- H-1 cert-DN spoofing: IRuntimeConfig::certAuthTrusted() now defaults to
false (fail-closed). X-SSL-Client-DN is an ordinary request header; a
loopback bind does not prove it came from a TLS-terminating proxy.
Consumers must opt in explicitly behind a header-stripping proxy.
- H-3 scope reparenting: ScopeGuardRepository::save() now also checks the
EXISTING row's scope (via a new required entity-id accessor), so an actor
can't claim an out-of-scope row by relabelling it in the request body.
- H-2 IQueryable bypass: add ScopeGuardQueryable<T> — filters query()
results through the same predicate so the queryable surface can't escape
the scope guard.
- H-4 TemporalRepository TOCTOU: serialise the read-modify-write with a
per-instance mutex (no more duplicate-live / lost-update under concurrent
same-entity saves) and add an optional TxRunner so the close-then-insert
pair can commit/rollback atomically.
- H-5 SMTP header injection: reject CR/LF/NUL in `to`/`fromAddress` before
building the envelope and From:/To: header lines.
Tests: expand test_repository_decorators (reparenting + queryable filtering),
add curl-guarded test_smtp_transport (base64 vectors + CRLF guard). All 15
ctest targets pass. README updated.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
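The H-5 guard described above, as an added illustration that is not the project's own code: addresses are rejected before any envelope or header line is assembled, because a CR, LF or NUL inside `to` or `fromAddress` would otherwise be copied verbatim into the SMTP command stream and the From:/To: block. The helper and struct names are assumptions made for this example.

```cpp
#include <optional>
#include <string>
#include <string_view>

// Hypothetical guard (not the project's own): an address may not carry a
// byte that ends or splits an SMTP line, because the value is copied
// verbatim into both the envelope commands and the message headers.
bool hasLineBreakingByte(std::string_view value) {
    for (unsigned char c : value) {
        if (c == '\r' || c == '\n' || c == '\0') {
            return true;
        }
    }
    return false;
}

struct MailText {
    std::string envelope;  // MAIL FROM / RCPT TO commands
    std::string headers;   // From: / To: header lines
};

// Builds the envelope and header text, or std::nullopt when either address
// fails the guard. The check runs before any line is assembled, so a bad
// value never reaches the wire in any form.
std::optional<MailText> buildMailText(std::string_view fromAddress, std::string_view to) {
    if (hasLineBreakingByte(fromAddress) || hasLineBreakingByte(to)) {
        return std::nullopt;
    }
    MailText m;
    m.envelope += "MAIL FROM:<"; m.envelope += fromAddress; m.envelope += ">\r\n";
    m.envelope += "RCPT TO:<";   m.envelope += to;          m.envelope += ">\r\n";
    m.headers  += "From: ";      m.headers  += fromAddress; m.headers  += "\r\n";
    m.headers  += "To: ";        m.headers  += to;          m.headers  += "\r\n";
    return m;
}

int main() {
    // Constructed inputs: one clean pair, one carrying a CRLF.
    auto ok  = buildMailText("alice@example.com", "bob@example.com");
    auto bad = buildMailText("alice@example.com", "bob@example.com\r\n");
    return (ok.has_value() && !bad.has_value()) ? 0 : 1;
}
```

Iterating over a `std::string_view` by length (rather than treating the value as a C string) is what makes the NUL check meaningful; a `strlen`-based scan would stop at the first NUL and miss whatever follows it.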
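The H-3 reparenting check, as an added example rather than the project's `ScopeGuardRepository`: `save()` validates the scope label in the request body and, separately, looks up the existing row by entity id and validates its stored scope, so relabelling a row in the request cannot move it into the actor's scope. The class, `seed()` and `find()` are constructed for this illustration.

```cpp
#include <map>
#include <string>

// Constructed types for this illustration; not the project's own classes.
struct Entity {
    std::string id;
    std::string scope;    // the scope label as presented in the request body
    std::string payload;
};

class ScopeGuardedRepository {
public:
    // Load a row that already exists in storage (bypasses the guard, as a
    // migration or fixture would).
    void seed(const Entity& e) { rows_[e.id] = e; }

    // Returns true when the row is written, false when the guard rejects it.
    bool save(const std::string& actorScope, const Entity& incoming) {
        // Check 1: the row as the request describes it must be in scope.
        if (incoming.scope != actorScope) {
            return false;
        }
        // Check 2: look up the EXISTING row by entity id and check its
        // stored scope too. Without this, an actor could take over a row
        // in another scope simply by relabelling it in the request body.
        auto it = rows_.find(incoming.id);
        if (it != rows_.end() && it->second.scope != actorScope) {
            return false;
        }
        rows_[incoming.id] = incoming;
        return true;
    }

    // Read-back for the checks below; nullptr when the id is unknown.
    const Entity* find(const std::string& id) const {
        auto it = rows_.find(id);
        return it == rows_.end() ? nullptr : &it->second;
    }

private:
    std::map<std::string, Entity> rows_;
};

// Scenario: a row seeded in tenant-a, then a save from tenant-b that
// relabels it. Returns true when the guard holds (row untouched).
bool reparentingBlocked() {
    ScopeGuardedRepository repo;
    repo.seed({"row-1", "tenant-a", "original"});
    bool written = repo.save("tenant-b", {"row-1", "tenant-b", "hijacked"});
    const Entity* row = repo.find("row-1");
    return !written && row != nullptr
        && row->scope == "tenant-a" && row->payload == "original";
}

int main() { return reparentingBlocked() ? 0 : 1; }
```

The second lookup keys on the entity id alone; filtering the lookup by the request's scope label would make an out-of-scope row invisible to the check and silently recreate the defect.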