Security Hardening rules

Check for the use of eval() to handle asynchronous execution. Eval leads to security vulnerabilities. Recommend using Async/Await or Promises instead.

Validate CPF/CNPJ format and checksum server-side; reject storage of invalid identifiers and never auto-correct them. Store normalized (digits-only) representation.

Register a Monolog processor to mask emails/phones and attach pii_redacted:true; forbid direct logging of raw identifiers.

Expose constant dicts as read-only via MappingProxyType (or frozen dataclasses) to prevent runtime mutation.

Default to private visibility; expose the minimal surface and prefer val with private set when mutation is needed.

For simple form submissions from RSC, use server actions with schema validation and then revalidate paths/tags. Avoid client fetch for trivial mutations.

Pin cryptography libraries to vetted versions (e.g., BouncyCastle FIPS) and generate a CycloneDX SBOM as part of the build. Reject PRs introducing floating or insecure versions. (PCI DSS 4.0 Req. 6 & supply chain)

Ship only runtime artifacts (binaries, compiled assets, minimal configs). Exclude tests, sources, docs, and dev tooling.

Use safe casts (as?) with null checks or require statements instead of unchecked as.

Do not expose full, unminified source maps publicly in production. If source maps are required for error tracking, serve them behind authentication or IP allowlists and set "X-Robots-Tag: noindex".

Expose DTOs/ViewModels from API endpoints; avoid leaking persistence/domain entities directly.

If user input is used in OS command arguments, it can be manipulated to expand access or execute unintended commands. Ensure proper sanitization to prevent injection.

Add middleware to set HSTS, X-Content-Type-Options, and secure cookies; log JSON with actor and trace_id for auth and admin routes.

Serve assets with accurate Content-Type (e.g., text/css, application/javascript, image/avif, image/webp, font/woff2, image/svg+xml) and include charset for text types. Do not default to text/plain or application/octet-stream.

Check for the use of graphql-upload. This library enables file uploads using multipart requests, which can be exploited for CSRF attacks if not properly secured.

For third-party scripts, use <Script> with an appropriate strategy and onLoad callbacks. Avoid dangerouslySetInnerHTML for scripts.

Accept only short-lived tokens from the gateway (JWT/JWE or opaque) and validate signature/expiry; do not persist tokens beyond business need. Never attempt to reconstruct PAN from tokens. (PCI DSS data minimization)

Use instanceof/pattern matching and guard before casts; avoid ClassCastException.