SSRF Protection - All external URL fetches (image provider, bulk helpers) now use ssrfSafeFetch with strict timeouts and domain validation
Token Encryption - Meta API tokens encrypted at rest with AES-256. Refresh workers use encrypted storage exclusively
RBAC Enforcement - Billing endpoints (cancel, change-plan, extra-users) now require proper role authorization. Finance role removed from cross-tenant admin bypass
Tenant Isolation - Worker run status endpoints now enforce session-based data isolation. Added ownership checks on thumbnail/video URL signing
HMAC Verification - Public postback endpoints validate HMAC signatures. OAuth state comparison uses timing-safe equality
CORS Hardening - Wildcard origin rejected in non-local environments. Strict origin validation in production
Meta API Auth Migration - All Meta API calls migrated from URL query params to Bearer header authorization. Plaintext token fallback rejected in production
Input Validation - TypeBox schema validation hardened across all endpoints. Mass assignment prevention on user-modifiable objects
✨ Improved
TLS Verification - PostgreSQL connections now require TLS certificate verification in production
Credit System - Row-level locking (FOR UPDATE) on AI chat credit deduction prevents race conditions
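The Credit System entry says the deduction now takes a row lock with FOR UPDATE. The following added example shows the race and the locked version side by side; it is not the project's code, and the table `ai_chat_credits(tenant_id, balance)`, the function names and the node-postgres style `client.query(text, params)` interface returning `{ rows }` are assumptions.

```javascript
// Before the fix: read, check, then write with no lock. Two concurrent requests can
// both read balance=5, both pass the check, and both subtract, so the tenant gets two
// chats for one charge or ends up negative.
async function deductChatCreditsRacy(client, tenantId, amount) {
  const { rows } = await client.query(
    "SELECT balance FROM ai_chat_credits WHERE tenant_id = $1",
    [tenantId]
  );
  if (rows.length === 0 || Number(rows[0].balance) < amount) return { ok: false };
  const res = await client.query(
    "UPDATE ai_chat_credits SET balance = balance - $2 WHERE tenant_id = $1 RETURNING balance",
    [tenantId, amount]
  );
  return { ok: true, balance: Number(res.rows[0].balance) };
}

// After the fix: SELECT ... FOR UPDATE inside a transaction locks the tenant's row, so a
// concurrent deduction blocks until this one commits or rolls back and then re-reads the
// updated balance. Every exit path ends the transaction.
async function deductChatCredits(client, tenantId, amount) {
  if (!Number.isInteger(amount) || amount <= 0) throw new Error("amount must be a positive integer");
  await client.query("BEGIN");
  try {
    const { rows } = await client.query(
      "SELECT balance FROM ai_chat_credits WHERE tenant_id = $1 FOR UPDATE",
      [tenantId]
    );
    if (rows.length === 0) throw new Error(`no credit row for tenant ${tenantId}`);
    const balance = Number(rows[0].balance);
    if (balance < amount) {
      await client.query("ROLLBACK");
      return { ok: false, balance };
    }
    const res = await client.query(
      "UPDATE ai_chat_credits SET balance = balance - $2 WHERE tenant_id = $1 RETURNING balance",
      [tenantId, amount]
    );
    await client.query("COMMIT");
    return { ok: true, balance: Number(res.rows[0].balance) };
  } catch (err) {
    await client.query("ROLLBACK");
    throw err;
  }
}
```

With node-postgres the `client` must be one connection checked out of the pool for the whole transaction; running BEGIN and the later statements through `pool.query` can put them on different connections. A `CHECK (balance >= 0)` constraint on the table is a cheap second line of defence should any other code path skip the lock.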