fix(api): validate rolePresets with RolePresetsSchema before DB cast
Replace z.array(z.unknown()) with RolePresetsSchema for blueprint role presets mutation input, ensuring structural validation before Prisma JSON cast. Also adds SECURITY.md for vulnerability disclosure.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@@ -0,0 +1,27 @@
# Security Policy
## Reporting a Vulnerability
If you discover a security vulnerability in CapaKraken, please report it responsibly.
**Do not** open a public GitHub issue for security vulnerabilities.
Instead, please email the maintainer directly with:
1. A description of the vulnerability
2. Steps to reproduce
3. Potential impact assessment
We will acknowledge receipt within 48 hours and provide a timeline for resolution.
## Supported Versions
Only the latest version on the `main` branch receives security updates.
## Security Practices
- Dependencies are audited nightly via `pnpm audit` and on every CI run
- Authentication uses Argon2-based password hashing via Auth.js v5
- Rate limiting is enforced on all API endpoints with Redis-backed counters
- All database mutations use parameterized queries via Prisma (no raw SQL)
- Session tokens are rotated on password change
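Review bot: "Instead, please email the maintainer directly" under "Reporting a Vulnerability" gives no address, so a reporter has nowhere to send the report; add the contact mailbox (and a PGP key fingerprint if one exists) next to that sentence, since the 48-hour acknowledgement promise is only meaningful for a stated channel. The "Security Practices" bullets also state as fact things this diff does not show: Auth.js does not hash passwords itself (that lives in whatever Credentials-provider callback the app wires up), so name the actual Argon2 library; and for "Rate limiting is enforced on all API endpoints" and "no raw SQL", either link the middleware and lint/CI rule that enforce them or soften the wording so the policy does not promise more than the codebase guarantees.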