- Rate-limit /api/flows/start to 10 req/min per user (in-memory, matches login pattern)
- Add middleware.ts: validates x-csrf-token header against csrf_token cookie on all
API POST requests; issues the cookie on GET if missing; sets CSP, X-Frame-Options,
X-Content-Type-Options, and Referrer-Policy on all responses
- Add lib/csrf.ts: client-side apiFetch() wrapper that injects the CSRF header
- Update all client components (login, useFlowRun, docker, caddy, git, systemd)
to use apiFetch() for POST requests
- Cookie config in login route already correct (NODE_ENV check, httpOnly, sameSite=strict)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Truncate accumulated stdout/stderr to last 64KB before persisting FlowStep
to prevent unbounded DB growth on verbose commands
- Add @@index([user_id, started_at(sort: Desc)]) to FlowRun schema so audit
list queries (WHERE user_id = ? ORDER BY started_at DESC) use the index
- Add migration 20260513200000_flowrun_user_idx
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
