fix: remediate deep-audit security and integrity findings#36
Conversation
Public report APIs now return only verified reports, hide pending content with 404, and expose separate public schemas without internal reporter identifiers.
Centralize score eligibility on verified reports, block duplicate active submissions, add report rate limits, and add database-backed duplicate protection.
Reject duplicate employer responses per account, count distinct eligible reports in scoring, and hide responses for non-public reports.
Sync verification_votes from persisted upvotes and restrict voting to publicly visible reports.
Rotate refresh tokens atomically, normalize identity for case-insensitive uniqueness, and enforce bcrypt UTF-8 byte limits.
Store refresh tokens in session state, call backend logout on sign out, and await App Router searchParams in page components.
Require reviewer and reviewed_at for import-ready rows, expand PII scanning, and avoid shared ATS hosts as company domains.
Map supported ATS providers to company_site and extract tenant identity without using shared platform hosts as company domains.
Keep /health lightweight and add /health/ready with PostgreSQL and Redis checks for Docker health probes.
Set COPYFILE_DISABLE during archive creation and add packaging regression coverage for AppleDouble filenames.
Record moderation, scoring, session, health, and sheet-import behavior aligned with the planned remediation release.
Use injected settings and Redis client for /health/ready so CI and local integration tests probe the same database and Redis URLs as the test suite.
|
Repository owner authorization: temporarily relaxing the required CODEOWNERS review and approval-count settings solely to merge this completed security remediation. All required CI checks are green and the final diff has been reviewed. The exact original review-protection configuration will be restored immediately after the squash merge. No status checks, administrator enforcement, CODEOWNERS file, rulesets, or other branch protections will be changed. |
|
Controlled merge completed. PR #36 was squash-merged after the repository owner temporarily set the CODEOWNERS review requirement off and the required approval count to zero. The exact original pull-request review protection was restored immediately after merge and verified against the pre-change snapshot. Required status checks, administrator enforcement, CODEOWNERS, repository rulesets, and all other branch protections remained unchanged. |
Summary
This pull request remediates confirmed findings from the independent Ghost Sweep deep audit without rewriting published history or touching
v0.1.0/v0.1.1.High-Severity Fixes
verifiedreports.409 Conflictand report-specific rate limiting.Secondary Fixes
verification_votesfrom persisted upvotes.searchParams.reviewerandreviewed_at, expand PII scanning, and avoid shared ATS hosts as company domains.company_site./healthremains liveness-only;/health/readychecks PostgreSQL and Redis.._*metadata.Schema and Migration Impact
003_audit_remediationusers.emailandusers.usernameemployer_responses (report_id, user_id)API Impact
PublicReportResponsewithoutreporter_id.404to unauthenticated callers.409./health/readyadded for dependency readiness.Testing
Dependency PR Interaction
No dependency manifest or lockfile changes in this branch. Open PRs #21, #22, #32, and #35 remain the path for grouped dependency updates and advisories already covered there.
Release
v0.1.0unchanged.v0.1.1unchanged.v0.1.2.Rollback
Revert the PR normally. If
003_audit_remediationhas been applied, run Alembic downgrade to restore prior user uniqueness constraints and remove the new integrity indexes before redeploying older application code.Test plan