🔒 Security Hardening, Architecture Improvements & UX Polish
Comprehensive audit-driven improvements across 4 phases.
🛡️ Security (Phase 0)
- Auth guard — API route protection via
withAuthmiddleware - CSRF protection — Token-based guard for state-changing routes
- Request payload validation — Zod schemas for all endpoints
- Body size guard — Route-specific limits with audio upload threshold
- Rate limiter — Per-IP limiting with configurable thresholds
🏗️ Architecture (Phase 1–2)
- DI container for service registration
- PolicyEngine consolidation for routing/security/rate limiting
- SQLite migration system with versioned runner
- Graceful shutdown with connection draining
- Pipeline decomposition — composable proxy stages
- Plugin architecture, prompt template versioning, eval scheduling
- Resolved all TypeScript errors; removed
@ts-checkdirectives
🧪 Testing & CI (Phase 2)
- Jest coverage thresholds enforced in CI (368 tests)
- Proxy pipeline integration tests
- CI security audit workflow
- k6 load tests with ramping VUs
- Fixed ESLint 9 flat config for
@typescript-eslintplugin
✨ UX & Polish (Phase 3–4)
- Session management card with logout
- Focus indicators —
:focus-visible+--focus-ringutility - Audit log viewer with structured event display
- Quick Start links corrected to Endpoint page
- Troubleshooting documentation