feat: close 4 more security compliance gaps (46/63 OK, 73%)

Error-Page Headers (3.3.1.3.03 → OK):
- Cache-Control no-store on ALL routes (API, auth, catch-all)

Proactive Monitoring (3.2.1.04 → OK):
- /api/cron/health-check: DB + Redis check with latency, ADMIN alerts on failure

Security Scanning (3.2.2.7 → improved):
- /api/cron/security-audit: package version check against minimum safe versions

Server Hardening (3.3.1.4 → OK):
- docs/nginx-hardening.conf: complete template (rate limits, SSL, headers)

Database Security (3.3.3 → OK):
- docs/security-architecture.md Section 12: DB auth, isolation, SSL/audit recommendations

Compliance: 46 OK / 5 PARTIAL / 8 TODO / 4 N/A (was 42/9/8/4)

Co-Authored-By: claude-flow <ruv@ruv.net>

apps/web/src/app/api/cron/security-audit/route.ts

@@ -0,0 +1,158 @@
+import { NextResponse } from "next/server";
+import { prisma } from "@capakraken/db";
+import { createNotificationsForUsers } from "@capakraken/api";
+import { readFileSync } from "fs";
+import { join } from "path";
+
+export const dynamic = "force-dynamic";
+export const runtime = "nodejs";
+
+/**
+ * Known CVEs / minimum safe versions for critical dependencies.
+ * Update this map when new advisories are published.
+ */
+const MINIMUM_SAFE_VERSIONS: Record<string, { minVersion: string; advisory?: string }> = {
+  next: { minVersion: "15.0.0", advisory: "Keep Next.js on latest 15.x" },
+  prisma: { minVersion: "6.0.0", advisory: "Prisma 6.x for latest security patches" },
+  "@sentry/nextjs": { minVersion: "8.0.0", advisory: "Sentry v8 for latest fixes" },
+  "ioredis": { minVersion: "5.4.0", advisory: "ioredis 5.4+ for connection security" },
+  "next-auth": { minVersion: "5.0.0", advisory: "Auth.js v5 for security hardening" },
+};
+
+interface Finding {
+  package: string;
+  currentVersion: string;
+  minimumVersion: string;
+  severity: "high" | "medium" | "low";
+  advisory: string;
+}
+
+/**
+ * Simple semver comparison: returns true if `current` >= `minimum`.
+ * Handles standard x.y.z versions and beta/rc suffixes.
+ */
+function isVersionSafe(current: string, minimum: string): boolean {
+  const normalize = (v: string) =>
+    v
+      .replace(/^[~^>=<]*/, "")
+      .split("-")[0]!
+      .split(".")
+      .map((n) => parseInt(n, 10) || 0);
+
+  const cur = normalize(current);
+  const min = normalize(minimum);
+
+  for (let i = 0; i < 3; i++) {
+    const c = cur[i] ?? 0;
+    const m = min[i] ?? 0;
+    if (c > m) return true;
+    if (c < m) return false;
+  }
+  return true; // equal
+}
+
+function scanPackageJson(): Finding[] {
+  const findings: Finding[] = [];
+
+  try {
+    // Read root package.json and web app package.json
+    const paths = [
+      join(process.cwd(), "package.json"),
+      join(process.cwd(), "../../package.json"), // monorepo root from apps/web
+    ];
+
+    const allDeps: Record<string, string> = {};
+
+    for (const p of paths) {
+      try {
+        const content = JSON.parse(readFileSync(p, "utf-8"));
+        Object.assign(allDeps, content.dependencies ?? {}, content.devDependencies ?? {});
+      } catch {
+        // File not found — skip
+      }
+    }
+
+    for (const [pkg, rule] of Object.entries(MINIMUM_SAFE_VERSIONS)) {
+      const installed = allDeps[pkg];
+      if (!installed) continue;
+
+      if (!isVersionSafe(installed, rule.minVersion)) {
+        findings.push({
+          package: pkg,
+          currentVersion: installed,
+          minimumVersion: rule.minVersion,
+          severity: "high",
+          advisory: rule.advisory ?? "Update recommended",
+        });
+      }
+    }
+  } catch (error) {
+    console.error("[security-audit] Error scanning package.json:", error);
+  }
+
+  return findings;
+}
+
+/**
+ * GET /api/cron/security-audit
+ *
+ * Checks installed dependency versions against known minimum safe versions.
+ * Creates a CRITICAL notification for ADMIN users if high-severity issues found.
+ *
+ * Protected by CRON_SECRET environment variable.
+ * When set, requests must include `Authorization: Bearer <secret>`.
+ */
+export async function GET(request: Request) {
+  const cronSecret = process.env["CRON_SECRET"];
+  if (cronSecret) {
+    const auth = request.headers.get("authorization");
+    if (auth !== `Bearer ${cronSecret}`) {
+      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+    }
+  }
+
+  try {
+    const findings = scanPackageJson();
+    const highSeverity = findings.filter((f) => f.severity === "high");
+
+    // Alert admins if high-severity findings exist
+    if (highSeverity.length > 0) {
+      const adminUsers = await prisma.user.findMany({
+        where: { systemRole: "ADMIN" },
+        select: { id: true },
+      });
+
+      if (adminUsers.length > 0) {
+        const details = highSeverity
+          .map((f) => `${f.package}@${f.currentVersion} (need >=${f.minimumVersion})`)
+          .join(", ");
+
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        await createNotificationsForUsers({
+          db: prisma as any,
+          userIds: adminUsers.map((u) => u.id),
+          type: "SYSTEM_ALERT",
+          title: `Security Audit: ${highSeverity.length} high-severity finding(s)`,
+          body: `Outdated packages detected: ${details}. Run \`pnpm update\` and review advisories.`,
+          category: "system",
+          priority: "CRITICAL",
+          link: "/admin/settings",
+        });
+      }
+    }
+
+    return NextResponse.json({
+      ok: highSeverity.length === 0,
+      totalFindings: findings.length,
+      highSeverity: highSeverity.length,
+      findings,
+      scannedAt: new Date().toISOString(),
+    });
+  } catch (error) {
+    console.error("[cron/security-audit] Error:", error);
+    return NextResponse.json(
+      { ok: false, error: "Internal error" },
+      { status: 500 },
+    );
+  }
+}