From f2dfffe90190e7b3186da5693bab471dc8183b0f Mon Sep 17 00:00:00 2001
From: frarol96
Date: Sat, 30 May 2026 19:23:48 +0000
Subject: [PATCH] Delete security-audit-findings.json
---
security-audit-findings.json | 63 ------------------------------------
1 file changed, 63 deletions(-)
delete mode 100644 security-audit-findings.json
diff --git a/security-audit-findings.json b/security-audit-findings.json
deleted file mode 100644
index aa4f854..0000000
--- a/security-audit-findings.json
+++ /dev/null
@@ -1,63 +0,0 @@
-[
- {
- "id": "LUMI-001",
- "severity": "High",
- "title": "Missing CSRF protection on state-changing routes",
- "affected": [
- "/admin/*",
- "/profile/*",
- "/auth/logout"
- ],
- "evidence": "No CSRF middleware in src/web/server.js; POST routes rely solely on session cookies.",
- "impact": "Logged-in admins can be tricked into executing sensitive actions (plugin install/update, settings changes, restart).",
- "fix": "Add CSRF tokens or Origin/Referer checks and set SameSite cookies."
- },
- {
- "id": "LUMI-002",
- "severity": "Medium",
- "title": "Session cookie missing Secure and SameSite",
- "affected": [
- "/"
- ],
- "evidence": "Set-Cookie: connect.sid=...; Path=/; HttpOnly (no Secure/SameSite)",
- "impact": "Session cookie may be sent over HTTP or cross-site requests; increases CSRF/session hijack risk.",
- "fix": "Configure express-session cookie options with Secure and SameSite=Lax; set trust proxy behind TLS."
- },
- {
- "id": "LUMI-003",
- "severity": "Medium",
- "title": "Session fixation risk after OAuth login",
- "affected": [
- "/auth/discord/callback",
- "/auth/twitch/callback"
- ],
- "evidence": "Session is populated without regeneration in src/web/server.js (req.session.user set directly).",
- "impact": "An attacker who can set a session ID before login could reuse it after the victim authenticates.",
- "fix": "Call req.session.regenerate() before setting authenticated session data."
- },
- {
- "id": "LUMI-004",
- "severity": "Medium",
- "title": "Plugin route role not enforced",
- "affected": [
- "/plugins/sample-plugin",
- "/plugins/*"
- ],
- "evidence": "web.mount uses app.use without role guard; sample plugin labeled admin is accessible publicly.",
- "impact": "Plugin pages intended for admins can be reachable by unauthenticated users.",
- "fix": "Enforce navItem.role in web.mount with requireRole(role)."
- },
- {
- "id": "LUMI-005",
- "severity": "Low",
- "title": "Missing baseline security headers",
- "affected": [
- "/",
- "/commands",
- "/leaderboards"
- ],
- "evidence": "No CSP/XFO/XCTO/Referrer-Policy/Permissions-Policy headers; X-Powered-By present.",
- "impact": "Increases exposure to clickjacking/XSS/mime sniffing and framework fingerprinting.",
- "fix": "Use helmet and disable x-powered-by."
- }
-]
\ No newline at end of file