Release v1.7.17: Alpine.js CSP build, O365 API window clamping

2026-05-29 06:44:36 +02:00
parent ad5816dc2d
commit 79647d8962
4 changed files with 53 additions and 3 deletions
@@ -0,0 +1,38 @@
+# AOC v1.7.17 Release Notes
+
+**Release Date:** 2026-05-29
+
+## Security & Hardening
+
+### Alpine.js CSP Build
+
+The frontend now loads the **Alpine.js CSP build** (`@alpinejs/csp@3.15.12`) instead of the standard distribution. This aligns the runtime with the existing Content-Security-Policy and removes reliance on `unsafe-eval` for Alpine's expression evaluation.
+
+- **File:** `backend/frontend/index.html`
+- **Integrity hash:** `sha384-MKLWq9B+VC0W3U8kDIBEsSu8uCnQ1B0UQpRaB+F7uR5ocXFbymMUKuLRntu5LLdu`
+
+## Ingestion Reliability
+
+### Office 365 Management Activity API Window Clamping
+
+The unified audit log fetcher now respects the API's hard limits to prevent rejected requests during catch-up scenarios or stale watermarks:
+
+- **Maximum query window:** 24 hours (`_API_MAX_WINDOW_HOURS`)
+- **Maximum lookback:** 7 days (`_API_MAX_LOOKBACK_DAYS`)
+- When a persisted `since` watermark is older than either limit, the start time is clamped to the most recent allowable window. Subsequent fetches continue catching up normally.
+
+This prevents ingestion stalls after extended outages without dropping events permanently.
+
+## Files Changed
+
+| File | Change |
+|------|--------|
+| `backend/frontend/index.html` | Switched Alpine.js to CSP build with updated SRI hash |
+| `backend/sources/unified_audit.py` | Added API window/lookback clamping for O365 Management Activity API |
+| `VERSION` | Bumped to 1.7.17 |
+
+## Docker Image
+
+```
+git.cqre.net/cqrenet/aoc-backend:v1.7.17
+```