docs: sync from backend c0e80a7 — security audit closeout

Siavash Sameni
2026-06-07 21:46:14 +04:00
parent 0771b3d163
commit 727207d949
2 changed files with 44 additions and 19 deletions


@@ -12,6 +12,16 @@ entries on top. Maintained by agents per the rule in `../AGENTS.md`.
---
### 2026-06-07 — backend@c0e80a7, frontend@38ff0db — security DB/performance audit closeout
**Commits:** `c0e80a7` `38ff0db`
**Touched:** backend `src/shared/utils/identity.ts`, `src/shared/utils/pagination.ts`, dispute controllers/services/routes, delivery/file/template/payment/chat/points/user routes, `src/app.ts`, `src/services/auth/googleOAuthService.ts`, `__tests__/security-db-performance-logic-audit.test.ts`, `package.json`, `package-lock.json`; frontend `src/auth/services/google-oauth.ts`, `src/lib/axios.ts`, `src/utils/logger.ts`, `package.json`; docs `09 - Audits/Security DB Performance Logic Audit - 2026-06-07.md`, `09 - Audits/Activity Log.md`
**Why:** Close all 10 findings from the fresh security, DB performance, and logic audit. The changes add canonical identity checks for dispute paths, remove delivery-code/token log leakage, confine generic file paths, cap template batches, make broad user listing admin-only, block private upload directories from static serving, and normalize audited pagination inputs.
**Verification:** `task-master next` (no tasks available); backend `npx jest __tests__/security-db-performance-logic-audit.test.ts --runInBand` (7 tests); backend `npm run typecheck`; backend focused `npx eslint ...` (0 errors, existing warnings only); frontend focused `npx eslint src/auth/services/google-oauth.ts src/lib/axios.ts src/utils/logger.ts`; source grep checks for delivery-code/token log patterns and audited ad-hoc pagination patterns returned no matches; backend/frontend `git diff --cached --check`. Frontend full `npx tsc --noEmit --ignoreDeprecations 6.0` remains blocked by pre-existing dirty E2E test files outside this audit change.
**Linked docs updated:** [[09 - Audits/Security DB Performance Logic Audit - 2026-06-07]]
---
### 2026-06-07 — backend@dedc5fe, frontend@9a5fa13 — DB audit remaining M/L closeout
**Commits:** `dedc5fe` `9a5fa13`
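Review bot: The new entry's **Why** line claims closure of "all 10 findings" but nowhere maps each finding to the commit, file or test that resolved it, so a later auditor cannot verify closure from this log alone; suggest listing the finding identifiers from `09 - Audits/Security DB Performance Logic Audit - 2026-06-07.md` beside the touched paths in **Touched** (e.g. `src/shared/utils/pagination.ts` for the pagination-normalization finding, `src/app.ts` for the private-upload static-serving block) and stating which of the 10 findings the 7 tests in `__tests__/security-db-performance-logic-audit.test.ts` actually exercise. In the **Verification** line, the blocked frontend `npx tsc --noEmit --ignoreDeprecations 6.0` run is recorded as "remains blocked" with no follow-up reference; add the tracking item or the specific dirty E2E files so the gap is not silently carried forward into the next closeout.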