security: bound Zod inputs, add SSE per-user cap and tRPC body limit (#51) #59

Merged

Hartmut merged 1 commits from security/zod-audit-51 into main

2026-04-18 13:53:28 +02:00

Author	SHA1	Message	Date
Hartmut	40ca0c3046	security: bound Zod inputs, add SSE per-user cap and tRPC body limit (#51 ) CI / Architecture Guardrails (pull_request) Successful in 2m6s Details CI / Lint (pull_request) Successful in 7m29s Details CI / Typecheck (pull_request) Successful in 8m3s Details CI / Unit Tests (pull_request) Successful in 8m11s Details CI / Build (pull_request) Successful in 5m24s Details CI / E2E Tests (pull_request) Successful in 5m25s Details CI / Fresh-Linux Docker Deploy (pull_request) Successful in 6m30s Details CI / Release Images (pull_request) Has been skipped Details CI / Assistant Split Regression (pull_request) Successful in 3m47s Details Mechanical .max() bounds across 9 router schemas per the convention in #51: IDs at 64, names at 200, search/filter strings at 500, arrays at 100-5000 depending on domain. Webhook secret bounded at min(16)/max(256). Reports route now validates startDate/endDate via zod with year bounds and rejects end<start. SSE timeline route enforces a per-user connection cap of 8 (returns 429 with Retry-After). tRPC route rejects bodies over 2 MiB via Content-Length check before auth/DB work. Covers 12 call-sites listed in #51. ESLint rule and zod conventions doc remain as follow-up.	2026-04-18 13:31:18 +02:00