phase 16 implementation

This commit is contained in:
root
2026-06-25 20:08:39 -04:00
parent 5d017f533a
commit c43620a005
248 changed files with 18458 additions and 90 deletions
@@ -0,0 +1,25 @@
# Phase 14 Security Review
## Implemented controls
- Strict allowlisted request and guard schemas with unknown-field rejection.
- POST-only route handler with JSON content-type enforcement.
- 16 KiB declared and measured request-size limits.
- Same-origin or approved-origin validation.
- Custom request marker to force non-simple cross-origin requests through browser preflight.
- Server-side enum, length, locale, source, and UUID validation.
- HTML rendering remains React-escaped; external errors are never rendered.
- Adapter calls are bounded by `AbortController` timeout.
- Duplicate transport is coalesced by idempotency key.
- Production secrets have no public environment variable.
- Local/test adapters are blocked in deployed production configuration.
- No raw request body, form value, vendor response, or stack trace is logged or returned.
- No external URL or redirect destination is active.
## Deliberately unresolved
A production-grade distributed idempotency store, rate limiting, retry policy, CRM authentication, webhook verification, replay policy, vendor scopes, email-header defense, scheduler origin policy, and operational alerting depend on the selected service and architecture. They remain release gates rather than fake generic implementations.
## Residual risk
The local in-memory idempotency coordinator is process-local and exists only to test the boundary. It is not suitable for horizontally scaled production. The honeypot is proportionate for local testing but is not a complete abuse control. Dynamic security testing, dependency audit, browser CSP validation, and penetration review remain open because dependencies and browsers could not be executed in this environment.