rcode-harden
Install: claude install-skill hanzlahabib/rcode
@.rcode/references/karpathy-guidelines.md
## Overview
Pre-launch security pass for SaaS code. Not a generic OWASP checklist — opinionated for the rcode-default stack (Next.js / Strapi / Postgres / Keycloak / Sentry). Especially focused on the failure modes that have actually bitten rcode projects: Keycloak ↔ AD sync drift, multi-tenant query leaks, and JWT-as-source-of-truth bugs.
## Workflow
1. **Map the attack surface.** List every endpoint, file upload, third-party webhook, and background job. If you can't enumerate them, you can't audit them.
2. **Per surface, run the checklist** below.
3. **Triage findings:** Critical (block launch), High (fix before next sprint), Medium (track in `incidents/known-issues.md`).
4. **Verify fixes** end-to-end — most security bugs are caught by writing the malicious test case, not by code review alone.
## Checklist (applied per surface)
### Authentication
- JWT verified on every request, not just `POST /login`. Any route that skips verification will accept a forged token.
- Issuer (`iss`), audience (`aud`), expiry (`exp`), and signature all checked. Missing any one is a compromise.
- For Keycloak: re-fetch the JWKS keys, don't pin them — Keycloak rotates.
- AD sync: every Keycloak login should re-validate the user against AD; Keycloak users left stale after AD deactivation are the documented rcode incident.
- Session invalidation on password change actually clears all sessions, not just the current one.
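
The signature, `iss`, `aud` and `exp` checks and the JWKS re-fetch from the list above, as an added Node.js example (not rcode's own code). The issuer URL, audience, `kid` values and the in-memory `jwksEndpoint` map standing in for Keycloak's JWKS endpoint are assumptions; `sign` exists only to mint constructed tokens for the malicious test cases.

```javascript
// Added example. Issuer, audience, kid values and keys are constructed for the demo.
const crypto = require("node:crypto");

const ISSUER = "https://keycloak.example.test/realms/demo"; // assumed realm URL
const AUDIENCE = "demo-api"; // assumed client id
const fail = (reason) => ({ ok: false, reason });
const b64u = (s) => Buffer.from(s).toString("base64url");
const decode = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

// Stand-in for the realm's JWKS endpoint (kid -> public key); a real service fetches it over HTTPS.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const jwksEndpoint = new Map([["kid-1", publicKey]]);
let keyCache = new Map();

// Unknown kid: re-fetch instead of trusting a pinned set. Rate-limit this in real code.
function keyFor(kid) {
  if (!keyCache.has(kid)) keyCache = new Map(jwksEndpoint);
  return keyCache.get(kid);
}

function verifyJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return fail("malformed");
  let header, claims;
  try {
    header = decode(parts[0]);
    claims = decode(parts[1]);
  } catch {
    return fail("malformed");
  }
  if (!header || !claims) return fail("malformed");
  if (header.alg !== "RS256") return fail("alg"); // pin the algorithm; rejects "none"
  const key = keyFor(header.kid);
  if (!key) return fail("unknown kid");
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify("RSA-SHA256", signed, key, Buffer.from(parts[2], "base64url"))) return fail("signature");
  if (claims.iss !== ISSUER) return fail("iss");
  if (![].concat(claims.aud ?? []).includes(AUDIENCE)) return fail("aud");
  if (typeof claims.exp !== "number" || claims.exp <= now) return fail("exp");
  return { ok: true, claims };
}

// Test helper: mints constructed tokens so each failure mode can be exercised.
function sign(claims, header = { alg: "RS256", kid: "kid-1" }, key = privateKey) {
  const body = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  return `${body}.${crypto.sign("RSA-SHA256", Buffer.from(body), key).toString("base64url")}`;
}
```

Call `verifyJwt` from the middleware that fronts every route, and treat any `reason` as a 401.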
### Authorization
- Role checks AT the resource handler, not