Column(Integer, default=1)
voltage_min = Column(Float, nullable=False) # discharged threshold (V)
voltage_max = Column(Float, nullable=False) # fully-charged nominal (V)
# Battery alert thresholds as % of usable voltage range.
# warn_pct=20 means: alert when remaining capacity ≤ 20% of (maxmin).
# Defaults match the original hardcoded values (20% / 10%).
# Override per lamp model — e.g. Sabik recommends 30%/15%.
warn_pct = Column(Float, default=20.0) # % of range → warning
alarm_pct = Column(Float, default=10.0) # % of range → alarm
notes = Column(Text, nullable=True)
creado_en = Column(DateTime, server_default=func.now())
modificado_en = Column(DateTime, onupdate=func.now())
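Review bot: warn_pct and alarm_pct are declared with only a Python-side default and no nullable=False, unlike voltage_min and voltage_max directly above them, so rows that predate these columns or inserts that bypass the ORM can hold NULL, and whatever compares against these thresholds has to cope with that. Consider nullable=False together with a server_default, plus a CheckConstraint that keeps both values between 0 and 100 and alarm_pct below warn_pct, since nothing in the model stops an alarm threshold from being set higher than the warning one. The comment on the second added line reads "(maxmin)" as rendered here, which looks like a lost minus sign in "max - min". These columns are also unrelated to the CORS, path traversal and WebSocket items listed in the commit message and would be easier to review and revert as a separate commit.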