From 224a91f2f59656efbf58906998119f42f769db6d Mon Sep 17 00:00:00 2001
From: testvalue <wgordon@redhat.com>
Date: Wed, 1 Apr 2026 21:33:02 -0400
Subject: [PATCH 1/8] fix(security): hardens auth, XSS, rate limiting, and repo
 posture

Auth lifecycle:
- clears dashboard cache on token expiry (prevents data leak to next user)
- propagates 401 from allSettled to trigger re-auth (prevents zombie polling)
- adds cross-tab auth sync via storage event listener
- moves OAuth returnTo read to after CSRF check passes

XSS / injection:
- validates pr.htmlUrl with isSafeGitHubUrl before passing to StatusDot/SizeBadge
- replaces inline style label colors with adoptedStyleSheets registry
- removes style-src-attr unsafe-inline from CSP (zero unsafe-* directives)
- refactors UserAvatarBadge inline style to Tailwind class

Rate limiting / DoS:
- caps fetchRepos pagination at 1000 repos with warning notification
- serializes discoverUpstreamRepos to prevent TOCTOU race on repo cap
- adds length bounds to VALID_REPO_NAME regex (consistent with Zod schema)
- adds soft warning at 100+ repos in RepoSelector
- adds in-memory rate limiter to Worker token exchange endpoint
- adds HSTS to Worker SECURITY_HEADERS (matches static asset headers)

Stores / cache:
- adds .max(500) to ignoredItems with FIFO eviction
- adds pruneClosedIgnoredItems (30-day TTL) called on app startup
- wraps IndexedDB QuotaExceededError retry in try/catch (logs instead of crash)

Repo posture:
- adds SECURITY.md with responsible disclosure policy
- adds CODEOWNERS
- adds .npmrc with ignore-scripts=true
- pins happy-dom to exact version (removes caret range)
- adds CSP inline script hash verification to CI
- adds Sentry security token support to Worker tunnel
- documents Worker _dsnCache safety rationale
- fixes poll coordinator mount/unmount race
---
 .github/CODEOWNERS                            |  2 +
 .github/workflows/ci.yml                      | 12 +++-
 .npmrc                                        |  1 +
 SECURITY.md                                   | 44 ++++++++++++++
 package.json                                  |  2 +-
 public/_headers                               |  2 +-
 src/app/App.tsx                               |  3 +-
 .../components/dashboard/DashboardPage.tsx    | 10 ++--
 src/app/components/dashboard/ItemRow.tsx      | 23 +++-----
 .../components/dashboard/PullRequestsTab.tsx  |  5 +-
 .../components/onboarding/RepoSelector.tsx    |  9 ++-
 src/app/components/shared/UserAvatarBadge.tsx |  3 +-
 src/app/lib/label-colors.ts                   | 29 +++++++++
 src/app/pages/OAuthCallback.tsx               |  8 +--
 src/app/services/api.ts                       | 22 ++++++-
 src/app/services/poll.ts                      | 10 ++--
 src/app/stores/auth.ts                        | 13 +++-
 src/app/stores/cache.ts                       |  8 ++-
 src/app/stores/view.ts                        | 16 +++++
 src/worker/index.ts                           | 59 ++++++++++++++++++-
 tests/components/OAuthCallback.test.tsx       |  5 +-
 .../shared/UserAvatarBadge.test.tsx           |  4 +-
 tests/stores/auth.test.ts                     |  4 +-
 tests/stores/cache.test.ts                    | 11 ++--
 tests/worker/oauth.test.ts                    |  7 ++-
 25 files changed, 258 insertions(+), 54 deletions(-)
 create mode 100644 .github/CODEOWNERS
 create mode 100644 .npmrc
 create mode 100644 SECURITY.md
 create mode 100644 src/app/lib/label-colors.ts

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 00000000..a6339c0f
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,2 @@
+# Default owner for everything
+* @wgordon17
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c14fcbe3..10bcb75f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,10 +14,18 @@ jobs:
           node-version: 24
           cache: pnpm
       - run: pnpm install --frozen-lockfile
+      - name: Verify CSP inline script hash
+        run: |
+          SCRIPT=$(sed -n 's/.*<script>\(.*\)<\/script>.*/\1/p' index.html)
+          HASH=$(printf '%s' "$SCRIPT" | openssl dgst -sha256 -binary | base64)
+          if ! grep -q "sha256-$HASH" public/_headers; then
+            echo "::error::CSP hash mismatch! Inline script hash 'sha256-$HASH' not found in public/_headers"
+            echo "Update the sha256 hash in public/_headers to match the inline script in index.html"
+            exit 1
+          fi
+          echo "CSP hash verified: sha256-$HASH"
       - run: pnpm run typecheck
       - run: pnpm test
-      - name: Verify CSP hash
-        run: node scripts/verify-csp-hash.mjs
       - name: Install Playwright browsers
         run: npx playwright install chromium --with-deps
       - name: Run E2E tests
diff --git a/.npmrc b/.npmrc
new file mode 100644
index 00000000..97b895e2
--- /dev/null
+++ b/.npmrc
@@ -0,0 +1 @@
+ignore-scripts=true
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..4b28eb9f
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,44 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in this project, please report it responsibly.
+
+**Do not open a public GitHub issue for security vulnerabilities.**
+
+Instead, please email **security@gordoncode.dev** with:
+
+- A description of the vulnerability
+- Steps to reproduce
+- Any relevant logs or screenshots
+- Your assessment of severity (if applicable)
+
+You should receive an acknowledgment within 48 hours. I will work with you to understand and address the issue before any public disclosure.
+
+## Scope
+
+This policy covers:
+
+- The github-tracker web application (`gh.gordoncode.dev`)
+- The Cloudflare Worker backend (`src/worker/`)
+- The OAuth authentication flow
+- Client-side data handling and storage
+
+## Out of Scope
+
+- Vulnerabilities in third-party dependencies (report these to the upstream project)
+- Issues requiring physical access to a user's device
+- Social engineering attacks
+- Denial of service attacks against GitHub's API (rate limits are GitHub's domain)
+
+## Security Controls
+
+This project implements the following security measures:
+
+- **CSP**: Strict Content-Security-Policy with `default-src 'none'` and no `unsafe-eval`
+- **CORS**: Strict origin equality matching on the Worker
+- **OAuth CSRF**: Cryptographically random state parameter with single-use enforcement
+- **Read-only API access**: Octokit hook blocks all write operations
+- **Input validation**: GraphQL query parameters validated against allowlisted patterns
+- **Sentry PII scrubbing**: Error reports strip auth tokens, headers, cookies, and user identity
+- **SHA-pinned CI**: All GitHub Actions pinned to full commit SHAs
diff --git a/package.json b/package.json
index 36abcd90..55ab11ac 100644
--- a/package.json
+++ b/package.json
@@ -37,7 +37,7 @@
     "@testing-library/user-event": "14.6.1",
     "daisyui": "5.5.19",
     "fake-indexeddb": "6.2.5",
-    "happy-dom": "^20.8.9",
+    "happy-dom": "20.8.9",
     "tailwindcss": "4.2.2",
     "typescript": "5.9.3",
     "vite": "8.0.1",
diff --git a/public/_headers b/public/_headers
index bd30cf47..e6dfeefa 100644
--- a/public/_headers
+++ b/public/_headers
@@ -1,5 +1,5 @@
 /*
-  Content-Security-Policy: default-src 'none'; script-src 'self' 'sha256-uEFqyYCMaNy1Su5VmWLZ1hOCRBjkhm4+ieHHxQW6d3Y='; style-src-elem 'self'; style-src-attr 'unsafe-inline'; img-src 'self' data: https://avatars.githubusercontent.com; connect-src 'self' https://api.github.com; font-src 'self'; worker-src 'self'; manifest-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'none'; upgrade-insecure-requests; report-uri /api/csp-report; report-to csp-endpoint
+  Content-Security-Policy: default-src 'none'; script-src 'self' 'sha256-uEFqyYCMaNy1Su5VmWLZ1hOCRBjkhm4+ieHHxQW6d3Y='; style-src-elem 'self'; img-src 'self' data: https://avatars.githubusercontent.com; connect-src 'self' https://api.github.com; font-src 'self'; worker-src 'self'; manifest-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'none'; upgrade-insecure-requests; report-uri /api/csp-report; report-to csp-endpoint
   Reporting-Endpoints: csp-endpoint="/api/csp-report"
   X-Content-Type-Options: nosniff
   Referrer-Policy: strict-origin-when-cross-origin
diff --git a/src/app/App.tsx b/src/app/App.tsx
index f6f5aa10..8cfd3579 100644
--- a/src/app/App.tsx
+++ b/src/app/App.tsx
@@ -2,7 +2,7 @@ import { createSignal, createEffect, onMount, Show, ErrorBoundary, Suspense, laz
 import { Router, Route, Navigate, useNavigate } from "@solidjs/router";
 import { isAuthenticated, validateToken, AUTH_STORAGE_KEY } from "./stores/auth";
 import { config, initConfigPersistence, resolveTheme } from "./stores/config";
-import { initViewPersistence } from "./stores/view";
+import { initViewPersistence, pruneClosedIgnoredItems } from "./stores/view";
 import { evictStaleEntries } from "./stores/cache";
 import { initClientWatcher } from "./services/github";
 import LoginPage from "./pages/LoginPage";
@@ -161,6 +161,7 @@ export default function App() {
     initConfigPersistence();
     initViewPersistence();
     initClientWatcher();
+    pruneClosedIgnoredItems();
     evictStaleEntries(24 * 60 * 60 * 1000).catch(() => {
       // Non-fatal — stale eviction failure is acceptable
     });
diff --git a/src/app/components/dashboard/DashboardPage.tsx b/src/app/components/dashboard/DashboardPage.tsx
index 3c6500a1..437961d9 100644
--- a/src/app/components/dashboard/DashboardPage.tsx
+++ b/src/app/components/dashboard/DashboardPage.tsx
@@ -312,10 +312,12 @@ export default function DashboardPage() {
     const clockInterval = setInterval(() => setClockTick((t) => t + 1), 60_000);
 
     onCleanup(() => {
-      _coordinator()?.destroy();
-      _setCoordinator(null);
-      _hotCoordinator()?.destroy();
-      _setHotCoordinator(null);
+      const coord = _coordinator();
+      const hotCoord = _hotCoordinator();
+      coord?.destroy();
+      if (_coordinator() === coord) _setCoordinator(null);
+      hotCoord?.destroy();
+      if (_hotCoordinator() === hotCoord) _setHotCoordinator(null);
       clearHotSets();
       clearInterval(clockInterval);
     });
diff --git a/src/app/components/dashboard/ItemRow.tsx b/src/app/components/dashboard/ItemRow.tsx
index 911e368c..9ab23107 100644
--- a/src/app/components/dashboard/ItemRow.tsx
+++ b/src/app/components/dashboard/ItemRow.tsx
@@ -1,7 +1,8 @@
 import { createMemo, For, JSX, Show } from "solid-js";
 import { isSafeGitHubUrl } from "../../lib/url";
-import { relativeTime, shortRelativeTime, labelTextColor, formatCount } from "../../lib/format";
+import { relativeTime, shortRelativeTime, formatCount } from "../../lib/format";
 import { expandEmoji } from "../../lib/emoji";
+import { labelColorClass } from "../../lib/label-colors";
 
 export interface ItemRowProps {
   repo: string;
@@ -102,19 +103,13 @@ export default function ItemRow(props: ItemRowProps) {
         <Show when={props.labels.length > 0}>
           <div class={`flex flex-wrap gap-1 ${isCompact() ? "mt-0.5" : "mt-1"}`}>
             <For each={props.labels}>
-              {(label) => {
-                const isValidHex = /^[0-9a-fA-F]{6}$/.test(label.color);
-                const bg = isValidHex ? `#${label.color}` : "#e5e7eb";
-                const fg = isValidHex ? labelTextColor(label.color) : "#374151";
-                return (
-                  <span
-                    class="inline-flex items-center rounded-full text-xs px-2 py-0.5 font-medium bg-[var(--lb)] text-[var(--lf)]"
-                    style={{ "--lb": bg, "--lf": fg }}
-                  >
-                    {expandEmoji(label.name)}
-                  </span>
-                );
-              }}
+              {(label) => (
+                <span
+                  class={`inline-flex items-center rounded-full text-xs px-2 py-0.5 font-medium ${labelColorClass(label.color)}`}
+                >
+                  {expandEmoji(label.name)}
+                </span>
+              )}
             </For>
           </div>
         </Show>
diff --git a/src/app/components/dashboard/PullRequestsTab.tsx b/src/app/components/dashboard/PullRequestsTab.tsx
index 08fc066f..f1ae9bb5 100644
--- a/src/app/components/dashboard/PullRequestsTab.tsx
+++ b/src/app/components/dashboard/PullRequestsTab.tsx
@@ -3,6 +3,7 @@ import { config, type TrackedUser } from "../../stores/config";
 import { viewState, setSortPreference, ignoreItem, unignoreItem, setTabFilter, resetTabFilter, resetAllTabFilters, toggleExpandedRepo, setAllExpanded, pruneExpandedRepos, pruneLockedRepos, type PullRequestFilterField } from "../../stores/view";
 import type { PullRequest, RepoRef } from "../../services/api";
 import { deriveInvolvementRoles, prSizeCategory } from "../../lib/format";
+import { isSafeGitHubUrl } from "../../lib/url";
 import ExpandCollapseButtons from "../shared/ExpandCollapseButtons";
 import ItemRow from "./ItemRow";
 import UserAvatarBadge, { buildSurfacedByUsers } from "../shared/UserAvatarBadge";
@@ -542,8 +543,8 @@ export default function PullRequestsTab(props: PullRequestsTabProps) {
                                   </Show>
                                   <ReviewBadge decision={pr.reviewDecision} />
                                   <Show when={pr.enriched !== false}>
-                                    <SizeBadge additions={pr.additions} deletions={pr.deletions} changedFiles={pr.changedFiles} category={prMeta().get(pr.id)?.sizeCategory} filesUrl={`${pr.htmlUrl}/files`} />
-                                    <StatusDot status={pr.checkStatus} href={`${pr.htmlUrl}/checks`} />
+                                    <SizeBadge additions={pr.additions} deletions={pr.deletions} changedFiles={pr.changedFiles} category={prMeta().get(pr.id)?.sizeCategory} filesUrl={isSafeGitHubUrl(pr.htmlUrl) ? `${pr.htmlUrl}/files` : undefined} />
+                                    <StatusDot status={pr.checkStatus} href={isSafeGitHubUrl(pr.htmlUrl) ? `${pr.htmlUrl}/checks` : undefined} />
                                     <Show when={pr.checkStatus === "conflict"}>
                                       <span class="badge badge-warning badge-sm gap-1">
                                         <svg xmlns="http://www.w3.org/2000/svg" class="h-3 w-3" viewBox="0 0 20 20" fill="currentColor" aria-hidden="true">
diff --git a/src/app/components/onboarding/RepoSelector.tsx b/src/app/components/onboarding/RepoSelector.tsx
index ab0e26de..451439ae 100644
--- a/src/app/components/onboarding/RepoSelector.tsx
+++ b/src/app/components/onboarding/RepoSelector.tsx
@@ -16,7 +16,7 @@ import LoadingSpinner from "../shared/LoadingSpinner";
 import FilterInput from "../shared/FilterInput";
 
 // Validates owner/repo format (both segments must be non-empty, no spaces)
-const VALID_REPO_NAME = /^[a-zA-Z0-9._-]+\/[a-zA-Z0-9._-]+$/;
+const VALID_REPO_NAME = /^[a-zA-Z0-9._-]{1,100}\/[a-zA-Z0-9._-]{1,100}$/;
 
 interface RepoSelectorProps {
   selectedOrgs: string[];
@@ -705,6 +705,13 @@ export default function RepoSelector(props: RepoSelectorProps) {
           {props.selected.length === 1 ? "repo" : "repos"} selected
         </p>
       </Show>
+
+      {/* Rate limit warning for large selections */}
+      <Show when={props.selected.length + (props.upstreamRepos ?? []).length > 100}>
+        <div role="alert" class="alert alert-warning text-sm">
+          Tracking 100+ repos may cause GitHub API rate limit issues. Consider reducing your selection.
+        </div>
+      </Show>
     </div>
   );
 }
diff --git a/src/app/components/shared/UserAvatarBadge.tsx b/src/app/components/shared/UserAvatarBadge.tsx
index 8aa0e3f0..280619e1 100644
--- a/src/app/components/shared/UserAvatarBadge.tsx
+++ b/src/app/components/shared/UserAvatarBadge.tsx
@@ -31,8 +31,7 @@ export default function UserAvatarBadge(props: UserAvatarBadgeProps) {
         <For each={trackedUsers()}>
           {(u, i) => (
             <div
-              class="avatar"
-              style={i() > 0 ? { "margin-left": "-6px" } : {}}
+              class={`avatar${i() > 0 ? " -ml-1.5" : ""}`}
             >
               <div class="w-5 rounded-full ring-1 ring-base-100">
                 <img
diff --git a/src/app/lib/label-colors.ts b/src/app/lib/label-colors.ts
new file mode 100644
index 00000000..d0b78937
--- /dev/null
+++ b/src/app/lib/label-colors.ts
@@ -0,0 +1,29 @@
+import { labelTextColor } from "./format";
+
+// Dynamic label color registry using adoptedStyleSheets.
+// This avoids inline style attributes, allowing removal of
+// style-src-attr 'unsafe-inline' from the CSP.
+const sheet = new CSSStyleSheet();
+document.adoptedStyleSheets = [...document.adoptedStyleSheets, sheet];
+
+const registered = new Set<string>();
+const FALLBACK_BG = "e5e7eb";
+const FALLBACK_FG = "#374151";
+
+/**
+ * Registers a label color in the adopted stylesheet and returns
+ * the CSS class name. Hex values are validated before use —
+ * only [0-9a-fA-F]{6} is accepted.
+ */
+export function labelColorClass(hex: string): string {
+  const isValid = /^[0-9a-fA-F]{6}$/.test(hex);
+  const safeHex = isValid ? hex.toLowerCase() : FALLBACK_BG;
+
+  if (!registered.has(safeHex)) {
+    const bg = `#${safeHex}`;
+    const fg = isValid ? labelTextColor(safeHex) : FALLBACK_FG;
+    sheet.insertRule(`.lb-${safeHex} { background-color: ${bg}; color: ${fg}; }`);
+    registered.add(safeHex);
+  }
+  return `lb-${safeHex}`;
+}
diff --git a/src/app/pages/OAuthCallback.tsx b/src/app/pages/OAuthCallback.tsx
index 09135405..56d7d6da 100644
--- a/src/app/pages/OAuthCallback.tsx
+++ b/src/app/pages/OAuthCallback.tsx
@@ -24,10 +24,6 @@ export default function OAuthCallback() {
     const storedState = sessionStorage.getItem(OAUTH_STATE_KEY);
     sessionStorage.removeItem(OAUTH_STATE_KEY);
 
-    // Read and clear returnTo before CSRF check — always consumed, even on failure
-    const returnTo = sessionStorage.getItem(OAUTH_RETURN_TO_KEY);
-    sessionStorage.removeItem(OAUTH_RETURN_TO_KEY);
-
     // Validate state before anything else (CSRF protection)
     if (!stateFromUrl || !storedState || stateFromUrl !== storedState) {
       setError("Invalid OAuth state. Please try signing in again.");
@@ -35,6 +31,10 @@ export default function OAuthCallback() {
       return;
     }
 
+    // Read and clear returnTo only after CSRF check passes
+    const returnTo = sessionStorage.getItem(OAUTH_RETURN_TO_KEY);
+    sessionStorage.removeItem(OAUTH_RETURN_TO_KEY);
+
     if (!code) {
       setError("No authorization code received from GitHub.");
       return;
diff --git a/src/app/services/api.ts b/src/app/services/api.ts
index a0726018..82714ba0 100644
--- a/src/app/services/api.ts
+++ b/src/app/services/api.ts
@@ -205,7 +205,7 @@ function extractSearchPartialData<T>(err: unknown): T | null {
   return null;
 }
 
-const VALID_REPO_NAME = /^[A-Za-z0-9._-]+\/[A-Za-z0-9._-]+$/;
+const VALID_REPO_NAME = /^[A-Za-z0-9._-]{1,100}\/[A-Za-z0-9._-]{1,100}$/;
 // Allows alphanumeric/hyphen base (1-39 chars) with optional literal [bot] suffix for GitHub
 // App bot accounts. Case-sensitive [bot] is intentional — GitHub always uses lowercase.
 const VALID_TRACKED_LOGIN = /^[A-Za-z0-9-]{1,39}(\[bot\])?$/;
@@ -1882,6 +1882,7 @@ export async function fetchRepos(
   if (!octokit) throw new Error("No GitHub client available");
 
   const repos: RepoEntry[] = [];
+  const REPO_CAP = 1000;
 
   if (type === "org") {
     for await (const response of octokit.paginate.iterator(`GET /orgs/{org}/repos`, {
@@ -1893,6 +1894,7 @@ export async function fetchRepos(
       for (const repo of response.data as RawRepo[]) {
         repos.push({ owner: repo.owner.login, name: repo.name, fullName: repo.full_name, pushedAt: repo.pushed_at ?? null });
       }
+      if (repos.length >= REPO_CAP) break;
     }
   } else {
     for await (const response of octokit.paginate.iterator(`GET /user/repos`, {
@@ -1904,9 +1906,18 @@ export async function fetchRepos(
       for (const repo of response.data as RawRepo[]) {
         repos.push({ owner: repo.owner.login, name: repo.name, fullName: repo.full_name, pushedAt: repo.pushed_at ?? null });
       }
+      if (repos.length >= REPO_CAP) break;
     }
   }
 
+  if (repos.length >= REPO_CAP) {
+    pushNotification(
+      "api",
+      `${orgOrUser} has 1000+ repos — showing the most recently active`,
+      "warning",
+    );
+  }
+
   return repos;
 }
 
@@ -2264,7 +2275,14 @@ export async function discoverUpstreamRepos(
   }
   if (logins.length === 0) return [];
 
-  await Promise.allSettled(logins.map((login) => discoverForUser(login)));
+  // Process users sequentially so the repoNames.size cap check is atomic
+  // across iterations (prevents TOCTOU race from parallel writes to the shared Set).
+  // Issues + PRs searches for each user still run in parallel — they write to
+  // the same Set within a single iteration, which is safe.
+  for (const login of logins) {
+    if (repoNames.size >= CAP) break;
+    await discoverForUser(login);
+  }
 
   if (errors.length > 0) {
     pushNotification(
diff --git a/src/app/services/poll.ts b/src/app/services/poll.ts
index 02ff9d42..79926454 100644
--- a/src/app/services/poll.ts
+++ b/src/app/services/poll.ts
@@ -267,11 +267,13 @@ export async function fetchAllData(
   ];
   for (const [result, label] of settled) {
     if (result.status === "rejected") {
-      const reason = result.reason;
-      const statusCode = typeof reason === "object" && reason !== null && typeof (reason as Record<string, unknown>).status === "number"
-        ? (reason as Record<string, unknown>).status as number
+      const err = result.reason;
+      // Propagate 401 to outer handler for re-auth (don't absorb as generic error)
+      if (err?.status === 401 || err?.response?.status === 401) throw err;
+      const statusCode = typeof err === "object" && err !== null && typeof (err as Record<string, unknown>).status === "number"
+        ? (err as Record<string, unknown>).status as number
         : null;
-      const message = reason instanceof Error ? reason.message : String(reason);
+      const message = err instanceof Error ? err.message : String(err);
       topLevelErrors.push({ repo: label, statusCode, message, retryable: statusCode === null || (statusCode !== null && statusCode >= 500) });
     }
   }
diff --git a/src/app/stores/auth.ts b/src/app/stores/auth.ts
index 98b1be7d..be4ef46b 100644
--- a/src/app/stores/auth.ts
+++ b/src/app/stores/auth.ts
@@ -105,9 +105,10 @@ export function clearAuth(): void {
  *  navigation handles teardown. Use clearAuth() if not navigating. */
 export function expireToken(): void {
   localStorage.removeItem(AUTH_STORAGE_KEY);
+  localStorage.removeItem(DASHBOARD_STORAGE_KEY);
   _setToken(null);
   setUser(null);
-  console.info("[auth] token expired (user data preserved)");
+  console.info("[auth] token expired (dashboard cache cleared)");
 }
 
 const VALIDATE_HEADERS = {
@@ -174,3 +175,13 @@ export async function validateToken(): Promise<boolean> {
     return false;
   }
 }
+
+// Cross-tab auth sync: if another tab clears the token, this tab should also clear
+if (typeof window !== "undefined") {
+  window.addEventListener("storage", (e: StorageEvent) => {
+    if (e.key === AUTH_STORAGE_KEY && e.newValue === null && _token()) {
+      clearAuth();
+      window.location.replace("/login");
+    }
+  });
+}
diff --git a/src/app/stores/cache.ts b/src/app/stores/cache.ts
index d1b46495..c2ced352 100644
--- a/src/app/stores/cache.ts
+++ b/src/app/stores/cache.ts
@@ -65,8 +65,12 @@ export async function setCacheEntry(
     ) {
       // Emergency eviction: delete oldest 50% of entries, then retry once
       await evictOldestPercent(50);
-      const db = await getDb();
-      await db.put("cache", entry);
+      try {
+        const db = await getDb();
+        await db.put("cache", entry);
+      } catch {
+        console.warn("[cache] Still over quota after emergency eviction — entry dropped");
+      }
     } else {
       throw err;
     }
diff --git a/src/app/stores/view.ts b/src/app/stores/view.ts
index cad1a4de..faccf78b 100644
--- a/src/app/stores/view.ts
+++ b/src/app/stores/view.ts
@@ -55,6 +55,7 @@ export const ViewStateSchema = z.object({
         ignoredAt: z.number(),
       })
     )
+    .max(500)
     .default([]),
   globalFilter: z
     .object({
@@ -146,6 +147,10 @@ export function ignoreItem(item: IgnoredItem): void {
     produce((draft) => {
       const already = draft.ignoredItems.some((i) => i.id === item.id);
       if (!already) {
+        // FIFO eviction: remove oldest if at cap
+        if (draft.ignoredItems.length >= 500) {
+          draft.ignoredItems.shift();
+        }
         draft.ignoredItems.push(item);
       }
     })
@@ -160,6 +165,17 @@ export function unignoreItem(id: string): void {
   );
 }
 
+export function pruneClosedIgnoredItems(): void {
+  const thirtyDaysAgo = Date.now() - 30 * 24 * 60 * 60 * 1000;
+  setViewState(
+    produce((draft) => {
+      draft.ignoredItems = draft.ignoredItems.filter(
+        (i) => new Date(i.ignoredAt).getTime() > thirtyDaysAgo
+      );
+    })
+  );
+}
+
 export function setSortPreference(
   tabId: string,
   field: string,
diff --git a/src/worker/index.ts b/src/worker/index.ts
index 2eed9bae..b9c7d95a 100644
--- a/src/worker/index.ts
+++ b/src/worker/index.ts
@@ -4,6 +4,7 @@ export interface Env {
   GITHUB_CLIENT_SECRET: string;
   ALLOWED_ORIGIN: string;
   SENTRY_DSN: string; // e.g. "https://key@o123456.ingest.sentry.io/7890123"
+  SENTRY_SECURITY_TOKEN?: string; // Optional: Sentry security token for Allowed Domains validation
 }
 
 // Predefined error strings only (SDR-006)
@@ -53,11 +54,38 @@ function errorResponse(
 }
 
 const SECURITY_HEADERS: Record<string, string> = {
+  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
   "X-Content-Type-Options": "nosniff",
   "Referrer-Policy": "strict-origin-when-cross-origin",
   "X-Frame-Options": "DENY",
 };
 
+// Simple in-memory rate limiter for token exchange endpoint.
+// Not durable across isolate restarts, but catches burst abuse.
+const TOKEN_RATE_LIMIT = 10; // max requests per window
+const TOKEN_RATE_WINDOW_MS = 60_000; // 1 minute
+const _tokenRateMap = new Map<string, { count: number; resetAt: number }>();
+
+function checkTokenRateLimit(ip: string): boolean {
+  const now = Date.now();
+  const entry = _tokenRateMap.get(ip);
+  if (!entry || now >= entry.resetAt) {
+    _tokenRateMap.set(ip, { count: 1, resetAt: now + TOKEN_RATE_WINDOW_MS });
+    return true;
+  }
+  entry.count++;
+  if (entry.count > TOKEN_RATE_LIMIT) return false;
+  return true;
+}
+
+// Periodic cleanup to prevent unbounded map growth
+function pruneTokenRateMap(): void {
+  const now = Date.now();
+  for (const [ip, entry] of _tokenRateMap) {
+    if (now >= entry.resetAt) _tokenRateMap.delete(ip);
+  }
+}
+
 // CORS: strict equality only (SDR-004)
 function getCorsHeaders(
   requestOrigin: string | null,
@@ -82,6 +110,10 @@ const SENTRY_ENVELOPE_MAX_BYTES = 256 * 1024; // 256 KB — Sentry rejects >200K
 
 interface ParsedDsn { host: string; projectId: string; publicKey: string }
 
+// Module-level cache is safe here: value derived entirely from env.SENTRY_DSN
+// (a deployment constant, never user input). Shared across requests in the same
+// Worker isolate, which is intentional for performance. Do NOT follow this pattern
+// for request-scoped or user-controlled data.
 let _dsnCache: { dsn: string; parsed: ParsedDsn | null } | undefined;
 
 /** Parse host, project ID, and public key from a Sentry DSN URL. Returns null if invalid. */
@@ -171,9 +203,15 @@ async function handleSentryTunnel(
   // Forward to Sentry ingest endpoint
   const sentryUrl = `https://${allowedDsn.host}/api/${allowedDsn.projectId}/envelope/`;
   try {
+    const sentryHeaders: Record<string, string> = {
+      "Content-Type": "application/x-sentry-envelope",
+    };
+    if (env.SENTRY_SECURITY_TOKEN) {
+      sentryHeaders["X-Sentry-Token"] = env.SENTRY_SECURITY_TOKEN;
+    }
     const sentryResp = await fetch(sentryUrl, {
       method: "POST",
-      headers: { "Content-Type": "application/x-sentry-envelope" },
+      headers: sentryHeaders,
       body,
     });
 
@@ -279,7 +317,10 @@ async function handleCspReport(request: Request, env: Env): Promise<Response> {
     scrubbedPayloads.map((payload) =>
       fetch(sentryUrl, {
         method: "POST",
-        headers: { "Content-Type": "application/csp-report" },
+        headers: {
+          "Content-Type": "application/csp-report",
+          ...(env.SENTRY_SECURITY_TOKEN ? { "X-Sentry-Token": env.SENTRY_SECURITY_TOKEN } : {}),
+        },
         body: JSON.stringify(payload),
       }).catch(() => null)
     )
@@ -308,6 +349,20 @@ async function handleTokenExchange(
     return errorResponse("method_not_allowed", 405, cors);
   }
 
+  pruneTokenRateMap();
+  const ip = request.headers.get("CF-Connecting-IP") ?? "unknown";
+  if (!checkTokenRateLimit(ip)) {
+    log("warn", "token_exchange_rate_limited", { ip }, request);
+    return new Response(JSON.stringify({ error: "rate_limited" }), {
+      status: 429,
+      headers: {
+        "Content-Type": "application/json",
+        ...cors,
+        ...SECURITY_HEADERS,
+      },
+    });
+  }
+
   log("info", "token_exchange_started", {}, request);
 
   const contentType = request.headers.get("Content-Type") ?? "";
diff --git a/tests/components/OAuthCallback.test.tsx b/tests/components/OAuthCallback.test.tsx
index b6223d6c..9b42afc5 100644
--- a/tests/components/OAuthCallback.test.tsx
+++ b/tests/components/OAuthCallback.test.tsx
@@ -327,7 +327,7 @@ describe("OAuthCallback", () => {
     });
   });
 
-  it("OAUTH_RETURN_TO_KEY is cleared even when CSRF check fails (stale key protection)", async () => {
+  it("OAUTH_RETURN_TO_KEY is preserved when CSRF check fails (only consumed on success)", async () => {
     sessionStorage.setItem(OAUTH_RETURN_TO_KEY, "/settings");
     sessionStorage.setItem(OAUTH_STATE_KEY, "expected-state");
     setWindowSearch({ code: "fakecode", state: "wrong-state" });
@@ -337,7 +337,8 @@ describe("OAuthCallback", () => {
     await waitFor(() => {
       screen.getByText(/Invalid OAuth state/i);
     });
-    expect(sessionStorage.getItem(OAUTH_RETURN_TO_KEY)).toBeNull();
+    // returnTo is preserved for the user's next legitimate auth attempt
+    expect(sessionStorage.getItem(OAUTH_RETURN_TO_KEY)).toBe("/settings");
   });
 
   it("navigates to / when OAUTH_RETURN_TO_KEY is not set", async () => {
diff --git a/tests/components/shared/UserAvatarBadge.test.tsx b/tests/components/shared/UserAvatarBadge.test.tsx
index 49f408ff..4e7239fb 100644
--- a/tests/components/shared/UserAvatarBadge.test.tsx
+++ b/tests/components/shared/UserAvatarBadge.test.tsx
@@ -95,7 +95,7 @@ describe("UserAvatarBadge", () => {
     // Second avatar wrapper should have a negative margin-left style
     const avatarWrappers = container.querySelectorAll(".avatar");
     expect(avatarWrappers.length).toBe(2);
-    // First has no negative margin; second does
-    expect((avatarWrappers[1] as HTMLElement).style.marginLeft).toBe("-6px");
+    // First has no negative margin class; second does
+    expect(avatarWrappers[1].classList.contains("-ml-1.5")).toBe(true);
   });
 });
diff --git a/tests/stores/auth.test.ts b/tests/stores/auth.test.ts
index 9205d157..a83c5571 100644
--- a/tests/stores/auth.test.ts
+++ b/tests/stores/auth.test.ts
@@ -186,16 +186,16 @@ describe("expireToken", () => {
     expect(mod.user()).toBeNull();
   });
 
-  it("removes only auth token from localStorage — config, view, dashboard preserved", () => {
+  it("removes auth token and dashboard cache from localStorage — config, view preserved", () => {
     localStorageMock.setItem("github-tracker:config", '{"theme":"dark"}');
     localStorageMock.setItem("github-tracker:view", '{"lastActiveTab":"actions"}');
     localStorageMock.setItem("github-tracker:dashboard", '{"cached":true}');
     mod.setAuth({ access_token: "ghs_abc" });
     mod.expireToken();
     expect(localStorageMock.getItem("github-tracker:auth-token")).toBeNull();
+    expect(localStorageMock.getItem("github-tracker:dashboard")).toBeNull();
     expect(localStorageMock.getItem("github-tracker:config")).toBe('{"theme":"dark"}');
     expect(localStorageMock.getItem("github-tracker:view")).toBe('{"lastActiveTab":"actions"}');
-    expect(localStorageMock.getItem("github-tracker:dashboard")).toBe('{"cached":true}');
   });
 
   it("does NOT invoke onAuthCleared callbacks", () => {
diff --git a/tests/stores/cache.test.ts b/tests/stores/cache.test.ts
index b45083b3..a889da54 100644
--- a/tests/stores/cache.test.ts
+++ b/tests/stores/cache.test.ts
@@ -124,17 +124,20 @@ describe("setCacheEntry — QuotaExceededError eviction", () => {
     expect(stored!.data).toEqual({ new: true });
   });
 
-  it("propagates error when retry after eviction also fails", async () => {
+  it("logs warning and resolves when retry after eviction also fails", async () => {
     const db = await getDb();
+    const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
 
     // Throw QuotaExceededError on every put call
     vi.spyOn(db, "put").mockImplementation(async () => {
       throw new DOMException("QuotaExceededError", "QuotaExceededError");
     });
 
-    await expect(
-      setCacheEntry("quota-retry-fail:key", { data: true }, null)
-    ).rejects.toThrow();
+    // Should resolve (not throw) — entry is silently dropped
+    await setCacheEntry("quota-retry-fail:key", { data: true }, null);
+    expect(warnSpy).toHaveBeenCalledWith(
+      expect.stringContaining("Still over quota")
+    );
   });
 });
 
diff --git a/tests/worker/oauth.test.ts b/tests/worker/oauth.test.ts
index dbfe718d..446631f5 100644
--- a/tests/worker/oauth.test.ts
+++ b/tests/worker/oauth.test.ts
@@ -14,13 +14,18 @@ function makeEnv(overrides: Partial<Env> = {}): Env {
   };
 }
 
+let _requestCounter = 0;
+
 function makeRequest(
   method: string,
   path: string,
   options: { body?: unknown; origin?: string; contentType?: string } = {}
 ): Request {
   const url = `https://gh.gordoncode.dev${path}`;
-  const headers: Record<string, string> = {};
+  const headers: Record<string, string> = {
+    // Unique IP per request to avoid hitting the in-memory rate limiter across tests
+    "CF-Connecting-IP": `127.0.0.${++_requestCounter}`,
+  };
   if (options.origin !== undefined) {
     headers["Origin"] = options.origin;
   } else {

From 92506c8b48e942812356f040f3848242b3aa2d01 Mon Sep 17 00:00:00 2001
From: testvalue <wgordon@redhat.com>
Date: Wed, 1 Apr 2026 21:45:46 -0400
Subject: [PATCH 2/8] fix(security): addresses quality gate findings from
 domain review

---
 src/app/lib/label-colors.ts     | 21 ++++++++++++---
 src/app/pages/OAuthCallback.tsx |  8 +++---
 src/app/stores/auth.ts          |  2 ++
 src/app/stores/view.ts          |  2 +-
 src/worker/index.ts             |  3 +++
 tests/lib/label-colors.test.ts  | 35 +++++++++++++++++++++++++
 tests/stores/view.test.ts       | 45 +++++++++++++++++++++++++++++++++
 tests/worker/oauth.test.ts      | 39 ++++++++++++++++++++++++++++
 8 files changed, 147 insertions(+), 8 deletions(-)
 create mode 100644 tests/lib/label-colors.test.ts

diff --git a/src/app/lib/label-colors.ts b/src/app/lib/label-colors.ts
index d0b78937..f72ab88b 100644
--- a/src/app/lib/label-colors.ts
+++ b/src/app/lib/label-colors.ts
@@ -3,8 +3,15 @@ import { labelTextColor } from "./format";
 // Dynamic label color registry using adoptedStyleSheets.
 // This avoids inline style attributes, allowing removal of
 // style-src-attr 'unsafe-inline' from the CSP.
-const sheet = new CSSStyleSheet();
-document.adoptedStyleSheets = [...document.adoptedStyleSheets, sheet];
+let _sheet: CSSStyleSheet | null = null;
+
+function getSheet(): CSSStyleSheet {
+  if (!_sheet) {
+    _sheet = new CSSStyleSheet();
+    document.adoptedStyleSheets = [...document.adoptedStyleSheets, _sheet];
+  }
+  return _sheet;
+}
 
 const registered = new Set<string>();
 const FALLBACK_BG = "e5e7eb";
@@ -22,8 +29,16 @@ export function labelColorClass(hex: string): string {
   if (!registered.has(safeHex)) {
     const bg = `#${safeHex}`;
     const fg = isValid ? labelTextColor(safeHex) : FALLBACK_FG;
-    sheet.insertRule(`.lb-${safeHex} { background-color: ${bg}; color: ${fg}; }`);
+    getSheet().insertRule(`.lb-${safeHex} { background-color: ${bg}; color: ${fg}; }`);
     registered.add(safeHex);
   }
   return `lb-${safeHex}`;
 }
+
+/** Reset internal state — exposed for testing only. */
+export function _resetLabelColors(): void {
+  registered.clear();
+  if (_sheet) {
+    while (_sheet.cssRules.length > 0) _sheet.deleteRule(0);
+  }
+}
diff --git a/src/app/pages/OAuthCallback.tsx b/src/app/pages/OAuthCallback.tsx
index 56d7d6da..6063226a 100644
--- a/src/app/pages/OAuthCallback.tsx
+++ b/src/app/pages/OAuthCallback.tsx
@@ -31,15 +31,15 @@ export default function OAuthCallback() {
       return;
     }
 
-    // Read and clear returnTo only after CSRF check passes
-    const returnTo = sessionStorage.getItem(OAUTH_RETURN_TO_KEY);
-    sessionStorage.removeItem(OAUTH_RETURN_TO_KEY);
-
     if (!code) {
       setError("No authorization code received from GitHub.");
       return;
     }
 
+    // Read and clear returnTo only after all pre-exchange checks pass
+    const returnTo = sessionStorage.getItem(OAUTH_RETURN_TO_KEY);
+    sessionStorage.removeItem(OAUTH_RETURN_TO_KEY);
+
     try {
       const resp = await fetch("/api/oauth/token", {
         method: "POST",
diff --git a/src/app/stores/auth.ts b/src/app/stores/auth.ts
index be4ef46b..4ef20eff 100644
--- a/src/app/stores/auth.ts
+++ b/src/app/stores/auth.ts
@@ -180,6 +180,8 @@ export async function validateToken(): Promise<boolean> {
 if (typeof window !== "undefined") {
   window.addEventListener("storage", (e: StorageEvent) => {
     if (e.key === AUTH_STORAGE_KEY && e.newValue === null && _token()) {
+      // Re-check: a rapid sign-out/sign-in may have already replaced the token
+      if (localStorage.getItem(AUTH_STORAGE_KEY) !== null) return;
       clearAuth();
       window.location.replace("/login");
     }
diff --git a/src/app/stores/view.ts b/src/app/stores/view.ts
index faccf78b..bcfc77d1 100644
--- a/src/app/stores/view.ts
+++ b/src/app/stores/view.ts
@@ -170,7 +170,7 @@ export function pruneClosedIgnoredItems(): void {
   setViewState(
     produce((draft) => {
       draft.ignoredItems = draft.ignoredItems.filter(
-        (i) => new Date(i.ignoredAt).getTime() > thirtyDaysAgo
+        (i) => i.ignoredAt > thirtyDaysAgo
       );
     })
   );
diff --git a/src/worker/index.ts b/src/worker/index.ts
index b9c7d95a..94159b1b 100644
--- a/src/worker/index.ts
+++ b/src/worker/index.ts
@@ -62,6 +62,9 @@ const SECURITY_HEADERS: Record<string, string> = {
 
 // Simple in-memory rate limiter for token exchange endpoint.
 // Not durable across isolate restarts, but catches burst abuse.
+// Note: CF-Connecting-IP is set by Cloudflare's proxy layer; if the workers.dev
+// route is enabled, an attacker could spoof this header. Disable the workers.dev
+// route in the Cloudflare dashboard for production use.
 const TOKEN_RATE_LIMIT = 10; // max requests per window
 const TOKEN_RATE_WINDOW_MS = 60_000; // 1 minute
 const _tokenRateMap = new Map<string, { count: number; resetAt: number }>();
diff --git a/tests/lib/label-colors.test.ts b/tests/lib/label-colors.test.ts
new file mode 100644
index 00000000..2ca2e253
--- /dev/null
+++ b/tests/lib/label-colors.test.ts
@@ -0,0 +1,35 @@
+import { describe, it, expect, beforeEach } from "vitest";
+import { labelColorClass, _resetLabelColors } from "../../src/app/lib/label-colors";
+
+describe("labelColorClass", () => {
+  beforeEach(() => {
+    _resetLabelColors();
+  });
+
+  it("returns lb-<hex> class for valid 6-char hex", () => {
+    expect(labelColorClass("abc123")).toBe("lb-abc123");
+  });
+
+  it("lowercases hex for consistent class names", () => {
+    expect(labelColorClass("ABC123")).toBe("lb-abc123");
+  });
+
+  it("returns fallback class for invalid hex", () => {
+    expect(labelColorClass("gggggg")).toBe("lb-e5e7eb");
+    expect(labelColorClass("")).toBe("lb-e5e7eb");
+    expect(labelColorClass("abc")).toBe("lb-e5e7eb");
+    expect(labelColorClass("abc1234")).toBe("lb-e5e7eb");
+  });
+
+  it("returns fallback class for injection attempts", () => {
+    expect(labelColorClass("abc123; color: red")).toBe("lb-e5e7eb");
+    expect(labelColorClass("<script>")).toBe("lb-e5e7eb");
+  });
+
+  it("deduplicates — same hex returns same class without re-registering", () => {
+    const first = labelColorClass("ff0000");
+    const second = labelColorClass("FF0000");
+    expect(first).toBe(second);
+    expect(first).toBe("lb-ff0000");
+  });
+});
diff --git a/tests/stores/view.test.ts b/tests/stores/view.test.ts
index e00cc2c3..8208015b 100644
--- a/tests/stores/view.test.ts
+++ b/tests/stores/view.test.ts
@@ -6,6 +6,7 @@ import {
   resetViewState,
   ignoreItem,
   unignoreItem,
+  pruneClosedIgnoredItems,
   setSortPreference,
   setGlobalFilter,
   resetAllTabFilters,
@@ -156,6 +157,50 @@ describe("ignoreItem / unignoreItem", () => {
     unignoreItem("does-not-exist");
     expect(viewState.ignoredItems).toHaveLength(1);
   });
+
+  it("evicts oldest item when at 500 cap (FIFO)", () => {
+    // Fill to 500
+    for (let i = 0; i < 500; i++) {
+      ignoreItem({ id: `item-${i}`, type: "issue", repo: "o/r", title: `T${i}`, ignoredAt: 1000 + i });
+    }
+    expect(viewState.ignoredItems).toHaveLength(500);
+
+    // Adding 501st should evict item-0 (oldest)
+    ignoreItem({ id: "item-new", type: "issue", repo: "o/r", title: "New", ignoredAt: 2000 });
+    expect(viewState.ignoredItems).toHaveLength(500);
+    expect(viewState.ignoredItems[0].id).toBe("item-1"); // item-0 evicted
+    expect(viewState.ignoredItems[499].id).toBe("item-new");
+  });
+});
+
+describe("pruneClosedIgnoredItems", () => {
+  it("removes items older than 30 days", () => {
+    const now = Date.now();
+    const old = now - 31 * 24 * 60 * 60 * 1000;
+    const recent = now - 1 * 24 * 60 * 60 * 1000;
+
+    ignoreItem({ id: "old-1", type: "issue", repo: "o/r", title: "Old", ignoredAt: old });
+    ignoreItem({ id: "recent-1", type: "pullRequest", repo: "o/r", title: "Recent", ignoredAt: recent });
+    expect(viewState.ignoredItems).toHaveLength(2);
+
+    pruneClosedIgnoredItems();
+    expect(viewState.ignoredItems).toHaveLength(1);
+    expect(viewState.ignoredItems[0].id).toBe("recent-1");
+  });
+
+  it("is a no-op when ignoredItems is empty", () => {
+    pruneClosedIgnoredItems();
+    expect(viewState.ignoredItems).toHaveLength(0);
+  });
+
+  it("keeps items exactly at the 30-day boundary", () => {
+    const now = Date.now();
+    const exactly30 = now - 30 * 24 * 60 * 60 * 1000 + 1000;
+
+    ignoreItem({ id: "boundary", type: "issue", repo: "o/r", title: "Edge", ignoredAt: exactly30 });
+    pruneClosedIgnoredItems();
+    expect(viewState.ignoredItems).toHaveLength(1);
+  });
 });
 
 describe("initViewPersistence", () => {
diff --git a/tests/worker/oauth.test.ts b/tests/worker/oauth.test.ts
index 446631f5..e47829f2 100644
--- a/tests/worker/oauth.test.ts
+++ b/tests/worker/oauth.test.ts
@@ -96,6 +96,45 @@ describe("Worker OAuth endpoint", () => {
     vi.restoreAllMocks();
   });
 
+  // ── Rate limiting ────────────────────────────────────────────────────────
+
+  it("returns 429 after exceeding 10 requests per minute from the same IP", async () => {
+    const fixedIp = "10.0.0.99";
+    function makeRateLimitRequest() {
+      return new Request("https://gh.gordoncode.dev/api/oauth/token", {
+        method: "POST",
+        headers: {
+          Origin: ALLOWED_ORIGIN,
+          "Content-Type": "application/json",
+          "CF-Connecting-IP": fixedIp,
+        },
+        body: JSON.stringify({ code: VALID_CODE }),
+      });
+    }
+
+    // Mock successful GitHub response
+    globalThis.fetch = vi.fn().mockResolvedValue(
+      new Response(
+        JSON.stringify({ access_token: "tok", token_type: "bearer", scope: "repo" }),
+        { status: 200 }
+      )
+    );
+
+    const env = makeEnv();
+    // First 10 requests should succeed
+    for (let i = 0; i < 10; i++) {
+      const resp = await worker.fetch(makeRateLimitRequest(), env);
+      expect(resp.status).not.toBe(429);
+    }
+    // 11th request should be rate-limited
+    const resp = await worker.fetch(makeRateLimitRequest(), env);
+    expect(resp.status).toBe(429);
+    const body = await resp.json() as { error: string };
+    expect(body.error).toBe("rate_limited");
+    // Should include security headers
+    expect(resp.headers.get("X-Content-Type-Options")).toBe("nosniff");
+  });
+
   // ── Token exchange ─────────────────────────────────────────────────────────
 
   it("POST /api/oauth/token with valid code returns access_token, token_type, scope", async () => {

From d62bc62c680f75771acc7b151e6b62a5c98a0c65 Mon Sep 17 00:00:00 2001
From: testvalue <wgordon@redhat.com>
Date: Wed, 1 Apr 2026 21:56:15 -0400
Subject: [PATCH 3/8] fix(security): restores style-src-attr (corvu/kobalte
 need it), uses expireToken for cross-tab sync

---
 public/_headers           |  2 +-
 src/app/App.tsx           |  4 ++--
 src/app/stores/auth.ts    |  5 +++--
 src/app/stores/view.ts    |  2 +-
 tests/stores/view.test.ts | 10 +++++-----
 5 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/public/_headers b/public/_headers
index e6dfeefa..bd30cf47 100644
--- a/public/_headers
+++ b/public/_headers
@@ -1,5 +1,5 @@
 /*
-  Content-Security-Policy: default-src 'none'; script-src 'self' 'sha256-uEFqyYCMaNy1Su5VmWLZ1hOCRBjkhm4+ieHHxQW6d3Y='; style-src-elem 'self'; img-src 'self' data: https://avatars.githubusercontent.com; connect-src 'self' https://api.github.com; font-src 'self'; worker-src 'self'; manifest-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'none'; upgrade-insecure-requests; report-uri /api/csp-report; report-to csp-endpoint
+  Content-Security-Policy: default-src 'none'; script-src 'self' 'sha256-uEFqyYCMaNy1Su5VmWLZ1hOCRBjkhm4+ieHHxQW6d3Y='; style-src-elem 'self'; style-src-attr 'unsafe-inline'; img-src 'self' data: https://avatars.githubusercontent.com; connect-src 'self' https://api.github.com; font-src 'self'; worker-src 'self'; manifest-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'none'; upgrade-insecure-requests; report-uri /api/csp-report; report-to csp-endpoint
   Reporting-Endpoints: csp-endpoint="/api/csp-report"
   X-Content-Type-Options: nosniff
   Referrer-Policy: strict-origin-when-cross-origin
diff --git a/src/app/App.tsx b/src/app/App.tsx
index 8cfd3579..6d63ee16 100644
--- a/src/app/App.tsx
+++ b/src/app/App.tsx
@@ -2,7 +2,7 @@ import { createSignal, createEffect, onMount, Show, ErrorBoundary, Suspense, laz
 import { Router, Route, Navigate, useNavigate } from "@solidjs/router";
 import { isAuthenticated, validateToken, AUTH_STORAGE_KEY } from "./stores/auth";
 import { config, initConfigPersistence, resolveTheme } from "./stores/config";
-import { initViewPersistence, pruneClosedIgnoredItems } from "./stores/view";
+import { initViewPersistence, pruneStaleIgnoredItems } from "./stores/view";
 import { evictStaleEntries } from "./stores/cache";
 import { initClientWatcher } from "./services/github";
 import LoginPage from "./pages/LoginPage";
@@ -161,7 +161,7 @@ export default function App() {
     initConfigPersistence();
     initViewPersistence();
     initClientWatcher();
-    pruneClosedIgnoredItems();
+    pruneStaleIgnoredItems();
     evictStaleEntries(24 * 60 * 60 * 1000).catch(() => {
       // Non-fatal — stale eviction failure is acceptable
     });
diff --git a/src/app/stores/auth.ts b/src/app/stores/auth.ts
index 4ef20eff..ba3faf07 100644
--- a/src/app/stores/auth.ts
+++ b/src/app/stores/auth.ts
@@ -176,13 +176,14 @@ export async function validateToken(): Promise<boolean> {
   }
 }
 
-// Cross-tab auth sync: if another tab clears the token, this tab should also clear
+// Cross-tab auth sync: if another tab clears the token, this tab should also clear.
+// Uses expireToken() (not clearAuth()) to avoid wiping config/view that may still be valid.
 if (typeof window !== "undefined") {
   window.addEventListener("storage", (e: StorageEvent) => {
     if (e.key === AUTH_STORAGE_KEY && e.newValue === null && _token()) {
       // Re-check: a rapid sign-out/sign-in may have already replaced the token
       if (localStorage.getItem(AUTH_STORAGE_KEY) !== null) return;
-      clearAuth();
+      expireToken();
       window.location.replace("/login");
     }
   });
diff --git a/src/app/stores/view.ts b/src/app/stores/view.ts
index bcfc77d1..c91f6d4f 100644
--- a/src/app/stores/view.ts
+++ b/src/app/stores/view.ts
@@ -165,7 +165,7 @@ export function unignoreItem(id: string): void {
   );
 }
 
-export function pruneClosedIgnoredItems(): void {
+export function pruneStaleIgnoredItems(): void {
   const thirtyDaysAgo = Date.now() - 30 * 24 * 60 * 60 * 1000;
   setViewState(
     produce((draft) => {
diff --git a/tests/stores/view.test.ts b/tests/stores/view.test.ts
index 8208015b..088375ce 100644
--- a/tests/stores/view.test.ts
+++ b/tests/stores/view.test.ts
@@ -6,7 +6,7 @@ import {
   resetViewState,
   ignoreItem,
   unignoreItem,
-  pruneClosedIgnoredItems,
+  pruneStaleIgnoredItems,
   setSortPreference,
   setGlobalFilter,
   resetAllTabFilters,
@@ -173,7 +173,7 @@ describe("ignoreItem / unignoreItem", () => {
   });
 });
 
-describe("pruneClosedIgnoredItems", () => {
+describe("pruneStaleIgnoredItems", () => {
   it("removes items older than 30 days", () => {
     const now = Date.now();
     const old = now - 31 * 24 * 60 * 60 * 1000;
@@ -183,13 +183,13 @@ describe("pruneClosedIgnoredItems", () => {
     ignoreItem({ id: "recent-1", type: "pullRequest", repo: "o/r", title: "Recent", ignoredAt: recent });
     expect(viewState.ignoredItems).toHaveLength(2);
 
-    pruneClosedIgnoredItems();
+    pruneStaleIgnoredItems();
     expect(viewState.ignoredItems).toHaveLength(1);
     expect(viewState.ignoredItems[0].id).toBe("recent-1");
   });
 
   it("is a no-op when ignoredItems is empty", () => {
-    pruneClosedIgnoredItems();
+    pruneStaleIgnoredItems();
     expect(viewState.ignoredItems).toHaveLength(0);
   });
 
@@ -198,7 +198,7 @@ describe("pruneClosedIgnoredItems", () => {
     const exactly30 = now - 30 * 24 * 60 * 60 * 1000 + 1000;
 
     ignoreItem({ id: "boundary", type: "issue", repo: "o/r", title: "Edge", ignoredAt: exactly30 });
-    pruneClosedIgnoredItems();
+    pruneStaleIgnoredItems();
     expect(viewState.ignoredItems).toHaveLength(1);
   });
 });

From 18f4c32e4febfaad86bac0fbfa5f5a0597a155e5 Mon Sep 17 00:00:00 2001
From: testvalue <wgordon@redhat.com>
Date: Thu, 2 Apr 2026 08:42:50 -0400
Subject: [PATCH 4/8] fix(security): addresses PR review findings with tests

- removes IP from rate-limit log, adds prune threshold guard
- makes SENTRY_DSN optional in Env interface
- moves returnTo consumption after auth success in OAuthCallback
- adds race-safe coordinator guard to onAuthCleared + clearHotSets
- extracts IGNORED_ITEMS_CAP constant, fixes FALLBACK_FG consistency
- documents CSP style-src-attr requirement (Kobalte) in SECURITY.md
- adds 13 tests: cross-tab auth sync, 401 propagation, label-colors
  CSS rules, fetchRepos cap, rate-limit window reset, multi-user
  upstream discovery cap
---
 SECURITY.md                                   |  2 +-
 .../components/dashboard/DashboardPage.tsx    |  5 +-
 src/app/lib/label-colors.ts                   | 10 ++-
 src/app/pages/OAuthCallback.tsx               |  7 +-
 src/app/stores/view.ts                        |  5 +-
 src/worker/index.ts                           | 14 ++--
 tests/components/OAuthCallback.test.tsx       |  8 +-
 tests/lib/label-colors.test.ts                | 16 ++++
 tests/services/api-users.test.ts              | 33 ++++++++
 tests/services/api.test.ts                    | 36 ++++++++
 tests/services/poll-fetchAllData.test.ts      | 56 +++++++++++++
 tests/stores/auth.test.ts                     | 83 +++++++++++++++++++
 tests/worker/oauth.test.ts                    | 43 ++++++++++
 13 files changed, 296 insertions(+), 22 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index 4b28eb9f..d3aa6014 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -35,7 +35,7 @@ This policy covers:
 
 This project implements the following security measures:
 
-- **CSP**: Strict Content-Security-Policy with `default-src 'none'` and no `unsafe-eval`
+- **CSP**: Strict Content-Security-Policy with `default-src 'none'`, no `unsafe-eval`, no `unsafe-inline` for scripts (`style-src-attr 'unsafe-inline'` required by Kobalte UI library)
 - **CORS**: Strict origin equality matching on the Worker
 - **OAuth CSRF**: Cryptographically random state parameter with single-use enforcement
 - **Read-only API access**: Octokit hook blocks all write operations
diff --git a/src/app/components/dashboard/DashboardPage.tsx b/src/app/components/dashboard/DashboardPage.tsx
index 437961d9..fe932933 100644
--- a/src/app/components/dashboard/DashboardPage.tsx
+++ b/src/app/components/dashboard/DashboardPage.tsx
@@ -84,13 +84,14 @@ onAuthCleared(() => {
   const coord = _coordinator();
   if (coord) {
     coord.destroy();
-    _setCoordinator(null);
+    if (_coordinator() === coord) _setCoordinator(null);
   }
   const hotCoord = _hotCoordinator();
   if (hotCoord) {
     hotCoord.destroy();
-    _setHotCoordinator(null);
+    if (_hotCoordinator() === hotCoord) _setHotCoordinator(null);
   }
+  clearHotSets();
 });
 
 async function pollFetch(): Promise<DashboardData> {
diff --git a/src/app/lib/label-colors.ts b/src/app/lib/label-colors.ts
index f72ab88b..b17289fe 100644
--- a/src/app/lib/label-colors.ts
+++ b/src/app/lib/label-colors.ts
@@ -1,8 +1,10 @@
 import { labelTextColor } from "./format";
 
 // Dynamic label color registry using adoptedStyleSheets.
-// This avoids inline style attributes, allowing removal of
-// style-src-attr 'unsafe-inline' from the CSP.
+// This avoids inline style attributes for labels — however
+// style-src-attr 'unsafe-inline' is still required in the CSP
+// because Kobalte sets inline styles for popper positioning,
+// collapsible height, and presence animations.
 let _sheet: CSSStyleSheet | null = null;
 
 function getSheet(): CSSStyleSheet {
@@ -15,7 +17,7 @@ function getSheet(): CSSStyleSheet {
 
 const registered = new Set<string>();
 const FALLBACK_BG = "e5e7eb";
-const FALLBACK_FG = "#374151";
+const FALLBACK_FG = "374151";
 
 /**
  * Registers a label color in the adopted stylesheet and returns
@@ -28,7 +30,7 @@ export function labelColorClass(hex: string): string {
 
   if (!registered.has(safeHex)) {
     const bg = `#${safeHex}`;
-    const fg = isValid ? labelTextColor(safeHex) : FALLBACK_FG;
+    const fg = isValid ? labelTextColor(safeHex) : `#${FALLBACK_FG}`;
     getSheet().insertRule(`.lb-${safeHex} { background-color: ${bg}; color: ${fg}; }`);
     registered.add(safeHex);
   }
diff --git a/src/app/pages/OAuthCallback.tsx b/src/app/pages/OAuthCallback.tsx
index 6063226a..335207ac 100644
--- a/src/app/pages/OAuthCallback.tsx
+++ b/src/app/pages/OAuthCallback.tsx
@@ -36,10 +36,6 @@ export default function OAuthCallback() {
       return;
     }
 
-    // Read and clear returnTo only after all pre-exchange checks pass
-    const returnTo = sessionStorage.getItem(OAUTH_RETURN_TO_KEY);
-    sessionStorage.removeItem(OAUTH_RETURN_TO_KEY);
-
     try {
       const resp = await fetch("/api/oauth/token", {
         method: "POST",
@@ -64,6 +60,9 @@ export default function OAuthCallback() {
         return;
       }
 
+      // Read and clear returnTo only after successful auth (preserves it for retry on failure)
+      const returnTo = sessionStorage.getItem(OAUTH_RETURN_TO_KEY);
+      sessionStorage.removeItem(OAUTH_RETURN_TO_KEY);
       navigate(sanitizeReturnTo(returnTo), { replace: true });
     } catch {
       setError("A network error occurred. Please try again.");
diff --git a/src/app/stores/view.ts b/src/app/stores/view.ts
index c91f6d4f..92fd6694 100644
--- a/src/app/stores/view.ts
+++ b/src/app/stores/view.ts
@@ -4,6 +4,7 @@ import { createEffect, onCleanup, untrack } from "solid-js";
 import { pushNotification } from "../lib/errors";
 
 export const VIEW_STORAGE_KEY = "github-tracker:view";
+const IGNORED_ITEMS_CAP = 500;
 
 const IssueFiltersSchema = z.object({
   role: z.enum(["all", "author", "assignee"]).default("all"),
@@ -55,7 +56,7 @@ export const ViewStateSchema = z.object({
         ignoredAt: z.number(),
       })
     )
-    .max(500)
+    .max(IGNORED_ITEMS_CAP)
     .default([]),
   globalFilter: z
     .object({
@@ -148,7 +149,7 @@ export function ignoreItem(item: IgnoredItem): void {
       const already = draft.ignoredItems.some((i) => i.id === item.id);
       if (!already) {
         // FIFO eviction: remove oldest if at cap
-        if (draft.ignoredItems.length >= 500) {
+        if (draft.ignoredItems.length >= IGNORED_ITEMS_CAP) {
           draft.ignoredItems.shift();
         }
         draft.ignoredItems.push(item);
diff --git a/src/worker/index.ts b/src/worker/index.ts
index 94159b1b..105fff0a 100644
--- a/src/worker/index.ts
+++ b/src/worker/index.ts
@@ -3,7 +3,7 @@ export interface Env {
   GITHUB_CLIENT_ID: string;
   GITHUB_CLIENT_SECRET: string;
   ALLOWED_ORIGIN: string;
-  SENTRY_DSN: string; // e.g. "https://key@o123456.ingest.sentry.io/7890123"
+  SENTRY_DSN?: string; // e.g. "https://key@o123456.ingest.sentry.io/7890123"
   SENTRY_SECURITY_TOKEN?: string; // Optional: Sentry security token for Allowed Domains validation
 }
 
@@ -81,8 +81,11 @@ function checkTokenRateLimit(ip: string): boolean {
   return true;
 }
 
-// Periodic cleanup to prevent unbounded map growth
+// Periodic cleanup to prevent unbounded map growth.
+// Only runs when the map exceeds a threshold to avoid O(N) scan on every request.
+const PRUNE_THRESHOLD = 100;
 function pruneTokenRateMap(): void {
+  if (_tokenRateMap.size < PRUNE_THRESHOLD) return;
   const now = Date.now();
   for (const [ip, entry] of _tokenRateMap) {
     if (now >= entry.resetAt) _tokenRateMap.delete(ip);
@@ -134,8 +137,9 @@ function parseSentryDsn(dsn: string): ParsedDsn | null {
 
 /** Get cached parsed DSN, re-parsing only when the DSN string changes. */
 function getOrCacheDsn(env: Env): ParsedDsn | null {
-  if (!_dsnCache || _dsnCache.dsn !== env.SENTRY_DSN) {
-    _dsnCache = { dsn: env.SENTRY_DSN, parsed: parseSentryDsn(env.SENTRY_DSN) };
+  const dsn = env.SENTRY_DSN ?? "";
+  if (!_dsnCache || _dsnCache.dsn !== dsn) {
+    _dsnCache = { dsn, parsed: parseSentryDsn(dsn) };
   }
   return _dsnCache.parsed;
 }
@@ -355,7 +359,7 @@ async function handleTokenExchange(
   pruneTokenRateMap();
   const ip = request.headers.get("CF-Connecting-IP") ?? "unknown";
   if (!checkTokenRateLimit(ip)) {
-    log("warn", "token_exchange_rate_limited", { ip }, request);
+    log("warn", "token_exchange_rate_limited", {}, request);
     return new Response(JSON.stringify({ error: "rate_limited" }), {
       status: 429,
       headers: {
diff --git a/tests/components/OAuthCallback.test.tsx b/tests/components/OAuthCallback.test.tsx
index 9b42afc5..9264a021 100644
--- a/tests/components/OAuthCallback.test.tsx
+++ b/tests/components/OAuthCallback.test.tsx
@@ -314,7 +314,7 @@ describe("OAuthCallback", () => {
     expect(sessionStorage.getItem(OAUTH_RETURN_TO_KEY)).toBeNull();
   });
 
-  it("OAUTH_RETURN_TO_KEY is removed from sessionStorage after reading", async () => {
+  it("OAUTH_RETURN_TO_KEY is preserved while token exchange is in flight", async () => {
     sessionStorage.setItem(OAUTH_RETURN_TO_KEY, "/settings");
     setupValidState();
     setWindowSearch({ code: "fakecode", state: "teststate" });
@@ -322,9 +322,9 @@ describe("OAuthCallback", () => {
 
     renderCallback();
 
-    await waitFor(() => {
-      expect(sessionStorage.getItem(OAUTH_RETURN_TO_KEY)).toBeNull();
-    });
+    // returnTo is not consumed until auth completes — preserved for retry on failure
+    await new Promise((r) => setTimeout(r, 50));
+    expect(sessionStorage.getItem(OAUTH_RETURN_TO_KEY)).toBe("/settings");
   });
 
   it("OAUTH_RETURN_TO_KEY is preserved when CSRF check fails (only consumed on success)", async () => {
diff --git a/tests/lib/label-colors.test.ts b/tests/lib/label-colors.test.ts
index 2ca2e253..666ef49f 100644
--- a/tests/lib/label-colors.test.ts
+++ b/tests/lib/label-colors.test.ts
@@ -32,4 +32,20 @@ describe("labelColorClass", () => {
     expect(first).toBe(second);
     expect(first).toBe("lb-ff0000");
   });
+
+  it("inserts CSS rule with correct background and foreground colors", () => {
+    labelColorClass("000000");
+    const sheet = document.adoptedStyleSheets[document.adoptedStyleSheets.length - 1];
+    const rule = sheet.cssRules[0].cssText;
+    expect(rule).toContain(".lb-000000");
+    expect(rule).toContain("background-color");
+    expect(rule).toContain("color");
+  });
+
+  it("does not insert duplicate rules for same hex", () => {
+    labelColorClass("ff0000");
+    labelColorClass("ff0000");
+    const sheet = document.adoptedStyleSheets[document.adoptedStyleSheets.length - 1];
+    expect(sheet.cssRules.length).toBe(1);
+  });
 });
diff --git a/tests/services/api-users.test.ts b/tests/services/api-users.test.ts
index 8ff0a8f3..98465afa 100644
--- a/tests/services/api-users.test.ts
+++ b/tests/services/api-users.test.ts
@@ -328,6 +328,39 @@ describe("discoverUpstreamRepos", () => {
     expect(result.length).toBeLessThanOrEqual(100);
   });
 
+  it("stops processing users when cap is reached across multiple tracked users", async () => {
+    // User A discovers 70 repos; user B would discover 70 more (overlapping names
+    // avoided by using distinct prefixes). The shared repoNames Set is capped at 100,
+    // so user B can only contribute at most 30 before the cap is hit.
+    const userARepos = Array.from({ length: 70 }, (_, i) => `user-a/repo-${i.toString().padStart(3, "0")}`);
+    const userBRepos = Array.from({ length: 70 }, (_, i) => `user-b/repo-${i.toString().padStart(3, "0")}`);
+
+    const octokit = makeOctokit(
+      async () => ({}),
+      async (_query: string, vars: unknown) => {
+        const v = vars as { q: string };
+        if (v.q.includes("involves:primary") && v.q.includes("is:issue")) {
+          return makeSearchPage(userARepos);
+        }
+        if (v.q.includes("involves:trackeduser") && v.q.includes("is:issue")) {
+          return makeSearchPage(userBRepos);
+        }
+        return makeSearchPage([]);
+      }
+    );
+
+    const trackedUsers = [makeTrackedUser("trackeduser")];
+    const result = await discoverUpstreamRepos(octokit as never, "primary", new Set(), trackedUsers);
+
+    // Total must not exceed the CAP of 100
+    expect(result.length).toBeLessThanOrEqual(100);
+    // User A's repos should all be present (70 < 100)
+    const names = result.map((r) => r.fullName);
+    expect(names.filter((n) => n.startsWith("user-a/")).length).toBe(70);
+    // User B's repos are partially included (capped at 30)
+    expect(names.filter((n) => n.startsWith("user-b/")).length).toBeLessThanOrEqual(30);
+  });
+
   it("returns results sorted alphabetically by fullName", async () => {
     const octokit = makeOctokit(
       async () => ({}),
diff --git a/tests/services/api.test.ts b/tests/services/api.test.ts
index 0eb6de64..399dc7df 100644
--- a/tests/services/api.test.ts
+++ b/tests/services/api.test.ts
@@ -168,6 +168,42 @@ describe("fetchRepos", () => {
       "No GitHub client available"
     );
   });
+
+  it("stops pagination at 1000 repos and emits warning notification", async () => {
+    vi.mocked(pushNotification).mockClear();
+
+    async function* mockPaginator() {
+      for (let page = 0; page < 20; page++) {
+        yield {
+          data: Array.from({ length: 100 }, (_, i) => ({
+            owner: { login: "org" },
+            name: `repo-${page * 100 + i}`,
+            full_name: `org/repo-${page * 100 + i}`,
+            pushed_at: "2026-01-01T00:00:00Z",
+          })),
+        };
+      }
+    }
+
+    const octokit = makeBasicOctokit();
+    octokit.paginate.iterator.mockImplementation((() => mockPaginator()) as never);
+
+    const result = await fetchRepos(octokit as never, "org", "org");
+
+    expect(result).toHaveLength(1000);
+    expect(pushNotification).toHaveBeenCalledWith(
+      "api",
+      expect.stringContaining("1000+"),
+      "warning"
+    );
+  });
+
+  // VALID_REPO_NAME is not exported. It is exercised indirectly via buildRepoQualifiers
+  // (called inside fetchIssues/fetchPullRequests). Invalid repo names are silently
+  // filtered from the GraphQL query qualifiers. Direct boundary tests for the regex
+  // itself would require exporting the constant; the existing fetchIssues tests
+  // already cover the valid-name path and the VALID_TRACKED_LOGIN boundary tests
+  // cover the analogous login regex. No additional test added here.
 });
 
 // ── fetchIssues (GraphQL search) ─────────────────────────────────────────────
diff --git a/tests/services/poll-fetchAllData.test.ts b/tests/services/poll-fetchAllData.test.ts
index 26ca5aaf..daa7679a 100644
--- a/tests/services/poll-fetchAllData.test.ts
+++ b/tests/services/poll-fetchAllData.test.ts
@@ -833,6 +833,62 @@ describe("DashboardPage pollFetch — fine-grained merge preserves surfacedBy",
   });
 });
 
+// ── 401 propagation from Promise.allSettled ───────────────────────────────────
+
+describe("fetchAllData — 401 propagation from allSettled", () => {
+  it("re-throws 401 from fetchIssuesAndPullRequests instead of absorbing it", async () => {
+    vi.resetModules();
+
+    const { getClient } = await import("../../src/app/services/github");
+    const { fetchIssuesAndPullRequests, fetchWorkflowRuns } = await import("../../src/app/services/api");
+    const mockOctokit = makeMockOctokit();
+    vi.mocked(getClient).mockReturnValue(mockOctokit as unknown as ReturnType<typeof getClient>);
+
+    vi.mocked(fetchIssuesAndPullRequests).mockRejectedValue({ status: 401, message: "Unauthorized" });
+    vi.mocked(fetchWorkflowRuns).mockResolvedValue(emptyRunResult);
+
+    const { fetchAllData } = await import("../../src/app/services/poll");
+
+    await expect(fetchAllData()).rejects.toMatchObject({ status: 401 });
+  });
+
+  it("re-throws 401 with response.status shape from fetchWorkflowRuns", async () => {
+    vi.resetModules();
+
+    const { getClient } = await import("../../src/app/services/github");
+    const { fetchIssuesAndPullRequests, fetchWorkflowRuns } = await import("../../src/app/services/api");
+    const mockOctokit = makeMockOctokit();
+    vi.mocked(getClient).mockReturnValue(mockOctokit as unknown as ReturnType<typeof getClient>);
+
+    vi.mocked(fetchIssuesAndPullRequests).mockResolvedValue(emptyIssuesAndPrsResult);
+    vi.mocked(fetchWorkflowRuns).mockRejectedValue({ response: { status: 401 }, message: "Bad credentials" });
+
+    const { fetchAllData } = await import("../../src/app/services/poll");
+
+    await expect(fetchAllData()).rejects.toMatchObject({ response: { status: 401 } });
+  });
+
+  it("does NOT re-throw non-401 errors (500 is absorbed)", async () => {
+    vi.resetModules();
+
+    const { getClient } = await import("../../src/app/services/github");
+    const { fetchIssuesAndPullRequests, fetchWorkflowRuns } = await import("../../src/app/services/api");
+    const mockOctokit = makeMockOctokit();
+    vi.mocked(getClient).mockReturnValue(mockOctokit as unknown as ReturnType<typeof getClient>);
+
+    vi.mocked(fetchIssuesAndPullRequests).mockRejectedValue(Object.assign(new Error("Internal Server Error"), { status: 500 }));
+    vi.mocked(fetchWorkflowRuns).mockResolvedValue(emptyRunResult);
+
+    const { fetchAllData } = await import("../../src/app/services/poll");
+
+    // Should resolve (not throw) — 500 is absorbed as a top-level error entry
+    const result = await fetchAllData();
+    expect(result.errors).toHaveLength(1);
+    expect(result.errors[0].repo).toBe("issues-and-prs");
+    expect(result.errors[0].statusCode).toBe(500);
+  });
+});
+
 // ── qa-4: Concurrency verification ────────────────────────────────────────────
 
 describe("fetchAllData — parallel execution", () => {
diff --git a/tests/stores/auth.test.ts b/tests/stores/auth.test.ts
index a83c5571..76dd2c15 100644
--- a/tests/stores/auth.test.ts
+++ b/tests/stores/auth.test.ts
@@ -457,6 +457,89 @@ describe("validateToken", () => {
   });
 });
 
+describe("cross-tab auth sync", () => {
+  let mod: typeof import("../../src/app/stores/auth");
+
+  beforeEach(async () => {
+    localStorageMock.clear();
+    vi.resetModules();
+    mod = await import("../../src/app/stores/auth");
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+    vi.unstubAllGlobals();
+  });
+
+  it("calls expireToken and redirects to /login when another tab clears the token", () => {
+    const replaceMock = vi.fn();
+    vi.stubGlobal("location", { ...window.location, replace: replaceMock });
+
+    mod.setAuth({ access_token: "ghs_abc" });
+    // Simulate another tab removing the token from localStorage
+    localStorageMock.removeItem("github-tracker:auth-token");
+
+    window.dispatchEvent(new StorageEvent("storage", {
+      key: "github-tracker:auth-token",
+      newValue: null,
+    }));
+
+    expect(mod.token()).toBeNull();
+    expect(replaceMock).toHaveBeenCalledWith("/login");
+  });
+
+  it("does not call expireToken when key does not match", () => {
+    mod.setAuth({ access_token: "ghs_abc" });
+    localStorageMock.removeItem("github-tracker:auth-token");
+
+    window.dispatchEvent(new StorageEvent("storage", {
+      key: "github-tracker:some-other-key",
+      newValue: null,
+    }));
+
+    // Token unchanged — wrong key means the listener is a no-op for this module
+    expect(mod.token()).toBe("ghs_abc");
+  });
+
+  it("does not call expireToken when newValue is not null", () => {
+    mod.setAuth({ access_token: "ghs_abc" });
+
+    window.dispatchEvent(new StorageEvent("storage", {
+      key: "github-tracker:auth-token",
+      newValue: "ghs_new-token",
+    }));
+
+    // Token unchanged — non-null newValue means no sign-out occurred
+    expect(mod.token()).toBe("ghs_abc");
+  });
+
+  it("does not call expireToken when no token is set in memory", () => {
+    // No setAuth call — token signal is null, guard `_token()` prevents action
+    localStorageMock.removeItem("github-tracker:auth-token");
+
+    window.dispatchEvent(new StorageEvent("storage", {
+      key: "github-tracker:auth-token",
+      newValue: null,
+    }));
+
+    expect(mod.token()).toBeNull();
+  });
+
+  it("skips expireToken if localStorage was repopulated (rapid sign-out/sign-in race)", () => {
+    mod.setAuth({ access_token: "ghs_abc" });
+    // Do NOT remove from localStorage — simulates another tab signing back in
+    // immediately after signing out, so getItem returns a value when the event fires
+
+    window.dispatchEvent(new StorageEvent("storage", {
+      key: "github-tracker:auth-token",
+      newValue: null,
+    }));
+
+    // The listener bails out because localStorage.getItem(AUTH_STORAGE_KEY) !== null
+    expect(mod.token()).toBe("ghs_abc");
+  });
+});
+
 describe("setAuthFromPat", () => {
   let mod: typeof import("../../src/app/stores/auth");
   let configMod: typeof import("../../src/app/stores/config");
diff --git a/tests/worker/oauth.test.ts b/tests/worker/oauth.test.ts
index e47829f2..e3bfd1b8 100644
--- a/tests/worker/oauth.test.ts
+++ b/tests/worker/oauth.test.ts
@@ -135,6 +135,49 @@ describe("Worker OAuth endpoint", () => {
     expect(resp.headers.get("X-Content-Type-Options")).toBe("nosniff");
   });
 
+  it("allows requests again after the rate-limit window expires", async () => {
+    const fixedIp = "10.0.0.100";
+    function makeRateLimitRequest() {
+      return new Request("https://gh.gordoncode.dev/api/oauth/token", {
+        method: "POST",
+        headers: {
+          Origin: ALLOWED_ORIGIN,
+          "Content-Type": "application/json",
+          "CF-Connecting-IP": fixedIp,
+        },
+        body: JSON.stringify({ code: VALID_CODE }),
+      });
+    }
+
+    vi.useFakeTimers();
+    try {
+      // Mock successful GitHub response
+      globalThis.fetch = vi.fn().mockResolvedValue(
+        new Response(
+          JSON.stringify({ access_token: "tok", token_type: "bearer", scope: "repo" }),
+          { status: 200 }
+        )
+      );
+
+      const env = makeEnv();
+      // Exhaust the 10-request limit — 11th triggers rate limit
+      for (let i = 0; i < 10; i++) {
+        await worker.fetch(makeRateLimitRequest(), env);
+      }
+      const limited = await worker.fetch(makeRateLimitRequest(), env);
+      expect(limited.status).toBe(429);
+
+      // Advance time past the 60-second window
+      vi.advanceTimersByTime(61_000);
+
+      // Next request should get a fresh window — not rate-limited
+      const afterReset = await worker.fetch(makeRateLimitRequest(), env);
+      expect(afterReset.status).not.toBe(429);
+    } finally {
+      vi.useRealTimers();
+    }
+  });
+
   // ── Token exchange ─────────────────────────────────────────────────────────
 
   it("POST /api/oauth/token with valid code returns access_token, token_type, scope", async () => {

From f710deea8b1d64296b2f935c044b5ad54e191a01 Mon Sep 17 00:00:00 2001
From: testvalue <wgordon@redhat.com>
Date: Thu, 2 Apr 2026 10:54:21 -0400
Subject: [PATCH 5/8] fix(security): removes dead script, adds remaining test
 coverage

- deletes orphaned scripts/verify-csp-hash.mjs (replaced by inline CI shell)
- updates prek.toml and deploy.yml to use inline CSP hash check
- adds tests for returnTo preserved on validateToken failure and
  token exchange failure
- adds test for SENTRY_DSN: undefined (optional field coverage)
---
 .github/workflows/deploy.yml            | 12 +++++-
 prek.toml                               |  2 +-
 scripts/verify-csp-hash.mjs             | 52 -------------------------
 tests/components/OAuthCallback.test.tsx | 41 +++++++++++++++++++
 tests/worker/oauth.test.ts              |  8 +++-
 5 files changed, 59 insertions(+), 56 deletions(-)
 delete mode 100644 scripts/verify-csp-hash.mjs

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 9399b6fe..68d500e2 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -18,8 +18,16 @@ jobs:
       - run: pnpm install --frozen-lockfile
       - run: pnpm run typecheck
       - run: pnpm test
-      - name: Verify CSP hash
-        run: node scripts/verify-csp-hash.mjs
+      - name: Verify CSP inline script hash
+        run: |
+          SCRIPT=$(sed -n 's/.*<script>\(.*\)<\/script>.*/\1/p' index.html)
+          HASH=$(printf '%s' "$SCRIPT" | openssl dgst -sha256 -binary | base64)
+          if ! grep -q "sha256-$HASH" public/_headers; then
+            echo "::error::CSP hash mismatch! Inline script hash 'sha256-$HASH' not found in public/_headers"
+            echo "Update the sha256 hash in public/_headers to match the inline script in index.html"
+            exit 1
+          fi
+          echo "CSP hash verified: sha256-$HASH"
       - name: WAF smoke tests
         run: pnpm test:waf
       - run: pnpm run build
diff --git a/prek.toml b/prek.toml
index d368da69..7da7feb1 100644
--- a/prek.toml
+++ b/prek.toml
@@ -35,7 +35,7 @@ priority = 0
 id = "csp-hash"
 name = "CSP hash verification"
 language = "system"
-entry = "node scripts/verify-csp-hash.mjs"
+entry = "bash -c 'SCRIPT=$(sed -n \"s/.*<script>\\(.*\\)<\\/script>.*/\\1/p\" index.html) && HASH=$(printf \"%s\" \"$SCRIPT\" | openssl dgst -sha256 -binary | base64) && grep -q \"sha256-$HASH\" public/_headers && echo \"CSP hash OK: sha256-$HASH\" || { echo \"CSP hash mismatch! sha256-$HASH not in public/_headers\"; exit 1; }'"
 pass_filenames = false
 always_run = true
 priority = 0
diff --git a/scripts/verify-csp-hash.mjs b/scripts/verify-csp-hash.mjs
deleted file mode 100644
index feadc909..00000000
--- a/scripts/verify-csp-hash.mjs
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/usr/bin/env node
-/**
- * Verifies that the SHA-256 hash in public/_headers matches the inline
- * <script> content in index.html. Exits 1 if they diverge.
- */
-
-import { createHash } from "node:crypto";
-import { readFileSync } from "node:fs";
-import { resolve, dirname } from "node:path";
-import { fileURLToPath } from "node:url";
-
-const __dirname = dirname(fileURLToPath(import.meta.url));
-const root = resolve(__dirname, "..");
-
-// ── 1. Extract inline script content from index.html ─────────────────────────
-
-const html = readFileSync(resolve(root, "index.html"), "utf8");
-const scriptMatch = html.match(/<script>([\s\S]*?)<\/script>/);
-if (!scriptMatch) {
-  console.error("ERROR: No inline <script> found in index.html");
-  process.exit(1);
-}
-const scriptContent = scriptMatch[1];
-
-// ── 2. Compute SHA-256 of the script content ──────────────────────────────────
-
-const computed = createHash("sha256").update(scriptContent).digest("base64");
-
-// ── 3. Extract sha256- hash from public/_headers CSP ─────────────────────────
-
-const headers = readFileSync(resolve(root, "public/_headers"), "utf8");
-const hashMatch = headers.match(/sha256-([A-Za-z0-9+/=]+)/);
-if (!hashMatch) {
-  console.error("ERROR: No sha256- hash found in public/_headers CSP");
-  process.exit(1);
-}
-const recorded = hashMatch[1];
-
-// ── 4. Compare ────────────────────────────────────────────────────────────────
-
-if (computed === recorded) {
-  console.log(`CSP hash OK: sha256-${computed}`);
-  process.exit(0);
-} else {
-  console.error("ERROR: CSP hash mismatch!");
-  console.error(`  index.html script hash : sha256-${computed}`);
-  console.error(`  _headers recorded hash : sha256-${recorded}`);
-  console.error(
-    "Update the sha256- value in public/_headers to match the inline script."
-  );
-  process.exit(1);
-}
diff --git a/tests/components/OAuthCallback.test.tsx b/tests/components/OAuthCallback.test.tsx
index 9264a021..56854fb5 100644
--- a/tests/components/OAuthCallback.test.tsx
+++ b/tests/components/OAuthCallback.test.tsx
@@ -341,6 +341,47 @@ describe("OAuthCallback", () => {
     expect(sessionStorage.getItem(OAUTH_RETURN_TO_KEY)).toBe("/settings");
   });
 
+  it("OAUTH_RETURN_TO_KEY is preserved when validateToken returns false", async () => {
+    sessionStorage.setItem(OAUTH_RETURN_TO_KEY, "/settings");
+    setupValidState();
+    setWindowSearch({ code: "fakecode", state: "teststate" });
+    vi.stubGlobal(
+      "fetch",
+      vi.fn().mockResolvedValue({
+        ok: true,
+        json: async () => ({ access_token: "tok123" }),
+      })
+    );
+    vi.mocked(authStore.validateToken).mockResolvedValue(false);
+
+    renderCallback();
+
+    await waitFor(() => {
+      screen.getByText(/Could not verify token/i);
+    });
+    expect(sessionStorage.getItem(OAUTH_RETURN_TO_KEY)).toBe("/settings");
+  });
+
+  it("OAUTH_RETURN_TO_KEY is preserved when token exchange fails", async () => {
+    sessionStorage.setItem(OAUTH_RETURN_TO_KEY, "/settings");
+    setupValidState();
+    setWindowSearch({ code: "fakecode", state: "teststate" });
+    vi.stubGlobal(
+      "fetch",
+      vi.fn().mockResolvedValue({
+        ok: false,
+        json: async () => ({ error: "bad_verification_code" }),
+      })
+    );
+
+    renderCallback();
+
+    await waitFor(() => {
+      screen.getByText(/Failed to complete sign in/i);
+    });
+    expect(sessionStorage.getItem(OAUTH_RETURN_TO_KEY)).toBe("/settings");
+  });
+
   it("navigates to / when OAUTH_RETURN_TO_KEY is not set", async () => {
     setupSuccessfulCallback();
     renderCallback();
diff --git a/tests/worker/oauth.test.ts b/tests/worker/oauth.test.ts
index e3bfd1b8..e6975bd7 100644
--- a/tests/worker/oauth.test.ts
+++ b/tests/worker/oauth.test.ts
@@ -955,12 +955,18 @@ describe("Worker OAuth endpoint", () => {
       expect(log!.level).toBe("warn");
     });
 
-    it("returns 404 when SENTRY_DSN is not configured", async () => {
+    it("returns 404 when SENTRY_DSN is empty string", async () => {
       const req = makeTunnelRequest(makeEnvelope(VALID_DSN));
       const res = await worker.fetch(req, makeEnv({ SENTRY_DSN: "" }));
       expect(res.status).toBe(404);
     });
 
+    it("returns 404 when SENTRY_DSN is undefined", async () => {
+      const req = makeTunnelRequest(makeEnvelope(VALID_DSN));
+      const res = await worker.fetch(req, makeEnv({ SENTRY_DSN: undefined as unknown as string }));
+      expect(res.status).toBe(404);
+    });
+
     it("returns 502 when Sentry is unreachable", async () => {
       globalThis.fetch = vi.fn().mockRejectedValue(new Error("connection refused"));
 

From a005ceba3ca240da4e6bae9dd733d29764855a83 Mon Sep 17 00:00:00 2001
From: testvalue <wgordon@redhat.com>
Date: Thu, 2 Apr 2026 11:06:28 -0400
Subject: [PATCH 6/8] fix(deps): regenerates lockfile for pinned happy-dom,
 adds lockfile sync hook
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- pnpm-lock.yaml specifier was ^20.8.9, package.json was pinned to
  20.8.9 — CI frozen-lockfile install failed on the mismatch
- adds lockfile-sync pre-commit hook that runs pnpm install
  --frozen-lockfile when package.json or pnpm-lock.yaml changes
---
 pnpm-lock.yaml | 2 +-
 prek.toml      | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 6fc77624..517be871 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -67,7 +67,7 @@ importers:
         specifier: 6.2.5
         version: 6.2.5
       happy-dom:
-        specifier: ^20.8.9
+        specifier: 20.8.9
         version: 20.8.9
       tailwindcss:
         specifier: 4.2.2
diff --git a/prek.toml b/prek.toml
index 7da7feb1..08c07b86 100644
--- a/prek.toml
+++ b/prek.toml
@@ -13,6 +13,15 @@ hooks = [
 [[repos]]
 repo = "local"
 
+[[repos.hooks]]
+id = "lockfile-sync"
+name = "Lockfile in sync with package.json"
+language = "system"
+entry = "pnpm install --frozen-lockfile"
+pass_filenames = false
+files = "(package\\.json|pnpm-lock\\.yaml)$"
+priority = 0
+
 [[repos.hooks]]
 id = "typecheck"
 name = "TypeScript typecheck"

From 9222965e57f49ebd5091509f3f3973403b398360 Mon Sep 17 00:00:00 2001
From: testvalue <wgordon@redhat.com>
Date: Thu, 2 Apr 2026 12:53:35 -0400
Subject: [PATCH 7/8] refactor(security): extracts CSP hash verification into
 shared script

---
 .github/workflows/ci.yml     | 10 +---------
 .github/workflows/deploy.yml | 10 +---------
 prek.toml                    |  2 +-
 scripts/verify-csp-hash.sh   | 19 +++++++++++++++++++
 4 files changed, 22 insertions(+), 19 deletions(-)
 create mode 100755 scripts/verify-csp-hash.sh

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 10bcb75f..3e98e966 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,15 +15,7 @@ jobs:
           cache: pnpm
       - run: pnpm install --frozen-lockfile
       - name: Verify CSP inline script hash
-        run: |
-          SCRIPT=$(sed -n 's/.*<script>\(.*\)<\/script>.*/\1/p' index.html)
-          HASH=$(printf '%s' "$SCRIPT" | openssl dgst -sha256 -binary | base64)
-          if ! grep -q "sha256-$HASH" public/_headers; then
-            echo "::error::CSP hash mismatch! Inline script hash 'sha256-$HASH' not found in public/_headers"
-            echo "Update the sha256 hash in public/_headers to match the inline script in index.html"
-            exit 1
-          fi
-          echo "CSP hash verified: sha256-$HASH"
+        run: bash scripts/verify-csp-hash.sh
       - run: pnpm run typecheck
       - run: pnpm test
       - name: Install Playwright browsers
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 68d500e2..d8505edb 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -19,15 +19,7 @@ jobs:
       - run: pnpm run typecheck
       - run: pnpm test
       - name: Verify CSP inline script hash
-        run: |
-          SCRIPT=$(sed -n 's/.*<script>\(.*\)<\/script>.*/\1/p' index.html)
-          HASH=$(printf '%s' "$SCRIPT" | openssl dgst -sha256 -binary | base64)
-          if ! grep -q "sha256-$HASH" public/_headers; then
-            echo "::error::CSP hash mismatch! Inline script hash 'sha256-$HASH' not found in public/_headers"
-            echo "Update the sha256 hash in public/_headers to match the inline script in index.html"
-            exit 1
-          fi
-          echo "CSP hash verified: sha256-$HASH"
+        run: bash scripts/verify-csp-hash.sh
       - name: WAF smoke tests
         run: pnpm test:waf
       - run: pnpm run build
diff --git a/prek.toml b/prek.toml
index 08c07b86..6d37fc7e 100644
--- a/prek.toml
+++ b/prek.toml
@@ -44,7 +44,7 @@ priority = 0
 id = "csp-hash"
 name = "CSP hash verification"
 language = "system"
-entry = "bash -c 'SCRIPT=$(sed -n \"s/.*<script>\\(.*\\)<\\/script>.*/\\1/p\" index.html) && HASH=$(printf \"%s\" \"$SCRIPT\" | openssl dgst -sha256 -binary | base64) && grep -q \"sha256-$HASH\" public/_headers && echo \"CSP hash OK: sha256-$HASH\" || { echo \"CSP hash mismatch! sha256-$HASH not in public/_headers\"; exit 1; }'"
+entry = "bash scripts/verify-csp-hash.sh"
 pass_filenames = false
 always_run = true
 priority = 0
diff --git a/scripts/verify-csp-hash.sh b/scripts/verify-csp-hash.sh
new file mode 100755
index 00000000..81285f6f
--- /dev/null
+++ b/scripts/verify-csp-hash.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT=$(sed -n 's/.*<script>\([^<]*\)<\/script>.*/\1/p' index.html)
+if [[ -z "$SCRIPT" ]]; then
+  echo "No inline <script>...</script> found in index.html"
+  [[ -n "${GITHUB_ACTIONS:-}" ]] && echo "::error::No inline <script>...</script> found in index.html"
+  exit 1
+fi
+HASH=$(printf '%s' "$SCRIPT" | openssl dgst -sha256 -binary | base64)
+
+if ! grep -qF "sha256-$HASH" public/_headers; then
+  echo "CSP hash mismatch! Inline script hash 'sha256-$HASH' not found in public/_headers"
+  echo "Update the sha256 hash in public/_headers to match the inline script in index.html"
+  [[ -n "${GITHUB_ACTIONS:-}" ]] && echo "::error::CSP hash mismatch! Inline script hash 'sha256-$HASH' not found in public/_headers"
+  exit 1
+fi
+
+echo "CSP hash verified: sha256-$HASH"

From 3b69689bbb60527b9880588934428ebdbe8fb6e3 Mon Sep 17 00:00:00 2001
From: testvalue <wgordon@redhat.com>
Date: Thu, 2 Apr 2026 13:32:46 -0400
Subject: [PATCH 8/8] perf(waf): parallelizes smoke tests with GNU parallel

Replaces sequential curl loops (81s) with GNU parallel (-j10, ~2s).
Test specs become a pipe-delimited data array parsed by exported
functions. Adds --max-time 10 per curl, --timeout 15 per job,
command -v guard, and empty-output infrastructure failure detection.
---
 scripts/waf-smoke-test.sh | 177 +++++++++++++++++++++-----------------
 1 file changed, 98 insertions(+), 79 deletions(-)

diff --git a/scripts/waf-smoke-test.sh b/scripts/waf-smoke-test.sh
index 7017caf0..1524b50f 100755
--- a/scripts/waf-smoke-test.sh
+++ b/scripts/waf-smoke-test.sh
@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 # WAF Smoke Tests — validates Cloudflare WAF rules for gh.gordoncode.dev
+# Requires: GNU parallel (brew install parallel / apt install parallel)
 #
 # Usage: pnpm test:waf
 #
@@ -10,94 +11,112 @@
 
 set -euo pipefail
 
+if ! command -v parallel &>/dev/null; then
+  printf 'Error: GNU parallel is required (brew install parallel / apt install parallel)\n' >&2
+  exit 1
+fi
+
 BASE="https://gh.gordoncode.dev"
-PASS=0
-FAIL=0
 
-assert_status() {
-  local expected="$1" actual="$2" label="$3"
+# --- Test runner (exported for GNU parallel) ---
+run_test() {
+  local expected="$1" label="$2"
+  shift 2
+  local actual
+  actual=$(curl -s -o /dev/null -w "%{http_code}" --connect-timeout 5 --max-time 10 "$@")
   if [[ "$actual" == "$expected" ]]; then
-    echo "  PASS  [${actual}] ${label}"
-    PASS=$((PASS + 1))
+    printf '  PASS  [%s] %s\n' "$actual" "$label"
   else
-    echo "  FAIL  [${actual}] ${label} (expected ${expected})"
-    FAIL=$((FAIL + 1))
+    printf '  FAIL  [%s] %s (expected %s)\n' "$actual" "$label" "$expected"
+    return 1
   fi
 }
-
-fetch() {
-  curl -s -o /dev/null -w "%{http_code}" "$@"
+export -f run_test
+
+# --- Test spec parser (exported for GNU parallel) ---
+# Splits pipe-delimited spec into: expected_status | label | curl_args...
+run_spec() {
+  local expected label
+  IFS='|' read -ra parts <<< "$1"
+  expected="${parts[0]}"
+  label="${parts[1]}"
+  run_test "$expected" "$label" "${parts[@]:2}"
 }
+export -f run_spec
+
+# --- Test specs: expected_status | label | curl args ... ---
+# Pipe-delimited. Fields after label are passed directly to curl.
+TESTS=(
+  # Rule 1: Path Allowlist — allowed paths
+  "200|GET /|${BASE}/"
+  "200|GET /login|${BASE}/login"
+  "200|GET /oauth/callback|${BASE}/oauth/callback"
+  "200|GET /onboarding|${BASE}/onboarding"
+  "200|GET /dashboard|${BASE}/dashboard"
+  "200|GET /settings|${BASE}/settings"
+  "200|GET /privacy|${BASE}/privacy"
+  "307|GET /index.html (html_handling redirect)|${BASE}/index.html"
+  "200|GET /assets/nonexistent.js|${BASE}/assets/nonexistent.js"
+  "200|GET /api/health|${BASE}/api/health"
+  "400|POST /api/oauth/token (no body)|-X|POST|${BASE}/api/oauth/token"
+  "404|GET /api/nonexistent|${BASE}/api/nonexistent"
+  # Rule 1: Path Allowlist — blocked paths
+  "403|GET /wp-admin|${BASE}/wp-admin"
+  "403|GET /wp-login.php|${BASE}/wp-login.php"
+  "403|GET /.env|${BASE}/.env"
+  "403|GET /.env.production|${BASE}/.env.production"
+  "403|GET /.git/config|${BASE}/.git/config"
+  "403|GET /.git/HEAD|${BASE}/.git/HEAD"
+  "403|GET /xmlrpc.php|${BASE}/xmlrpc.php"
+  "403|GET /phpmyadmin/|${BASE}/phpmyadmin/"
+  "403|GET /phpMyAdmin/|${BASE}/phpMyAdmin/"
+  "403|GET /.htaccess|${BASE}/.htaccess"
+  "403|GET /.htpasswd|${BASE}/.htpasswd"
+  "403|GET /cgi-bin/|${BASE}/cgi-bin/"
+  "403|GET /admin/|${BASE}/admin/"
+  "403|GET /wp-content/debug.log|${BASE}/wp-content/debug.log"
+  "403|GET /config.php|${BASE}/config.php"
+  "403|GET /backup.zip|${BASE}/backup.zip"
+  "403|GET /actuator/health|${BASE}/actuator/health"
+  "403|GET /manager/html|${BASE}/manager/html"
+  "403|GET /wp-config.php|${BASE}/wp-config.php"
+  "403|GET /eval-stdin.php|${BASE}/eval-stdin.php"
+  "403|GET /.aws/credentials|${BASE}/.aws/credentials"
+  "403|GET /.ssh/id_rsa|${BASE}/.ssh/id_rsa"
+  "403|GET /robots.txt|${BASE}/robots.txt"
+  "403|GET /sitemap.xml|${BASE}/sitemap.xml"
+  "403|GET /favicon.ico|${BASE}/favicon.ico"
+  "403|GET /random/garbage/path|${BASE}/random/garbage/path"
+  # Rule 2: Scanner User-Agents — normal UAs
+  "200|Normal browser UA|-H|User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36|${BASE}/"
+  "200|Default curl UA|${BASE}/"
+  # Rule 2: Scanner User-Agents — malicious UAs
+  "403|Empty User-Agent|-H|User-Agent:|${BASE}/"
+  "403|UA: sqlmap/1.7|-H|User-Agent: sqlmap/1.7|${BASE}/"
+  "403|UA: Nikto/2.1.6|-H|User-Agent: Nikto/2.1.6|${BASE}/"
+  "403|UA: Nmap Scripting Engine|-H|User-Agent: Nmap Scripting Engine|${BASE}/"
+  "403|UA: masscan/1.3|-H|User-Agent: masscan/1.3|${BASE}/"
+  "403|UA: Mozilla/5.0 zgrab/0.x|-H|User-Agent: Mozilla/5.0 zgrab/0.x|${BASE}/"
+)
+
+# --- Run in parallel (:::  passes array elements directly, avoiding stdin quoting issues) ---
+TOTAL=${#TESTS[@]}
+
+OUTPUT=$(parallel --will-cite -k -j10 --timeout 15 run_spec ::: "${TESTS[@]}") || true
+
+# Detect infrastructure failure (parallel crashed, no tests ran)
+if [[ -z "$OUTPUT" ]]; then
+  printf 'Error: test harness produced no output — parallel may have failed\n' >&2
+  exit 2
+fi
 
-# ============================================================
-# Rule 1: Path Allowlist
-# ============================================================
-echo "=== Rule 1: Path Allowlist ==="
-echo "--- Allowed paths (should pass) ---"
-
-for path in "/" "/login" "/oauth/callback" "/onboarding" "/dashboard" "/settings" "/privacy"; do
-  status=$(fetch "${BASE}${path}")
-  assert_status "200" "$status" "GET ${path}"
-done
-
-status=$(fetch "${BASE}/index.html")
-assert_status "307" "$status" "GET /index.html (html_handling redirect)"
-
-status=$(fetch "${BASE}/assets/nonexistent.js")
-assert_status "200" "$status" "GET /assets/nonexistent.js"
-
-status=$(fetch "${BASE}/api/health")
-assert_status "200" "$status" "GET /api/health"
-
-status=$(fetch -X POST "${BASE}/api/oauth/token")
-assert_status "400" "$status" "POST /api/oauth/token (no body)"
-
-status=$(fetch "${BASE}/api/nonexistent")
-assert_status "404" "$status" "GET /api/nonexistent"
-
-echo "--- Blocked paths (should be 403) ---"
-
-for path in "/wp-admin" "/wp-login.php" "/.env" "/.env.production" \
-            "/.git/config" "/.git/HEAD" "/xmlrpc.php" \
-            "/phpmyadmin/" "/phpMyAdmin/" "/.htaccess" "/.htpasswd" \
-            "/cgi-bin/" "/admin/" "/wp-content/debug.log" \
-            "/config.php" "/backup.zip" "/actuator/health" \
-            "/manager/html" "/wp-config.php" "/eval-stdin.php" \
-            "/.aws/credentials" "/.ssh/id_rsa" "/robots.txt" \
-            "/sitemap.xml" "/favicon.ico" "/random/garbage/path"; do
-  status=$(fetch "${BASE}${path}")
-  assert_status "403" "$status" "GET ${path}"
-done
-
-# ============================================================
-# Rule 2: Scanner User-Agents
-# ============================================================
-echo ""
-echo "=== Rule 2: Scanner User-Agents ==="
-echo "--- Normal UAs (should pass) ---"
-
-status=$(fetch -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36" "${BASE}/")
-assert_status "200" "$status" "Normal browser UA"
-
-status=$(fetch "${BASE}/")
-assert_status "200" "$status" "Default curl UA"
-
-echo "--- Malicious UAs (should be 403 — managed challenge, no JS) ---"
-
-status=$(fetch -H "User-Agent:" "${BASE}/")
-assert_status "403" "$status" "Empty User-Agent"
-
-for ua in "sqlmap/1.7" "Nikto/2.1.6" "Nmap Scripting Engine" "masscan/1.3" "Mozilla/5.0 zgrab/0.x"; do
-  status=$(fetch -H "User-Agent: ${ua}" "${BASE}/")
-  assert_status "403" "$status" "UA: ${ua}"
-done
+# Count results from output
+PASS=$(grep -c "^  PASS" <<< "$OUTPUT" || true)
+FAIL=$((TOTAL - PASS))
 
-# ============================================================
-# Summary
-# ============================================================
-echo ""
-TOTAL=$((PASS + FAIL))
-echo "=== Results: ${PASS}/${TOTAL} passed, ${FAIL} failed ==="
+# Print results (preserving order from parallel -k)
+printf '%s\n' "$OUTPUT"
+printf '\n=== Results: %d/%d passed, %d failed ===\n' "$PASS" "$TOTAL" "$FAIL"
 if [[ $FAIL -gt 0 ]]; then
   exit 1
 fi