Fix review findings: offline assets, security, audit logging

- Bundle Bootstrap CSS/JS/icons locally for air-gapped operation - Add path traversal validation on image import source - Disable Flask debug mode in production - Fix file handle leaks, remove unused import - Add python3-pip, python3-venv, p7zip-full to offline packages - Add pip wheel download/bundling for offline Flask install - Change UFW default policy from allow to deny - Fix wrong path displayed in unattend editor template - Dynamic sidebar image lists from all_image_types - Add audit logging for all write operations - Audit log viewer page with activity history Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-06 16:50:20 -05:00
parent ef7583920b
commit 92c9b0f762
13 changed files with 187 additions and 37 deletions
--- a/build-usb.sh
+++ b/build-usb.sh
@@ -185,6 +185,15 @@ if [ -d "$WEBAPP_DIR" ]; then
    echo "    Copied webapp/"
 fi

+# Copy pip wheels for offline Flask install
+PIP_WHEELS_DIR="$SCRIPT_DIR/pip-wheels"
+if [ -d "$PIP_WHEELS_DIR" ]; then
+    cp -r "$PIP_WHEELS_DIR" "$MOUNT_POINT/pip-wheels"
+    echo "    Copied pip-wheels/"
+else
+    echo "    No pip-wheels/ found (run download-packages.sh first)"
+fi
+
 # Copy boot tools (Clonezilla, Blancco, Memtest) if prepared
 BOOT_TOOLS_DIR="$SCRIPT_DIR/boot-tools"
 if [ -d "$BOOT_TOOLS_DIR" ]; then