Scope
Fix all 6 CRITICAL/HIGH security findings that block production deployment of PR #113.
Fixes Included
- C1 - PFX MAC Integrity (~2h): Enable checkIntegrity: true in pfx-parser.ts:70-73 so a PFX whose MAC is missing or fails to verify is rejected instead of parsed.
- H1 - IV Reuse (~2h): Generate a fresh IV for every encryptInvoice call in session-manager.ts:128-137 and store it alongside the ciphertext, instead of reusing one IV under the same key.
- H2 - IDOR Workflow Registry (~3h): Add tenant scoping to workflow-registry.ts:96-100 and to all workflow mutations in ksef-resolvers.ts:823-939, so a workflow ID belonging to another tenant resolves as not found.
- H3 - CORS Tightening (~3h): Restrict the .pages.dev origin match to project-specific patterns across the 5 services, and extract a shared CORS utility so the policy is defined once.
- H4 - Private Key in Workflow State (~3h): Store the key encrypted in D1 and pass only a reference ID through workflow state, in cert-renewal.ts:160-183 and types.ts:14-25.
- H5 - Test Cert Gate (~1h): Add an environment guard to generateTestCertificate in ksef-resolvers.ts:533-566 so test certificates cannot be issued in production.
Estimated: 14 hours
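Worked example for H1, added here as an illustration and not code from the project: the reused-IV pattern beside the fixed one, using Node's AES-256-GCM. The record shape, the static IV and the invoice payloads are constructed for the demo; session-manager.ts itself is not shown on this page. The point the finding turns on is that GCM runs CTR mode underneath, so two messages sealed under the same key and IV share a keystream and one known plaintext recovers the other.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";
import { Buffer } from "node:buffer";

// Hypothetical sealed-invoice shape: the IV must travel with the ciphertext so it can be decrypted.
export interface SealedInvoice {
  iv: Buffer;         // 96-bit nonce, unique per encryption under a given key
  ciphertext: Buffer;
  tag: Buffer;        // 128-bit GCM authentication tag
}

// BEFORE (the H1 finding): one IV fixed for the session and reused for every invoice.
const STATIC_IV = Buffer.alloc(12, 0x01); // constructed for the demo

export function encryptInvoiceReusedIv(key: Buffer, plaintext: Buffer): SealedInvoice {
  const cipher = createCipheriv("aes-256-gcm", key, STATIC_IV);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv: STATIC_IV, ciphertext, tag: cipher.getAuthTag() };
}

// AFTER: a fresh random 96-bit IV on every call, returned with the ciphertext.
export function encryptInvoice(key: Buffer, plaintext: Buffer): SealedInvoice {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ciphertext, tag: cipher.getAuthTag() };
}

export function decryptInvoice(key: Buffer, sealed: SealedInvoice): Buffer {
  const decipher = createDecipheriv("aes-256-gcm", key, sealed.iv);
  decipher.setAuthTag(sealed.tag); // final() throws if the tag does not verify
  return Buffer.concat([decipher.update(sealed.ciphertext), decipher.final()]);
}

// Attacker's view of IV reuse: with the keystream repeated, c1 XOR c2 == p1 XOR p2,
// so knowing p1 yields p2 = c1 XOR p1 XOR c2 without the key.
export function recoverViaKeystreamReuse(c1: Buffer, p1: Buffer, c2: Buffer): Buffer {
  const n = Math.min(c1.length, p1.length, c2.length);
  const out = Buffer.alloc(n);
  for (let i = 0; i < n; i++) out[i] = c1[i] ^ p1[i] ^ c2[i];
  return out;
}

export function demoIvReuse() {
  const key = randomBytes(32);
  // Constructed invoice payloads of equal length.
  const known = Buffer.from('{"invoice":"FV/2024/001","net":"1000.00"}');
  const secret = Buffer.from('{"invoice":"FV/2024/002","net":"2499.99"}');

  const r1 = encryptInvoiceReusedIv(key, known);
  const r2 = encryptInvoiceReusedIv(key, secret);
  const leaked = recoverViaKeystreamReuse(r1.ciphertext, known, r2.ciphertext);

  const f1 = encryptInvoice(key, known);
  const f2 = encryptInvoice(key, known); // same plaintext twice: IVs and ciphertexts differ
  return {
    leakedEqualsSecret: leaked.equals(secret),
    freshIvsDiffer: !f1.iv.equals(f2.iv),
    freshCiphertextsDiffer: !f1.ciphertext.equals(f2.ciphertext),
    roundTrip: decryptInvoice(key, f1).equals(known),
  };
}
```

Reuse under GCM also exposes the authentication subkey, so forged tags follow from the same mistake, not just plaintext recovery. Random 96-bit IVs are safe for on the order of 2^32 encryptions per key; past that, rotate the key or switch to a counter-based nonce.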
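Worked example for H2, added here as an illustration and not the project's workflow-registry.ts: an in-memory registry with the unscoped lookup that causes the IDOR beside a lookup keyed on the caller's tenant, with every mutation routed through the scoped lookup. The Workflow and Principal shapes and the seed records are constructed for the demo.

```typescript
// Hypothetical shapes; the real types in the project are not shown on the page.
export interface Workflow {
  id: string;
  tenantId: string;
  name: string;
  status: "draft" | "active";
}

export interface Principal {
  tenantId: string;
  userId: string;
}

export class WorkflowRegistry {
  private readonly byId = new Map<string, Workflow>();

  constructor(seed: Workflow[]) {
    for (const w of seed) this.byId.set(w.id, w);
  }

  // BEFORE (the H2 finding): whoever knows or guesses an id gets the record.
  // The id is the only thing standing between tenants.
  getUnscoped(id: string): Workflow | undefined {
    return this.byId.get(id);
  }

  // AFTER: the tenant is part of the lookup key. A foreign tenant's id behaves
  // exactly like a missing id, so there is no existence oracle either.
  // The D1 equivalent is `WHERE id = ?1 AND tenant_id = ?2`, never `WHERE id = ?1` alone.
  get(p: Principal, id: string): Workflow | undefined {
    const w = this.byId.get(id);
    return w !== undefined && w.tenantId === p.tenantId ? w : undefined;
  }

  // Every mutation resolves its target through the scoped lookup, so a
  // cross-tenant write is impossible by construction rather than by a check
  // each resolver has to remember.
  setStatus(p: Principal, id: string, status: Workflow["status"]): boolean {
    const w = this.get(p, id);
    if (w === undefined) return false; // indistinguishable from "not found"
    w.status = status;
    return true;
  }

  list(p: Principal): Workflow[] {
    return [...this.byId.values()].filter((w) => w.tenantId === p.tenantId);
  }
}

export function demoTenantScoping() {
  const reg = new WorkflowRegistry([
    { id: "wf-1001", tenantId: "tenant-a", name: "invoice-sync", status: "draft" },
    { id: "wf-1002", tenantId: "tenant-b", name: "cert-renewal", status: "draft" },
  ]);
  // Caller from tenant-a probing tenant-b's workflow id.
  const caller: Principal = { tenantId: "tenant-a", userId: "u-7" };
  const scopedList = reg.list(caller);
  return {
    unscopedLeaks: reg.getUnscoped("wf-1002")?.tenantId === "tenant-b",
    scopedBlocks: reg.get(caller, "wf-1002") === undefined,
    ownStillWorks: reg.get(caller, "wf-1001")?.name === "invoice-sync",
    crossTenantWriteRejected: !reg.setStatus(caller, "wf-1002", "active"),
    victimUnchanged: reg.getUnscoped("wf-1002")?.status === "draft",
    ownWriteWorks: reg.setStatus(caller, "wf-1001", "active"),
    listIsScoped: scopedList.length === 1 && scopedList[0].tenantId === "tenant-a",
  };
}
```

The tenant comes from the authenticated principal (session or token), never from a request field the client can set; taking it from the GraphQL arguments would reintroduce the same IDOR one layer up.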
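Worked example for H3, added here as an illustration and not the project's CORS utility: the suffix match on .pages.dev that the finding describes, next to a policy that admits only the production and preview hostnames of named Cloudflare Pages projects (https://<project>.pages.dev and https://<label>.<project>.pages.dev). The project name "example-portal" and the extra origin are assumptions for the demo.

```typescript
export type OriginPolicy = (origin: string | null) => boolean;

// BEFORE (the H3 finding): every site on the shared *.pages.dev apex is trusted,
// including ones an attacker can deploy for free.
export function isAllowedOriginWeak(origin: string | null): boolean {
  return origin !== null && origin.endsWith(".pages.dev");
}

// AFTER: one policy object built from the list of project names, usable by all services.
// Accepts https://<project>.pages.dev and https://<label>.<project>.pages.dev only.
export function makeOriginPolicy(projects: string[], extraExact: string[] = []): OriginPolicy {
  const escaped = projects
    .map((p) => p.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"))
    .join("|");
  const pagesRe = new RegExp(`^https://(?:[a-z0-9-]+\\.)?(?:${escaped})\\.pages\\.dev$`);
  const exact = new Set(extraExact);
  return (origin) => origin !== null && (exact.has(origin) || pagesRe.test(origin));
}

// Shared helper: reflect the origin only when the policy accepts it, and always send
// Vary: Origin so a cache never serves one origin's ACAO header to another.
export function corsHeaders(allow: OriginPolicy, origin: string | null): Record<string, string> {
  if (origin === null || !allow(origin)) return {}; // no ACAO header at all for unknown origins
  return {
    "Access-Control-Allow-Origin": origin,
    "Vary": "Origin",
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
  };
}

export function demoCorsPolicy() {
  const allow = makeOriginPolicy(["example-portal"], ["https://app.example.com"]);
  return {
    weakAcceptsAnyPagesSite: isAllowedOriginWeak("https://evil.pages.dev"),
    strictRejectsForeignProject: !allow("https://evil.pages.dev"),
    strictAcceptsProduction: allow("https://example-portal.pages.dev"),
    strictAcceptsPreview: allow("https://3f9a2c1b.example-portal.pages.dev"),
    strictAcceptsExtra: allow("https://app.example.com"),
    strictRejectsLookalikes:
      !allow("https://example-portal.pages.dev.evil.com") &&
      !allow("https://notexample-portal.pages.dev") &&
      !allow("http://example-portal.pages.dev"),
    noHeaderForUnknown: Object.keys(corsHeaders(allow, "https://evil.pages.dev")).length === 0,
    varyOnKnown: corsHeaders(allow, "https://example-portal.pages.dev")["Vary"] === "Origin",
  };
}
```

Keeping the project list in one module means all five services share one definition of "ours"; adding a project is a one-line change rather than five regexes to keep in sync. If credentials are sent with the request, the same helper is also the only place that should ever emit Access-Control-Allow-Credentials.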
Acceptance Criteria