## Description

Security review and hardening of the entire GitHub integration.

## Checklist

- [ ] Webhook signature verification uses timing-safe comparison
- [ ] OIDC JWT validation checks: signature, expiry, audience, issuer
- [ ] No secrets (API keys, private keys, tokens) appear in any log output
- [ ] All external input (webhook payloads, config files, API params) validated with Zod
- [ ] GitHub API tokens are short-lived and properly scoped
- [ ] Database queries use parameterized queries (TypeORM handles this)
- [ ] Webhook delivery ID deduplication prevents replay attacks
- [ ] Error responses don't leak internal details
- [ ] libsodium encryption for GitHub secrets is correct
- [ ] Rate limiting on manual reconciliation endpoint
- [ ] CORS and content-type validation on webhook endpoint

## Acceptance Criteria

- [ ] All checklist items verified
- [ ] No HIGH/CRITICAL findings
- [ ] Any accepted risks documented
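
An added example, not code from this repository, for the first and seventh checklist items: verifying GitHub's `X-Hub-Signature-256` header with a timing-safe comparison and rejecting repeated `X-GitHub-Delivery` IDs. The function names, the in-memory `Set`, and the sample secret and payload are assumptions constructed for illustration.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

type Verdict = "accepted" | "bad_signature" | "no_delivery_id" | "replayed";

// Delivery IDs already processed. In-memory for this example only; a real
// service would need a shared store with expiry (assumption, not from the page).
const seenDeliveries = new Set<string>();

// GitHub sends "sha256=<hex HMAC-SHA256 of the raw request body>" in the
// X-Hub-Signature-256 header. The HMAC must be computed over the raw bytes,
// not over a re-serialized JSON object.
function signatureIsValid(secret: string, rawBody: Buffer, header?: string): boolean {
  const prefix = "sha256=";
  if (!header || !header.startsWith(prefix)) return false;
  const expected = createHmac("sha256", secret).update(rawBody).digest();
  const received = Buffer.from(header.slice(prefix.length), "hex");
  // timingSafeEqual throws on unequal lengths, so reject those first.
  // Malformed hex decodes to a shorter buffer and is rejected here too.
  if (received.length !== expected.length) return false;
  return timingSafeEqual(received, expected);
}

function checkWebhook(
  secret: string,
  rawBody: Buffer,
  signatureHeader: string | undefined,
  deliveryId: string | undefined,
): Verdict {
  // Authenticate first: an unsigned request must never be able to mark a
  // delivery ID as seen and block the genuine delivery.
  if (!signatureIsValid(secret, rawBody, signatureHeader)) return "bad_signature";
  if (!deliveryId) return "no_delivery_id";
  if (seenDeliveries.has(deliveryId)) return "replayed";
  seenDeliveries.add(deliveryId);
  return "accepted";
}

// Constructed sample data (not from the page).
const SAMPLE_SECRET = "example-webhook-secret";
const SAMPLE_BODY = Buffer.from('{"action":"opened","number":1}');

// Helper that signs a body the way the sender would, for the demo only.
function sampleSignature(body: Buffer): string {
  return "sha256=" + createHmac("sha256", SAMPLE_SECRET).update(body).digest("hex");
}
```
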