# Phase 14 Security Review ## Implemented controls - Strict allowlisted request and guard schemas with unknown-field rejection. - POST-only route handler with JSON content-type enforcement. - 16 KiB declared and measured request-size limits. - Same-origin or approved-origin validation. - Custom request marker to force non-simple cross-origin requests through browser preflight. - Server-side enum, length, locale, source, and UUID validation. - HTML rendering remains React-escaped; external errors are never rendered. - Adapter calls are bounded by `AbortController` timeout. - Duplicate transport is coalesced by idempotency key. - Production secrets have no public environment variable. - Local/test adapters are blocked in deployed production configuration. - No raw request body, form value, vendor response, or stack trace is logged or returned. - No external URL or redirect destination is active. ## Deliberately unresolved A production-grade distributed idempotency store, rate limiting, retry policy, CRM authentication, webhook verification, replay policy, vendor scopes, email-header defense, scheduler origin policy, and operational alerting depend on the selected service and architecture. They remain release gates rather than fake generic implementations. ## Residual risk The local in-memory idempotency coordinator is process-local and exists only to test the boundary. It is not suitable for horizontally scaled production. The honeypot is proportionate for local testing but is not a complete abuse control. Dynamic security testing, dependency audit, browser CSP validation, and penetration review remain open because dependencies and browsers could not be executed in this environment.