# Monthly Security Audit — 2026-03-11

## Scope

MAINT-02 monthly scan. Full audit of `core/security/`, `core/archipelago/src/api/rpc/`, nginx config, and frontend.

## Findings Summary

| Severity | Count | Fixed | Deferred |
|----------|-------|-------|----------|
| Critical | 2 | 0 | 2 (known, architectural) |
| High | 5 | 0 | 5 (known, requires design) |
| Medium | 7 | 2 | 5 |
| Low | 6 | 0 | 6 |
| Info | 4 | 0 | 4 |

## Fixes Applied This Cycle

### MED-03: Shell injection in bitcoin.conf generation — FIXED

`core/archipelago/src/api/rpc/package.rs` — Replaced the `sh -c echo` shell command with `tokio::fs::write()` to eliminate the shell injection surface.

### MED-07: No body size limit on /rpc/ endpoint — FIXED

`image-recipe/configs/nginx-archipelago.conf` — Added `client_max_body_size 1m` to the `/rpc/` location in both the HTTP and HTTPS server blocks.

## Known Issues (Deferred)

### CRIT-01: Deterministic encryption key

Secrets encryption key is derived from the data directory path. Requires architectural redesign (Argon2 from a user password, or a TPM-backed key). Tracked for v1.1.

### CRIT-02: Hardcoded Bitcoin RPC password

`archipelago123` is shared across all deployments. Requires per-install random password generation and secrets manager integration. Tracked for v1.1.

### HIGH-01 through HIGH-05

Known from the FINAL-02 audit (2026-03-10). CSP hardening, HSTS, IP spoofing for rate limiting, Bitcoin RPC binding — all tracked for v1.1.

## Dependency CVE Check

### npm

- `serialize-javascript` ≤7.0.2 (GHSA-5c6j-r48x-rmvq): RCE via RegExp.flags — dev-only, no runtime impact
- `rollup` path traversal (GHSA-mw96-cpmx-2vgc): dev-only build tool
- No new runtime dependency CVEs

### Cargo

- No new advisories affecting current pinned versions (checked cargo-audit equivalent)

### Podman/Debian

- No critical Debian 12 security advisories for Podman 4.x since last scan
- Container base images use pinned versions (no `:latest` in production manifests)

## Next Cycle

Due: 2026-04-11.
Focus areas: CRIT-01 key derivation redesign, CSP tightening.
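## Reference Example: bitcoin.conf generation without a shell

The block below is an added example, not code from the Archipelago repository. It shows the pattern behind the MED-03 fix (building `bitcoin.conf` in memory and writing it with a file API instead of `sh -c echo`) together with the per-install random RPC password that CRIT-02 calls for, so one block covers both findings. The function names, the `/dev/urandom` source, the temp-directory output path, the extra directives and the 0600 file mode are assumptions made for this example; the project's fix uses the async `tokio::fs::write()`, whereas this uses synchronous `std::fs` so it runs stand-alone on a Unix host.

```rust
// Added example (not the project's code). Assumptions: Unix host with
// /dev/urandom, output under the temp dir, hypothetical function names.
use std::fs::{File, OpenOptions};
use std::io::{self, Read, Write};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt}; // Unix-only file modes
use std::path::Path;

/// Shape of the pre-fix approach: the value is spliced into a shell command
/// line, so a value like `x"; touch /tmp/pwned; echo "` runs extra commands.
/// Returned as a string purely to show the risk; it is never executed here.
pub fn vulnerable_shell_command(rpc_password: &str, conf_path: &str) -> String {
    format!("echo \"rpcpassword={}\" > {}", rpc_password, conf_path)
}

/// Per-install RPC password: 32 bytes from the kernel CSPRNG, hex-encoded
/// (64 characters), replacing a password shared across every deployment.
pub fn generate_rpc_password() -> io::Result<String> {
    let mut raw = [0u8; 32];
    File::open("/dev/urandom")?.read_exact(&mut raw)?;
    Ok(raw.iter().map(|b| format!("{:02x}", b)).collect())
}

/// Reject values that could smuggle further directives into the file.
/// Dropping the shell removes shell injection, but a newline inside a value
/// would still start a new `key=value` line (config injection), so the
/// values themselves must be checked too.
fn check_value(key: &str, value: &str) -> io::Result<()> {
    if value.chars().any(|c| c == '\n' || c == '\r' || c == '\0') {
        return Err(io::Error::new(
            io::ErrorKind::InvalidInput,
            format!("{}: control character in value", key),
        ));
    }
    Ok(())
}

/// Render bitcoin.conf as a string; `extra` holds additional key=value pairs.
pub fn render_bitcoin_conf(
    rpc_user: &str,
    rpc_password: &str,
    extra: &[(&str, &str)],
) -> io::Result<String> {
    let mut pairs: Vec<(&str, &str)> = vec![("rpcuser", rpc_user), ("rpcpassword", rpc_password)];
    pairs.extend_from_slice(extra);
    let mut out = String::new();
    for (key, value) in pairs {
        check_value(key, value)?;
        out.push_str(key);
        out.push('=');
        out.push_str(value);
        out.push('\n');
    }
    Ok(out)
}

/// Write with owner-only permissions (0600) so the RPC secret is not
/// world-readable, then rename so a crash never leaves a half-written file.
pub fn write_bitcoin_conf(path: &Path, contents: &str) -> io::Result<()> {
    let tmp = path.with_extension("conf.tmp");
    {
        let mut f = OpenOptions::new()
            .write(true)
            .create(true)
            .truncate(true)
            .mode(0o600)
            .open(&tmp)?;
        f.write_all(contents.as_bytes())?;
        f.sync_all()?;
    }
    std::fs::rename(&tmp, path)
}

/// Permission bits of a file, for verifying the 0600 mode after writing.
pub fn file_mode(path: &Path) -> io::Result<u32> {
    Ok(std::fs::metadata(path)?.permissions().mode() & 0o777)
}

fn main() -> io::Result<()> {
    let password = generate_rpc_password()?;
    let conf = render_bitcoin_conf(
        "archipelago",
        &password,
        &[("server", "1"), ("rpcbind", "127.0.0.1")],
    )?;
    let path = std::env::temp_dir().join("bitcoin.conf");
    write_bitcoin_conf(&path, &conf)?;
    println!("wrote {} ({} bytes, mode {:o})", path.display(), conf.len(), file_mode(&path)?);
    Ok(())
}
```

The `check_value` step is the caveat worth carrying into the real fix: `tokio::fs::write()` closes the shell injection hole, but any value that reaches the file (an RPC password, an `rpcallowip` entry) still needs to be rejected if it contains a line break, or an attacker-controlled value can append its own directives. The 0600 mode and rename-into-place are standard for a file that holds a credential.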