Current Baseline
- `pnpm audit --audit-level=high` must pass in CI
- auth, sharing, and public endpoints are highest sensitivity
Critical Risk Areas
- `/server/middleware/auth.ts`
- `/server/routes/auth.ts`
- `/server/routes/public.ts`
- `/server/routes/shares.ts`
- `/server/routes/external-shares.ts`
- extension auth token sync logic
Hardening Rules
- never commit credentials or API keys
- validate and sanitize untrusted input
- keep extension permissions least-privilege
- enforce explicit authorization checks
- add negative tests for unauthorized access
- keep extension auth persistent across browser restart, refresh, temporary hydration gaps, 401 refresh attempts, and network failures; clear it only on explicit website logout or explicit extension logout
- run `pnpm run scan:secrets:tracked` for release-relevant secret scanning so ignored local-only stores such as `.env`, `playwright/.auth`, and generated `dist` are excluded from tracked-source readiness checks
- keep real secret values out of docs, logs, tests, and chat; use redacted examples and scanner-safe test fixtures
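The extension auth persistence rule above has several failure modes that must not wipe the stored credential (hydration gaps, failed 401 refreshes, network failures) and exactly two events that must. The following is an added illustration, not the project's own code: the store, event names, and the `Map`-backed stand-in for extension storage are all assumptions.

```typescript
// Added example (not the project's own code): extension auth state that survives
// transient failures and is cleared only by an explicit logout. `storage` is an
// in-memory stand-in for the browser's extension storage; all names are assumed.
type AuthEvent =
  | { kind: "hydrated"; token: string | undefined }    // storage read after restart/refresh
  | { kind: "unauthorized"; refreshed: string | null } // 401 seen; refresh result, null = failed
  | { kind: "network_failure" }
  | { kind: "website_logout" }
  | { kind: "extension_logout" };

class ExtensionAuthStore {
  private token: string | undefined;
  // Set when the server rejected the token and refresh failed: the UI should
  // prompt for re-auth, but the stored credential is not discarded.
  public needsReauth = false;

  constructor(private storage: Map<string, string>) {
    this.token = storage.get("authToken");
  }

  get current(): string | undefined { return this.token; }

  handle(ev: AuthEvent): void {
    switch (ev.kind) {
      case "hydrated":
        // A transient empty read (hydration gap) must not overwrite a token we
        // already hold; only adopt a value when one is actually present.
        if (ev.token !== undefined) this.token = ev.token;
        return;
      case "unauthorized":
        if (ev.refreshed !== null) {
          this.persist(ev.refreshed);   // refresh succeeded: rotate the token
          this.needsReauth = false;
        } else {
          this.needsReauth = true;      // refresh failed: keep token, flag re-auth
        }
        return;
      case "network_failure":
        return;                         // offline is not a logout
      case "website_logout":
      case "extension_logout":
        this.token = undefined;         // the only two paths that clear auth
        this.needsReauth = false;
        this.storage.delete("authToken");
        return;
    }
  }

  private persist(token: string): void {
    this.token = token;
    this.storage.set("authToken", token);
  }
}
```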
Incident Readiness
For every high-risk merge, include:
- potential failure mode
- user/data impact
- rollback command/path
- owner for post-release monitoring