Commit Graph

1 Commits

Author SHA1 Message Date
null aee23d6025 feat(security): CI secret-scan + dep-audit, SECURITY.md, auth-coverage test (Pillar C)
- CI now runs gitleaks (secret scanning, .gitleaks.toml allowlists
  fixtures/data/generated) and `npm audit --audit-level=critical`.
- SECURITY.md: disclosure policy, the controls in place, operational
  hardening, and the two assessed HIGH audit exceptions (nodemailer `raw`
  unused → not exploitable; xlsx confined to import w/ raw:false + limits).
- tests/securityCoverage.test.js: static invariant that every non-public
  router mount carries requireAuth (+ CSRF for authed, requireAdmin for
  admin) — a new unprotected route now fails CI. 4 tests; suite 236/236.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-06 14:40:17 -05:00