Executive summary
Sign-in, access control, and tenant separation look solid, with one critical configuration issue to fix first: a live payment key is exposed on a public route. Guard confirmed 1 critical, 2 high, and 4 medium findings across code, dependencies, tests, and runtime. Fixing the exposed key and the admin auth gap moves this repo from “risky” to “reviewable” in an afternoon.
Findings, ranked by severity
What we checked
- Sign-in and session handling
- Access control and tenant separation
- Incoming data, uploads, and integrations
- Dependencies and supply chain
Enji Guard
GET /api/health returns STRIPE_SECRET_KEY with no authentication. Rotate the key and remove it from the response. File: apps/api/src/routes/health.ts, line 5.