singularity-forge

History

Jeremy McSpadden ab03677567 fix(security): activate auth middleware and harden shutdown/update routes (#4023 ) The Next.js auth middleware (proxy.ts) was never wired in — it exported `proxy` from a file named proxy.ts, but Next.js requires a `middleware` export from middleware.ts. The middleware-manifest.json was empty, leaving all 42 API routes accessible without authentication. Fixes: - Rename web/proxy.ts → web/middleware.ts, export `middleware` not `proxy` - Add defense-in-depth auth-guard to /api/shutdown and /api/update routes - Remove shell: true from update-service spawn (command injection surface) - Update contract tests to verify middleware file name and export Closes #4014 Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-13 07:52:43 -04:00
..
route.ts	fix(security): activate auth middleware and harden shutdown/update routes (#4023 )	2026-04-13 07:52:43 -04:00

Jeremy McSpadden ab03677567 fix(security): activate auth middleware and harden shutdown/update routes (#4023 )

The Next.js auth middleware (proxy.ts) was never wired in — it exported
`proxy` from a file named proxy.ts, but Next.js requires a `middleware`
export from middleware.ts. The middleware-manifest.json was empty,
leaving all 42 API routes accessible without authentication.

Fixes:
- Rename web/proxy.ts → web/middleware.ts, export `middleware` not `proxy`
- Add defense-in-depth auth-guard to /api/shutdown and /api/update routes
- Remove shell: true from update-service spawn (command injection surface)
- Update contract tests to verify middleware file name and export

Closes #4014

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-13 07:52:43 -04:00

route.ts

fix(security): activate auth middleware and harden shutdown/update routes (#4023 )

2026-04-13 07:52:43 -04:00