ShieldAI

Mike/ShieldAI

Fork 0

Commit Graph

Author	SHA1	Message	Date
Senior Engineer	91e4985a8e	FRE-4474 Phase 5: Verify and resolve security review findings for SpamShield and Cross-Service Correlation - FRE-4499 (SpamShield): Verified 6 security fixes (2 High, 4 Medium) - S01: Pre-compiled regex in RuleEngine (ReDoS fix) - S02: SmsClassifier accepts senderPhoneNumber context - S03: AlertServer JWT auth + origin validation - S04: SHA-256 phone hashing (PII protection) - S05: DecisionEngine timeout enforcement via Promise.race - S06: CarrierFactory.getAllCarriers properly async/await - FRE-4500 (Correlation): Verified 7 security fixes (2 Critical, 2 High, 2 Medium, 1 Low) - C1: Ingest endpoints auth via request.user.id - C2: IDOR protection on group endpoints (userId filter) - H3: JWT middleware registered in server.ts - H4: Fastify schema validation on all routes - M6: Payload sanitization with depth limit and circular ref detection - L7: CORS origin restricted to env var - Resolved liveness incidents FRE-4652 and FRE-4654 - All Phase 5 child issues now complete	2026-05-02 18:36:29 -04:00
Michael Freno	0afdf8b6e8	FRE-4500: Fix security review findings (Critical/High/Medium/Low) - Critical #1: Add auth check to ingest endpoints (use request.user.id) - Critical #2: Add IDOR protection on group endpoints (userId ownership) - High #3: Register auth middleware in server.ts (populates request.user) - High #4: Add Fastify schema validation to all route handlers - Medium #5: Add NormalizedAlert/CorrelationGroup models to Prisma schema - Medium #6: Sanitize payload storage in normalizer (depth limit, circular ref) - Low #7: Restrict CORS origins (use CORS_ORIGIN env var) Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-02 16:40:01 -04:00
Michael Freno	1e42c4a5c2	FRE-4529: Transfer ShieldAI code from FrenoCorp repo Transferred ShieldAI-related files mistakenly placed in ~/code/FrenoCorp: - Services: spamshield (feature-flags, audit-logger, error-handler), voiceprint (config, service, feature-flags), darkwatch (pipeline, scan, scheduler, watchlist, webhook) - Packages: shared-analytics, shared-auth, shared-ui, shared-utils (new); shared-billing, jobs supplemented with unique FC files - Server: alerts (FC version newer), routes (spamshield, darkwatch, voiceprint) - Config: turbo.json, tsconfig.base.json, vite/vitest configs, drizzle, Dockerfile - VoicePrint ML service - Examples Pending: apps/{api,web,mobile}/ structured merge, shared-db/db mapping Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-02 10:13:13 -04:00

Author

SHA1

Message

Date

Senior Engineer

91e4985a8e

FRE-4474 Phase 5: Verify and resolve security review findings for SpamShield and Cross-Service Correlation

- FRE-4499 (SpamShield): Verified 6 security fixes (2 High, 4 Medium)
  - S01: Pre-compiled regex in RuleEngine (ReDoS fix)
  - S02: SmsClassifier accepts senderPhoneNumber context
  - S03: AlertServer JWT auth + origin validation
  - S04: SHA-256 phone hashing (PII protection)
  - S05: DecisionEngine timeout enforcement via Promise.race
  - S06: CarrierFactory.getAllCarriers properly async/await

- FRE-4500 (Correlation): Verified 7 security fixes (2 Critical, 2 High, 2 Medium, 1 Low)
  - C1: Ingest endpoints auth via request.user.id
  - C2: IDOR protection on group endpoints (userId filter)
  - H3: JWT middleware registered in server.ts
  - H4: Fastify schema validation on all routes
  - M6: Payload sanitization with depth limit and circular ref detection
  - L7: CORS origin restricted to env var

- Resolved liveness incidents FRE-4652 and FRE-4654
- All Phase 5 child issues now complete

2026-05-02 18:36:29 -04:00

Michael Freno

0afdf8b6e8

FRE-4500: Fix security review findings (Critical/High/Medium/Low)

- Critical #1: Add auth check to ingest endpoints (use request.user.id)
- Critical #2: Add IDOR protection on group endpoints (userId ownership)
- High #3: Register auth middleware in server.ts (populates request.user)
- High #4: Add Fastify schema validation to all route handlers
- Medium #5: Add NormalizedAlert/CorrelationGroup models to Prisma schema
- Medium #6: Sanitize payload storage in normalizer (depth limit, circular ref)
- Low #7: Restrict CORS origins (use CORS_ORIGIN env var)
Co-Authored-By: Paperclip <noreply@paperclip.ing>

2026-05-02 16:40:01 -04:00

Michael Freno

1e42c4a5c2

FRE-4529: Transfer ShieldAI code from FrenoCorp repo

Transferred ShieldAI-related files mistakenly placed in ~/code/FrenoCorp:
- Services: spamshield (feature-flags, audit-logger, error-handler), voiceprint (config, service, feature-flags), darkwatch (pipeline, scan, scheduler, watchlist, webhook)
- Packages: shared-analytics, shared-auth, shared-ui, shared-utils (new); shared-billing, jobs supplemented with unique FC files
- Server: alerts (FC version newer), routes (spamshield, darkwatch, voiceprint)
- Config: turbo.json, tsconfig.base.json, vite/vitest configs, drizzle, Dockerfile
- VoicePrint ML service
- Examples

Pending: apps/{api,web,mobile}/ structured merge, shared-db/db mapping

Co-Authored-By: Paperclip <noreply@paperclip.ing>

2026-05-02 10:13:13 -04:00

3 Commits