docs: sync from backend c0e80a7 — security audit closeout
@@ -12,6 +12,16 @@ entries on top. Maintained by agents per the rule in `../AGENTS.md`.
---
### 2026-06-07 — backend@c0e80a7, frontend@38ff0db — security DB/performance audit closeout
**Commits:** `c0e80a7` `38ff0db`
**Touched:** backend `src/shared/utils/identity.ts`, `src/shared/utils/pagination.ts`, dispute controllers/services/routes, delivery/file/template/payment/chat/points/user routes, `src/app.ts`, `src/services/auth/googleOAuthService.ts`, `__tests__/security-db-performance-logic-audit.test.ts`, `package.json`, `package-lock.json`; frontend `src/auth/services/google-oauth.ts`, `src/lib/axios.ts`, `src/utils/logger.ts`, `package.json`; docs `09 - Audits/Security DB Performance Logic Audit - 2026-06-07.md`, `09 - Audits/Activity Log.md`
**Why:** Close all 10 findings from the fresh security, DB performance, and logic audit. The changes add canonical identity checks for dispute paths, remove delivery-code/token log leakage, confine generic file paths, cap template batches, make broad user listing admin-only, block private upload directories from static serving, and normalize audited pagination inputs.
**Verification:** `task-master next` (no tasks available); backend `npx jest __tests__/security-db-performance-logic-audit.test.ts --runInBand` (7 tests); backend `npm run typecheck`; backend focused `npx eslint ...` (0 errors, existing warnings only); frontend focused `npx eslint src/auth/services/google-oauth.ts src/lib/axios.ts src/utils/logger.ts`; source grep checks for delivery-code/token log patterns and audited ad-hoc pagination patterns returned no matches; backend/frontend `git diff --cached --check`. Frontend full `npx tsc --noEmit --ignoreDeprecations 6.0` remains blocked by pre-existing dirty E2E test files outside this audit change.
**Linked docs updated:** [[09 - Audits/Security DB Performance Logic Audit - 2026-06-07]]
---
### 2026-06-07 — backend@dedc5fe, frontend@9a5fa13 — DB audit remaining M/L closeout
**Commits:** `dedc5fe` `9a5fa13`
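Review bot: the **Touched** line of the new entry lists backend `package.json` and `package-lock.json` and frontend `package.json`, but the **Why** line never says what dependency or script changed; for a security-audit closeout the entry should name the package and version (or the script edit) so the lockfile diff can be reviewed on its own rather than buried under the ten code fixes. Two smaller points in the same entry: **Verification** reports 7 tests in `__tests__/security-db-performance-logic-audit.test.ts` against 10 closed findings, so say which findings are covered by tests and which only by the grep checks; and since the frontend-wide `tsc --noEmit` is stated as blocked, record a type check scoped to the three touched frontend files (or note that the focused eslint run is the only gate they passed) so the closeout does not read as fully type-verified when it is not.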