feat: add auth frontend React app for Firefox Sync setup

[layertwo]

Implements the auth-frontend spec as a React + TypeScript SPA using
Vite, Tailwind CSS v4, and shadcn/ui components. The app guides users
through OIDC authentication (OAuth 2.0 + PKCE) and displays the Token
Server URI needed to configure Firefox Sync in about:config.

Also removes stale TODO section from lambda/README.md — all items
listed there were already fully implemented.

https://claude.ai/code/session_01H7N7JBgYGnkJjzj7mF88F7

[claude]

Claude finished @layertwo's task in 1m 41s —— View job

---

Code Review Complete ✓

Review Checklist

Core Quality

• Code follows conventions - TypeScript/React patterns are well-structured
• No commented-out code - Clean implementation
• Proper error handling - Comprehensive error handling throughout
• DRY principle applied - Good modularization

Python & Development

• N/A - This is a TypeScript/React frontend application

Security

• No hardcoded secrets - Config uses placeholder values
• Input validation present - CSRF protection via state parameter
• Command/injection restrictions - No direct command execution
• Secure error handling - Errors don't expose sensitive details

OWASP Top 10

• SQL Injection - N/A (no database queries in frontend)
• Cross-Site Scripting (XSS) - 1 MEDIUM issue found
• Broken Authentication - Properly implemented with PKCE
• Sensitive Data Exposure - 1 LOW issue found
• XML External Entities (XXE) - N/A (no XML parsing)
• Broken Access Control - N/A (relies on backend)
• Security Misconfiguration - 1 LOW issue found
• Cross-Site Request Forgery (CSRF) - Properly mitigated with state parameter
• Using Components with Known Vulnerabilities - Dependencies appear current
• Insufficient Logging & Monitoring - Adequate for frontend app

Documentation

• README updated - Generic Vite template README, could be improved
• Complex logic commented - Code is self-documenting

---

Security Findings Summary

MEDIUM Severity Issues

1. Potential XSS via Error Message Display (ErrorPage.tsx:38-40)

• Location: frontend/src/components/ErrorPage.tsx:38
• Issue: Error details are rendered with whitespace-pre-line but not sanitized. If error messages contain user-controlled content (e.g., from URL parameters or API responses), this could allow XSS.
• Impact: If an attacker can control error message content (e.g., via malicious OAuth callback parameters), they could inject HTML/JavaScript.
• Recommendation: Sanitize error details before display or ensure error messages never contain user-controlled content.
• Code:

<p className="text-sm text-muted-foreground whitespace-pre-line">
  {details}
</p>

LOW Severity Issues

1. Sensitive Token Exposure in Console Logs (App.tsx:30)

• Location: frontend/src/App.tsx:30
• Issue: Errors are logged to console with console.error, which could expose error details containing tokens or sensitive information in production.
• Recommendation: In production builds, avoid logging detailed error information to the console. Use a proper error tracking service instead.
• Code:

console.error(`[ffsync] ${title}: ${message}`, details ?? "")

2. Missing Content Security Policy (CSP)

• Location: frontend/index.html
• Issue: No CSP headers are configured, which could help mitigate XSS attacks.
• Recommendation: Add CSP meta tag or configure CSP headers at the CDN/web server level to restrict inline scripts and external resource loading.

3. Session Storage Data Not Encrypted

• Location: frontend/src/lib/session.ts
• Issue: PKCE code verifier and state are stored in sessionStorage without encryption. While sessionStorage is origin-bound, if an attacker gains XSS access, they could steal these values.
• Impact: Combined with the XSS risk above, this could allow session hijacking.
• Recommendation: While sessionStorage is reasonably secure for temporary OAuth state, consider the defense-in-depth principle. Document that CSP and XSS prevention are critical security controls.

---

Code Quality Observations

Strengths

1. Excellent OAuth/OIDC Implementation: Properly implements PKCE (RFC 7636) with secure random values and SHA-256 challenge
2. Strong CSRF Protection: State parameter is properly validated in the OAuth callback
3. Good Error Handling: Comprehensive error messages help users troubleshoot issues
4. Type Safety: Excellent TypeScript usage with proper type definitions
5. Clean Architecture: Well-organized module structure with clear separation of concerns
6. Browser Compatibility Checks: Proactive validation of required browser features

Areas for Improvement

1. Error Message Handling (MEDIUM Priority)
The current error display pattern could be vulnerable to XSS:

• ErrorPage.tsx:38 - Unsanitized error details rendering
• App.tsx:71 - Error messages may include unsanitized external input

Fix suggestion: Add DOMPurify or ensure error messages are always developer-controlled strings.

2. README Documentation (LOW Priority)
frontend/README.md still contains the generic Vite template content. Should document:

• Purpose of the auth frontend
• Configuration requirements
• Deployment instructions
• Security considerations

3. Configuration Validation (LOW Priority)
config.ts:30-31 - URL sanitization only removes trailing slashes. Consider validating URL format more strictly:

// Consider adding URL validation
try {
  new URL(config.oidcProviderUrl);
  new URL(config.tokenServerUrl);
} catch {
  throw new Error(`Invalid URL format in configuration`);
}

4. Missing Security Headers (LOW Priority)
Consider documenting that the following headers should be set at the web server/CDN level:

• Content-Security-Policy
• X-Content-Type-Options: nosniff
• X-Frame-Options: DENY
• Referrer-Policy: no-referrer

---

Recommendations

1. Address XSS Risk (MEDIUM): Sanitize error messages or ensure they never contain user-controlled content
2. Update README (LOW): Replace generic Vite content with app-specific documentation
3. Document Security Requirements (LOW): Add security considerations section to README
4. Remove Production Console Logging (LOW): Strip console.error calls in production builds

---

Overall Assessment

This is a well-implemented OAuth/OIDC frontend with proper PKCE support and good security practices. The code is clean, type-safe, and follows React best practices. The main concern is the potential XSS vector through error message rendering, which should be addressed before production deployment.

The authentication flow is secure, properly validates state parameters to prevent CSRF, and follows OAuth 2.0 + PKCE best practices. The session management is appropriate for a temporary authentication flow.

Recommendation: Approve after addressing the MEDIUM severity XSS issue.

[github-actions]

Coverage report

This PR does not seem to contain any modification to coverable code.

[claude]

Claude finished @layertwo's task in 1m 53s —— View job

---

Code Review Complete ✓

Review Checklist

Core Quality

• Code follows conventions - TypeScript/React patterns well-structured
• No commented-out code - Clean implementation
• Proper error handling - Comprehensive error handling throughout
• DRY principle applied - Good modularization

Python & Development

• N/A - This is a TypeScript/React frontend application

Security

• No hardcoded secrets - Config uses placeholder values
• Input validation present - CSRF protection via state parameter
• Command/injection restrictions - No command execution vulnerabilities
• Secure error handling - 1 MEDIUM issue identified

OWASP Top 10

• SQL Injection - N/A (no database in frontend)
• Cross-Site Scripting (XSS) - 1 MEDIUM issue identified
• Broken Authentication - Properly implemented with PKCE
• Sensitive Data Exposure - 1 LOW issue identified
• XML External Entities (XXE) - N/A (no XML parsing)
• Broken Access Control - N/A (relies on backend)
• Security Misconfiguration - 1 LOW issue identified
• Cross-Site Request Forgery (CSRF) - Properly mitigated with state parameter
• Using Components with Known Vulnerabilities - Dependencies appear current
• Insufficient Logging & Monitoring - Adequate for frontend

Documentation

• README updated - Generic Vite template remains (LOW priority improvement)
• Complex logic commented - Code is self-documenting

---

Security Issues Summary

MEDIUM Severity

Potential XSS via Unsanitized Error Display (ErrorPage.tsx:38-40)

• Location: frontend/src/components/ErrorPage.tsx:38
• Issue: Error details prop is rendered directly with whitespace-pre-line className without sanitization. If error messages can include user-controlled content (from URL parameters, API responses, or OAuth callback parameters), this creates an XSS vector.
• Impact: An attacker controlling error message content could inject malicious HTML/JavaScript.
• Evidence:

<p className="text-sm text-muted-foreground whitespace-pre-line">
  {details}
</p>

• Current usage: Error details are passed from:

  • App.tsx:72 - Static troubleshooting text (safe)
  • App.tsx:110 - Static troubleshooting text (safe)
  • oauth.ts:40 - OAuth error_description from URL params (UNSAFE - user-controllable)
  • oauth.ts:108 - Token exchange error details from API (potentially unsafe)
  • token-server.ts:36,41 - Token server response body (potentially unsafe)

• Recommendation: Sanitize error details before display or ensure error messages never contain unsanitized external content. Add DOMPurify or restrict error details to developer-controlled strings only.

• Fix this →

LOW Severity

1. Console Logging of Sensitive Information (App.tsx:30)

• Location: frontend/src/App.tsx:30
• Issue: console.error logs error details that may contain tokens or sensitive data in production builds.
• Recommendation: Strip console logging in production builds or use a proper error tracking service that sanitizes sensitive data.
• Fix this →

2. Missing Content Security Policy

• Location: frontend/index.html
• Issue: No CSP headers configured to restrict inline scripts and external resources.
• Recommendation: Add CSP meta tag or configure headers at CDN/web server level. Example:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' https://auth.example.com https://sync.example.com;">

• Fix this →

3. Unencrypted Session Storage

• Location: frontend/src/lib/session.ts
• Issue: PKCE code verifier and state stored in plain text in sessionStorage. While sessionStorage is origin-bound, this is vulnerable if XSS occurs.
• Impact: Combined with XSS vulnerability, attackers could steal OAuth session state.
• Recommendation: Document that CSP and XSS prevention are critical defense-in-depth controls. Consider noting in README that sessionStorage security depends on XSS prevention.

4. Generic README Documentation

• Location: frontend/README.md
• Issue: Still contains generic Vite template content instead of app-specific documentation.
• Recommendation: Document auth frontend purpose, configuration requirements, deployment instructions, and security considerations.
• Fix this →

---

Code Quality Observations

Strengths

1. Excellent OAuth/OIDC Implementation: Properly implements PKCE (RFC 7636) with SHA-256 challenge and secure random values (pkce.ts:5-13)
2. Strong CSRF Protection: State parameter properly validated with timing-safe comparison (oauth.ts:44-55)
3. Secure PKCE Generation: Uses crypto.getRandomValues() for cryptographically secure randomness (pkce.ts:5-6)
4. Good Error Handling: Comprehensive error messages throughout with network error fallbacks
5. Type Safety: Excellent TypeScript usage with proper type definitions (types.ts)
6. Clean Architecture: Well-organized module structure with clear separation of concerns
7. Browser Compatibility Checks: Proactive validation of required browser features (browser-check.ts)
8. Session Cleanup: Properly clears OAuth state after token exchange (App.tsx:104, oauth.ts:57, 111)

Security Strengths

• PKCE implementation follows RFC 7636 specifications correctly
• State parameter prevents CSRF attacks in OAuth flow
• Code verifier removed from storage after use (oauth.ts:111)
• HTTPS enforced implicitly through proper OAuth redirect URI validation
• No client secrets stored (using PKCE for public clients correctly)

Minor Observations

1. URL Validation (config.ts:30-31): Only removes trailing slashes. Consider adding URL format validation using new URL() constructor to catch malformed URLs early.

2. Error Message Construction (oauth.ts:40): OAuth error descriptions come directly from URL parameters and are displayed to users. While React escapes text content by default, this is concerning when combined with the ErrorPage XSS issue.

3. Token Server Response Handling (token-server.ts:35-36): Full response body displayed in error messages. Could expose sensitive server details.

---

Overall Assessment

This is a well-implemented OAuth/OIDC frontend with proper PKCE support and solid security practices. The code is clean, type-safe, and follows React best practices. The authentication flow correctly implements OAuth 2.0 + PKCE for public clients.

Primary Concern: The MEDIUM severity XSS vulnerability in ErrorPage.tsx should be addressed before production deployment. While React escapes text content by default, the combination of displaying external error content without explicit sanitization creates unnecessary risk.

Recommendation: Address the MEDIUM severity XSS issue, then approve for deployment. The LOW severity issues can be addressed in follow-up improvements.

Additional Notes:

• No Python code changes beyond removing completed TODO items from lambda/README.md
• All security issues are in the new frontend TypeScript code
• Dependencies are current (React 19, Vite 7, TypeScript 5.9)

---

[claude]

Claude finished @layertwo's task in 2m 25s —— View job

---

Code Review Complete ✓

Review Checklist

Core Quality

• Code follows conventions - TypeScript/React patterns well-structured
• No commented-out code - Clean implementation
• Proper error handling - Comprehensive error handling throughout
• DRY principle applied - Good modularization

Python & Development

• N/A - This is a TypeScript/React frontend application

Security

• No hardcoded secrets - Config uses placeholder values
• Input validation present - CSRF protection via state parameter
• Command/injection restrictions - No command execution
• Secure error handling - 1 MEDIUM issue identified

OWASP Top 10

• SQL Injection - N/A (no database in frontend)
• Cross-Site Scripting (XSS) - 1 MEDIUM issue identified
• Broken Authentication - Properly implemented with PKCE
• Sensitive Data Exposure - 1 LOW issue identified
• XML External Entities (XXE) - N/A (no XML parsing)
• Broken Access Control - N/A (relies on backend)
• Security Misconfiguration - 1 LOW issue identified
• Cross-Site Request Forgery (CSRF) - Properly mitigated with state parameter
• Using Components with Known Vulnerabilities - Dependencies current
• Insufficient Logging & Monitoring - Adequate for frontend

Documentation

• README updated - Generic Vite template (LOW priority improvement)
• Complex logic commented - Code is self-documenting

---

Security Issues Summary

MEDIUM Severity

1. Potential XSS via Unsanitized Error Display

• Location: frontend/src/components/ErrorPage.tsx:38-40
• Issue: Error details prop is rendered directly without sanitization. While React escapes text content by default, error messages from external sources (OAuth error_description, API responses) are displayed to users without explicit sanitization.
• Evidence:

  <p className="text-sm text-muted-foreground whitespace-pre-line">
    {details}
  </p>

• Attack Vectors:
  • oauth.ts:40 - OAuth error_description from URL params (user-controllable)
  • oauth.ts:108 - Token exchange error details from API
  • token-server.ts:36 - Full token server response body displayed
• Impact: If an attacker can control error message content (e.g., via malicious OAuth callback parameters or compromised API responses), React's text escaping provides protection, but the whitespace-pre-line class and direct rendering create a larger attack surface than necessary.
• Recommendation: While React does provide XSS protection through text escaping, implement defense-in-depth by:
  1. Sanitizing or validating error messages before display
  2. Limiting error details to developer-controlled strings only
  3. Avoiding rendering raw API response bodies in error messages
• Risk Assessment: MEDIUM due to defense-in-depth concerns, though React's built-in escaping mitigates the immediate risk.

Fix this →

LOW Severity

1. Console Logging of Sensitive Information

• Location: frontend/src/App.tsx:30
• Issue: console.error logs error details that may contain tokens or sensitive data in production builds.
• Code:

  console.error(`[ffsync] ${title}: ${message}`, details ?? "")

• Recommendation: Strip console logging in production builds or filter sensitive data. Use import.meta.env.PROD to conditionally disable logging.

Fix this →

2. Missing Content Security Policy

• Location: frontend/index.html
• Issue: No CSP headers configured to restrict inline scripts and external resources, which would provide defense-in-depth against XSS.
• Recommendation: Add CSP meta tag or configure headers at CDN/web server level:

  <meta http-equiv="Content-Security-Policy" 
        content="default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; 
                 connect-src 'self' https://auth.example.com https://sync.example.com;">

Fix this →

3. Generic README Documentation

• Location: frontend/README.md
• Issue: Contains generic Vite template content instead of app-specific documentation.
• Recommendation: Document:
  • Purpose of the auth frontend
  • Configuration requirements (config.json setup)
  • Deployment instructions
  • Security considerations (CSP, HTTPS requirement)

Fix this →

4. Unencrypted Session Storage

• Location: frontend/src/lib/session.ts
• Issue: PKCE code verifier and state stored in plain text in sessionStorage.
• Assessment: This is acceptable for temporary OAuth state as sessionStorage is origin-bound and cleared after use. However, combined with any XSS vulnerability, this could allow session hijacking.
• Recommendation: Document that XSS prevention (CSP, input validation) is critical for protecting session data. This is already mitigated by proper session cleanup after token exchange.

---

Code Quality Observations

Strengths

1. Excellent OAuth/OIDC Implementation: Properly implements PKCE (RFC 7636) with SHA-256 challenge and cryptographically secure random values (pkce.ts:5-13)
2. Strong CSRF Protection: State parameter properly validated with simple comparison (oauth.ts:44-55)
3. Secure PKCE Generation: Uses crypto.getRandomValues() for cryptographically secure randomness (pkce.ts:5-6)
4. Good Error Handling: Comprehensive error messages with network error fallbacks throughout
5. Type Safety: Excellent TypeScript usage with proper type definitions in types.ts
6. Clean Architecture: Well-organized module structure with clear separation of concerns
7. Browser Compatibility Checks: Proactive validation of required browser features (browser-check.ts)
8. Session Cleanup: Properly clears OAuth state after token exchange (App.tsx:104, oauth.ts:57,111)

Security Strengths

• PKCE implementation follows RFC 7636 correctly
• State parameter prevents CSRF in OAuth flow
• Code verifier removed from storage after use
• HTTPS implicitly enforced through OAuth redirect URI validation
• No client secrets stored (correctly using PKCE for public clients)
• Proper OIDC discovery implementation with validation

Minor Observations

1. URL Validation (config.ts:30-31)

• Only removes trailing slashes without validating URL format
• Consider adding validation using new URL() constructor to catch malformed URLs early

2. Error Message Construction (oauth.ts:40)

• OAuth error descriptions come directly from URL parameters
• React's text escaping provides protection, but consider using predefined error messages for better control

3. Token Server Response Handling (token-server.ts:35-36)

• Full response body displayed in error messages
• Could expose sensitive server details; consider generic error messages

---

Summary

This is a well-implemented OAuth/OIDC frontend with proper PKCE support and solid security practices. The code is clean, type-safe, and follows React best practices. The authentication flow correctly implements OAuth 2.0 + PKCE for public clients.

Primary Concern: The error handling pattern, while protected by React's text escaping, creates unnecessary attack surface by displaying external error content. This should be addressed before production deployment.

Status: The security issues identified in previous reviews remain unaddressed. The MEDIUM severity issue regarding error message handling should be resolved.

Recommendation: Address the MEDIUM severity error handling issue, then approve for deployment. The LOW severity issues can be addressed in follow-up improvements.

Note: This review covers the PR as of commit ef5f197. The frontend implementation is solid, with security concerns focused on error handling and defense-in-depth measures.

---

[claude]

Claude finished @layertwo's task in 1m 44s —— View job

---

Code Review Complete ✓

Review Checklist

Core Quality

• Code follows conventions - TypeScript/React patterns well-structured
• No commented-out code - Clean implementation
• Proper error handling - Comprehensive error handling throughout
• DRY principle applied - Good modularization with reusable components

Python & Development

• N/A - This is a TypeScript/React frontend application (only change to Python code is removing completed TODOs from lambda/README.md)

Security

• No hardcoded secrets - Config uses placeholder values in config.json
• Input validation present - FIXED: Sanitization now implemented via sanitizeExternal() function
• Command/injection restrictions - No command execution vulnerabilities
• Secure error handling - FIXED: Error messages now sanitized before display

OWASP Top 10

• SQL Injection - N/A (no database in frontend)
• Cross-Site Scripting (XSS) - FIXED: Input sanitization implemented
• Broken Authentication - Properly implemented with PKCE (RFC 7636)
• Sensitive Data Exposure - IMPROVED: Console logging now conditional on DEV mode
• XML External Entities (XXE) - N/A (no XML parsing)
• Broken Access Control - N/A (relies on backend)
• Security Misconfiguration - FIXED: CSP headers now implemented
• Cross-Site Request Forgery (CSRF) - Properly mitigated with state parameter
• Using Components with Known Vulnerabilities - Dependencies current (React 19, Vite 7)
• Insufficient Logging & Monitoring - Adequate for frontend app

Documentation

• README updated - Generic Vite template remains (LOW priority)
• Complex logic commented - Code is self-documenting

---

Security Issues Addressed Since Previous Reviews

Excellent work! The following security issues from previous reviews have been resolved:

1. XSS via Unsanitized Error Display ✓ FIXED

   • Added sanitizeExternal() function in oauth.ts:37-39 that strips HTML tags and limits length
   • Applied to OAuth error descriptions (oauth.ts:43-46)
   • Applied to token exchange errors (oauth.ts:110-112)
   • Applied to token server response bodies (token-server.ts:36)

2. Console Logging of Sensitive Information ✓ IMPROVED

   • Console logging now conditional on import.meta.env.DEV (App.tsx:30-34)
   • Production builds only log generic error titles, not details

3. Missing Content Security Policy ✓ FIXED

   • Comprehensive CSP now implemented in index.html:8
   • Restricts: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' https:; img-src 'self' data:; font-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self';
   • Provides strong defense-in-depth against XSS attacks

---

Remaining Issue

LOW Severity

Generic README Documentation

• Location: frontend/README.md:1-73
• Issue: Still contains generic Vite template content instead of app-specific documentation
• Impact: Minimal - does not affect functionality or security, but reduces clarity for developers/operators
• Recommendation: Document:
  • Purpose of the auth frontend (OAuth 2.0 + PKCE authentication for Firefox Sync)
  • Configuration requirements (config.json setup with OIDC provider details)
  • Deployment instructions (build process, static hosting requirements)
  • Security considerations (CSP, HTTPS requirement, sessionStorage behavior)
• Fix this →

---

Code Quality Observations

Strengths

1. Excellent Security Improvements

   • Input sanitization function strips HTML tags and limits length
   • CSP headers provide defense-in-depth
   • Conditional logging prevents production data leakage

2. Strong OAuth/OIDC Implementation

   • Properly implements PKCE (RFC 7636) with SHA-256 challenge (pkce.ts:1-23)
   • Cryptographically secure random values via crypto.getRandomValues() (pkce.ts:6)
   • Proper CSRF protection with state parameter validation (oauth.ts:50-62)

3. Robust Error Handling

   • Comprehensive error messages with network fallbacks throughout
   • Errors provide actionable troubleshooting guidance without exposing sensitive details
   • Proper cleanup of OAuth session state after token exchange (App.tsx:108)

4. Type Safety

   • Excellent TypeScript usage with proper type definitions (types.ts)
   • No any types found in reviewed code
   • Proper interface definitions for configuration and state

5. Clean Architecture

   • Well-organized module structure with clear separation of concerns
   • Reusable UI components following shadcn/ui patterns
   • Browser compatibility checks prevent runtime issues (browser-check.ts)

6. Session Management

   • Proper session cleanup after authentication flow
   • OAuth state removed after validation to prevent replay attacks
   • SessionStorage appropriately used for temporary OAuth state

Security Strengths

• PKCE implementation follows RFC 7636 specifications correctly
• State parameter prevents CSRF attacks in OAuth flow
• Code verifier removed from storage immediately after token exchange
• HTTPS implicitly required through OAuth redirect URI validation
• No client secrets stored (correctly using PKCE for public clients)
• OIDC discovery properly validates required endpoints

Minor Observations

1. URL Validation (config.ts:30-31)

   • Currently only removes trailing slashes
   • Consider adding format validation using new URL() constructor to catch malformed URLs early
   • Not a security issue as invalid URLs will fail at fetch time, but earlier validation improves UX

2. SessionStorage Security Note

   • PKCE state stored in sessionStorage is acceptable for temporary OAuth flows
   • Origin-bound and properly cleaned up after use
   • Security depends on XSS prevention (now properly addressed via CSP and input sanitization)

---

Overall Assessment

APPROVED ✓

This is a well-implemented OAuth/OIDC frontend with excellent security practices. The latest commit (54480e3) successfully addresses all MEDIUM severity security issues identified in previous reviews. The code is clean, type-safe, follows React best practices, and properly implements OAuth 2.0 + PKCE for public clients.

The authentication flow is secure with:

• Proper CSRF protection via state parameter validation
• XSS mitigation through input sanitization and CSP headers
• No sensitive data exposure in production logs
• Correct PKCE implementation for public OAuth clients
• Secure session management with proper cleanup

The remaining documentation issue is LOW priority and does not block deployment.

Changes Summary:

• Added: 32 new files (frontend React app + auth flow implementation)
• Modified: 2 files (.gitignore, lambda/README.md to remove completed TODOs)
• No backend security changes: Lambda code changes are documentation-only

Deployment Readiness: ✓ Ready for production deployment

The only remaining item is improving the README documentation, which can be addressed in a follow-up PR without blocking this one.

---

In general, the right fix is to stop using a fragile “strip tags with one regex” approach, and instead either: (a) use a well-tested HTML sanitization library, or (b) simplify the sanitization to a safe transformation such as HTML-encoding or aggressive removal of tag delimiters (< and >), which cannot reintroduce tags on reprocessing. Because we must only touch this file and avoid adding nonstandard dependencies where possible, the most robust, low-impact fix here is to change sanitizeExternal to remove < and > characters themselves, instead of trying to parse tags. That avoids the multi-character sanitization pitfall and guarantees that no HTML elements, including <script, can be formed from the sanitized output.

Concretely, update sanitizeExternal in frontend/src/lib/oauth.ts so that it replaces all < and > characters (and optionally similar dangerous characters) with either nothing or safe escape sequences, and then truncates as before. This preserves existing behavior at the call sites (still returns a string, still enforces maxLength) while making the sanitization safe against the specific CodeQL concern. No other lines or imports need to change.

In general, the best fix is to avoid ad‑hoc regex‑based HTML sanitization and instead use a well‑tested library designed for this purpose, or at minimum ensure that tag removal is robust against multi‑character partial matches by repeatedly applying the replacement until no tags remain. Since we must keep functionality (get up to 500 characters of tag‑stripped text) and not change imports beyond well‑known libraries, we can improve the existing regex‑based approach by looping until no more tags are removed. This directly addresses the “incomplete multi‑character sanitization” issue without changing how the result is used elsewhere.

Concretely, in frontend/src/lib/token-server.ts, lines around 35–37 should be updated so that after const body = await response.text(), we do not call body.replace(/<[^>]*>/g, "") just once. Instead, we should implement a small loop that repeatedly strips tags until subsequent iterations make no changes, then slice to 500 characters. For example, introduce a local sanitizedBody variable, run a do { ... } while(...) loop with the same regex, and then assign detail = sanitizedBody.slice(0, 500). This requires no new imports or global utilities and keeps existing behavior (plain text, max 500 chars) while ensuring that patterns like nested/overlapping tags cannot reappear after a single replacement.