Matt
4b9743a594
audit: 33-agent comprehensive audit + critical fixes
Full team audit run, all reports verbatim in docs/AUDIT-2026-05-12.md
(5900+ lines, 30+ critical findings). Already fixed in this commit:
- permission-overrides PUT: self-target block + RolePermissions allow-list + cross-tenant guard
- /api/auth/resolve-identifier: rate-limit + synthetic miss-email kill enumeration
- admin email-change: rotates account.accountId + revokes sessions
- middleware: token-gated email confirm/cancel routes whitelisted
- NAV_CATALOG: 10 dead-link sweeps to existing /admin/<x> targets
Feature work landing same commit: optional username sign-in
(migration 0054), per-user permission overrides (0055) with three-state
matrix tabbed inside UserForm, user disable button, role + outcome +
stage label normalisation across the platform, admin email-change
with auto-notification template.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 16:52:35 +02:00