Jason Woltje 7390cac2cc fix(#338): Bind CSRF token to user session with HMAC ...

- Token now includes HMAC binding to session ID
- Validates session binding on verification
- Adds CSRF_SECRET configuration requirement
- Requires authentication for CSRF token endpoint
- 51 new tests covering session binding security

Security: CSRF tokens are now cryptographically tied to user sessions,
preventing token reuse across sessions and mitigating session fixation
attacks.

Token format: {random_part}:{hmac(random_part + user_id, secret)}

Refs #338

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-02-05 16:33:22 -06:00

..

api

fix(#338): Bind CSRF token to user session with HMAC

2026-02-05 16:33:22 -06:00

coordinator

feat(#313): Implement FastAPI and agent tracing instrumentation

2026-02-04 14:25:48 -06:00

orchestrator

fix(#337): Add Zod validation for Redis deserialization

2026-02-05 15:54:48 -06:00

web

fix(#337): Fix boolean logic bug in ReactFlowEditor (use || instead of ??)

2026-02-05 16:08:55 -06:00