- Max-length guard (256 chars) on incoming request IDs to prevent log bloat
- Format whitelist (alphanumeric, hyphen, underscore) to prevent log injection
- Replace Math.random() with crypto.randomBytes in fallback for CSPRNG
Create MixpanelService that uses FieldEncryptionService.hashPhoneNumber()
to SHA-256 hash phone numbers before sending to Mixpanel analytics.
- Implement spamBlocked() method with phone number hashing
- Add 16 unit tests verifying hash correctness and API behavior
- Export service from package index
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Create regex-validation utility with ReDoS detection (nested quantifiers,
overlapping alternations, complexity limits)
- Add @db.VarChar(500) constraint on pattern field in Prisma schema
- Integrate validation in rule-engine at load time and evaluation time
- Add 46 unit tests covering syntax, ReDoS patterns, complexity, edge cases
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Add runtime flag evaluation from FLAG_<KEY> environment variables
- Add enableCallAnalysis flag check to analyzeCall() and interceptCall()
- Add enableFeedbackLoop flag check to recordFeedback()
- Add 19 tests for feature flag behavior (checkFeatureFlag, getters, service integration)
- Add vitest config and test script to spamshield package
- Document all 4 Medium and 2 Low severity fixes
- Note that issue is now in_review for Code Reviewer
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Fix HTML injection vulnerability with proper entity encoding
- Fix rate limit cleanup bug (count vs timestamp confusion)
- Add URL validation to prevent open redirect attacks
- Add expiration to in-memory deduplication entries
- Use Zod schema for config validation
- Add email format validation
All 29 tests passing. Ready for Code Reviewer final review.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Created decision-engine.constants.ts with all scoring weights, thresholds, and behavioral scores
- Updated decision-engine.ts to import and use constants instead of inline values
- All 12 hardcoded values now have named, documented constants
- Pre-existing type errors are unrelated to this change
- Add ioredis dependency for Redis connection pooling
- Create RedisService singleton with connection management
- Add Redis config (url, dedupWindowSeconds) to notification.config.ts
- Implement NotificationService.checkRateLimit using Redis INCR+EXPIRE
- Implement NotificationService.deduplicateNotification using Redis SET/NX
- Add configurable rate limit windows and thresholds via env vars
- Add 29 unit tests covering Redis operations, rate limiting, and dedup
- All tests pass, TypeScript compiles cleanly for new files
- Implement CircuitBreaker class with CLOSED/OPEN/HALF_OPEN states
- Configurable failure threshold, success threshold, and timeout
- Fallback behavior when circuit opens (returns neutral 0.5 score)
- State change callbacks for monitoring and logging
- Comprehensive metrics tracking (executions, failures, successes, timestamps)
- Update SpamShieldService to use circuit breakers for both Hiya and Truecaller
- Add parallel API calls with graceful degradation
- Export circuit breaker types and service interfaces
- 32 unit tests covering circuit transitions, fallback, and service integration
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Defined 3-tier product structure (Basic/Plus/Premium)
- Product name: ShieldAI
- Features: Voice cloning protection, dark web scans, spam blocking, home title protection
- Created child issues FRE-4459 (CTO) and FRE-4460 (CMO) for execution
