{"schema_version":"vigil-security-health-v1","generated_at":"2026-06-21T05:45:58.600Z","overall":"fortress","criticals_ok":true,"recommended_ok":true,"secrets":[{"name":"SUPABASE_URL","criticality":"critical","present":true,"ok":true,"purpose":"Primary database endpoint"},{"name":"SUPABASE_SERVICE_KEY","criticality":"critical","present":true,"ok":true,"purpose":"Server-only DB key (service_role)"},{"name":"VIGIL_SESSION_SECRET","criticality":"critical","present":true,"ok":true,"purpose":"HMAC signing for sessions + CSRF"},{"name":"VIGIL_REF_TOKEN_PEPPER","criticality":"recommended","present":true,"ok":true,"purpose":"Rainbow-table resistance for owner-scoped tokens"},{"name":"VIGIL_WEBHOOK_SIGNING_KEY","criticality":"recommended","present":true,"ok":true,"purpose":"HMAC for outbound compliance webhooks"},{"name":"RESEND_API_KEY","criticality":"recommended","present":true,"ok":true,"purpose":"Email delivery"},{"name":"SAHAMATI_PUBKEY_PEM","criticality":"optional","present":false,"ok":true,"purpose":"Strict signature verification for AA artifacts"},{"name":"RAZORPAY_KEY_ID","criticality":"optional","present":false,"ok":true,"purpose":"Razorpay billing (India)"},{"name":"RAZORPAY_KEY_SECRET","criticality":"optional","present":false,"ok":true,"purpose":"Razorpay billing (India)"},{"name":"RAZORPAY_WEBHOOK_SECRET","criticality":"optional","present":false,"ok":true,"purpose":"Razorpay webhook signature verification"},{"name":"HELIUS_API_KEY","criticality":"optional","present":false,"ok":true,"purpose":"Solana RPC"},{"name":"HELIUS_WEBHOOK_SECRET","criticality":"optional","present":true,"ok":true,"purpose":"Helius webhook signature verification"},{"name":"CRON_SECRET","criticality":"recommended","present":true,"ok":true,"purpose":"Authorize Vercel scheduled crons"}],"controls":[{"id":"security_headers","name":"Edge proxy security headers","status":"on","note":"CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy applied to every response","file":"lib/securityHeaders.ts"},{"id":"cors_allowlist","name":"Cross-Origin Resource Sharing allowlist","status":"on","note":"Browser callers are restricted to vigil.costrinity.xyz + costrinity.xyz","file":"proxy.ts"},{"id":"session_jwt","name":"HMAC-signed session cookies","status":"on","note":"JWT-shaped tokens, HttpOnly + Secure + SameSite=Strict","file":"lib/session.ts"},{"id":"csrf_protection","name":"CSRF synchronizer token","status":"available","note":"lib/csrf.ts deriveCsrfToken + verifyCsrfFromRequest available; rolling out per-route","file":"lib/csrf.ts"},{"id":"rate_limiting_ip","name":"Per-IP sliding-window rate limit","status":"on","note":"auth endpoints + stats + anomaly + razorpay + privacy-scan","file":"lib/ipRateLimit.ts"},{"id":"webhook_outbound_signing","name":"Outbound webhook HMAC signing","status":"on","note":"HMAC-SHA256 over compliance webhook payloads","file":"lib/webhookDispatch.ts"},{"id":"webhook_ssrf_guard","name":"Outbound webhook SSRF guard","status":"on","note":"Refuses loopback, RFC1918, link-local, cloud metadata services","file":"lib/webhookDispatch.ts"},{"id":"reference_token_pepper","name":"Reference-token server-side pepper","status":"on","note":"Owner-scoped SHA-256 hardened with optional pepper for low-entropy identifiers","file":"lib/referenceToken.ts"},{"id":"safe_error_responses","name":"Sanitized error responses","status":"on","note":"safeApiError logs raw error server-side; returns generic { error, request_id } to client","file":"lib/safeError.ts"},{"id":"security_audit_trail","name":"Security event audit log","status":"on","note":"Append-only security_audit_events table; logs auth failures, IDOR attempts, rate limits","file":"lib/auditTrail.ts"},{"id":"input_validation","name":"Hardened input validators","status":"available","note":"lib/inputValidation.ts — bounded length, format checks, prototype-pollution guards","file":"lib/inputValidation.ts"},{"id":"request_size_guards","name":"JSON body size + depth guards","status":"available","note":"lib/requestSize.ts safeReadJsonBody — Content-Length pre-check + streamed cap + depth limit","file":"lib/requestSize.ts"},{"id":"log_sanitization","name":"Log-injection prevention","status":"on","note":"safeLog scrubs CRLF, control chars, credential patterns, PII","file":"lib/logSanitizer.ts"},{"id":"rls","name":"Postgres Row-Level Security","status":"on","note":"All operator-scoped tables have RLS; service_role bypasses for server-side writes","file":"db/schema.sql"},{"id":"sahamati_strict_mode","name":"Sahamati strict signature verification","status":"deny-unverified","note":"Set SAHAMATI_DENY_UNVERIFIED=1 to refuse unverified artifacts during onboarding","file":"app/api/sahamati/consent-handle/route.ts"}],"links":{"security_md":"https://vigil.costrinity.xyz/SECURITY.md","status":"/api/status","global_status":"/api/compliance/global-status"}}