Security review batch — 2026-05-14 UTC
Reviewer: security-agent
Requested by: Kristerpher Henderson
Context: T-9 days to v1 launch (2026-05-23 UTC)
Issues reviewed: #536, #515, #454, #320, #318, #317, #316, #315
Cross-cutting themes
- Build-time vs. runtime conflation. Five of the eight issues (#315, #316, #317, #318, #320) are npm audit HIGH findings that affect only the CRA build toolchain, not the shipped production bundle. Current npm audit shows zero HIGH/CRITICAL vulnerabilities — these are all candidates for closure with a single verification pass. The noise-to-signal ratio in the nightly scanner will improve once #91 (CRA-to-Vite migration) ships and drops the entire react-scripts subtree.
- Secrets rotation with incomplete paper trails. Issue #454 (Heroku token rotation) went through a partial SRE batch on 2026-05-06 but left three explicit steps documented as pending, including revocation of the leaked auth ID ba6a2961-00e8-45d8-a3b6-7866b505a3a6. No subsequent comment confirms those steps completed. This is the only live-risk open item in the batch.
- Code-complete, operator-action-pending. Issue #536 reached code-complete state via PR #880 (merged 2026-05-02) but remains open because two Infisical vault seeds are confirmed pending. Pattern: cards stay open past code merge because operator-action steps are not tracked as explicit sub-tasks.
- Post-launch audit hardening is correctly deferred. Issue #515 (Ed25519 subsystem signing) is a well-scoped post-launch sprint item. The hash chain provides adequate tamper evidence for v1; signing adds subsystem attribution that becomes critical for regulated environments.
Per-issue verdict table
| # | Title | Class | Severity | Verdict | PM action |
|---|---|---|---|---|---|
| #536 | CF zone_id + account_id from vault, remove from tfvars | Secrets handling | LOW (code done) | Code complete; operator vault seeds pending | Confirm vault seeds complete, then close |
| #515 | SC-12 Ed25519 subsystem signing | Audit integrity | MEDIUM | Defer post-launch (correct per card) | File vault-path readiness sub-card before sprint |
| #454 | Heroku Platform API tokens stale (401) | Secrets / credential hygiene | HIGH | Operator action required — old auth revocation unconfirmed | Escalate to operator: verify ba6a2961 revoked |
| #320 | trivy: GHSA-5c6j-r48x-rmvq in serialize-javascript@6.0.2 | Supply chain (build-time) | LOW | Likely resolved; confirm and close | Run npm audit, close if clean |
| #318 | npm audit: workbox-webpack-plugin HIGH | Supply chain (build-time) | LOW | Likely resolved; confirm and close | Run npm audit, close if clean |
| #317 | npm audit: workbox-build HIGH | Supply chain (build-time) | LOW | Likely resolved; confirm and close | Run npm audit, close if clean |
| #316 | npm audit: serialize-javascript HIGH | Supply chain (build-time) | LOW | Likely resolved; confirm and close | Run npm audit, close if clean |
| #315 | npm audit: rollup-plugin-terser HIGH | Supply chain (build-time) | LOW | Likely resolved; confirm and close | Run npm audit, close if clean |
Detailed findings
#536 — fix(infra): inject CF zone_id + account_id from vault
Class: Secrets handling / IaC hygiene
Current severity: LOW (code fix merged)
PR #880 merged 2026-05-02T02:11:25Z. The tfvars files now contain sentinels only. The gitleaks false-positive on terraform/freescout/terraform.tfvars:31 is eliminated. However, the last comment on the issue (from the implementing PR) states that two Infisical vault seeds are still pending operator action:
/MooseQuest/cloudflare/CF_ACCESS_ACCOUNT_ID_MOOSEQUEST
/MooseQuest/cloudflare/CLOUDFLARE_ZONE_ID_RAXX_APP
Without these seeds, terraform plan on the freescout stack fails. The sentinel approach actively breaks the old path — there is no soft fallback. This is a pre-launch blocker for the freescout terraform stack specifically.
Operator action: Seed the two Infisical entries and confirm in the issue thread. Close after confirmation.
#515 — SC-12 Ed25519 subsystem signing
Class: Audit integrity / tamper-evidence
Current severity: MEDIUM (post-launch gap, not v1 blocker)
The card is correctly scoped as non-MVP-blocking. The hash chain (SC-6) already provides tamper evidence for individual event rows. Ed25519 signing adds subsystem attribution — the ability to prove that a sys_* event was fired by the authorized subsystem and not injected by a DB-write-capable attacker.
Pre-conditions before sprint kickoff that are not yet confirmed:
- Infisical vault paths for Ed25519 private keys for all three subsystems (MQ-A, Raptor order-router, Raptor paper-gate)
- SC-3 and SC-6 shipped
PM action: Add a sub-card for Infisical vault path provisioning before the signing sprint is dispatched. No urgency for launch.
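The attribution gap described for #515, as an added example (not code from this review or the project): a row appended at the DB layer keeps an unkeyed hash chain valid, but fails verification against the claimed subsystem's Ed25519 public key. The event shape, the `sys_*` event names, the subsystem slugs and all function names are assumptions; keys are generated in-process instead of being read from a vault.

```javascript
// Added illustration. Event shape, field names and key handling are assumptions.
const nodeCrypto = require('node:crypto');

const GENESIS = '0'.repeat(64);
const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest('hex');
// Canonical bytes covered by both the chain hash and the signature.
const payload = (e) => Buffer.from(JSON.stringify([e.prevHash, e.subsystem, e.type, e.body]));

// One Ed25519 key pair per subsystem; in production the private halves sit in the vault.
const SUBSYSTEMS = ['MQ-A', 'raptor-order-router', 'raptor-paper-gate'];
const keys = Object.fromEntries(SUBSYSTEMS.map((s) => [s, nodeCrypto.generateKeyPairSync('ed25519')]));
const publicKeys = Object.fromEntries(SUBSYSTEMS.map((s) => [s, keys[s].publicKey]));

// Append a row; signingKey is null for a row written without any subsystem key.
function appendEvent(log, subsystem, type, body, signingKey) {
  const e = { prevHash: log.length ? log[log.length - 1].hash : GENESIS, subsystem, type, body };
  e.hash = sha256(payload(e));
  e.sig = signingKey ? nodeCrypto.sign(null, payload(e), signingKey).toString('base64') : null;
  log.push(e);
  return e;
}

// Hash-chain check: each row links to its predecessor and matches its own digest.
function verifyChain(log) {
  return log.every((e, i) =>
    e.prevHash === (i ? log[i - 1].hash : GENESIS) && e.hash === sha256(payload(e)));
}

// Attribution check: indexes of rows whose signature fails under the public key
// of the subsystem the row claims to come from (missing, wrong key, or edited row).
function unattributedRows(log, pubs) {
  return log.flatMap((e, i) => {
    const pub = pubs[e.subsystem];
    const ok = Boolean(pub && e.sig) &&
      nodeCrypto.verify(null, payload(e), pub, Buffer.from(e.sig, 'base64'));
    return ok ? [] : [i];
  });
}

function demo() {
  const log = [];
  appendEvent(log, 'MQ-A', 'sys_heartbeat', { n: 1 }, keys['MQ-A'].privateKey);
  appendEvent(log, 'raptor-order-router', 'sys_route', { order: 'A1' },
    keys['raptor-order-router'].privateKey);
  // Constructed rows inserted at the DB layer: valid chain link, no valid subsystem signature.
  appendEvent(log, 'raptor-paper-gate', 'sys_gate_open', { gate: 'paper' }, null);
  appendEvent(log, 'raptor-paper-gate', 'sys_gate_open', { gate: 'paper' }, keys['MQ-A'].privateKey);
  return { chainOk: verifyChain(log), unattributed: unattributedRows(log, publicKeys) };
}
```

`demo()` reports the chain as intact while flagging the unsigned row and the row signed with another subsystem's key.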
#454 — Heroku Platform API tokens stale (401)
Class: Secrets / credential hygiene
Current severity: HIGH (unconfirmed revocation of leaked credential)
This is the highest-risk open item in the batch. Timeline:
- 2026-04-25: Heroku token leaked in transcript
- 2026-05-06 SRE batch: new token minted and distributed; GH Actions secret updated
- 2026-05-06 comment: three steps confirmed pending, including vault write and explicit revocation of old auth ba6a2961-00e8-45d8-a3b6-7866b505a3a6
- #680 (vault access blocker) is now CLOSED, meaning vault access should be unblocked
No comment after 2026-05-06 confirms that the old auth was revoked. If ba6a2961-00e8-45d8-a3b6-7866b505a3a6 is still active, the 2026-04-25 leaked token continues to provide live Heroku API access across all four apps.
Operator escalation required. Verify revocation via:
heroku authorizations
If ba6a2961-00e8-45d8-a3b6-7866b505a3a6 is still listed, revoke immediately:
heroku authorizations:revoke ba6a2961-00e8-45d8-a3b6-7866b505a3a6
Then confirm vault writes for /MooseQuest/heroku/HEROKU_PLATFORM_API_TOKEN and /MooseQuest/heroku/HEROKU_API_KEY__AUTH_ID.
#320, #318, #317, #316, #315 — npm/trivy build-time HIGH cluster
Class: Supply chain / build-time tooling
Current severity (all five): LOW — build-time only, no production bundle exposure
All five issues are from the same root: react-scripts bundling workbox, rollup-plugin-terser, and serialize-javascript. The 2026-05-02 triage correctly identified these as blocked on #91 (CRA-to-Vite migration).
Current state (verified 2026-05-14 UTC): npm audit --prefix frontend/trademaster_ui returns zero HIGH/CRITICAL vulnerabilities. The lockfile has advanced serialize-javascript to 7.0.5 (past GHSA-5c6j-r48x-rmvq). The workbox HIGH findings are also absent from current output.
All five are candidates for immediate closure. The remaining 10 LOW findings in the current npm audit are acceptable posture for v1.
PM action: Run one verification pass of npm audit --prefix frontend/trademaster_ui, confirm zero HIGH/CRITICAL, then close all five issues (#315, #316, #317, #318, #320) together referencing the verification run.
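One way to script that single verification pass, as an added example (not code from this review or the project): it takes the parsed output of `npm audit --json --prefix frontend/trademaster_ui`, maps the five issues to the packages named in the verdict table, and fails closed when the report is unusable. The function name `closureVerdict` and the three sample reports are assumptions constructed for illustration.

```javascript
// Added illustration. Input is the parsed output of
//   npm audit --json --prefix frontend/trademaster_ui
// The issue-to-package mapping comes from the verdict table in this review.
const ISSUE_PACKAGES = {
  '#315': 'rollup-plugin-terser',
  '#316': 'serialize-javascript',
  '#317': 'workbox-build',
  '#318': 'workbox-webpack-plugin',
  '#320': 'serialize-javascript',
};
const BLOCKING = ['high', 'critical'];

function closureVerdict(report) {
  const counts = report && report.metadata && report.metadata.vulnerabilities;
  const vulns = report && report.vulnerabilities;
  // Fail closed: an error payload or truncated report must never read as "clean".
  if (!counts || !vulns || !BLOCKING.every((s) => Number.isInteger(counts[s]))) {
    return { closeBatch: false, reason: 'unusable audit report', stillOpen: Object.keys(ISSUE_PACKAGES) };
  }
  const blockingTotal = counts.high + counts.critical;
  const stillOpen = Object.entries(ISSUE_PACKAGES)
    .filter(([, pkg]) => vulns[pkg] && BLOCKING.includes(vulns[pkg].severity))
    .map(([issue]) => issue);
  // Close only when the tracked packages are clean AND the whole tree has zero HIGH/CRITICAL.
  const closeBatch = blockingTotal === 0 && stillOpen.length === 0;
  const reason = closeBatch ? 'zero HIGH/CRITICAL'
    : `${blockingTotal} HIGH/CRITICAL finding(s) in tree`;
  return { closeBatch, reason, stillOpen };
}

// Constructed samples in the npm audit JSON layout (auditReportVersion 2), not real scan output.
const CLEAN = {
  auditReportVersion: 2,
  vulnerabilities: { 'example-low-pkg': { name: 'example-low-pkg', severity: 'low' } },
  metadata: { vulnerabilities: { info: 0, low: 10, moderate: 0, high: 0, critical: 0, total: 10 } },
};
const REGRESSED = {
  auditReportVersion: 2,
  vulnerabilities: {
    'serialize-javascript': { name: 'serialize-javascript', severity: 'high' },
    'workbox-build': { name: 'workbox-build', severity: 'high' },
  },
  metadata: { vulnerabilities: { info: 0, low: 10, moderate: 0, high: 2, critical: 0, total: 12 } },
};
const ERRORED = { error: { summary: 'constructed: audit did not run' } };
```

Only the `CLEAN` sample yields `closeBatch: true`; the `REGRESSED` sample names the issues to keep open, and the `ERRORED` sample keeps all five open.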
PM action list
- ESCALATE TO OPERATOR (today): Issue #454 — confirm old Heroku auth ba6a2961-00e8-45d8-a3b6-7866b505a3a6 has been revoked. This is the only item with a live-credential risk. If not revoked, it is a pre-launch blocker.
- Operator confirm + close #536: Kristerpher should confirm the two Infisical vault seeds are written (CF_ACCESS_ACCOUNT_ID_MOOSEQUEST, CLOUDFLARE_ZONE_ID_RAXX_APP under /MooseQuest/cloudflare/). If confirmed, close #536.
- Close #315, #316, #317, #318, #320 as a batch: Run npm audit --prefix frontend/trademaster_ui on current main, confirm zero HIGH/CRITICAL, close all five with a single comment referencing the verification. Leave #91 open for the CRA-to-Vite migration.
- File sub-card for #515: Before dispatching the Ed25519 signing sprint, file a sub-card: "Confirm Infisical vault paths for Ed25519 private keys (MQ-A, Raptor order-router, Raptor paper-gate) exist before sprint kickoff." No urgency; post-launch.
- Label hygiene: Issue #454 now carries severity:high (applied 2026-05-14). Issues #315-#318, #320 currently carry severity:high from auto-filing — these should be downgraded to severity:medium-low once closed to reflect the actual build-time-only exposure. Alternatively, close immediately and the label becomes moot.