Epic: Security Hardening

[Snider]

Overview

Harden security across the framework: fix critical vulnerabilities, improve authentication, and prevent information leakage.

Phase 1 — Critical

• security(trees): fix race condition in PlantTreeWithTFTF job #77 — security(trees): fix race condition in PlantTreeWithTFTF job
• security(auth): replace LthnHash with bcrypt for password hashing #78 — security(auth): replace LthnHash with bcrypt for password hashing

Phase 2 — High

• security(helpers): fix SSRF in File.php via unvalidated Http::get #79 — security(helpers): fix SSRF in File.php via unvalidated Http::get
• security(tests): remove hardcoded API token from test file #82 — security(tests): remove hardcoded API token from test file
• security(api): prevent upstream body leakage in BuildsResponse #84 — security(api): prevent upstream body leakage in BuildsResponse
• security(auth): add session configuration file #85 — security(auth): add session configuration file

Previously Created (existing)

• Security: SafeWebhookUrl DNS rebinding vulnerability #17
• Security: ManagesTokens trait stores tokens in memory without protection #18
• Security: HadesEncrypt embeds hardcoded public key #21
• Configuration: ConfigValue encryption may cause issues during APP_KEY rotation #25

Exit Criteria

All child issues closed. No critical or high security findings remain open.