# Security Checklist

- Passwords: Argon2id via Passlib.
- Session: HttpOnly, SameSite cookies with JWT payloads.
- CSRF: double-submit token for unsafe API methods.
- Tokens: invitation and reset tokens are random, expiring and stored as SHA-256 hashes.
- SMTP secret: encrypted with Fernet.
- CORS: explicit allowed origins only.
- CSP: set by Caddy for the frontend surface.
- IDOR: home-scoped APIs verify membership.
- SQL injection: SQLAlchemy query builder and parameter binding.
- Audit logs: admin and sensitive actions are recorded without secrets.
- Rate limits: login, invite and reset-sensitive endpoints are throttled.

Recommended external tools:

```sh
pip-audit
bandit -r backend/app
npm audit --audit-level=moderate
gitleaks detect --source .
trivy fs .
trivy image
```
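The "Tokens" item above (random, expiring, stored as SHA-256 hashes) as an added stand-alone example; this is not the project's own code. The in-memory `TOKEN_STORE` dictionary stands in for the database table and the `issue_token` / `consume_token` names are assumptions.

```python
# Added example, not the project's code: issue and verify a random, expiring
# invitation/reset token of which only the SHA-256 digest is ever persisted.
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: stands in for a DB table keyed by the token's hex digest.
TOKEN_STORE: dict = {}  # sha256 hex digest -> {"user_id", "purpose", "expires_at"}


def _digest(token: str) -> str:
    # Only this digest is stored; a DB leak exposes no usable tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(user_id: int, purpose: str, ttl_minutes: int = 30,
                now: Optional[datetime] = None) -> str:
    """Create a token, persist only its hash, return the plaintext once (for the email)."""
    now = now or datetime.now(timezone.utc)
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    TOKEN_STORE[_digest(token)] = {
        "user_id": user_id,
        "purpose": purpose,  # "invite" or "reset": a reset token must not accept an invite
        "expires_at": now + timedelta(minutes=ttl_minutes),
    }
    return token


def consume_token(token: str, purpose: str,
                  now: Optional[datetime] = None) -> Optional[int]:
    """Return the user id if the token is valid and unexpired; the token is single-use."""
    now = now or datetime.now(timezone.utc)
    # Lookup by digest is fine: the token carries 256 bits of entropy, so the
    # equality check on the hash gives an attacker nothing to guess from timing.
    record = TOKEN_STORE.pop(_digest(token), None)  # removed on any use, valid or not
    if record is None:
        return None
    if record["purpose"] != purpose or record["expires_at"] <= now:
        return None
    return record["user_id"]
```

Note that an expired or wrong-purpose token is still removed, so a rejected token cannot be retried.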