Acts on the verified findings from the 2026-06 audit (docs/AUDIT_2026-06_
VERIFIED.md). The audit's #1 "middleware never runs" was a false positive
(verified in prod: /hq-command redirects to login). These are the genuine
gaps:
- SEC-04 (HIGH): /api/assets (GET/POST/PUT/DELETE/PATCH) and
/api/branding/favicon (POST) had NO auth. The middleware matcher excludes
/api, so they were world-reachable — anyone could list/upload/rename/
delete CMS files or regenerate the favicon. Added a new getAdminSession()
helper (src/lib/session.ts) and a requireAdmin() guard on every handler.
- DB-01 (HIGH): the ClientUser table (B2B client portal) was defined in the
schema but NEVER created by any migration, and OperationsSignal.clientId +
its FK were missing too. B2B register/login failed at runtime; the
dashboard silently showed 0 clients. New additive migration
20260609120000_add_client_user creates the table, the unique email index,
the clientId column (IF NOT EXISTS), and the FK (duplicate-object guarded).
- SEC-05 (MED-HIGH): operations.ts generateRichEmailHtml() interpolated
item.title/sku/quantity, clientName/Company/Email/Phone and the free-text
message straight into HTML — stored XSS into the team's internal inbox.
Now escaped via escapeHtml/escapeAttr/safeMailto; file links validated to
internal paths only.
- SEC-01 (MED): removed the hardcoded SESSION_SECRET fallback in src/proxy.ts;
it now validates lazily and throws if the secret is missing (mirrors
session.ts), so a runtime env failure can't fall back to a public key.
Verified: next build compiles with SESSION_SECRET unset (Docker parity),
TypeScript clean, prisma schema valid, golden tests 17/17.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
