fix(security): timing-safe HMAC, HKDF per-row salt, case-insensitive email
- downloadTokens: pad buffers to equal length before timingSafeEqual to eliminate length-oracle side channel (PR #81)
- keyRotation: add HKDF key derivation with random 16-byte per-row salt; existing rows without salt decrypt via legacy SHA-256 path; all new encryptions use HKDF (PR #76)
- projects: use case-insensitive comparison for shared_with email in GET /projects/:projectId, matching access.ts pattern (PR #79)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
| Repository | Dshamir/AI-Legal |
|---|---|
| Author | Dshamir <dshamir@blucap.ca> |
| Authored | |
| Parents | af4ed2db |
| Stats | 7 files changed , +398 , -349 |
| Part of | Upstream-PR security and infra hardening |
| Commit | 52f47ba4 |
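The three fixes named in the commit message, written out as an added example. This is not code from the Dshamir/AI-Legal repository (its downloadTokens, keyRotation and projects modules are not shown on this page); it is TypeScript for Node, matching the access.ts naming. Assumed rather than taken from the project: the `<payload>.<hex tag>` token layout, AES-256-GCM as the row cipher, the `EncryptedRow` field names, the HKDF info string `row-encryption-v1`, and the constructed demo keys. The key-derivation behaviour follows the commit text: a row stored without a salt decrypts with SHA-256(master), every new row gets a random 16-byte salt and an HKDF-derived key, and there is no code path that writes a salt-less row.

```typescript
import {
  createCipheriv, createDecipheriv, createHash, createHmac,
  hkdfSync, randomBytes, timingSafeEqual,
} from "node:crypto";

// ---- 1. Timing-safe check of a caller-supplied HMAC tag ----------------------

// Constructed demo key and token layout "<payload>.<hex hmac-sha256>"; the
// real downloadTokens format is not shown on this page.
const TOKEN_KEY = Buffer.from("0123456789abcdef0123456789abcdef");

export function signToken(payload: string, key: Buffer = TOKEN_KEY): string {
  return `${payload}.${createHmac("sha256", key).update(payload).digest("hex")}`;
}

// timingSafeEqual throws RangeError when its inputs differ in length. Guarding
// that with an early `if (a.length !== b.length) return false` makes the
// rejection of wrong-length guesses measurably faster than the rejection of
// right-length ones: a length oracle. Copying both sides into equal-width
// buffers keeps the byte comparison constant-time for any input, and the
// length check is folded into the result afterwards as one more bit.
export function constantTimeEqual(supplied: Buffer, expected: Buffer): boolean {
  const width = Math.max(supplied.length, expected.length, 1);
  const a = Buffer.alloc(width); // zero-filled padding
  const b = Buffer.alloc(width);
  supplied.copy(a);
  expected.copy(b);
  const sameBytes = timingSafeEqual(a, b);
  return sameBytes && supplied.length === expected.length;
}

export function verifyToken(token: string, key: Buffer = TOKEN_KEY): boolean {
  const dot = token.lastIndexOf(".");
  if (dot < 0) return false;
  const supplied = Buffer.from(token.slice(dot + 1), "hex"); // odd/invalid hex just mismatches
  const expected = createHmac("sha256", key).update(token.slice(0, dot)).digest();
  return constantTimeEqual(supplied, expected);
}

// ---- 2. HKDF per-row key with a legacy SHA-256 fallback ----------------------

// Constructed master key; the project would load its own from configuration.
// AES-256-GCM and the field names below are assumptions, not the project's schema.
const MASTER_KEY = randomBytes(32);

export interface EncryptedRow {
  salt: string | null; // hex, 16 bytes; null marks a row written before HKDF
  iv: string;          // hex, 12-byte GCM nonce
  tag: string;         // hex, 16-byte GCM authentication tag
  ciphertext: string;  // hex
}

// Legacy path: every row shares SHA-256(master). Kept only so old rows decrypt.
function legacyRowKey(master: Buffer): Buffer {
  return createHash("sha256").update(master).digest();
}

// New path: HKDF-SHA256 with the row's random salt, so each row has its own key
// and compromise of one row key says nothing about the others.
function hkdfRowKey(master: Buffer, salt: Buffer): Buffer {
  return Buffer.from(hkdfSync("sha256", master, salt, "row-encryption-v1", 32));
}

function gcmEncrypt(key: Buffer, plaintext: string): Omit<EncryptedRow, "salt"> {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { iv: iv.toString("hex"), tag: cipher.getAuthTag().toString("hex"), ciphertext: ct.toString("hex") };
}

// All new writes go through HKDF; there is no option to write a salt-less row.
export function encryptRow(plaintext: string, master: Buffer = MASTER_KEY): EncryptedRow {
  const salt = randomBytes(16);
  return { salt: salt.toString("hex"), ...gcmEncrypt(hkdfRowKey(master, salt), plaintext) };
}

// Reads branch on the stored salt: absent means legacy key, present means HKDF.
export function decryptRow(row: EncryptedRow, master: Buffer = MASTER_KEY): string {
  const key = row.salt === null
    ? legacyRowKey(master)
    : hkdfRowKey(master, Buffer.from(row.salt, "hex"));
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(row.iv, "hex"));
  decipher.setAuthTag(Buffer.from(row.tag, "hex"));
  return Buffer.concat([decipher.update(Buffer.from(row.ciphertext, "hex")), decipher.final()]).toString("utf8");
}

// ---- 3. Case-insensitive shared_with comparison ------------------------------

// RFC 5321 leaves the local part case-sensitive, but providers treat mailboxes
// case-insensitively in practice, so a byte-for-byte match locks out a user who
// was shared as Alice@Example.com and authenticates as alice@example.com.
export function emailMatches(stored: string, caller: string): boolean {
  return stored.toLowerCase() === caller.toLowerCase();
}
```

Two points worth keeping in mind when reading this. On the timing fix, the hex decode and the HMAC still run on attacker-chosen input before the comparison, so total request time does vary with what the attacker sends; that reveals nothing the attacker did not already know, and the property that matters is that no branch or early exit depends on the expected tag. On the key derivation, the legacy branch in `decryptRow` keeps salt-less rows on the shared SHA-256 key for as long as they exist; re-encrypting those rows with `encryptRow` during a backfill is what eventually lets the legacy path be deleted.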