
rebuild: ADR-0019..0025 + PQC ESM migration + P0 CORS/auth security fixes#216

Open: HeadyMe wants to merge 2 commits into main from integrate/adr-pqc-security-phase1

Conversation


@HeadyMe HeadyMe commented Jun 18, 2026

Member

Summary

Consolidates architectural decision records (ADR-0019 through ADR-0025), PQC ESM migration, and Phase 1 P0 security fixes from the rebuild branch.


New ADRs

| ADR  | Title                                                                  | Strength |
| ---- | ---------------------------------------------------------------------- | -------- |
| 0019 | Nine-domain brand architecture — nonprofit/commercial IRS split        | ⭐⭐⭐⭐⭐ |
| 0020 | Drupal 11 as headless CMS                                              | ⭐⭐⭐⭐ |
| 0022 | GCP region canonical lock — us-east1, blocks heady-prod-609590223909   | ⭐⭐⭐⭐⭐ |
| 0023 | heady-manager.js decomposition mandate                                 | ⭐⭐⭐⭐⭐ |
| 0024 | src/config/domain-registry.js canonical domain file                    | ⭐⭐⭐⭐⭐ |
| 0025 | content-gateway Cloudflare Worker contract                             | ⭐⭐⭐⭐ |

P0 Security Fixes (ADR-0023 Phase 1)

src/middleware/auth.js

heady-manager.js:399 — timing attack

- if (adminToken !== process.env.ADMIN_TOKEN) {
+ // crypto.timingSafeEqual with padding — constant-time comparison
+ if (!timingSafeStringEqual(provided, expected)) {
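Review bot: the hunk renames the operands from `adminToken` / `process.env.ADMIN_TOKEN` to `provided` / `expected` without showing where either is bound; please show (or document in auth.js) that `expected` is read from `process.env.ADMIN_TOKEN` and that an unset or empty `ADMIN_TOKEN` makes the check fail closed instead of passing `undefined` into `timingSafeStringEqual`. The comment "with padding" also needs care: padding both strings to a common length stops `crypto.timingSafeEqual` from throwing on unequal lengths, but the length equality then has to be folded into the result without an early return, otherwise the secret's length still leaks. Hashing both sides to a fixed-size digest (for example SHA-256) and calling `timingSafeEqual` on the digests is the simpler way to get a constant-time result regardless of input length.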

heady-manager.js:458/465 — tier derivation timing leak

- const tier = token === process.env.HEADY_API_KEY ? 'admin' : 'core'
+ const tier = resolveAuthTier(token, authEngine) // timingSafeEqual fallback
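Review bot: `// timingSafeEqual fallback` is ambiguous in a fix whose whole point is constant-time comparison: if `resolveAuthTier` tries a non-constant-time path first and only falls back to `timingSafeEqual`, the leak at lines 458/465 is not closed. State which comparison runs first, and confirm the function compares the token against every configured key on every call rather than returning on the first match, so response time does not reveal which key a probe came closest to. The removed line also assigned 'core' to any token that was not the admin key, including tokens that match nothing; confirm the new path returns a reject result for unknown tokens instead of inheriting that default.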

src/middleware/cors.js

heady-manager.js:197 — CORS wildcard

- origin: process.env.ALLOWED_ORIGINS?.split(',') ?? '*'
+ // Origin not in DOMAIN_REGISTRY → 403 CORS_ORIGIN_REJECTED
+ if (!isAllowedOrigin(origin)) return res.status(403).json(...)
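Review bot: replacing the `cors` `origin` option with an explicit 403 changes the mechanism, so three cases the old line handled implicitly need to be spelled out: requests with no `Origin` header at all (same-origin navigation, curl, server-to-server calls), which `isAllowedOrigin(undefined)` would reject and which would break every non-browser client; the `OPTIONS` preflight, which must also get the 403 (or at least no `Access-Control-Allow-Origin`) for unknown origins; and `Vary: Origin` on any response that echoes an allowed origin, so a shared cache does not serve one origin's response to another. Please also state that `isAllowedOrigin` is an exact match on `scheme://host[:port]` rather than a substring or suffix test, since `https://headyconnection.org.attacker.example` must fail.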

New Source Files

| File                          | Purpose                                                                                          |
| ----------------------------- | ------------------------------------------------------------------------------------------------ |
| src/config/domain-registry.js | Canonical 9-domain registry with frozen enums, CORS set, Firebase tenant map, PQC namespace util |
| src/middleware/auth.js        | P0 timing-safe auth middleware with tier resolution                                              |
| src/middleware/cors.js        | P0 DOMAIN_REGISTRY-driven CORS, 403 on unknown origin                                            |
| src/security/pqc.js           | ESM migration v2.0.0, private class fields, ML-KEM-768/ML-DSA-65                                 |
| src/routes/pqc.js             | ESM migration, export default router                                                             |

Breaking Change

ALLOWED_ORIGINS env var is deprecated. Remove from all environments after merge — src/middleware/cors.js uses DOMAIN_REGISTRY exclusively.


Checklist

  • No require() in any new file (ADR-0011)
  • No magic numbers — phi-scaled constants only (ADR-0006)
  • CORS wildcard removed (ADR-0023 P0)
  • Timing-safe token comparison (ADR-0023 P0)
  • headyconnection.org commercial: false in registry (ADR-0019 IRS)
  • Unit tests for timing-safe auth (follow-up)
  • Unit tests for CORS rejection (follow-up)

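The DOMAIN_REGISTRY-driven CORS check described above, as an added example that is not the PR's src/middleware/cors.js or src/config/domain-registry.js. The registry here is a constructed two-entry stand-in for the nine real domains (headyconnection.org is taken from the checklist; commercial.example is a placeholder), and `buildCorsSet`, `createCorsMiddleware` and `simulate` are names assumed for this example. `isAllowedOrigin` and the `CORS_ORIGIN_REJECTED` code come from the description. Beyond the single case the description shows, it handles the no-Origin request, the preflight, and lookalike origins (suffix, userinfo, non-default port, `Origin: null`).

```javascript
// Added example, not the PR's src/middleware/cors.js. Plain Node, no deps.

// Constructed sample registry standing in for the real nine-domain one.
const DOMAIN_REGISTRY = Object.freeze([
  Object.freeze({ host: 'headyconnection.org', commercial: false }),
  Object.freeze({ host: 'commercial.example', commercial: true }), // placeholder
]);

// Build the allowlist once: https only, exact host, no port, no path.
function buildCorsSet(registry) {
  return new Set(registry.map((d) => `https://${d.host}`));
}

// Exact match on scheme://host[:port]. Parsing through URL means
// "https://headyconnection.org:443" normalises to the allowed origin, while
// a suffix lookalike, a different scheme, userinfo, a non-default port, a
// path, or the literal "null" origin (URL() throws on it) are all rejected.
function isAllowedOrigin(origin, corsSet) {
  if (typeof origin !== 'string') return false;
  let u;
  try { u = new URL(origin); } catch { return false; }
  if (u.pathname !== '/' || u.search || u.hash || u.username || u.password) return false;
  return corsSet.has(u.origin);
}

function createCorsMiddleware(corsSet) {
  return function cors(req, res, next) {
    const origin = req.headers.origin;
    // No Origin header: not a cross-origin browser request (curl, same-origin
    // navigation, server-to-server). CORS cannot protect these anyway, so let
    // them through with no CORS headers rather than break non-browser clients.
    if (origin === undefined) return next();
    if (!isAllowedOrigin(origin, corsSet)) {
      return res.status(403).json({ error: 'CORS_ORIGIN_REJECTED' });
    }
    res.setHeader('Access-Control-Allow-Origin', origin);
    res.setHeader('Vary', 'Origin'); // caches must key on Origin when echoing it
    if (req.method === 'OPTIONS') {
      // Preflight: answer here; unknown origins were already rejected above.
      res.setHeader('Access-Control-Allow-Methods', 'GET,POST,PUT,DELETE');
      res.setHeader('Access-Control-Allow-Headers', 'Authorization,Content-Type');
      return res.status(204).end();
    }
    return next();
  };
}

// Minimal fake req/res so the middleware can be exercised without Express.
function simulate(middleware, method, headers) {
  const out = { status: 200, headers: {}, body: undefined, passed: false };
  const res = {
    setHeader(k, v) { out.headers[k] = v; },
    status(c) { out.status = c; return res; },
    json(b) { out.body = b; return res; },
    end() { return res; },
  };
  middleware({ method, headers }, res, () => { out.passed = true; });
  return out;
}

const cors = createCorsMiddleware(buildCorsSet(DOMAIN_REGISTRY));
console.log(simulate(cors, 'GET', { origin: 'https://headyconnection.org' }).passed);            // true
console.log(simulate(cors, 'GET', { origin: 'https://headyconnection.org.attacker.example' }).status); // 403
```

`simulate` is only a test harness; in the app the middleware goes on `app.use(...)` ahead of the routes, and the CORS-rejection unit tests the checklist lists as a follow-up can drive `isAllowedOrigin` and `createCorsMiddleware` the same way.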
HeadyMe added 2 commits June 18, 2026 03:23
ADR-0019: Nine-domain brand architecture (IRS nonprofit/commercial split)
ADR-0020: Drupal 11 as headless CMS (JSON:API + Firebase Auth SSO)
ADR-0022: GCP region canonical lock (us-east1, block heady-prod-609590223909)
ADR-0023: heady-manager.js decomposition mandate (P0 security timeline)
ADR-0024: domain-registry.js canonical domain file
ADR-0025: content-gateway Cloudflare Worker contract (Drupal JSON:API)

P0 SECURITY FIXES (ADR-0023 Phase 1):
- src/middleware/auth.js: crypto.timingSafeEqual replaces string === comparison
- src/middleware/cors.js: DOMAIN_REGISTRY allowlist replaces wildcard '*'
- src/config/domain-registry.js: canonical ESM registry (9 domains)

PQC ESM MIGRATION (ADR-0011):
- src/security/pqc.js: CJS → ESM, private class fields, v2.0.0
- src/routes/pqc.js: CJS → ESM, export default router
