version: "1.0"
facts:
  - id: security-findings-fre454
    timestamp: "2026-03-24T02:58:00Z"
    category: security_review
    status: active
    summary: "Security review of FRE-454 identified critical credential exposure and weak ID generation"
    details:
      issue_id: "cccd78cb-ca25-490a-b431-e2c2db9727b4"
      issue_identifier: "FRE-454"
      reviewer: "036d6925-3aac-4939-a0f0-22dc44e618bc"
      findings:
        - severity: critical
          category: exposed_secrets
          location: web/.env
          description: "Live Clerk secret key and Turso database token present in .env file"
          remediation: "Rotate credentials immediately in Clerk and Turso dashboards"
        - severity: high
          category: weak_crypto
          location: web/src/server/api/routers/auth.ts:24-29
          description: "ID generation uses Math.random() which is not cryptographically secure"
          remediation: "Use crypto.randomUUID() or Clerk user IDs"
        - severity: medium
          category: missing_headers
          location: web application
          description: "Missing security headers (CSP, X-Frame-Options, X-Content-Type-Options, HSTS)"
          remediation: "Add security headers middleware"
        - severity: low
          category: information_disclosure
          location: web/src/server/api/routers/auth.ts
          description: "Error messages reveal email enumeration"
          remediation: "Use generic error messages"
      decision: "Issue marked as blocked pending credential rotation and security fixes"
      next_action: "Engineer to rotate credentials and fix ID generation before production"