Claude Code integration as the first Wraith plugin: terminal I/O, SFTP
file access, CodeMirror handoff, and session context awareness. Proves
the plugin architecture and serves as the reference implementation.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
C-2: JWT moved from localStorage to httpOnly cookie (eliminates XSS token theft)
C-3: WebSocket auth via short-lived single-use tickets (JWT no longer in URLs)
H-1: JWT expiry reduced from 7 days to 4 hours
H-3: TOTP secrets encrypted at rest with vault EncryptionService (auto-migrates plaintext)
H-6: Rate limiting via @nestjs/throttler (60 req/min global, tighten on auth)
H-8: Constant-time login — Argon2id verify runs against dummy hash for non-existent users
H-9: Password hashing upgraded from bcrypt(10) to Argon2id (auto-upgrades on login)
H-10: Credential list API no longer returns encrypted blobs
H-16: Admin pages use Nuxt route middleware instead of client-side guard
Plus: auth bootstrap plugin, cookie-parser middleware, all frontend Authorization headers removed
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
BREAKING CHANGE (forward-only): New credentials/keys encrypted with v2
(Argon2id-derived AES-256-GCM). Existing v1 records decrypt transparently.
- Argon2id params: 64 MiB memory, 3 iterations, 4 parallelism (OWASP)
- Per-record 16-byte salt stored in ciphertext format
- v2 format: v2:<salt>:<iv>:<authTag>:<ciphertext>
- Backwards compatible: v1 records still decrypt with raw key
- Admin endpoint POST /api/credentials/migrate-v2 upgrades all v1→v2
- Added docs/FUTURE-FEATURES.md with remaining spec gaps
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
