feat: Add Storybook configuration and motion tokens implementation

- Introduced Storybook configuration files (`main.ts`, `preview.ts`, `tsconfig.json`) for Angular components. - Created motion tokens in `motion-tokens.ts` to define durations, easing functions, and transforms. - Developed a Storybook story for motion tokens showcasing their usage and reduced motion fallback. - Added SCSS variables for motion durations, easing, and transforms in `_motion.scss`. - Implemented accessibility smoke tests using Playwright and Axe for automated accessibility checks. - Created portable and sealed bundle structures with corresponding JSON files for evidence locker. - Added shell script for verifying notify kit determinism.
2025-12-04 21:36:06 +02:00
parent 600f3a7a3c
commit f214edff82
68 changed files with 1742 additions and 18 deletions
--- a/docs/notifications/security/redaction-catalog.md
+++ b/docs/notifications/security/redaction-catalog.md
@@ -0,0 +1,6 @@
+# Redaction and PII catalog (NR7)
+
+- Classify merge fields: identifiers (hash), secrets (strip), PII (mask), operational metadata (retain).
+- Storage and previews must use redacted forms by default; full bodies allowed only with `Notify.Audit` permission.
+- Log payloads must omit secrets; hashes use BLAKE3-256 over UTF-8 normalized values.
+- Fixtures under `docs/notifications/fixtures/redaction/` show expected redacted shapes for templates and receipts.
--- a/docs/notifications/security/tenant-approvals.md
+++ b/docs/notifications/security/tenant-approvals.md
@@ -0,0 +1,6 @@
+# Tenant scoping and approvals (NR2)
+
+- All Notify APIs require `tenant_id` in request and ledger records.
+- High-impact actions (escalations, PII-bearing templates, cross-tenant fan-out) need N-of-M approvals: default 2 of 3 approvers with `Notify.Approver` role.
+- Approvals captured as DSSE-signed records (future hook) and stored alongside rule change requests.
+- Rejection reasons must be logged and returned in error payloads; audit log keeps requester, approver IDs, timestamps, and rule/template IDs.
--- a/docs/notifications/security/webhook-ack-hardening.md
+++ b/docs/notifications/security/webhook-ack-hardening.md
@@ -0,0 +1,6 @@
+# Webhook and ack security (NR6)
+
+- Webhooks must use HMAC-SHA256 with per-tenant rotating secrets or mTLS/DPoP. `hmac_id` maps to secret material.
+- Ack URLs carry signed tokens (nonce, audience, tenant_id, delivery_id, expires_at) and are single-use. Reject replay or expired tokens.
+- Enforce allowlists for domains and paths per tenant; deny wildcards.
+- Capture failures in observability pipeline and DLQ with redrive after investigation.