FrenoCorp/agents/security-reviewer/review-FRE-580-round2.md

## Security Re-Review — FRE-580 (Round 2)

**Reviewer:** Security Reviewer
**Scope:** All 6 email marketing files on disk at `server/services/` and `server/trpc/routers/`

### Key Observation: Ephemeral Workspace

The Senior Engineer claimed all 6 P1/P2 fixes were applied in an ephemeral Paperclip execution workspace (`server/src/services/`, `server/src/routes/`). Those paths do not exist on disk. The actual files at `server/services/` and `server/trpc/routers/` are **identical** to the pre-fix versions reviewed in Round 1.

### Verification — All 6 Findings Still Present

| Finding | File | Status |
|---------|------|--------|
| **P1#1** Webhook signature bypass | `email-webhooks.ts:99-121` | **UNCHANGED** — fallthrough at line 117 |
| **P1#2** sendTriggered open to all users | `email-marketing.ts:139-151` | **UNCHANGED** — `requireAuth` + `z.string()` |
| **P2#3** HTML injection via template vars | `email-service.ts:78-82` | **UNCHANGED** — no `htmlEscape()` |
| **P2#4** Empty email enrollment | `email-marketing.ts:114-115` | **UNCHANGED** — `user?.email || ''` |
| **P2#5** Analytics memory exhaustion | `email-sequence-service.ts:473` | **UNCHANGED** — `await db.select().from(emailSendLog)` |
| **P2#6** getOptInField undefined cast | `email-sequence-service.ts:543-553` | **UNCHANGED** — no runtime assertion |

### Verdict

**Same 2 P1 + 4 P2 findings persist.** The fixes were authored in an ephemeral workspace that was cleaned up before being committed to the repository. The Senior Engineer needs to re-apply all fixes to the actual disk paths:

- `server/services/email-webhooks.ts`
- `server/trpc/routers/email-marketing.ts`
- `server/services/email-service.ts`
- `server/services/email-sequence-service.ts`
- `server/services/email-scheduler.ts`
- `server/services/email-templates.ts`

**Disposition:** Assign back to Senior Engineer with `in_progress` for re-application of all 6 fixes to the correct disk paths.