Scope

Earliest two commits on master. Pre-rewrite codebase. Span: 2026-03-11 → 2026-03-24.

There is no “initial commit” in the visible history — the first commit is already a security pass over an existing codebase, suggesting the project was imported from elsewhere or had its history rewritten before this point.

Commits

006a770 — 2026-03-11

“fix: Security hardening — 12 issues resolved across codebase”

Author: Shayer Rizvi. Co-author: Claude Sonnet 4.6. The first commit visible in master.

Critical fixes

  • keycloak.ts — replaced broken crypto.subtle.importKey('spki') with crypto.createVerify('RSA-SHA256') for JWT signature verification. Previous code did not actually verify signatures.
  • compliance.ts — switched opt-out hashing from SHA256(salt || contact) to HMAC-SHA256(key=salt, data=contact). Resists length-extension. See Opt-Out Hashes.
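To make the keycloak.ts point concrete, here is an added example (not the project's code; the page does not show the actual keycloak.ts) of RS256 JWT verification built on Node's crypto.createVerify('RSA-SHA256'), which is the primitive the commit switched to. The function names, the in-memory key pair and the sample payload are constructed for this illustration; in production the public key would come from the issuer's JWKS, and the verifier pins the algorithm instead of trusting the token's alg field.

```typescript
import { createSign, createVerify, generateKeyPairSync, KeyObject } from "node:crypto";

// Base64url-encode a string or buffer (Node's Buffer supports "base64url" natively).
function b64url(data: string | Buffer): string {
  return Buffer.from(data).toString("base64url");
}

// Decode a base64url segment and parse it as a JSON object; null on any failure.
function decodeJsonSegment(segment: string): Record<string, unknown> | null {
  try {
    const parsed = JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
    return parsed !== null && typeof parsed === "object" ? parsed : null;
  } catch {
    return null;
  }
}

// Mint an RS256 JWT (header.payload.signature). Only here so the verifier can
// be exercised offline; in production the issuer (Keycloak) does this.
export function signJwt(payload: Record<string, unknown>, privateKey: KeyObject): string {
  const header = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  const signingInput = `${header}.${body}`;
  const signature = createSign("RSA-SHA256").update(signingInput).sign(privateKey);
  return `${signingInput}.${b64url(signature)}`;
}

// Verify a compact JWT against an RSA public key with createVerify('RSA-SHA256').
// Returns the payload on success; null if the token is malformed, does not
// declare RS256, or the signature does not verify. The algorithm is fixed by
// the verifier, so a token cannot downgrade it.
export function verifyJwt(token: string, publicKey: KeyObject): Record<string, unknown> | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, body, signature] = parts;
  const hdr = decodeJsonSegment(header);
  if (hdr === null || hdr.alg !== "RS256") return null;
  const ok = createVerify("RSA-SHA256")
    .update(`${header}.${body}`)
    .verify(publicKey, Buffer.from(signature, "base64url"));
  return ok ? decodeJsonSegment(body) : null;
}

// Self-check: a freshly signed token verifies, a payload-tampered copy fails,
// and the token fails against a different issuer's key. Keys are generated in
// memory for the example (constructed, not the project's keys).
export function selfCheck(): { valid: boolean; tampered: boolean; wrongKey: boolean } {
  const issuer = generateKeyPairSync("rsa", { modulusLength: 2048 });
  const other = generateKeyPairSync("rsa", { modulusLength: 2048 });
  const token = signJwt({ sub: "user-123", role: "viewer" }, issuer.privateKey);
  const [header, , signature] = token.split(".");
  // Same header and signature, but the payload now claims a different role.
  const forged = `${header}.${b64url(JSON.stringify({ sub: "user-123", role: "admin" }))}.${signature}`;
  return {
    valid: verifyJwt(token, issuer.publicKey)?.sub === "user-123",
    tampered: verifyJwt(forged, issuer.publicKey) === null,
    wrongKey: verifyJwt(token, other.publicKey) === null,
  };
}
```

The tampered-payload case is the one that matters for the 2026-03-11 finding: a verifier that never actually checks the signature accepts the forged token just as readily as the genuine one.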

High

  • 8 API endpoints (leads, companies, organizations, users, projects, documents, scrape, export): parseInt() was returning NaN on malformed query params; added radix and || fallback.
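An added example (not the repository's code) showing the parseInt() behaviour the commit fixed and the two-part remedy it describes, radix 10 plus a `||` fallback. The second function goes beyond the commit: it is an assumption about how one might tighten the same parsing, and it also covers the edge case where a legitimate `0` would be discarded by `||`.

```typescript
// The fix as described in 006a770: explicit radix 10 plus a `||` fallback,
// so a malformed value yields the default instead of NaN reaching the query layer.
export function parseIntParam(raw: string | undefined, fallback: number): number {
  return parseInt(raw ?? "", 10) || fallback;
}

// Stricter variant (added here, not what the commit does): accepts only whole
// decimal numbers, keeps a legitimate 0 (which `||` would replace with the
// fallback), and clamps the result into [min, max] so a caller cannot request
// an arbitrarily large page or offset.
export function parseBoundedInt(
  raw: string | undefined,
  fallback: number,
  min: number,
  max: number,
): number {
  if (raw === undefined || !/^-?\d{1,15}$/.test(raw)) return fallback;
  const n = Number(raw); // at most 15 digits, so always a safe integer
  return Math.min(max, Math.max(min, n));
}

// Pagination parameters for a list endpoint (constructed: page >= 1, 1 <= limit <= 100).
export function pagination(query: Record<string, string | undefined>): { page: number; limit: number } {
  return {
    page: parseBoundedInt(query.page, 1, 1, 1_000_000),
    limit: parseBoundedInt(query.limit, 20, 1, 100),
  };
}
```

Note the radix effect: with radix 10, `"0x10"` parses as `0` (then falls back), whereas `parseInt("0x10")` without a radix returns 16.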

Medium

  • lib/webhooks.ts — length check before crypto.timingSafeEqual() to prevent uncaught TypeError.
  • api/middleware/rate-limit.ts — validate X-Forwarded-For to prevent header injection into Redis keys.
  • db/schema.ts — GIN index on companies.enriched_data.
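The two middleware items above each describe a small input check. The following is an added example (not the project's lib/webhooks.ts or rate-limit.ts, which the page does not show) that implements both in the shape a practitioner would expect: a length check before crypto.timingSafeEqual() so a bad signature header returns false instead of throwing, and an X-Forwarded-For value that is only used in the Redis key when it is a well-formed IP literal. Function names, the sample secret and the header values are constructed for the example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";
import { isIP } from "node:net";

// lib/webhooks.ts-style check: compare the signature header against the HMAC
// of the raw body. timingSafeEqual throws a TypeError when the two buffers
// differ in length, so a missing, truncated or non-hex header is rejected
// first instead of becoming an uncaught exception in the request handler.
export function verifyWebhookSignature(
  rawBody: string,
  signatureHeader: string | undefined,
  secret: string,
): boolean {
  if (typeof signatureHeader !== "string") return false;
  const received = Buffer.from(signatureHeader, "hex"); // invalid hex yields a short buffer
  const expected = createHmac("sha256", secret).update(rawBody).digest();
  if (received.length !== expected.length) return false;
  return timingSafeEqual(received, expected);
}

// api/middleware/rate-limit.ts-style check: choose the address that goes into
// the Redis key. Only the left-most X-Forwarded-For entry is considered, and
// only if it is a syntactically valid IPv4/IPv6 literal; anything else
// (including values carrying separators or control characters) falls back to
// the socket address, so header content is never spliced into the key.
export function clientIpForRateLimit(
  forwardedFor: string | string[] | undefined,
  socketAddress: string,
): string {
  const headerValue = (Array.isArray(forwardedFor) ? forwardedFor[0] : forwardedFor) ?? "";
  const candidate = headerValue.split(",")[0].trim();
  return isIP(candidate) !== 0 ? candidate : socketAddress;
}

// The key actually written to Redis (prefix is constructed for the example).
export function rateLimitKey(forwardedFor: string | string[] | undefined, socketAddress: string): string {
  return `ratelimit:${clientIpForRateLimit(forwardedFor, socketAddress)}`;
}
```

One caveat beyond what the commit states: the left-most X-Forwarded-For entry is client-supplied, so validating its syntax stops key injection but not spoofing. Behind a known reverse proxy, the entry that proxy appended (typically the right-most) is the one to rate-limit on.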

Low

  • cache.ts — removed stale RATSIT / PROFF key prefixes from dropped data sources.

Tests: 56 unit tests pass after the change. tsc and eslint clean.

106d384 — 2026-03-24

“chore: restore point — pre enterprise enrichment plan implementation”

Plain restore-point commit. Body says “Captures all modified files before Phase 1 critical fixes begin” and references plans/ENTERPRISE_ENRICHMENT_PLAN.md. No functional change worth describing — this is a save before the History Phase Refactor Era tear-down.

Significance

  • The HMAC-SHA256 switch is a breaking change for opt-out matching. Any opt-out hashes computed under the old SHA256 scheme are now invalid.
  • The keycloak fix means JWT verification was non-functional before 2026-03-11. Treat anything authenticated before that date as untrusted.
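The compliance.ts change under Critical fixes and the first Significance point describe the same thing from two sides: the old SHA256(salt || contact) digest versus the new HMAC-SHA256(key=salt, data=contact), and the fact that stored hashes from the old scheme stop matching. The block below is an added example (not the project's compliance.ts, which the page does not show) that implements both schemes side by side and adds an audit helper that tells, for a given contact, whether a stored hash came from the legacy scheme. The contact normalisation, the function names and the sample salt are assumptions made for the example.

```typescript
import { createHash, createHmac, timingSafeEqual } from "node:crypto";

export type HashScheme = "hmac-sha256" | "legacy-sha256" | "unknown";

// Canonicalise a contact before hashing (assumption; the commit does not say
// how contacts are normalised, but without it "A@B.com " and "a@b.com" differ).
export function normalizeContact(contact: string): string {
  return contact.trim().toLowerCase();
}

// Legacy scheme from before 006a770: SHA256(salt || contact). A plain
// Merkle-Damgard digest is the hash's internal state after absorbing the
// input, which is why it can be extended without knowledge of the salt.
export function legacyOptOutHash(salt: string, contact: string): string {
  return createHash("sha256").update(salt).update(normalizeContact(contact)).digest("hex");
}

// Current scheme: HMAC-SHA256 keyed with the salt. The nested keyed
// construction means the output exposes no usable intermediate state.
export function optOutHash(salt: string, contact: string): string {
  return createHmac("sha256", salt).update(normalizeContact(contact)).digest("hex");
}

// Constant-time comparison of two hex digests; a length mismatch is just false.
function digestsEqual(a: string, b: string): boolean {
  const bufA = Buffer.from(a, "hex");
  const bufB = Buffer.from(b, "hex");
  return bufA.length > 0 && bufA.length === bufB.length && timingSafeEqual(bufA, bufB);
}

// Decide which scheme (if any) produced a stored opt-out hash for this contact.
// Useful when auditing the table after the switch: "legacy-sha256" rows are
// the ones that silently stopped matching on 2026-03-11.
export function classifyStoredHash(salt: string, contact: string, stored: string): HashScheme {
  if (digestsEqual(stored, optOutHash(salt, contact))) return "hmac-sha256";
  if (digestsEqual(stored, legacyOptOutHash(salt, contact))) return "legacy-sha256";
  return "unknown";
}

// Re-key a legacy row at match time: returns the HMAC digest when the stored
// value is the legacy digest for this contact, otherwise null.
export function rehashIfLegacy(salt: string, contact: string, stored: string): string | null {
  return classifyStoredHash(salt, contact, stored) === "legacy-sha256"
    ? optOutHash(salt, contact)
    : null;
}
```

Because the opt-out table only holds digests, a legacy row can only be re-keyed at the moment the matching contact is presented again; rows for contacts that never reappear cannot be migrated and should be treated as unmatched, which is the practical meaning of "now invalid" above.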

See also

Opt-Out Hashes, History Overview, Notable Commits.
