Cross-cutting input-validation, isolation, and DoS-resistance fixes across
the app, API, billing, queue, and infra layers.
- Runtime validation (zod) for client-supplied admin actions (role/plan/
limits), series generation index, and all pg-boss queue payloads
- Auth: require email verification before sign-in; reject weak/placeholder/
short BETTER_AUTH_SECRET in production
- Billing: sanitize Stripe/PayPal errors (log server-side, generic to client);
race-safe subscription upsert; only count "processed" webhook events as
handled; verify org membership in getEffectivePlan to block plan escalation
- Series generation: reserve usage up front and refund on failure; bill the
owning org, not the caller's active org
- Injection defenses: HTML-escape user fields in emails, strip CR/LF from
subject/recipient, validate ElevenLabs voiceId before URL interpolation
- Media routes: stream off disk instead of buffering whole files; rate-limit
anonymous public audio/cover endpoints by client IP
Leon Serfaty
51c541ad22