Security Hardening: idempotency, rate limits, audit logs, session & auth fixes#1

Open

whogf22 wants to merge 7 commits into master from copilot/security-audit

Conversation

@whogf22 (Owner) commented Apr 21, 2026

Merges the comprehensive security-hardening work from copilot/security-audit into master.

Summary of fixes

  1. Idempotency-Key middleware on all money-moving endpoints (orders, cancel, crypto deposits, admin confirm, v1 API).
  2. Append-only ledger: atomic transactions + TronPoller dedup key trongrid:{txId}.
  3. Authorization: requireAuth / requireAdmin + ownership checks (order.userId !== user.id).
  4. Rate limiting: authLimiter, apiLimiter, orderLimiter, financialLimiter, passwordLimiter, adminLimiter.
  5. Immutable audit_logs table (auth, financial, profile, admin events).
  6. Business-logic guards: VALID_ORDER_TRANSITIONS state machine, double-cancel/double-confirm prevention, negative-amount guard, $10k deposit cap.
  7. Session hardening: regenerate on login, named cookie getotps.sid, httpOnly+sameSite=lax+secure, trust-proxy.
  8. Env validation: SESSION_SECRET >=32 chars required in prod, default ADMIN_PASSWORD rejected.

Notes

  • Can't automatically merge: resolve conflicts before merging.
  • npm audit: 0 vulns. tsc --noEmit clean. build green.
  • Bumps drizzle-orm 0.45.2 and vite 7.3.2.

Post-merge checklist

  • SESSION_SECRET >=32 chars set in prod
  • ADMIN_PASSWORD not default
  • New tables (idempotency_keys, audit_logs) auto-migrate via storage.ts inline DDL
  • pm2 reload getotps and nginx reload if needed
  • Smoke test: login, order create/cancel, crypto deposit, admin confirm with repeated Idempotency-Key
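As an added example (not code from this PR or from the getotps repository), the sketch below shows how an Idempotency-Key guard for a money-moving endpoint (fix 1) composes with the ownership check (fix 3) and the VALID_ORDER_TRANSITIONS guard (fix 6); the transition table, the in-memory key store and the order shape are assumptions standing in for the real tables.

```typescript
// Added example, not code from the getotps PR. Shows how an Idempotency-Key
// guard (fix 1) composes with ownership and state-machine checks (fixes 3, 6).
type Status = "pending" | "paid" | "confirmed" | "cancelled";
// Assumed transition table; the PR's VALID_ORDER_TRANSITIONS is not shown here.
const VALID_ORDER_TRANSITIONS: Record<Status, Status[]> = {
  pending: ["paid", "cancelled"], paid: ["confirmed", "cancelled"],
  confirmed: [], cancelled: [],
};
interface Reply { status: number; body: Record<string, unknown> }
interface Entry { fingerprint: string; reply?: Reply }
// In-memory stand-in for the idempotency_keys table. Keys are scoped to the
// caller, so one user's key can never replay or block another user's request.
const idempotencyKeys = new Map<string, Entry>();

function withIdempotency(userId: string, key: string | undefined,
  method: string, path: string, body: unknown, handler: () => Reply): Reply {
  if (!key) return { status: 400, body: { error: "Idempotency-Key header required" } };
  const scoped = `${userId}:${key}`;
  const fingerprint = `${method} ${path} ${JSON.stringify(body)}`;
  const seen = idempotencyKeys.get(scoped);
  if (seen) {
    // Same key, different request: refuse rather than silently replay.
    if (seen.fingerprint !== fingerprint)
      return { status: 422, body: { error: "Idempotency-Key reused with a different request" } };
    // Recorded before the handler finished: a concurrent retry is still in flight.
    if (!seen.reply) return { status: 409, body: { error: "request already in progress" } };
    return seen.reply; // Replay the stored reply; the side effect is not repeated.
  }
  const entry: Entry = { fingerprint };
  idempotencyKeys.set(scoped, entry); // Claim the key before doing the work.
  return (entry.reply = handler());
}

const orders = new Map<string, { userId: string; status: Status }>();
function seedOrder(orderId: string, userId: string, status: Status): void {
  orders.set(orderId, { userId, status });
}
// POST /orders/:id/cancel, guarded by key, ownership and allowed transitions.
function cancelOrder(userId: string, orderId: string, key?: string): Reply {
  return withIdempotency(userId, key, "POST", `/orders/${orderId}/cancel`, null, () => {
    const order = orders.get(orderId);
    // Ownership check (order.userId !== user.id); 404 rather than 403 so ids do not leak.
    if (!order || order.userId !== userId) return { status: 404, body: { error: "order not found" } };
    if (!VALID_ORDER_TRANSITIONS[order.status].includes("cancelled"))
      return { status: 409, body: { error: `cannot cancel an order in state ${order.status}` } };
    order.status = "cancelled";
    return { status: 200, body: { id: orderId, status: order.status } };
  });
}
```

A retry with the same key replays the stored 200 without cancelling twice, while a second cancel with a fresh key is rejected by the state machine, which is the distinction the smoke test above exercises.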

Copilot AI and others added 7 commits April 11, 2026 08:57
Agent-Logs-Url: https://github.com/whogf22/getotps/sessions/9abb8921-1cbe-4dc6-b2b0-ba35997830d5

Co-authored-by: whogf22 <214203159+whogf22@users.noreply.github.com>
…dening, and business logic guards

Agent-Logs-Url: https://github.com/whogf22/getotps/sessions/c1206c63-14ea-4cef-828d-ca123a85f135

Co-authored-by: whogf22 <214203159+whogf22@users.noreply.github.com>
@vercel (Bot) commented Apr 21, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
getotps Ready Ready Preview, Comment Apr 21, 2026 9:31am

@ecc-tools (Bot) commented Apr 21, 2026

🔒 Upgrade Required

Private repository analysis requires Pro or Enterprise.

Upgrade: https://ecc.tools/pricing?plan=pro

ECC Tools keeps the core app open, and puts private repos, team features, and enterprise controls behind paid tiers.

whogf22 added a commit that referenced this pull request Apr 30, 2026