Latest commit message:

- C1: Add authentication to file serving route + canonical path traversal check + nosniff header
- C2: DEV_BYPASS_AUTH now only works when Entra ID credentials are not configured
- H1: Add requireAuth() + assertOrgAccess() to 9 unprotected routes (upload, feedback, annotations, color-probes, reviews)
- H2: Add org-scoping to 4 routes (automations, users, skills)
- H3: SSRF protection on webhook URLs — HTTPS only, private/internal IPs blocked
- H6: API key uses timingSafeEqual, phantom fallback removed, supports X-Org-Id header
- M1: CRON_SECRET moved from query string to Authorization Bearer header
- Extend assertOrgAccess() to support 10 model types (was 3)
- npm audit fix: 17 vulnerabilities reduced to 4
- Add SECURITY-REVIEW.md with full findings report

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Directory listing:

| Name | | |
|---|---|---|
| .. | | |
| migrations | | |
| schema.prisma | | |
| seed-tracker-data.ts | | |
| seed.ts | | |