chore: production roadmap + P0 security hardening #29
Conversation
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 51796f76a9
| const originHeader = parseOrigin(request.headers.get('origin')); | ||
| if (originHeader) { | ||
| return originHeader === expectedOrigin; |
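Review bot: the strict comparison `originHeader === expectedOrigin` on the last line only works if both sides come out of the same normalizer; if `expectedOrigin` is read from configuration with a different case, a trailing slash or an explicit default port, the check fails closed and breaks the browser flow rather than the attacker's. Run `expectedOrigin` through `parseOrigin` as well (or assert at startup that `parseOrigin(expectedOrigin) === expectedOrigin`) so the two strings are guaranteed to be in the same canonical form.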
Reject unparseable Origin headers
In isAllowedRequestOrigin, a present but unparseable Origin value (for example Origin: null, which browsers can send from sandboxed contexts) is treated as if no origin was provided and is therefore allowed. Since the Stripe checkout/portal POST handlers rely on this helper in production, that fallthrough can bypass the new same-origin protection and still run with authenticated cookies. Requests that include an invalid origin header should be rejected rather than accepted as "missing".
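The distinction the review comment draws, between an Origin header that is absent and one that is present but invalid, in an added example that is not the PR's code. The names `isAllowedRequestOrigin`, `parseOrigin` and `expectedOrigin` follow the comment; their bodies, the `fakeRequest` helper and the sample origins are assumptions constructed for this example.

```javascript
// Added example (not the PR's code). Shows the fallthrough the reviewer
// flagged next to a version that rejects unparseable Origin values.

// Parse an Origin header value into a canonical origin string, or return
// null when it is not a valid origin ("null", garbage, a path, file:).
function parseOrigin(value) {
  if (typeof value !== 'string') return null;
  try {
    const url = new URL(value);
    // A serialized origin carries no path, query or fragment.
    if (url.pathname !== '/' || url.search !== '' || url.hash !== '') return null;
    // Opaque origins (file:, blob: without base, sandboxed frames) serialize to "null".
    if (url.origin === 'null') return null;
    return url.origin; // lowercased host, default port dropped
  } catch {
    return null; // not a URL at all, e.g. the literal string "null"
  }
}

// Shape from the PR: a present-but-unparseable header behaves like a missing one.
function isAllowedRequestOriginBefore(request, expectedOrigin) {
  const originHeader = parseOrigin(request.headers.get('origin'));
  if (originHeader) {
    return originHeader === expectedOrigin;
  }
  return true; // assumption: requests without Origin (non-browser clients) are allowed
}

// Hardened: decide on the raw header first, parse second.
function isAllowedRequestOrigin(request, expectedOrigin) {
  const raw = request.headers.get('origin');
  if (raw === null) {
    // No Origin header at all. Whether that is acceptable is a policy choice;
    // kept permissive here to match the original behaviour for non-browser calls.
    return true;
  }
  const parsed = parseOrigin(raw);
  // Present but invalid (including "Origin: null") is a rejection, not a pass.
  return parsed !== null && parsed === expectedOrigin;
}

// Minimal stand-in for a Fetch API Request (constructed for this example):
// headers.get() is case-insensitive and returns null for a missing header.
function fakeRequest(headers) {
  const map = new Map(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  return { headers: { get: (name) => map.get(name.toLowerCase()) ?? null } };
}

// Constructed expected origin for the demo.
const EXPECTED_ORIGIN = 'https://app.example.com';

// Run both versions over a set of constructed Origin values and report the verdicts.
function compareOriginChecks() {
  const cases = {
    absent: {},
    sameOrigin: { Origin: 'https://app.example.com' },
    crossOrigin: { origin: 'https://other.example' },
    nullOrigin: { origin: 'null' },
    garbage: { origin: 'not a url' },
  };
  const out = {};
  for (const [name, headers] of Object.entries(cases)) {
    const req = fakeRequest(headers);
    out[name] = {
      before: isAllowedRequestOriginBefore(req, EXPECTED_ORIGIN),
      after: isAllowedRequestOrigin(req, EXPECTED_ORIGIN),
    };
  }
  return out;
}

console.table(compareOriginChecks());
```

The only rows where the two versions differ are `nullOrigin` and `garbage`: the original lets both through, the hardened check rejects both while still allowing the header-less and same-origin cases.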
| const detail = error instanceof Error ? error.message : 'db_probe_failed'; | ||
| return { ok: false as const, detail }; |
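Review bot: the ternary on the first line gets the safe default backwards: a thrown non-`Error` value yields the fixed `'db_probe_failed'`, while the common case, a driver `Error`, forwards its raw `message` to the client. Use the constant in both branches (`const detail = 'db_probe_failed';`) and pass the caught `error` to the server-side logger before returning `{ ok: false as const, detail }`, so the diagnostic text never reaches an unauthenticated caller.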
Avoid exposing DB error details in health response
The new unauthenticated /api/health endpoint stores error.message from the DB probe and returns it to clients via checks.database.detail. Connection/library error strings commonly include internal diagnostics (hostnames, driver details, schema hints), so this leaks operational information to any caller. For a public health check, return a generic failure detail and keep the raw error only in server logs.
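The split the review comment asks for, raw error to the server log and a fixed string to the client, as an added example that is not the PR's code. The `{ ok, detail }` result shape and the `checks.database.detail` path follow the comment; `probeDatabase`, `buildHealthResponse`, the injected `logger` and the constructed driver error are assumptions. The probe is modelled as a synchronous callable here; a real database ping would be awaited, but the sanitization logic is the same.

```javascript
// Added example (not the PR's code): keeping DB diagnostics out of /api/health.

// The only failure detail that ever leaves the server.
const DB_PROBE_FAILED = 'db_probe_failed';

// Shape from the PR: the Error message is copied into the response.
function probeDatabaseLeaky(probe) {
  try {
    probe();
    return { ok: true, detail: 'ok' };
  } catch (error) {
    const detail = error instanceof Error ? error.message : DB_PROBE_FAILED;
    return { ok: false, detail };
  }
}

// Hardened: the raw error goes to the logger (server side only); the
// response carries a constant. `logger` is an assumption for this example.
function probeDatabase(probe, logger = console) {
  try {
    probe();
    return { ok: true, detail: 'ok' };
  } catch (error) {
    logger.error('health: database probe failed', error);
    return { ok: false, detail: DB_PROBE_FAILED };
  }
}

// Assemble the public health body and derive the HTTP status from the checks.
function buildHealthResponse(probe, logger = console) {
  const database = probeDatabase(probe, logger);
  const ok = database.ok;
  return { status: ok ? 200 : 503, body: { ok, checks: { database } } };
}

// Constructed driver-style error: note the internal hostname and port.
const CONSTRUCTED_DB_ERROR = new Error('connect ECONNREFUSED db-primary.internal:5432');
function failingProbe() { throw CONSTRUCTED_DB_ERROR; }
function healthyProbe() { /* constructed: the ping succeeds */ }

// Logger that captures lines instead of printing, so the demo can inspect them.
function memoryLogger() {
  const lines = [];
  return { lines, error: (...args) => lines.push(args.map(String).join(' ')) };
}

// Run leaky and hardened versions against the failing probe side by side.
function compareHealthResponses() {
  const logger = memoryLogger();
  return {
    leaky: probeDatabaseLeaky(failingProbe),
    hardened: buildHealthResponse(failingProbe, logger),
    healthy: buildHealthResponse(healthyProbe, logger),
    serverLog: logger.lines,
  };
}

const result = compareHealthResponses();
console.log('leaky detail   :', result.leaky.detail);
console.log('hardened body  :', JSON.stringify(result.hardened.body));
console.log('server log     :', result.serverLog);
```

The leaky response prints the internal hostname to whoever called the endpoint; the hardened body contains only `db_probe_failed` while the same hostname shows up in the server-side log, where an operator can still act on it.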
Summary
Validation