Every assertion below is enforced in code at boot or on every request. This page consolidates them so an operator can confirm posture without reading the source.
Status: Implemented. Each row cites the file path that enforces it.
## Boot-time assertions (src/config/validateEnv.ts)

| Assertion | Behaviour |
|---|---|
| JWT_SECRET set, ≥32 chars | Hard-fail boot in production |
| JWT_REFRESH_SECRET set, ≥32 chars | Hard-fail boot in production |
| DATABASE_URL set (or full PG quartet) | Hard-fail boot in production |
| CORS_ALLOWED_ORIGINS set, no *, every entry valid http(s) | Hard-fail boot in production |
| PUBLIC_URL set and valid http(s) | Hard-fail boot in production |
| PORT parses to integer in [1, 65535] | Hard-fail boot |
| Resend transport: all of (RESEND_API_KEY, ALERT_EMAIL_TO, EMAIL_FROM) or none | Hard-fail boot in production if partial |
| Observability tokens (SENTRY_DSN, RAILWAY_API_TOKEN, VERCEL_API_TOKEN, NEON_API_KEY) | Warn-only — boot succeeds |
| COMMS_* identities | Warn-only; falls back to @govula.com placeholder |
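As an added example (not the project's src/config/validateEnv.ts), the validator below enforces the table above in the same shape: failures that are fatal only in production are collected separately from the always-fatal PORT check, and observability gaps only warn. The PG quartet variable names (PGHOST, PGUSER, PGPASSWORD, PGDATABASE), the COMMS_ prefix check and the message texts are assumptions.

```typescript
// Added example: boot-time validator shaped like the table above. Not the
// project's validateEnv.ts; PG quartet names and the COMMS_ prefix check are assumptions.

type Env = Record<string, string | undefined>;

export interface ValidationResult {
  errors: string[];   // non-empty => hard-fail boot
  warnings: string[]; // logged, boot continues
}

export const MIN_SECRET_LENGTH = 32;
const PG_QUARTET = ['PGHOST', 'PGUSER', 'PGPASSWORD', 'PGDATABASE'];
const RESEND_VARS = ['RESEND_API_KEY', 'ALERT_EMAIL_TO', 'EMAIL_FROM'];
const OBSERVABILITY_VARS = ['SENTRY_DSN', 'RAILWAY_API_TOKEN', 'VERCEL_API_TOKEN', 'NEON_API_KEY'];

function isHttpUrl(value: string): boolean {
  try {
    const u = new URL(value);
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch {
    return false;
  }
}

function checkSecret(env: Env, name: string, out: string[]): void {
  const v = env[name];
  if (!v) out.push(`${name} is not set`);
  else if (v.length < MIN_SECRET_LENGTH) out.push(`${name} must be at least ${MIN_SECRET_LENGTH} characters`);
}

export function validateEnv(env: Env, isProduction: boolean): ValidationResult {
  const errors: string[] = [];      // fatal in every environment
  const prodErrors: string[] = [];  // fatal only in production
  const warnings: string[] = [];

  checkSecret(env, 'JWT_SECRET', prodErrors);
  checkSecret(env, 'JWT_REFRESH_SECRET', prodErrors);

  if (!env.DATABASE_URL && !PG_QUARTET.every((k) => Boolean(env[k]))) {
    prodErrors.push(`DATABASE_URL or all of ${PG_QUARTET.join('/')} must be set`);
  }

  // CORS allowlist: present, no wildcard, every entry a valid http(s) origin.
  const origins = (env.CORS_ALLOWED_ORIGINS ?? '').split(',').map((s) => s.trim()).filter(Boolean);
  if (origins.length === 0) prodErrors.push('CORS_ALLOWED_ORIGINS is not set');
  for (const o of origins) {
    if (o === '*') prodErrors.push('CORS_ALLOWED_ORIGINS must not contain "*"');
    else if (!isHttpUrl(o)) prodErrors.push(`CORS_ALLOWED_ORIGINS entry is not a valid http(s) URL: ${o}`);
  }

  if (!env.PUBLIC_URL || !isHttpUrl(env.PUBLIC_URL)) prodErrors.push('PUBLIC_URL must be a valid http(s) URL');

  // PORT is checked in every environment: a bad port is never just a warning.
  const portRaw = env.PORT ?? '';
  if (!/^\d+$/.test(portRaw) || Number(portRaw) < 1 || Number(portRaw) > 65535) {
    errors.push(`PORT must be an integer in [1, 65535], got "${portRaw}"`);
  }

  // Resend transport is all-or-nothing; a partial set would silently drop alerts.
  const missingResend = RESEND_VARS.filter((k) => !env[k]);
  if (missingResend.length > 0 && missingResend.length < RESEND_VARS.length) {
    prodErrors.push(`Resend transport partially configured; missing ${missingResend.join(', ')}`);
  }

  // Warn-only: boot continues without these integrations.
  for (const k of OBSERVABILITY_VARS) {
    if (!env[k]) warnings.push(`${k} not set; the matching integration is disabled`);
  }
  if (!Object.keys(env).some((k) => k.startsWith('COMMS_') && env[k])) {
    warnings.push('no COMMS_* identity set; falling back to placeholder sender');
  }

  if (isProduction) errors.push(...prodErrors);
  else warnings.push(...prodErrors.map((e) => `${e} (would fail boot in production)`));
  return { errors, warnings };
}
```

Calling `validateEnv(process.env, process.env.NODE_ENV === 'production')` at the top of the entrypoint and exiting when `errors` is non-empty gives the hard-fail behaviour; the same call in a non-production environment surfaces every production failure as a warning, so a misconfiguration is visible before it reaches a production deploy.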
## CORS (src/app.ts)

| Behaviour | Where |
|---|---|
| Origins parsed from CORS_ALLOWED_ORIGINS | getCorsOrigins() in src/config/index.ts |
| Production rejects unknown origins with 403 CORS_DENIED | src/app.ts |
| Wildcard * rejected at boot | validateEnv.ts |
| Per-request rejection logged with origin + path metadata | logger.warn('CORS: blocked request from disallowed origin', …) |
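The per-request decision, as an added example that is not the project's src/app.ts: origins are normalised to scheme://host[:port] before comparison so that case, a trailing path, credentials or the literal "null" origin cannot produce a false match, and a denial yields the 403 plus a warn-level log record carrying origin and path. The payload and log record shapes are assumptions; the log message text is the one cited in the table.

```typescript
// Added example (not the project's src/app.ts): per-request origin check over
// an allowlist already validated at boot. Payload and log shapes are assumptions.

export interface CorsDecision {
  allowed: boolean;
  status?: 403;
  body?: { error: 'CORS_DENIED'; message: string };
  log?: { level: 'warn'; msg: string; origin: string; path: string };
}

function parseUrl(value: string): URL | null {
  try {
    return new URL(value);
  } catch {
    return null;
  }
}

// Reduce an origin string to lower-case scheme://host[:port], or null when it is not
// a plain http(s) origin. A real Origin header never carries a path, query, fragment
// or credentials, so anything that does is refused rather than loosely matched.
export function normalizeOrigin(value: string): string | null {
  const u = parseUrl(value);
  if (u === null) return null; // covers "null", "*" and garbage
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  if (u.pathname !== '/' || u.search !== '' || u.hash !== '' || u.username !== '' || u.password !== '') return null;
  return u.origin.toLowerCase();
}

export function buildOriginAllowlist(configured: string[]): Set<string> {
  const allow = new Set<string>();
  for (const entry of configured) {
    const n = normalizeOrigin(entry);
    if (n !== null) allow.add(n); // '*' never normalizes; boot already rejected it anyway
  }
  return allow;
}

export function decideCors(allow: Set<string>, originHeader: string | undefined, path: string): CorsDecision {
  // No Origin header means this is not a cross-origin browser request; route auth still applies.
  if (originHeader === undefined) return { allowed: true };
  const n = normalizeOrigin(originHeader);
  if (n !== null && allow.has(n)) return { allowed: true };
  return {
    allowed: false,
    status: 403,
    body: { error: 'CORS_DENIED', message: 'Origin is not in the allowlist' },
    log: { level: 'warn', msg: 'CORS: blocked request from disallowed origin', origin: originHeader, path },
  };
}
```

Exact-match on the normalised origin is deliberate: a suffix or prefix comparison would accept `https://app.example.test.evil.example` or a subdomain the operator never listed.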
## Helmet / CSP (src/app.ts)

| Header | Value |
|---|---|
| Content-Security-Policy | Strict — defaultSrc: 'self', objectSrc: 'none', frameSrc: 'none' |
| Strict-Transport-Security | max-age=31536000; includeSubDomains; preload |
| X-Frame-Options | DENY |
| X-Content-Type-Options | nosniff |
| Referrer-Policy | no-referrer |
## Rate limiting

| Surface | Limiter | Where |
|---|---|---|
| Global all-routes | express-rate-limit | src/app.ts |
| Auth (/api/v1/auth/*) | authRateLimiter | src/middleware/authRateLimit.ts |
| Password reset | passwordResetRateLimiter | same |
| Investor tracking | per-route limit | src/routes/investorTracking.ts |
| Walkthrough requests | per-route limit | route file |
| Audit export | per-route limit | route file |
| Per-tenant (opt-in) | perTenantRateLimit | src/middleware/perTenantRateLimit.ts |

Known gap (audit F-S6): POST /api/v1/gps/verify only has the global limiter. Tracked as the existing project task "Lock down public peer-onboarding endpoint…".
## Tenant isolation (RLS)

| Assertion | Where |
|---|---|
| RLS in STRICT mode (no bypass-on-null) | src/migrations/018_strict_rls.sql |
| app.tenant_id set inside transaction | queryWithTenant() in src/repositories/database.ts |
| System queries require typed SystemQueryReason + actor | queryAsSystem() same file |
| Raw getClient() escape hatch hard-throws | src/repositories/database.ts:509 |
| Cross-tenant aggregates require min-cohort=5 | industry_benchmarks.cohort_size CHECK >= 5 |
## Audit immutability

| Ledger | Append-only mechanism |
|---|---|
| audit_log | Postgres DO INSTEAD NOTHING rule (src/migrations/014_forensic_audit.sql) |
| tenant_operation_log | same (src/migrations/035_tenant_operations.sql) |
| operator_audit_events | same (src/migrations/037_operator_domain.sql) |
| Hash chain integrity | SHA-256, replayable via force_audit_replay_validation |
## Body parsing

| Behaviour | Where |
|---|---|
| Body ≤ 1 MB | express.json({ limit: '1mb' }) in src/app.ts |
| Oversized body → 413 (NOT 500) | error handler in same file |
| Malformed JSON → 400 (NOT 500) | same |
| Unknown route → 404 with structured payload | same |
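The ordering behind these four rows, as an added example that is not the project's src/app.ts: the size gate runs before parsing, parsing runs before routing, and every failure path returns the same structured shape, so nothing in this pipeline can degrade to a bare 500. The model is dependency-free so it can be exercised without a server; route keys, error codes and message text are assumptions. The `type` strings in classifyParserError are the ones body-parser (what express.json() uses) attaches to the errors it raises.

```typescript
// Added example (not the project's src/app.ts): a dependency-free model of the
// parse-then-route pipeline plus the mapping for real body-parser errors.

export const BODY_LIMIT_BYTES = 1024 * 1024; // express.json({ limit: '1mb' })

export interface Req { method: string; path: string; rawBody: string; }
export interface Res { status: number; body: unknown; }
export type Handler = (json: unknown) => unknown;

function fail(status: number, error: string, message: string): Res {
  return { status, body: { error, message } };
}

export function dispatch(routes: Map<string, Handler>, req: Req): Res {
  // 1. Size gate before parsing: an oversized body never reaches JSON.parse.
  if (new TextEncoder().encode(req.rawBody).length > BODY_LIMIT_BYTES) {
    return fail(413, 'PAYLOAD_TOO_LARGE', 'Request body exceeds 1 MB');
  }
  // 2. Parse. express.json runs before routing, so a malformed body on an
  //    unknown route is a 400, not a 404.
  let json: unknown = undefined;
  if (req.rawBody.length > 0) {
    try {
      json = JSON.parse(req.rawBody);
    } catch {
      return fail(400, 'MALFORMED_JSON', 'Request body is not valid JSON');
    }
  }
  // 3. Route lookup: an unknown route gets the same structured shape as every other error.
  const handler = routes.get(`${req.method} ${req.path}`);
  if (!handler) return fail(404, 'NOT_FOUND', `${req.method} ${req.path} does not exist`);
  // 4. Handler failures become a structured 500 with no stack or internals in the body.
  try {
    return { status: 200, body: handler(json) };
  } catch {
    return fail(500, 'INTERNAL_ERROR', 'Unexpected server error');
  }
}

// For the real Express error handler: map body-parser's error `type` to the status
// this page promises, and collapse everything else to a structured 500.
export function classifyParserError(err: unknown): Res {
  const type = typeof err === 'object' && err !== null ? (err as { type?: unknown }).type : undefined;
  if (type === 'entity.too.large') return fail(413, 'PAYLOAD_TOO_LARGE', 'Request body exceeds 1 MB');
  if (type === 'entity.parse.failed') return fail(400, 'MALFORMED_JSON', 'Request body is not valid JSON');
  return fail(500, 'INTERNAL_ERROR', 'Unexpected server error');
}
```

In Express the mapping is installed as a four-argument error middleware registered after the routes, `app.use((err, _req, res, _next) => { const r = classifyParserError(err); res.status(r.status).json(r.body); })`, and it must be the last middleware or the default handler will answer first with a 500.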
## Health endpoints

| Path | Behaviour |
|---|---|
| GET /health | Unconditional liveness; never auth-gated; never blocked by middleware. Use this for load balancer healthchecks. |
| GET /api/v1/health | Full readiness envelope; gated on the boot envelope in production. Use this for "should this instance receive traffic?". |
## Operator elevation

| Assertion | Where |
|---|---|
| Operator capabilities require explicit elevation over normal session | src/middleware/operatorElevation.ts |
| Elevation requires reason ≥ 10 chars | src/services/operatorService.ts |
| Recent-auth check ≤ 30 min, fail-closed | same |
| Every elevation grant + every capability invocation audited | recordAuditEvent('operator.elevation.granted', …) |
## What's NOT enforced (audit gaps)

These are real gaps documented in ../audits/phase1-readiness-audit.md. Tracked as separate project tasks:

- POST /api/v1/gps/onboard is unauthenticated (F-A1) — HIGH
- POST /api/v1/gps/verify lacks per-route rate limit (F-A2)
- body_html rendered with dangerouslySetInnerHTML from operator-controlled content lacks server-side sanitization contract (F-S1)
- CSRF posture is mixed; no CSRF token model (F-S2) — currently mitigated by Bearer-header default
## Manual confirmation

Run the post-deploy verification block from ../production-checklist.md. Every assertion above produces a deterministic HTTP response — no inspection of internal state is required.
## Where to read more

- ../production-checklist.md — pre/post deploy gates
- secrets-management.md — env hierarchy
- observability-setup.md — what to monitor
- In-app: /docs/deployment/production-hardening