madbase/.goose/memory/M0_Implementation.txt
Vlad Durnea cffdf8af86
wip:milestone 0 fixes
2026-03-15 12:35:42 +02:00

# security M0 roadmap implementation
# M0 Security Hardening Implementation Plan
## Overview
Goal: Eliminate all exploitable vulnerabilities before any deployment or beta.
Timeline: CRITICAL - blocks all other milestones
## Files to Modify
1. common/src/config.rs - Remove Serialize, require JWT_SECRET
2. auth/src/middleware.rs - Remove secret logging
3. auth/src/handlers.rs - Remove token logging, fix confirmation checks
4. auth/src/oauth.rs - Fix CSRF validation and account takeover
5. gateway/src/middleware.rs - Remove DB URL logging
6. gateway/src/admin_auth.rs - Implement proper session validation
7. gateway/src/control.rs - Restrict CORS origins
8. gateway/src/worker.rs - Restrict CORS origins
9. control_plane/src/lib.rs - Require ADMIN_PASSWORD, hash passwords, hide secrets
10. control-plane-api/src/lib.rs - Add API key auth
11. storage/src/backend.rs - Remove hardcoded S3 credentials
12. storage/src/handlers.rs - Fix SQL injection in SET LOCAL
13. storage/src/tus.rs - Fix path traversal
14. data_api/src/handlers.rs - Fix SQL injection in SET LOCAL
15. functions/src/deno_runtime.rs - Fix JavaScript injection
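
Added example for items 12 and 14 (not madbase code): `SET LOCAL` accepts no bind parameters, which is why values end up spliced into the statement text, while PostgreSQL's `set_config(name, value, true)` has the same transaction-local effect and takes both arguments as parameters. The function names, the allowlist and the sample value are assumptions made for illustration.

```rust
// Added illustration; names and allowlist are hypothetical, not taken from the repository.

/// Settings a request handler may set per transaction (assumed allowlist).
const ALLOWED_SETTINGS: &[&str] = &["role", "request.jwt.claims"];

/// The pattern to remove: the value becomes part of the SQL text, so a quote
/// inside it closes the literal and the rest is parsed as SQL.
fn set_local_interpolated(name: &str, value: &str) -> String {
    format!("SET LOCAL {} = '{}'", name, value)
}

/// Constant statement text plus the values to bind to $1 and $2.
#[derive(Debug, PartialEq)]
struct BoundStatement {
    sql: &'static str,
    params: Vec<String>,
}

#[derive(Debug, PartialEq)]
enum SettingError {
    NameNotAllowed,
    ValueHasNul,
}

/// Hardened form: the statement text never changes; name and value travel as
/// bind parameters, and the name is additionally checked against the allowlist.
fn set_local_bound(name: &str, value: &str) -> Result<BoundStatement, SettingError> {
    if !ALLOWED_SETTINGS.contains(&name) {
        return Err(SettingError::NameNotAllowed);
    }
    // PostgreSQL text values cannot contain NUL; reject early with a clear error.
    if value.contains('\0') {
        return Err(SettingError::ValueHasNul);
    }
    Ok(BoundStatement {
        sql: "SELECT set_config($1, $2, true)",
        params: vec![name.to_string(), value.to_string()],
    })
}

fn main() {
    // Constructed sample input: a value containing a quote and a second statement.
    let sample = "x'; SELECT 1; --";
    println!("interpolated: {}", set_local_interpolated("role", sample));
    println!("bound:        {:?}", set_local_bound("role", sample));
    println!("bad name:     {:?}", set_local_bound("search_path", sample));
}
```

The `sql` and `params` fields map directly onto a parameterized query call in whichever PostgreSQL client the crate uses.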
## Priority Order
1. Start with config changes (blocks startup)
2. Fix logging issues (immediate security improvement)
3. Fix auth vulnerabilities (critical for production)
4. Fix injection attacks (critical for production)
5. Fix transport security (important for deployment)
## Testing Strategy
After each change:
1. Run cargo check to verify compilation
2. Run cargo test for affected crates
3. Manual testing of affected endpoints
4. Final security audit checklist