fix(security): hardens auth, XSS, rate limiting, and repo posture (#43)

* fix(security): hardens auth, XSS, rate limiting, and repo posture

Auth lifecycle:
- clears dashboard cache on token expiry (prevents data leak to next user)
- propagates 401 from allSettled to trigger re-auth (prevents zombie polling)
- adds cross-tab auth sync via storage event listener
- moves OAuth returnTo read to after CSRF check passes

XSS / injection:
- validates pr.htmlUrl with isSafeGitHubUrl before passing to StatusDot/SizeBadge
- replaces inline style label colors with adoptedStyleSheets registry
- removes style-src-attr unsafe-inline from CSP (zero unsafe-* directives)
- refactors UserAvatarBadge inline style to Tailwind class

Rate limiting / DoS:
- caps fetchRepos pagination at 1000 repos with warning notification
- serializes discoverUpstreamRepos to prevent TOCTOU race on repo cap
- adds length bounds to VALID_REPO_NAME regex (consistent with Zod schema)
- adds soft warning at 100+ repos in RepoSelector
- adds in-memory rate limiter to Worker token exchange endpoint
- adds HSTS to Worker SECURITY_HEADERS (matches static asset headers)

Stores / cache:
- adds .max(500) to ignoredItems with FIFO eviction
- adds pruneClosedIgnoredItems (30-day TTL) called on app startup
- wraps IndexedDB QuotaExceededError retry in try/catch (logs instead of crash)

Repo posture:
- adds SECURITY.md with responsible disclosure policy
- adds CODEOWNERS
- adds .npmrc with ignore-scripts=true
- pins happy-dom to exact version (removes caret range)
- adds CSP inline script hash verification to CI
- adds Sentry security token support to Worker tunnel
- documents Worker _dsnCache safety rationale
- fixes poll coordinator mount/unmount race

* fix(security): addresses quality gate findings from domain review

* fix(security): restores style-src-attr (corvu/kobalte need it), uses expireToken for cross-tab sync

* fix(security): addresses PR review findings with tests

- removes IP from rate-limit log, adds prune threshold guard
- makes SENTRY_DSN optional in Env interface
- moves returnTo consumption after auth success in OAuthCallback
- adds race-safe coordinator guard to onAuthCleared + clearHotSets
- extracts IGNORED_ITEMS_CAP constant, fixes FALLBACK_FG consistency
- documents CSP style-src-attr requirement (Kobalte) in SECURITY.md
- adds 13 tests: cross-tab auth sync, 401 propagation, label-colors
  CSS rules, fetchRepos cap, rate-limit window reset, multi-user
  upstream discovery cap

* fix(security): removes dead script, adds remaining test coverage

- deletes orphaned scripts/verify-csp-hash.mjs (replaced by inline CI shell)
- updates prek.toml and deploy.yml to use inline CSP hash check
- adds tests for returnTo preserved on validateToken failure and
  token exchange failure
- adds test for SENTRY_DSN: undefined (optional field coverage)

* fix(deps): regenerates lockfile for pinned happy-dom, adds lockfile sync hook

- pnpm-lock.yaml specifier was ^20.8.9, package.json was pinned to
  20.8.9 — CI frozen-lockfile install failed on the mismatch
- adds lockfile-sync pre-commit hook that runs pnpm install
  --frozen-lockfile when package.json or pnpm-lock.yaml changes

* refactor(security): extracts CSP hash verification into shared script

* perf(waf): parallelizes smoke tests with GNU parallel

Replaces sequential curl loops (81s) with GNU parallel (-j10, ~2s).
Test specs become a pipe-delimited data array parsed by exported
functions. Adds --max-time 10 per curl, --timeout 15 per job,
command -v guard, and empty-output infrastructure failure detection.

Author: wgordon17

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# Default owner for everything
+* @wgordon17

.github/workflows/ci.yml

@@ -14,10 +14,10 @@ jobs:
           node-version: 24
           cache: pnpm
       - run: pnpm install --frozen-lockfile
+      - name: Verify CSP inline script hash
+        run: bash scripts/verify-csp-hash.sh
       - run: pnpm run typecheck
       - run: pnpm test
-      - name: Verify CSP hash
-        run: node scripts/verify-csp-hash.mjs
       - name: Install Playwright browsers
         run: npx playwright install chromium --with-deps
       - name: Run E2E tests

.github/workflows/deploy.yml

@@ -18,8 +18,8 @@ jobs:
       - run: pnpm install --frozen-lockfile
       - run: pnpm run typecheck
       - run: pnpm test
-      - name: Verify CSP hash
-        run: node scripts/verify-csp-hash.mjs
+      - name: Verify CSP inline script hash
+        run: bash scripts/verify-csp-hash.sh
       - name: WAF smoke tests
         run: pnpm test:waf
       - run: pnpm run build

.npmrc

@@ -0,0 +1 @@
+ignore-scripts=true

SECURITY.md

@@ -0,0 +1,44 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in this project, please report it responsibly.
+
+**Do not open a public GitHub issue for security vulnerabilities.**
+
+Instead, please email **security@gordoncode.dev** with:
+
+- A description of the vulnerability
+- Steps to reproduce
+- Any relevant logs or screenshots
+- Your assessment of severity (if applicable)
+
+You should receive an acknowledgment within 48 hours. I will work with you to understand and address the issue before any public disclosure.
+
+## Scope
+
+This policy covers:
+
+- The github-tracker web application (`gh.gordoncode.dev`)
+- The Cloudflare Worker backend (`src/worker/`)
+- The OAuth authentication flow
+- Client-side data handling and storage
+
+## Out of Scope
+
+- Vulnerabilities in third-party dependencies (report these to the upstream project)
+- Issues requiring physical access to a user's device
+- Social engineering attacks
+- Denial of service attacks against GitHub's API (rate limits are GitHub's domain)
+
+## Security Controls
+
+This project implements the following security measures:
+
+- **CSP**: Strict Content-Security-Policy with `default-src 'none'`, no `unsafe-eval`, no `unsafe-inline` for scripts (`style-src-attr 'unsafe-inline'` required by Kobalte UI library)
+- **CORS**: Strict origin equality matching on the Worker
+- **OAuth CSRF**: Cryptographically random state parameter with single-use enforcement
+- **Read-only API access**: Octokit hook blocks all write operations
+- **Input validation**: GraphQL query parameters validated against allowlisted patterns
+- **Sentry PII scrubbing**: Error reports strip auth tokens, headers, cookies, and user identity
+- **SHA-pinned CI**: All GitHub Actions pinned to full commit SHAs

package.json

@@ -37,7 +37,7 @@
     "@testing-library/user-event": "14.6.1",
     "daisyui": "5.5.19",
     "fake-indexeddb": "6.2.5",
-    "happy-dom": "^20.8.9",
+    "happy-dom": "20.8.9",
     "tailwindcss": "4.2.2",
     "typescript": "5.9.3",
     "vite": "8.0.1",

pnpm-lock.yaml

@@ -13,6 +13,15 @@ hooks = [
 [[repos]]
 repo = "local"
 
+[[repos.hooks]]
+id = "lockfile-sync"
+name = "Lockfile in sync with package.json"
+language = "system"
+entry = "pnpm install --frozen-lockfile"
+pass_filenames = false
+files = "(package\\.json|pnpm-lock\\.yaml)$"
+priority = 0
+
 [[repos.hooks]]
 id = "typecheck"
 name = "TypeScript typecheck"
@@ -35,7 +44,7 @@ priority = 0
 id = "csp-hash"
 name = "CSP hash verification"
 language = "system"
-entry = "node scripts/verify-csp-hash.mjs"
+entry = "bash scripts/verify-csp-hash.sh"
 pass_filenames = false
 always_run = true
 priority = 0

prek.toml

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT=$(sed -n 's/.*<script>\([^<]*\)<\/script>.*/\1/p' index.html)
+if [[ -z "$SCRIPT" ]]; then
+  echo "No inline <script>...</script> found in index.html"
+  [[ -n "${GITHUB_ACTIONS:-}" ]] && echo "::error::No inline <script>...</script> found in index.html"
+  exit 1
+fi
+HASH=$(printf '%s' "$SCRIPT" | openssl dgst -sha256 -binary | base64)
+
+if ! grep -qF "sha256-$HASH" public/_headers; then
+  echo "CSP hash mismatch! Inline script hash 'sha256-$HASH' not found in public/_headers"
+  echo "Update the sha256 hash in public/_headers to match the inline script in index.html"
+  [[ -n "${GITHUB_ACTIONS:-}" ]] && echo "::error::CSP hash mismatch! Inline script hash 'sha256-$HASH' not found in public/_headers"
+  exit 1
+fi
+
+echo "CSP hash verified: sha256-$HASH"