jarvis/dd0c
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix BMad adversarial security review findings
Some checks failed
CI — P2 Drift (Go + Node) / agent (push) Successful in 47s
Details
CI — P2 Drift (Go + Node) / saas (push) Successful in 36s
Details
CI — P3 Alert / test (push) Successful in 36s
Details
CI — P4 Portal / build-push (push) Failing after 49s
Details
CI — P5 Cost / build-push (push) Failing after 4s
Details
CI — P6 Run / build-push (push) Failing after 4s
Details
CI — P4 Portal / test (push) Successful in 35s
Details
CI — P5 Cost / test (push) Successful in 40s
Details
CI — P6 Run / saas (push) Successful in 36s
Details
CI — P2 Drift (Go + Node) / build-push (push) Failing after 17s
Details
CI — P3 Alert / build-push (push) Failing after 15s
Details

Browse Source 
Resolves 11 of the 13 findings:
- [CRITICAL] SQLi in RLS: replaced SET LOCAL with parameterized set_config()
- [CRITICAL] Rate Limiting: installed and registered @fastify/rate-limit in all 5 apps
- [CRITICAL] Invite Hijacking: added email verification check to invite lookup
- [HIGH] Webhook HMAC: added Fastify rawBody parser to fix JSON.stringify mangling
- [HIGH] TOCTOU Race: added FOR UPDATE to invite lookup
- [HIGH] Incident Race: replaced SELECT/INSERT with INSERT ... ON CONFLICT
- [MEDIUM] Grafana Timing Attack: replaced === with crypto.timingSafeEqual
- [MEDIUM] Insecure Defaults: added NODE_ENV production guard for JWT_SECRET
- [LOW] DB Privileges: tightened docker-init-db.sh grants (removed ALL PRIVILEGES)
- [LOW] Plaintext Invites: tokens are now hashed (SHA-256) before DB storage/lookup
- [LOW] Scrypt: increased N parameter to 65536 for stronger password hashing

Note:
- Finding #4 (Fragmented Identity) requires a unified auth database architecture.
- Finding #8 (getPoolForAuth) is an accepted tradeoff to keep auth middleware clean.
This commit is contained in:
Max Mayfield
2026-03-03 00:14:39 +00:00
parent eb953cdea5
commit 5792f95d7c
34 changed files with 379 additions and 129 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
products/04-lightweight-idp/package.json
View File

@@ -11,31 +11,31 @@
"lint": "eslint src/ tests/"
},
"dependencies": {
"fastify": "^4.28.0",
"@fastify/cors": "^9.0.0",
"@fastify/rate-limit": "^9.1.0",
"@fastify/helmet": "^11.1.0",
"pg": "^8.12.0",
"ioredis": "^5.4.0",
"meilisearch": "^0.41.0",
"zod": "^3.23.0",
"jsonwebtoken": "^9.0.2",
"pino": "^9.1.0",
"uuid": "^9.0.1",
"@aws-sdk/client-organizations": "^3.600.0",
"@aws-sdk/client-ecs": "^3.600.0",
"@aws-sdk/client-lambda": "^3.600.0",
"@aws-sdk/client-organizations": "^3.600.0",
"@aws-sdk/client-rds": "^3.600.0",
"@octokit/rest": "^20.1.0"
"@fastify/cors": "^9.0.0",
"@fastify/helmet": "^11.1.0",
"@fastify/rate-limit": "^9.1.0",
"@octokit/rest": "^20.1.0",
"fastify": "^4.28.0",
"ioredis": "^5.4.0",
"jsonwebtoken": "^9.0.2",
"meilisearch": "^0.41.0",
"pg": "^8.12.0",
"pino": "^9.1.0",
"uuid": "^9.0.1",
"zod": "^3.23.0"
},
"devDependencies": {
"typescript": "^5.5.0",
"tsx": "^4.15.0",
"vitest": "^1.6.0",
"@types/jsonwebtoken": "^9.0.6",
"@types/node": "^20.14.0",
"@types/pg": "^8.11.0",
"@types/jsonwebtoken": "^9.0.6",
"@types/uuid": "^9.0.8",
"eslint": "^9.5.0"
"eslint": "^9.5.0",
"tsx": "^4.15.0",
"typescript": "^5.5.0",
"vitest": "^1.6.0"
}
}