This file documents the current security posture of the code in this repository.

If you discover a vulnerability, report it privately to the maintainer before public disclosure.

• Include affected version, attack path, proof of concept, and impact.

• Direct access guards in PHP files (defined( 'ABSPATH' ) || exit;).
• Strict settings sanitization/allowlisting in Dewey_Settings.
• Admin asset loading gated by capability and allowlisted admin screens.
• Admin asset loading bypasses AJAX/cron contexts and supports a final policy filter gate.
• Asset manifest normalization before script/style registration (defensive type checks).
• Frontend prompt input normalization (control-char stripping and max-length guard).
• Frontend submit throttling and bounded in-memory chat history.
• Assistant system prompt sanitization at REST boundary before AI generation.
• Admin-gated non-public indexing mode (draft/private indexing requires explicit opt-in).
• REST route capability and nonce checks for query/status/reindex/confirm-action/execute-action.
• Content write actions (Dewey_Action_Handler) enforce per-action current_user_can() checks; Dewey can never perform an action the logged-in user cannot perform themselves.
• Destructive actions (trash, publish) are gated behind HMAC-signed, TTL-limited tokens verified by verify_action_token() before any database mutation.
• Created posts are always saved as drafts; publishing requires an explicit second confirmation step.
• Per-route, per-user server-side rate limiting with 429 responses.
• Index integrity checks with automatic orphan-entry cleanup and capped integrity reports.
• Build/release preflight checks (lint, tests, docs consistency, security scan).
• Release packaging hardening:
  • slug validation,
  • path containment checks,
  • symlink rejection,
  • non-regular file rejection,
  • strict runtime allowlist.
• Static security scanner checks for high-risk PHP patterns:
  • code execution primitives (eval, assert, create_function),
  • command execution (shell_exec, exec, passthru, system),
  • unsafe decoding/deserialization (base64_decode, unserialize),
  • dynamic include from superglobals,
  • preg_replace with /e modifier.
• Static security scanner checks for high-risk frontend patterns:
  • eval and new Function,
  • direct HTML sink usage (dangerouslySetInnerHTML, innerHTML, outerHTML).
• Navigation command sidebar scraper validates all scraped URLs against a strict allowlist (isSafeAdminUrl) before they enter the Fuse.js index or are used for navigation — prevents open-redirect via rogue plugin menu items.

• This repository ships Dewey REST endpoints at /wp-json/dewey/v1/:
  • POST /query
  • GET /status
  • POST /reindex
  • POST /confirm-action
  • POST /execute-action
• Query and status are editor-capable routes, while reindex/confirm-action/execute-action are admin-only.

Run before shipping:

1. npm run lint
2. npm run test:js
3. npm run test:php
4. npm run check
5. npm run release -- <version>

• Add endpoint-level nonce and capability negative tests.
• Add CI dependency audit and security-policy enforcement gates.