security: CORS hardening, path traversal fix, WebSocket auth + cleanup

- Restrict CORS to localhost origins (was allow_origins=[*])
- Require valid JWT on WebSocket /ws (anonymous no longer gets admin view)
- Fix path traversal in delete_cell(): resolve() + parent check
- Validate cell_id format in /charts/download-noaa/{cell_id}
- Exclude charts/ and Cartas/ from git (keep US1GC09M world overview)
- Add NOAA ENC Portal external link in charts catalog tab
- Untrack __pycache__/, .db, .claude/ session files

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-03 12:45:43 -04:00
parent 3e04c4113f
commit cfd94f905a
47 changed files with 1847 additions and 427 deletions
+52 -8
@@ -227,6 +227,26 @@ body {
color: #fff;
}
/* Small select controls in the toolbar (trail window, vector mode/time) */
.tb-select {
background: var(--bg-base);
border: 1px solid var(--border);
color: var(--text-secondary);
border-radius: 2px;
font-size: 0.62rem;
font-family: var(--sans);
font-weight: 500;
letter-spacing: 0.5px;
padding: 2px 4px;
height: 24px;
cursor: pointer;
outline: none;
transition: border-color 0.15s;
}
.tb-select:hover { border-color: var(--border-light); color: var(--text-primary); }
.tb-select:focus { border-color: var(--accent); }
.tb-select option { background: var(--bg-panel2); color: var(--text-primary); }
#map { flex: 1; }
#map-coords {
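Review bot: the `.tb-select` toolbar styling added in this hunk is outside the scope stated by the commit message (CORS, WebSocket auth, path traversal, cell_id validation); consider splitting the UI-only CSS into its own commit so the security changes can be reviewed and reverted in isolation. Minor: `outline: none;` on `.tb-select` removes the default keyboard focus indicator, which is acceptable only because `.tb-select:focus { border-color: var(--accent); }` supplies a replacement; make sure `--accent` contrasts enough against `--bg-base` for that to stay visible.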
@@ -413,7 +433,7 @@ body {
}
.field-label {
font-size: 0.54rem;
font-size: 0.68rem;
letter-spacing: 1.5px;
text-transform: uppercase;
color: var(--text-muted);
@@ -421,7 +441,7 @@ body {
}
.field-value {
font-size: 0.76rem;
font-size: 0.92rem;
color: var(--text-primary);
font-family: var(--mono);
}
@@ -430,19 +450,19 @@ body {
background: var(--bg-base);
border: 1px solid var(--border);
border-radius: 3px;
padding: 4px 8px;
padding: 6px 10px;
font-family: var(--mono);
font-size: 0.7rem;
font-size: 0.88rem;
color: var(--cyan);
line-height: 1.35;
margin-bottom: 6px;
line-height: 1.4;
margin-bottom: 8px;
}
.coords-block .label {
font-size: 0.54rem;
font-size: 0.68rem;
color: var(--text-muted);
letter-spacing: 1.5px;
text-transform: uppercase;
margin-bottom: 1px;
margin-bottom: 2px;
font-family: var(--sans);
}
@@ -1460,3 +1480,27 @@ html.night .ol-zoom button {
}
.aton-ok { color: var(--green); }
.aton-warn { color: var(--yellow); font-weight: 600; }
/* ── Battery history chart ───────────────────────────────────────────────── */
.batt-chart-hdr {
display: flex; align-items: center;
justify-content: space-between; margin-bottom: 6px;
}
.batt-range-btns { display: flex; gap: 4px; }
.batt-rb {
background: transparent; border: 1px solid var(--border);
color: var(--text-secondary); border-radius: 2px;
font-size: 0.6rem; font-family: var(--mono);
padding: 2px 6px; cursor: pointer; transition: all .15s;
}
.batt-rb:hover { border-color: var(--border-light); color: var(--text-primary); }
.batt-rb.active { background: var(--accent-dim); border-color: var(--accent); color: #fff; }
#batt-chart-wrap { margin-bottom: 8px; }
#batt-chart-svg { width: 100%; }
.batt-stats {
display: flex; flex-wrap: wrap; gap: 6px 12px;
font-size: 0.68rem; color: var(--text-muted);
margin-top: 4px; font-family: var(--mono);
}
.batt-stat { color: var(--text-secondary); }
.batt-stat-eta { color: var(--text-secondary); }
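Review bot: `transition: all .15s;` in `.batt-rb` animates every property, whereas the analogous `.tb-select` rule earlier in this file uses `transition: border-color 0.15s;`; prefer listing the transitioned properties explicitly (`border-color, color, background`) for consistency and to avoid animating layout properties unintentionally. Also, `.batt-stat` and `.batt-stat-eta` declare the identical rule `color: var(--text-secondary);`; drop the second or combine the selectors unless they are expected to diverge.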