v1.9.2 — Security Hardening Release

holeyfield33-art released this 25 Apr 10:26
· 213 commits to main since this release

Security Fixes

Critical (🔴)

  • C-1: Open Redirect Closure — Replaced baseUrl prefix-match with strict URL.origin equality in auth redirect callback
  • C-2: Email Auto-Verify Protection — Production now throws email_service_unconfigured when the email service is misconfigured, instead of silently auto-verifying addresses, which would otherwise allow account impersonation
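The C-1 change contrasts two ways of validating a post-login redirect target. The following is an added example, not the project's own callback: BASE_URL, the function names and the sample targets are assumptions. It runs the same candidate URLs through a prefix match and through strict URL.origin equality so the difference is visible on concrete input.

```javascript
// Added example (not the project's code): the two redirect-target checks
// that C-1 contrasts. BASE_URL and the function names are assumptions.
const BASE_URL = 'https://app.example.com';

// BEFORE (vulnerable): a string prefix match. Any absolute URL that merely
// begins with the base URL passes, including hosts on another domain.
function redirectByPrefix(url, baseUrl = BASE_URL) {
  if (url.startsWith('/')) return `${baseUrl}${url}`;
  return url.startsWith(baseUrl) ? url : baseUrl;
}

// AFTER (hardened): resolve the candidate against the base URL and require
// strict origin equality (scheme + host + port). Relative paths resolve to
// the app's own origin; lookalike hosts, userinfo tricks ("https://app@evil"),
// protocol-relative URLs and scheme downgrades all fall back to the base URL.
function redirectByOrigin(url, baseUrl = BASE_URL) {
  let target;
  try {
    target = new URL(url, baseUrl);
  } catch {
    return baseUrl; // unparseable input is never a redirect target
  }
  return target.origin === new URL(baseUrl).origin ? target.href : baseUrl;
}

// Constructed inputs: the same callback value fed through both checks.
const SAMPLE_TARGETS = [
  '/dashboard',                            // legitimate relative path
  'https://app.example.com/settings',      // legitimate absolute URL
  'https://app.example.com.evil.test/cb',  // lookalike host; passes the prefix check
  'https://app.example.com@evil.test/',    // userinfo trick; passes the prefix check
  '//evil.test/cb',                        // protocol-relative
  'http://app.example.com/',               // scheme downgrade
];

function compareChecks(targets = SAMPLE_TARGETS) {
  return targets.map((url) => ({
    url,
    prefix: redirectByPrefix(url),
    origin: redirectByOrigin(url),
  }));
}

console.table(compareChecks());
```

The origin comparison also catches a port mismatch and a scheme downgrade, which a host-only comparison would miss; resolving relative input with `new URL(url, baseUrl)` means the check needs no separate branch for paths.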

High Priority (🟠)

  • H-1: JWT Claim Refresh Hardening — Reduced claim refresh interval from 15 min to 60 sec (tunable via AUTH_CLAIM_REFRESH_MS), shrinking the window during which a deleted account's JWT still carries stale claims
  • H-2: CF Header Spoofing Guard — Protected /api/auth/register and /api/demo with TRUST_CF_HEADERS flag to prevent IP spoofing on non-Cloudflare deployments
  • H-3: Demo Quota DoS Prevention — Added per-IP rate limiting to /api/demo (default 20/hr, tunable) to protect shared API key quota
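H-2 and H-3 work together: the limiter is only as good as the IP it keys on, and a Cloudflare header is only trustworthy when Cloudflare is actually in front of the origin. The following added example (not the project's code) shows one way to wire the TRUST_CF_HEADERS gate to a per-IP fixed-window limiter using the DEMO_RATE_LIMIT and DEMO_RATE_WINDOW_MS variables from this release. The function names, the header set and the request sample are assumptions.

```javascript
// Added example (not the project's code): TRUST_CF_HEADERS gate plus a per-IP
// fixed-window limiter. Function names are assumptions; env var names and
// defaults are the ones listed in this release.
function readDemoConfig(env = process.env) {
  const positive = (v, fallback) =>
    Number.isFinite(Number(v)) && Number(v) > 0 ? Number(v) : fallback;
  return {
    trustCfHeaders: env.TRUST_CF_HEADERS === 'true',    // default false
    limit: positive(env.DEMO_RATE_LIMIT, 20),           // default 20 requests
    windowMs: positive(env.DEMO_RATE_WINDOW_MS, 3_600_000), // default 1 hour
  };
}

// Choose the IP the limiter keys on. CF-Connecting-IP is client-supplied on
// any deployment that is not exclusively reached through Cloudflare, so it is
// honoured only when the operator asserts that with TRUST_CF_HEADERS=true.
function clientIp(headers, socketAddress, trustCfHeaders) {
  const cf = headers['cf-connecting-ip'];
  if (trustCfHeaders && typeof cf === 'string' && cf.trim() !== '') return cf.trim();
  return socketAddress;
}

// Fixed-window counter per IP. `now` is injectable so the window can be
// advanced deterministically in tests.
function createRateLimiter({ limit, windowMs }, now = Date.now) {
  const buckets = new Map(); // ip -> { count, resetAt }
  return function check(ip) {
    const t = now();
    let bucket = buckets.get(ip);
    if (!bucket || t >= bucket.resetAt) {
      bucket = { count: 0, resetAt: t + windowMs };
      buckets.set(ip, bucket);
    }
    bucket.count += 1;
    const allowed = bucket.count <= limit;
    return {
      allowed,
      remaining: Math.max(0, limit - bucket.count),
      retryAfterMs: allowed ? 0 : bucket.resetAt - t,
    };
  };
}

// Constructed scenario: TRUST_CF_HEADERS unset, limit 3 per 1 s. Every request
// claims a different CF-Connecting-IP but arrives from the same socket address.
function demoSequence() {
  const cfg = readDemoConfig({ DEMO_RATE_LIMIT: '3', DEMO_RATE_WINDOW_MS: '1000' });
  let clock = 0;
  const check = createRateLimiter(cfg, () => clock);
  const results = [];
  for (let i = 0; i < 4; i += 1) {
    const ip = clientIp({ 'cf-connecting-ip': `203.0.113.${i}` }, '198.51.100.7', cfg.trustCfHeaders);
    results.push({ ip, ...check(ip) });
  }
  clock = 1000; // window elapsed: the counter resets
  const ip = clientIp({}, '198.51.100.7', cfg.trustCfHeaders);
  results.push({ ip, ...check(ip) });
  return results;
}

console.table(demoSequence());
```

With the flag off, the spoofed headers collapse onto the socket address and the fourth request is refused; with the flag on, the same traffic would be counted as four distinct clients. The Map is per process, so a multi-instance deployment needs a shared store for the counters.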

Medium Priority (🟡)

  • M-1: Export Endpoint Optimization — Rate-limit check moved before heavy database pull
  • M-2: Health Check Connection Leak Fix — /api/health now uses shared Prisma singleton instead of per-request instantiation
  • M-3: Policy Route Protection — /api/policy added to proxy protectedPaths array
  • M-4: Hosted Plan Prototype Guard — getHostedPlanConfig() now uses Object.hasOwn() so that a plan name resolving to an inherited Object.prototype member is no longer treated as a valid plan
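The M-4 fix addresses a common JavaScript lookup pitfall: reading `table[name]` with an untrusted key walks the prototype chain. The following added example (not the project's code) contrasts the unguarded read with an Object.hasOwn() guard; the plan table, field names and probe names are assumptions.

```javascript
// Added example (not the project's code): the lookup pattern behind M-4.
// The plan table and its fields are assumptions.
const HOSTED_PLANS = Object.freeze({
  free: { seats: 1, exportsPerDay: 5 },
  pro: { seats: 10, exportsPerDay: 500 },
});

// BEFORE: a bare property read walks the prototype chain, so a plan name
// taken from a request can resolve to inherited members of Object.prototype
// (a function or the prototype object itself) instead of a plan record.
function lookupPlanUnguarded(planName) {
  return HOSTED_PLANS[planName];
}

// AFTER: only the table's own properties count as plan names. Object.hasOwn
// (ES2022, Node 16.9+) ignores everything inherited from the prototype.
function getHostedPlanConfig(planName) {
  if (typeof planName !== 'string' || !Object.hasOwn(HOSTED_PLANS, planName)) {
    return null;
  }
  return HOSTED_PLANS[planName];
}

// Constructed probe names: two real plans, three that exist only up the
// prototype chain, one that exists nowhere.
const PROBE_NAMES = ['free', 'pro', 'constructor', '__proto__', 'hasOwnProperty', 'enterprise'];

function probe(names = PROBE_NAMES) {
  return names.map((name) => ({
    name,
    unguarded: typeof lookupPlanUnguarded(name),
    guarded: getHostedPlanConfig(name) === null ? 'null' : 'plan',
  }));
}

console.table(probe());
```

A Map, or an object created with `Object.create(null)`, avoids the chain altogether; the hasOwn guard is the minimal change when the plan table must stay a plain object.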

Updated Environment Variables

  • TRUST_CF_HEADERS — only honor CF headers when deployed behind Cloudflare (default: false)
  • DEMO_RATE_LIMIT — requests per time window for demo endpoint (default: 20)
  • DEMO_RATE_WINDOW_MS — time window for demo rate limiting (default: 3600000)
  • AUTH_CLAIM_REFRESH_MS — JWT claim refresh interval (default: 60000, minimum: 10000)

Verification

✅ Frontend build: 48 routes compiled, no errors
✅ Backend test suite: 1114 tests passed, 16 skipped
✅ No regressions from prior release

Files Changed: 14
Insertions: +184
Deletions: -33