feat(security): production-readiness PR 1 — bearer auth, security headers, error envelope

First of 5 PRs landing the production-readiness audit fixes. Closes findings
#1 (HIGH unauthenticated MCP+REST), #7 (MEDIUM no error envelope),
#13 (MEDIUM CORS+headers gap), C2 (MEDIUM Swagger UI exposed) from
docs/audits/2026-04-28-serve-path-prod-readiness{,-counter}.md.

- Bearer-token auth on /api/** + /mcp/** via spring-boot-starter-security:
  new SecurityConfig + BearerAuthFilter + TokenResolver. SHA-256 pre-hash
  for length-oracle-safe constant-time compare. RFC 7235 case-insensitive
  scheme matching. Auth header value never reaches a logger. Permit list:
  /, /index.html, /favicon.ico, /assets/**, /static/**, /error,
  /actuator/health/{liveness,readiness}.
- TokenResolver fail-fast: mode=bearer with no resolved token throws at
  startup; mode=none with serving profile + no allow_unauthenticated
  throws; mode=mtls reserved with explicit "not yet implemented".
- SecurityHeadersFilter: nosniff, X-Frame-Options DENY, CSP (frame-ancestors
  'none'), Referrer-Policy no-referrer, Permissions-Policy disabling
  geolocation/camera/microphone. HSTS only when X-Forwarded-Proto: https.
- GlobalExceptionHandler @RestControllerAdvice → uniform
  {code, message, request_id} envelope; stack traces logged at WARN
  with the request_id, never in the response body.
- CorsConfig default changed from loopback to empty (deny-all).
- application.yml serving profile: springdoc disabled, server.error.*
  set to never, management.endpoints.web.exposure.include narrowed to
  health,info, health.show-details: never.
- application.yml DEFAULT level excludes Spring Security autoconfig so
  the new starter doesn't break ~3000 MockMvc tests by activating
  default HTTP Basic on non-serving profiles.
- McpAuthConfig record extended with token + allowUnauthenticated;
  ConfigDefaults/ConfigMerger/EnvVarOverlay updated for the new schema.
- 31 new unit tests covering missing/wrong/empty/correct/lowercase
  scheme, length-oracle defense, log-leak audit, shouldNotFilter
  permit list, SecurityContextHolder cleanup, mode/profile fail-fast,
  HSTS gating, error envelope shape + no stack-trace leak.
- Full suite: 3453 tests / 0 failures / 0 errors.

Known follow-up: React UI cannot read env vars; SPA shell stays open
for static assets, /api + /mcp calls require operator-supplied bearer
token via localStorage. First-class UI auth bootstrap is its own design.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: aksOps

CHANGELOG.md

@@ -225,6 +225,86 @@ for that specific tag for the per-commit details.
   path-B board ruling, they are not to be re-introduced without an explicit
   board reversal — see `shared/runbooks/engineering-standards.md` §5.1.
 
+### Security
+
+- **Production-readiness PR 1 of 5 — security baseline.** First half of the
+  audit findings catalogued under `docs/audits/2026-04-28-serve-path-prod-readiness.md`
+  (+ `-counter.md`). Closes audit findings #1, #7, #13 (HIGH/MEDIUM) and C2 (MEDIUM).
+  - **Bearer-token auth on `/api/**` and `/mcp/**`** (audit #1). Added
+    `spring-boot-starter-security`. New `config/security/SecurityConfig`,
+    `BearerAuthFilter`, `TokenResolver`. Token source priority:
+    `CODEIQ_MCP_TOKEN` env > `codeiq.mcp.auth.token` config > startup failure.
+    Constant-time compare via SHA-256 pre-hash + `MessageDigest.isEqual` —
+    32-byte digests on both sides defeat the length oracle. RFC 7235 §2.1
+    case-insensitive scheme matching (`Bearer`, `bearer`, etc.). Authorization
+    header value never reaches a logger from this code. Permit list:
+    `/`, `/index.html`, `/favicon.ico`, `/assets/**`, `/static/**`, `/error`,
+    `/actuator/health/{liveness,readiness}` — everything else under
+    `/api/**`, `/mcp/**`, `/actuator/**` requires the bearer token.
+  - **Fail-fast on misconfiguration** (audit #14 partial). `mode=bearer` with
+    no token resolved → throws at startup. `mode=none` with active `serving`
+    profile and `allow_unauthenticated` not explicitly set → throws at
+    startup. `mode=mtls` is reserved and explicitly throws "not yet
+    implemented" rather than silently passing through.
+  - **Defensive response headers** (audit #13). New
+    `config/security/SecurityHeadersFilter` sets `X-Content-Type-Options:
+    nosniff`, `X-Frame-Options: DENY`, `Content-Security-Policy: default-src
+    'self'; ... frame-ancestors 'none'`, `Referrer-Policy: no-referrer`,
+    `Permissions-Policy` disabling geolocation/camera/microphone.
+    `Strict-Transport-Security: max-age=31536000; includeSubDomains` is set
+    only when `X-Forwarded-Proto: https` is present (AKS terminates TLS at
+    ingress) — setting HSTS over plain HTTP would lock out misconfigured envs.
+  - **Uniform error envelope** (audit #7). New
+    `api/GlobalExceptionHandler` (`@RestControllerAdvice`,
+    `@Profile("serving")`) maps every uncaught exception to
+    `{"code","message","request_id"}` with the right HTTP status.
+    `IllegalArgumentException` → 400 with surfaced message.
+    `ResponseStatusException` → status code passes through. Anything else →
+    500 with generic message; the actual exception is logged at WARN with
+    the `request_id` so on-call can correlate without leaking stack frames
+    to the client. `application.yml` now sets
+    `server.error.include-stacktrace: never` + `include-message: never` +
+    `include-binding-errors: never` as belt-and-suspenders.
+  - **Default CORS deny-all in serving** (audit #13). `config/CorsConfig`
+    default changed from loopback patterns to empty. Empty means register
+    no mappings → Spring MVC rejects all preflighted cross-origin requests.
+    Operators who genuinely need cross-origin (e.g. dev with a separate
+    Vite server on a different port) explicitly set
+    `codeiq.cors.allowed-origin-patterns`. Logs the resolved state at
+    startup. The React UI at `/` is unaffected — it's served same-origin.
+  - **Swagger UI / api-docs disabled in serving** (counter-audit C2).
+    `springdoc.api-docs.enabled: false` + `springdoc.swagger-ui.enabled: false`
+    in the serving profile of `application.yml`. The OpenAPI schema is
+    reconnaissance data; reachable only when running locally or with the
+    indexing profile.
+  - **`management.endpoints.web.exposure.include` narrowed** to `health,info`
+    in serving (was `health,info,metrics`); `health.show-details: never`.
+    Defense-in-depth alongside the `SecurityFilterChain` `authenticated()`
+    rule on `/actuator/**`.
+  - **Spring Security autoconfig excluded outside serving.** Without the
+    `serving` profile (CLI, tests, IDE runs), Spring Security's default
+    HTTP Basic chain would lock all endpoints — adding the starter would
+    break ~3000 existing tests that pass through MockMvc with no token.
+    `application.yml` excludes `SecurityAutoConfiguration`,
+    `SecurityFilterAutoConfiguration`, `UserDetailsServiceAutoConfiguration`
+    at the default level; the `serving` profile re-enables them by listing
+    only `UserDetailsServiceAutoConfiguration` (so the auto user/password
+    is suppressed but the filter chain is built from `SecurityConfig`).
+  - **Tests:** 31 new unit tests across `BearerAuthFilterTest` (14 cases:
+    missing/wrong/empty/correct/lowercase scheme, length-oracle defense,
+    log-leak audit, `shouldNotFilter` paths, `SecurityContextHolder` cleanup),
+    `TokenResolverTest` (9 cases for mode/profile/env-priority/fail-fast),
+    `SecurityHeadersFilterTest` (5 cases for header presence/HSTS gating),
+    `GlobalExceptionHandlerTest` (3 cases verifying the envelope shape and
+    no stack-trace leak). Full suite: 3453 tests / 0 failures / 0 errors.
+
+  **Known follow-up (not in this PR):** the React UI cannot read env vars,
+  so the SPA shell is unauthenticated to access static assets. API/MCP calls
+  from the UI must inject `Authorization: Bearer <token>` from
+  operator-supplied localStorage. A first-class UI auth bootstrap (login
+  flow + token-issuance endpoint, OR server-side template injection) is its
+  own design — tracked as a follow-up issue.
+
 ## [0.1.0] - 2026-03-28
 
 First general-availability cut. See the

CLAUDE.md

@@ -433,6 +433,12 @@ bean for code paths that haven't been ported yet.
 - **Parallel agent conflicts**: Don't dispatch multiple agents editing the same files concurrently. Use worktree isolation or sequential execution.
 - **SonarCloud project key**: `RandomCodeSpace_codeiq`, org: `randomcodespace`
 - **CI workflow**: Single `ci-java.yml` runs build + SonarCloud analysis. No cross-platform builds needed (JVM).
+- **Spring Security only loads in the `serving` profile.** `application.yml` excludes `SecurityAutoConfiguration` + `SecurityFilterAutoConfiguration` + `UserDetailsServiceAutoConfiguration` at the **default** level so adding `spring-boot-starter-security` doesn't break ~3000 MockMvc tests by activating a default HTTP Basic chain. The `serving` profile re-enables them by listing only `UserDetailsServiceAutoConfiguration` (suppresses the auto user/password printout); the chain itself is built by `config/security/SecurityConfig`. **Don't** drop the default exclude — non-serving contexts (CLI, tests) must have no Spring Security wiring at all.
+- **`BearerAuthFilter.shouldNotFilter` and `SecurityConfig.permitAll()` paths must stay in sync.** The filter runs before Spring's `AuthorizationFilter`, so if a path is in `permitAll()` but NOT in `shouldNotFilter`, the filter rejects it with 401 before Spring's chain can permit it. Open paths today: `/`, `/index.html`, `/favicon.ico`, `/assets/**`, `/static/**`, `/error`, `/actuator/health`, `/actuator/health/liveness`, `/actuator/health/readiness`. Adding any new permit-all endpoint requires updating BOTH places.
+- **Constant-time bearer-token compare uses SHA-256 pre-hash.** Both the provided and expected token are hashed with SHA-256 before `MessageDigest.isEqual`. SHA-256 always produces 32-byte digests, so `isEqual` runs over fixed-size arrays — defeats the length oracle that makes raw `isEqual` unsafe across mismatched-length inputs. **Don't** "optimize" by removing the hash and comparing raw token bytes; that re-introduces the oracle.
+- **Never log the `Authorization` header.** `BearerAuthFilter` deliberately never passes the header value to a logger, even at DEBUG. The rejection log line carries only `method` and `requestURI`. There's a regression test (`tokenValueNeverAppearsInLogs`) that captures all log lines for the filter and asserts the secret substring is absent.
+- **`mode=none` + active `serving` profile = startup failure** unless `codeiq.mcp.auth.allow_unauthenticated=true` is **explicitly** set. This is by design — operators must opt into permissive mode deliberately. `mode=mtls` is reserved and currently throws "not yet implemented" (better than silently passing through).
+- **`server.error.include-stacktrace: never`** is set in the serving profile as defense-in-depth alongside `GlobalExceptionHandler`. Don't enable it for "easier debugging" — stack frames in the response body leak class names + paths (CWE-209). Use the `request_id` in the envelope to correlate to the WARN log line where the full stack is captured.
 
 ## Supply-chain observability (OpenSSF)
 

pom.xml

@@ -155,6 +155,10 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-actuator</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
 
         <!-- Neo4j Embedded (Community Edition) -->
         <dependency>

src/main/java/io/github/randomcodespace/iq/api/GlobalExceptionHandler.java

@@ -0,0 +1,71 @@
+package io.github.randomcodespace.iq.api;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.slf4j.MDC;
+import org.springframework.context.annotation.Profile;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.ExceptionHandler;
+import org.springframework.web.bind.annotation.RestControllerAdvice;
+import org.springframework.web.server.ResponseStatusException;
+
+import java.util.LinkedHashMap;
+import java.util.Map;
+import java.util.UUID;
+
+/**
+ * Uniform error envelope for the REST API: {@code {"code","message","request_id"}}
+ * with the appropriate HTTP status. Stack traces and class names never reach the
+ * response body — only logged at WARN with the {@code request_id} so on-call can
+ * correlate.
+ *
+ * <p>Active in the {@code serving} profile only.
+ */
+@RestControllerAdvice
+@Profile("serving")
+public class GlobalExceptionHandler {
+
+    private static final Logger log = LoggerFactory.getLogger(GlobalExceptionHandler.class);
+
+    @ExceptionHandler(ResponseStatusException.class)
+    public ResponseEntity<Map<String, Object>> handleResponseStatus(ResponseStatusException ex) {
+        HttpStatus status = HttpStatus.resolve(ex.getStatusCode().value());
+        String code = status != null ? status.name() : "ERROR";
+        String message = ex.getReason() != null
+                ? ex.getReason()
+                : (status != null ? status.getReasonPhrase() : "Error");
+        return ResponseEntity.status(ex.getStatusCode()).body(envelope(code, message));
+    }
+
+    @ExceptionHandler(IllegalArgumentException.class)
+    public ResponseEntity<Map<String, Object>> handleBadInput(IllegalArgumentException ex) {
+        // Validation errors are surfaceable — but never include the class name or
+        // a stack trace.
+        return ResponseEntity
+                .status(HttpStatus.BAD_REQUEST)
+                .body(envelope("INVALID_INPUT", ex.getMessage()));
+    }
+
+    @ExceptionHandler(Throwable.class)
+    public ResponseEntity<Map<String, Object>> handleAny(Throwable ex) {
+        String requestId = currentRequestId();
+        log.warn("Unhandled exception (request_id={})", requestId, ex);
+        return ResponseEntity
+                .status(HttpStatus.INTERNAL_SERVER_ERROR)
+                .body(envelope("INTERNAL_ERROR", "An internal error occurred."));
+    }
+
+    private static Map<String, Object> envelope(String code, String message) {
+        Map<String, Object> body = new LinkedHashMap<>();
+        body.put("code", code);
+        body.put("message", message);
+        body.put("request_id", currentRequestId());
+        return body;
+    }
+
+    private static String currentRequestId() {
+        String id = MDC.get("request_id");
+        return id != null ? id : UUID.randomUUID().toString();
+    }
+}

src/main/java/io/github/randomcodespace/iq/config/CorsConfig.java

@@ -1,12 +1,16 @@
 package io.github.randomcodespace.iq.config;
 
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
 import org.springframework.web.servlet.config.annotation.CorsRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
+import jakarta.annotation.PostConstruct;
+
 /**
  * CORS configuration for the {@code serving} profile.
  *
@@ -16,17 +20,21 @@
  * analysis happens locally via the CLI ({@code codeiq index} / {@code codeiq enrich})
  * and the server never accepts data manipulation.
  *
- * <p>Default origin patterns cover the common local-dev cases (loopback on any port).
- * Override via {@code codeiq.cors.allowed-origin-patterns} (CSV) when serving over a
- * trusted network or behind a reverse proxy.
+ * <p><b>Default is deny-all in serving.</b> The React UI is served same-origin from the
+ * same Spring container, so cross-origin access is not required for normal operation.
+ * Operators who genuinely need cross-origin access (e.g., serving the API behind a
+ * reverse proxy at a different origin) must explicitly set
+ * {@code codeiq.cors.allowed-origin-patterns} to a non-empty CSV — when empty, no CORS
+ * mappings are registered and Spring MVC rejects all preflighted cross-origin requests.
+ *
+ * <p>Local development with the Vite dev server (running on a separate port) is the
+ * usual reason to set this — typical value: {@code http://localhost:[*],http://127.0.0.1:[*]}.
  */
 @Configuration
 @Profile("serving")
 public class CorsConfig {
 
-    /** Default allowed origin patterns: loopback on any port (covers local dev / IDE proxies). */
-    static final String DEFAULT_ALLOWED_ORIGIN_PATTERNS =
-            "http://localhost:[*],http://127.0.0.1:[*]";
+    private static final Logger log = LoggerFactory.getLogger(CorsConfig.class);
 
     /** Read-only REST API: only safe / preflight verbs. */
     static final String[] API_ALLOWED_METHODS = {"GET", "OPTIONS"};
@@ -37,11 +45,26 @@ public class CorsConfig {
     /** Allow all request headers — clients commonly send custom MCP / Auth headers. */
     static final String ALLOWED_HEADERS = "*";
 
-    @Value("${codeiq.cors.allowed-origin-patterns:" + DEFAULT_ALLOWED_ORIGIN_PATTERNS + "}")
-    private String allowedOriginPatterns = DEFAULT_ALLOWED_ORIGIN_PATTERNS;
+    /** Empty default = deny-all (no mappings registered). */
+    @Value("${codeiq.cors.allowed-origin-patterns:}")
+    private String allowedOriginPatterns = "";
+
+    @PostConstruct
+    void logCorsState() {
+        if (allowedOriginPatterns == null || allowedOriginPatterns.isBlank()) {
+            log.info("CORS: deny-all (no allowed-origin-patterns configured). "
+                    + "Set codeiq.cors.allowed-origin-patterns to enable cross-origin access.");
+        } else {
+            log.info("CORS: allowed-origin-patterns = {}", allowedOriginPatterns);
+        }
+    }
 
     @Bean
     public WebMvcConfigurer corsConfigurer() {
+        if (allowedOriginPatterns == null || allowedOriginPatterns.isBlank()) {
+            // Deny-all: register no mappings. Spring MVC rejects cross-origin requests.
+            return new WebMvcConfigurer() {};
+        }
         String[] patterns = allowedOriginPatterns.split(",");
         return new WebMvcConfigurer() {
             @Override