fix: security hardening, CSP, WCAG contrast, env vars #27

Merged
m4cd4r4 merged 4 commits into master from fix/impeccable-review
Mar 16, 2026

Conversation

@m4cd4r4 (Owner) commented Mar 16, 2026

Summary

  • Security hardening: 7 fixes from agentic security review (auth bypass, SQL injection, rate limiting, filename sanitization, proxy auth, MCP auth, security headers)
  • Content-Security-Policy header blocking external script injection
  • WCAG AA contrast fix (text-ink-300 for dark mode clause references)
  • Remotion video updates (GlowOrb removal, scaleX animations)
  • Environment variable documentation (.env.example for frontend and backend)
  • Playwright test spec uses BASE_URL env var

Test plan

  • TypeScript compiles clean (both frontend and demo-video)
  • Python files compile clean (auth.py, search.py, analysis.py, graph.py, deals.py, documents.py)
  • Playwright production tests: 27/28 passing (28th passes after merge)
  • Verify Vercel production deployment with new env vars
  • Set backend API_KEY after Vercel deploy confirmed

🤖 Generated with Claude Code

m4cd4r4 and others added 4 commits March 16, 2026 13:11
Security (agentic review - 7 fixes):
- Reject requests in non-dev environments when API_KEY is unset (auth.py)
- Add PROXY_SECRET env var to gate frontend API proxy access (route.ts)
- Add BRIGHTCLAUSE_API_KEY support to MCP server (index.js)
- Replace SQL f-string interpolation with parameterized query (search.py)
- Add rate limits to 7 AI-inference endpoints (analysis, graph, deals)
- Sanitize filenames in batch upload with null byte and length checks
- Add security headers: HSTS, X-Frame-Options, nosniff, Referrer-Policy

Remotion video:
- Remove GlowOrb from all 8 scenes (AI slop reduction)
- Convert width-based bar animations to scaleX (compositor performance)
- Remove colored accent stripe from deal cards

WCAG:
- Fix hero-visual clause refs contrast (text-ink-400 -> text-ink-500)
- Add 28-test Playwright verification spec for live site checks

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

ink-500 was dimmer than ink-400 in dark mode (lower numbers = brighter).
ink-300 (190, 186, 178) gives well over 4.5:1 contrast on bg-ink-800/30.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

LIVE_URL was hardcoded to brightclause.com. Now reads from BASE_URL
env var so tests can run against preview deployments too.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Add Content-Security-Policy header covering script-src, style-src,
font-src, connect-src, worker-src, frame-src. Blocks external script
injection while allowing Next.js, Google Fonts, and Vercel Analytics.

Add .env.example for frontend (BACKEND_URL, BACKEND_API_KEY,
PROXY_SECRET) and update backend .env.example with generation hint.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
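Three of the hardening patterns named in the PR summary and the first commit message (parameterized search query in place of f-string SQL, filename sanitization with null-byte and length checks, and the fail-closed API_KEY gate), written here as an added Python example rather than the project's own code. The `clauses` table, the function names, and the 255-character filename limit are assumptions; the sample rows are constructed.

```python
import hmac
import os
import sqlite3
from typing import List, Optional

MAX_FILENAME_LEN = 255  # assumed cap; the PR only says "length checks"


def search_clauses(conn: sqlite3.Connection, term: str) -> List[str]:
    """Parameterized query: `term` is bound by the driver, never spliced into SQL.
    Table/column names are assumed. `%` and `_` in term still act as LIKE wildcards."""
    rows = conn.execute(
        "SELECT title FROM clauses WHERE title LIKE ? ORDER BY title",
        (f"%{term}%",),
    ).fetchall()
    return [r[0] for r in rows]


def sanitize_filename(name: str) -> str:
    """Reject null bytes, drop directory components, enforce a length cap."""
    if "\x00" in name:
        raise ValueError("null byte in filename")
    base = os.path.basename(name.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise ValueError("empty or dot-only filename")
    if len(base) > MAX_FILENAME_LEN:
        raise ValueError("filename too long")
    return base


def require_api_key(env: str, configured: Optional[str], presented: Optional[str]) -> bool:
    """Fail closed: an unset API_KEY only lets requests through in development."""
    if not configured:
        return env == "development"
    return presented is not None and hmac.compare_digest(configured, presented)


def demo_db() -> sqlite3.Connection:
    """Constructed sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clauses (title TEXT)")
    conn.executemany(
        "INSERT INTO clauses VALUES (?)",
        [("Termination",), ("Indemnity",), ("Term of lease",)],
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(search_clauses(db, "Term"))             # ['Term of lease', 'Termination']
    print(search_clauses(db, "' OR 1=1 --"))      # [] : the quote is plain data
    print(sanitize_filename("../../report.pdf"))  # report.pdf
```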
vercel bot commented Mar 16, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: contractclarity
Deployment: Building
Actions: Preview, Comment
Updated (UTC): Mar 16, 2026 5:41am

@m4cd4r4 m4cd4r4 merged commit 93bcea0 into master Mar 16, 2026
1 of 2 checks passed
@m4cd4r4 m4cd4r4 deleted the fix/impeccable-review branch March 16, 2026 05:41