stack/docs/reports/code-review/gateway-security-20260313.md

Code Review Report — Gateway Security Hardening

Scope Reviewed

  • apps/gateway/src/chat/chat.gateway-auth.ts
  • apps/gateway/src/chat/chat.gateway.ts
  • apps/gateway/src/conversations/conversations.dto.ts
  • apps/gateway/src/chat/__tests__/chat-security.test.ts

Findings

  • No blocker findings in the final changed surface.

Review Summary

  • Correctness: the socket auth helper now returns the Better Auth session data unchanged, and the gateway disconnects any client whose handshake result does not narrow to a valid session payload
  • Security: conversation role validation now rejects the system role; the conversation content ceiling is 32k; the chat request ceiling remains 10k
  • Testing: targeted auth, ownership, and DTO regression tests pass
  • Quality: pnpm typecheck, pnpm lint, and pnpm format:check all pass after the final edits
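
The two controls summarised above, narrowing a handshake result typed unknown before trusting the socket, and rejecting the system role and over-long content at the DTO boundary, as an added TypeScript example that is not the gateway's own code. The payload field names, the allowed roles (user, assistant), the exact 32_000 limit and the error strings are assumptions.

```typescript
// Added example, not code from apps/gateway. Shapes and limits are assumed.
interface SessionPayload {
  userId: string;
  expiresAt: number; // epoch milliseconds (assumed field)
}

// Type guard: narrows an unknown helper result to a SessionPayload.
// Anything that does not match is treated as unauthenticated.
function isSessionPayload(value: unknown): value is SessionPayload {
  if (typeof value !== "object" || value === null) return false;
  const v = value as Record<string, unknown>;
  return (
    typeof v.userId === "string" && v.userId.length > 0 &&
    typeof v.expiresAt === "number" && Number.isFinite(v.expiresAt)
  );
}

// Returns the accepted session, or null to signal that the socket must be disconnected.
function authorizeHandshake(sessionResult: unknown, now: number): SessionPayload | null {
  if (!isSessionPayload(sessionResult)) return null; // malformed or missing session
  if (sessionResult.expiresAt <= now) return null;   // expired session
  return sessionResult;
}

const CONVERSATION_CONTENT_MAX = 32_000; // "32k" in the report; exact value assumed
const ALLOWED_ROLES = new Set(["user", "assistant"]); // "system" deliberately excluded

// DTO check for one conversation message. Returns validation errors; empty means accepted.
function validateConversationMessage(input: unknown): string[] {
  if (typeof input !== "object" || input === null) return ["message must be an object"];
  const m = input as Record<string, unknown>;
  const errors: string[] = [];
  if (typeof m.role !== "string" || !ALLOWED_ROLES.has(m.role)) {
    errors.push("role must be one of: user, assistant");
  }
  if (typeof m.content !== "string") {
    errors.push("content must be a string");
  } else if (m.content.length > CONVERSATION_CONTENT_MAX) {
    errors.push(`content exceeds ${CONVERSATION_CONTENT_MAX} characters`);
  }
  return errors;
}
```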

Residual Risk

  • chat.gateway.ts uses local narrowing around the session result, which is typed unknown, because the requested helper contract intentionally returns unknown.