fix: monthly security scan — fix shell injection and add RPC body limit (MAINT-02)

- Replace sh -c echo with tokio::fs::write for bitcoin.conf generation
- Add client_max_body_size 1m to /rpc/ in both HTTP and HTTPS nginx blocks
- Document full audit findings in docs/security-audit-2026-03-11.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Dorian
2026-03-11 18:09:16 +00:00
parent 6700152416
commit 1505b1b1cc
4 changed files with 60 additions and 5 deletions

View File

@@ -428,7 +428,7 @@
- [x] **MAINT-01** — Monthly dependency update cycle. Each month: run `cargo update` and `npm update`, review changelogs for security fixes, run full test suite, deploy. Track in `docs/dependency-audit-log.md`.
- [ ] **MAINT-02** — Monthly security scan. Each month: run `/harden-security`, check for new CVEs affecting dependencies, review Podman/Debian security advisories. Patch any critical issues within 48 hours.
- [x] **MAINT-02** — Monthly security scan. Each month: run `/harden-security`, check for new CVEs affecting dependencies, review Podman/Debian security advisories. Patch any critical issues within 48 hours.
- [ ] **MAINT-03** — Quarterly quality sweep. Each quarter: run full `/sweep`, compare to baseline, fix any regressions. Run 72-hour stability test.