security/platform: close audit findings #19–#26

Tests, CSP nonce middleware, SSRF guard, perf-route hardening, Docker env isolation, migration runbook, RBAC E2E coverage. Tickets resolved: - #19: MfaSetup.test.ts — static source tests confirming local QR rendering - #20: ssrf-guard.test.ts (16 tests) + webhook-procedure-support mock fix - #21: /api/perf route.test.ts (5 tests) — header-only auth, fail-closed - #22: middleware.ts (nonce-based CSP) + middleware.test.ts (6 tests); layout.tsx async + nonce prop; CSP removed from next.config.ts - #23: Active-session registry enforcement verified (already in codebase) - #24: docker-compose.yml REDIS_URL hardcoded (no host-env substitution) - #25: docker-compose.yml REDIS_URL + docs/developer-runbook.md created - #26: e2e/dev-system/rbac-data-access.spec.ts (12 tests, 3 roles × 4 procedures) Quality gates: tsc clean, api 1447/1447, web 189/189 passing. Turbo concurrency capped at 2 (package.json) to prevent OOM under parallel test runs. Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-01 22:14:20 +02:00
parent 4901bc878b
commit bfdf0a82da
15 changed files with 1013 additions and 23 deletions
@@ -14,6 +14,12 @@ vi.mock("../lib/audit.js", () => ({
  createAuditEntry: vi.fn(),
 }));

+// Mock the SSRF guard so tests do not perform real DNS lookups.
+// The guard's security behaviour is covered separately in ssrf-guard.test.ts.
+vi.mock("../lib/ssrf-guard.js", () => ({
+  assertWebhookUrlAllowed: vi.fn().mockResolvedValue(undefined),
+}));
+
 function createContext(db: Record<string, unknown>) {
  return {
    db: db as never,