Skip to content

fix: security hardening — webhook auth, bounded limits, talent role types#1658

Merged
bokelley merged 2 commits into
mainfrom
bokelley/high-impact-backlog
Mar 23, 2026
Merged

fix: security hardening — webhook auth, bounded limits, talent role types#1658
bokelley merged 2 commits into
mainfrom
bokelley/high-impact-backlog

Conversation

@bokelley

Copy link
Copy Markdown
Contributor

Summary

Test plan

  • TypeScript compiles clean (npm run typecheck)
  • All 762 tests pass (npm test)
  • Pre-commit hooks pass (full test suite + schema validation + link checking)
  • CI passes

Closes #1633, #1634, #1635

🤖 Generated with Claude Code

bokelley and others added 2 commits March 23, 2026 21:47
…ypes

- Return 401 (not 500) when WORKOS_WEBHOOK_SECRET is unset (#1633)
- Add WORKOS_WEBHOOK_SECRET to env-validation startup warnings
- Bound all admin endpoint limit/offset params with clampLimit/clampOffset (#1634)
- Type-constrain training agent talent roles to enum values (#1635)

Closes #1633, #1634, #1635

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Raise clampOffset max to 1M (avoid silent truncation on large tables)
- Use `as const` array for TalentRole (enables runtime validation)
- Add changeset description

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@bokelley bokelley merged commit a88cad4 into main Mar 23, 2026
11 checks passed
@aao-release-bot aao-release-bot Bot mentioned this pull request May 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

fix: WorkOS webhook verification fails open when secret is unset

1 participant