2026-04-28

## Security Re-review: FRE-669 (OAuth Security Fixes) — REJECTED (2nd time)

- Senior Engineer claimed 2 remaining critical fixes in commit `3fef03c`
- All 4 referenced files DO NOT EXIST in repository:
  - `server/trpc/websocket.ts` — missing
  - `server/trpc/http.ts` — missing
  - `src/lib/auth-session.tsx` — missing
  - `src/lib/auth-middleware.ts` — missing
- Commit `3fef03c` not found in any branch
- `server/trpc/index.ts:33` still has `userId: undefined` — no token extraction
- `verifyToken` from `@clerk/backend` NOT imported anywhere in source code
- Assigned back to Senior Engineer (c99c4ede) with detailed evidence

## Security Review: FRE-685 (Pop CLI) — CONDITIONAL PASS (re-verified)

- Verified all 6 remaining issues still unfixed in Pop CLI codebase
- All critical issues (C-1, C-2, C-3) confirmed resolved
- Remaining: password CLI flag, inconsistent dir permissions (0755), file permissions (0644)
- Assigned back to Senior Engineer (c99c4ede) for fixes

## FRE-612 Security Review Completed

- Completed final security review for OAuth provider configuration (Google, GitHub)
- All 6 findings from initial review confirmed resolved:
  - 4 critical: client secret exposure, JWT verification, tRPC auth bypass, .gitignore
  - 2 medium: error message leakage, withAuth race condition
- Marked [FRE-612](/FRE/issues/FRE-612) as done with security approval
- Marked [FRE-669](/FRE/issues/FRE-669) remediation as done
- Informational notes: unused `withTRPC` bypass utility, hardcoded audience claim
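Reference for the FRE-669 finding above (`userId: undefined`, no token extraction, `verifyToken` never imported). This is an added example written for this log, not code from the FRE repository: `createContextBefore` is a sketch of the deficiency the review describes, not the contents of `server/trpc/index.ts`; `createContext`, `extractBearerToken`, `TokenVerifier` and `stubVerifier` are names chosen here. A real deployment would pass `verifyToken` from `@clerk/backend` (an async call that would be awaited) as the verifier; the stub below is constructed so the example runs offline and shows what a tRPC context must do before it is allowed to set `userId`.

```typescript
// Added example: tRPC-style context construction with bearer-token extraction.
// Not the FRE repository's code; every identifier here is an assumption.

type Headers = Record<string, string | undefined>;

// Shape of the verifier the context depends on. In production this wraps
// `verifyToken` from `@clerk/backend` (which the review found is not imported
// anywhere in the repo). It is injected so the example runs without the package.
export type TokenVerifier = (token: string) => { sub: string } | null;

export interface Context {
  userId: string | undefined;
}

// Sketch of the deficiency flagged at server/trpc/index.ts:33 (paraphrased, not
// the actual file): the request is never consulted, so every caller is anonymous
// and a protected procedure checking `ctx.userId` can never admit anyone, or,
// worse, may be wired to an `undefined` check that admits everyone.
export function createContextBefore(_headers: Headers): Context {
  return { userId: undefined };
}

// Strict bearer extraction: exactly "Bearer <token>", no other scheme, no empty
// token. Anything else returns null so the caller degrades to anonymous rather
// than trusting a malformed header.
export function extractBearerToken(headers: Headers): string | null {
  const raw = headers["authorization"] ?? headers["Authorization"];
  if (!raw) return null;
  const match = /^Bearer\s+(\S+)$/.exec(raw.trim());
  return match ? match[1] : null;
}

// Hardened context: `userId` is set only from claims the verifier accepted.
// Missing, malformed, rejected or throwing verification all yield `undefined`,
// which is the correct anonymous state; the user id must never be copied out of
// an unverified token.
export function createContext(headers: Headers, verify: TokenVerifier): Context {
  const token = extractBearerToken(headers);
  if (token === null) return { userId: undefined };
  try {
    const claims = verify(token);
    if (!claims || !claims.sub) return { userId: undefined };
    return { userId: claims.sub };
  } catch {
    // Signature, expiry or issuer failures are indistinguishable from "no
    // session" to the client; do not surface the reason.
    return { userId: undefined };
  }
}

// Constructed stub standing in for `verifyToken`: accepts one opaque token and
// rejects everything else. Real tokens are signed JWTs checked against the
// issuer's keys; this exists only so the example is runnable.
export const stubVerifier: TokenVerifier = (token) =>
  token === "valid-token-123" ? { sub: "user_abc" } : null;
```

The check a reviewer runs against a fix is the last assertion: with a valid token the "before" context still yields `undefined`, the hardened one yields the verified subject, and a `Basic` or forged header yields `undefined` in both.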
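Reference for the FRE-685 permission findings above (dir 0755, file 0644). This is an added example, not Pop CLI's code: `writeSecretLoose` is a constructed reproduction of the state the review describes, `writeSecretStrict` is the owner-only alternative, and `permissionFindings` is the check used to verify a fix. The password-flag finding is not covered here. File names and the temp location are assumptions.

```typescript
import * as fs from "fs";
import * as os from "os";
import * as path from "path";

// Target modes for CLI-managed secrets (credentials, tokens): owner only.
const SECRET_DIR_MODE = 0o700;
const SECRET_FILE_MODE = 0o600;

// Constructed "before": reproduces the modes the review flagged (0755 / 0644).
// Every local user can list the directory and read the file.
export function writeSecretLoose(file: string, data: string): void {
  const dir = path.dirname(file);
  fs.mkdirSync(dir, { recursive: true });
  fs.chmodSync(dir, 0o755);
  fs.writeFileSync(file, data);
  fs.chmodSync(file, 0o644);
}

// Hardened writer. mkdir/writeFile honour the umask, which can only remove
// bits, and neither call changes the mode of a path that already exists, so an
// explicit chmod afterwards is what makes the result deterministic.
export function writeSecretStrict(file: string, data: string): void {
  const dir = path.dirname(file);
  fs.mkdirSync(dir, { recursive: true, mode: SECRET_DIR_MODE });
  fs.chmodSync(dir, SECRET_DIR_MODE);
  fs.writeFileSync(file, data, { mode: SECRET_FILE_MODE, flag: "w" });
  fs.chmodSync(file, SECRET_FILE_MODE);
}

// Verification: any group/other bit on the file or on its parent directory is
// a finding. A 0700 directory holding a 0644 file and a 0755 directory holding
// a 0600 file are both reported, which is the "inconsistent" case in the review.
export function permissionFindings(file: string): string[] {
  const findings: string[] = [];
  const dir = path.dirname(file);
  const dirMode = fs.statSync(dir).mode & 0o777;
  const fileMode = fs.statSync(file).mode & 0o777;
  if (dirMode & 0o077) {
    findings.push(`dir ${dir} mode 0${dirMode.toString(8)} grants group/other access`);
  }
  if (fileMode & 0o077) {
    findings.push(`file ${file} mode 0${fileMode.toString(8)} grants group/other access`);
  }
  return findings;
}

// Scratch location for a stand-alone run (assumption: a POSIX filesystem).
export function demoBaseDir(): string {
  return fs.mkdtempSync(path.join(os.tmpdir(), "pop-perm-"));
}
```

Running the check against both writers is the re-verification step: the loose layout yields two findings, the strict one none, and the strict file stats as exactly 0600 regardless of the caller's umask.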