name: security-audit description: Perform a security pass aligned with MediaJira standards (no secrets, auth/CORS, input validation, least privilege, credential handling). Use for pre-release checks or when touching auth/sensitive code.

Security Audit

Follow .cursor/AGENTS.md (Security section and Error handling conventions) and .cursor/rules.md (security and privacy).
Use any user-provided context (module or path) to focus the audit scope.

Secrets and logging: Confirm no .env, tokens, keys, or credentials are committed or logged. Search for accidental exposure of auth headers or sensitive data in logs.
Dependencies: Check for known vulnerabilities in backend and frontend dependencies. Update outdated or vulnerable packages.
Backend: Validate that all client input is validated and sanitized; treat client data as untrusted. Ensure permissions are enforced (auth and authorization early); default to deny. Use DRF ValidationError/PermissionDenied; do not expose stack traces or internals. Review CORS: allowed origins allowlisted in backend/backend/settings.py; no wildcards for production.
Frontend: Confirm credentials: only token (and minimal user/org context) stored; no passwords. Token sent only via the axios interceptor (Authorization: Bearer); components do not read or send tokens directly. API layer does not swallow errors; 401 handled by interceptor (clear storage, redirect to login).
Infrastructure: Review environment variables and access controls. Ensure production uses HTTPS for all traffic.