
Security: div0rce/one-knight-stand


docs/SECURITY.md

Security Model

Scope

This project targets a constrained event deployment (Rutgers-only, run-scoped matching), with explicit controls for auth abuse, admin authority, and irreversible state transitions.

Authentication

OTP issuance (send-code)

  • Non-enumerable response contract: every request returns 200 { ok: true }, whether a code was sent, the address was throttled, or issuance was suppressed.
  • Request rate limiting per email actor.
  • Cooldown between sends to the same address, to reduce send abuse.
  • Redis outage path intentionally suppresses OTP issuance (no code is generated or sent) while still returning the same 200 { ok: true }, so an outage cannot be used to probe for addresses.

OTP verification (verify-code)

  • Verification rate limit returns 429.
  • Wrong-code attempts are tracked per OTP issuance; requesting a new code starts a new counter.
  • OTP burned on lockout or success, so a code cannot be replayed and a locked-out code cannot be guessed further.
  • timingSafeEqual used for hash comparison (fixed-length digests, never the raw code string).
  • Redis outage fails closed (503): without the store the rate limit and attempt counter cannot be enforced, so verification is refused.

Session

  • Signed HMAC cookie with expiry.
  • Session freshness enforced for admin operations.

Admin Authorization

Preferred admin path:

  • Session principal + DB role lookup in admin_users.

Legacy bridge:

  • MATCH_ADMIN_TOKEN accepted for backward compatibility and tagged as legacy in behavior/audit metadata.

Data Integrity

  • Survey contract is immutable within a version.
  • Confirmation is phase-gated and idempotent.
  • Final run materialization uses lock row semantics and completion marker.
  • final_matches.run_id has FK RESTRICT to match_runs.run_id.

Auditability

Sensitive flows generate audit events in audit_events:

  • OTP request/verify events
  • admin materialize/reset events
  • reveal access events

Audit persistence is DB-based and best-effort; route behavior does not depend on audit write success, so a failed audit write produces a gap in audit_events rather than a failed request.

Network / IP Handling

Client IP extraction trusts x-forwarded-for only when:

  • VERCEL=1, or
  • TRUST_PROXY=1

Otherwise the header is ignored, since any client can set it, and request.ip is used on a best-effort basis.

Known Constraints

  • Turso/libsql operational limits and regional placement apply to latency/reliability.
  • Gmail deliverability can vary by account/reputation.
  • Legacy admin token path should be retired after session-admin rollout validation.

Hardening Roadmap (Post-M3)

  1. Remove legacy admin token path.
  2. Add stronger operational alerting around audit anomalies.
  3. Add periodic audit/report archival workflow if retention grows.
