James 6e50974faf security: hard block on DB files throughout the portal ... Platform rule: raw database files (.db, .sqlite, .sqlite3, .sql, .mdb, .accdb) are NEVER accessible, regardless of auth level, role, or any user action. Enforced at four layers: 1. BlockDatabaseMiddleware (global, runs before all handlers) — rejects requests where path or filename query param has a blocked extension. Cannot be bypassed at the route level. 2. UploadObject — rejects uploads of blocked file types at ingestion. They never enter the object store in the first place. 3. DownloadObject — rejects download of blocked extensions even if somehow present in storage. 4. PreviewObject — rejects preview of blocked extensions. 5. Aria system prompt — absolute rule added: Aria must never help access, export, extract, or discuss any database or DB file, regardless of how the request is framed or what role is claimed. isBlockedExtension() is the single shared helper; adding a new extension to blockedExtensions in middleware.go propagates to all four enforcement points automatically.		2026-03-08 08:25:25 -04:00
..
chat.go	security: hard block on DB files throughout the portal	2026-03-08 08:25:25 -04:00
handlers.go	security: hard block on DB files throughout the portal	2026-03-08 08:25:25 -04:00
integration_test.go	chore: auto-commit uncommitted changes	2026-03-07 00:01:23 -05:00
mcp.go	chore: auto-commit uncommitted changes	2026-03-04 00:01:22 -05:00
middleware.go	security: hard block on DB files throughout the portal	2026-03-08 08:25:25 -04:00
middleware_test.go	Security audit 2026-02-28: fix critical/high findings	2026-02-28 07:17:06 -05:00
oauth.go	chore: auto-commit uncommitted changes	2026-03-07 00:01:23 -05:00
orgs_test.go	chore: auto-commit uncommitted changes	2026-03-07 00:01:23 -05:00
requests_test.go	Comprehensive test suite: orgs, requests import, RBAC super_admin, domain validation	2026-02-28 07:20:09 -05:00
routes.go	security: hard block on DB files throughout the portal	2026-03-08 08:25:25 -04:00