fix(security): Phase 1 P0 hardening from cross-project audit
All checks were successful
CI / Lint, Unit Tests & Build (push) Successful in 5m42s
CI / Deploy production (on server) (push) Successful in 33s

Close open uploads, image-proxy SSRF, fail-open AI quotas in production,
auth gaps on app routes, and MCP tenant isolation issues.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Antigravity
2026-06-20 16:53:19 +00:00
parent 40f30155c2
commit 4d96605144
16 changed files with 264 additions and 95 deletions

View File

@@ -27,7 +27,11 @@ export const authConfig = {
nextUrl.pathname.startsWith('/canvas') ||
nextUrl.pathname.startsWith('/notebooks') ||
nextUrl.pathname.startsWith('/note/') ||
nextUrl.pathname.startsWith('/brainstorm');
nextUrl.pathname.startsWith('/brainstorm') ||
nextUrl.pathname.startsWith('/insights') ||
nextUrl.pathname.startsWith('/graph') ||
nextUrl.pathname.startsWith('/revision') ||
nextUrl.pathname.startsWith('/support');
const isAdminPage = nextUrl.pathname.startsWith('/admin');
const isPublicPage = nextUrl.pathname === '/' ||
nextUrl.pathname === '/login' ||