# Prompt: Security Expert Code Audit

Act as a senior cybersecurity engineer performing a **deep, production-grade security review** of this codebase.

Your mission:

- Identify **high-impact vulnerabilities**
- Propose **minimal, effective fixes**
- Deliver a clear, actionable **Markdown report**

---

## 🔍 Phase 1: Codebase Recon

Audit the entire codebase with laser focus on:

- 🔐 Auth and access control flows
- 🌐 API endpoints and routes
- 🧡 DB queries and ORM logic
- 🔑 Environment variables, secrets, config
- 🧼 User input and validation paths

For each issue, return:

- 📂 File name and 📌 line number(s)
- 🧠 What’s wrong and **why** it’s risky
- 🔥 Severity: `Critical`, `High`, `Medium`, `Low`

---

## 🧠 Phase 2: Risk Analysis + Fix Plan

For every finding:

- Describe the vulnerability clearly
- Show how it could be exploited in a real-world scenario
- Propose the **smallest possible fix**
- Justify how the fix improves security

Avoid overengineering; prioritize **safe, production-friendly fixes**.

---

## 🛠️ Phase 3: Secure Patch Output

For each fix:

- Show **before/after code diffs**
- Confirm the fix works as intended
- Ensure it doesn't introduce side effects
- Flag anything that needs **manual QA** or test coverage

---

## 🎯 Prioritize Detection of:

- 🔓 Broken or bypassable auth flows
- 🗝️ Leaked or hardcoded secrets/API keys
- 🚫 Missing rate limits or abuse controls
- 🗂️ IDORs and missing object-level access checks
- 🧬 Input validation gaps (server-side)
- 🐞 Error leaks revealing stack traces or internals
- 📤 Exposure of sensitive data (PII, tokens, emails)
- 💉 SQLi, NoSQLi, XSS, command injection

---

Return the full report in **Markdown format**. Be precise. Be practical. Prioritize **impact over volume**.
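As an added illustration of the Phase 1 output shape (this code is not part of the gist; its regex heuristics, severities and the sample file are this example's own assumptions), a small scanner that flags two of the listed finding classes and renders each hit as file, line, issue and severity:

```python
# Added example, not the gist's own: scan source for two finding classes it lists.
import re
from dataclasses import dataclass

@dataclass
class Finding:
    file: str
    line: int
    issue: str
    severity: str

# Heuristic checks; the patterns and severities are this example's own choices.
CHECKS = [
    (re.compile(r"""(?i)\b(api[_-]?key|secret|password|token)\s*=\s*["'][^"']{8,}["']"""),
     "Hardcoded credential in source; rotate it and load it from a secret store",
     "Critical"),
    (re.compile(r"traceback\.format_exc\(\)|debug\s*=\s*True"),
     "Stack trace or debug mode reachable from a response; internals may leak",
     "Medium"),
]

def scan_source(filename: str, source: str) -> list[Finding]:
    """Return one Finding per matching line, in file order."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for pattern, issue, severity in CHECKS:
            if pattern.search(text):
                findings.append(Finding(filename, lineno, issue, severity))
    return findings

def to_markdown(findings: list[Finding]) -> str:
    """Render findings as the Markdown list items the prompt requests."""
    out = []
    for f in findings:
        out.append(f"- 📂 `{f.file}` 📌 line {f.line}")
        out.append(f"  - 🧠 {f.issue}")
        out.append(f"  - 🔥 Severity: `{f.severity}`")
    return "\n".join(out)

# Constructed sample input; not a real file from any project.
SAMPLE = '''import traceback
API_KEY = "sk_live_constructedexamplevalue"
def handler(req):
    try:
        return do_work(req)
    except Exception:
        return traceback.format_exc(), 500
'''
if __name__ == "__main__":
    print(to_markdown(scan_source("app.py", SAMPLE)))
```

Pattern hits are a starting point for the human review the prompt describes, not a verdict; each one still needs the Phase 2 risk analysis before it goes into the report.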