# LotusCloud Bug + Security Fix Report

Date: 2026-03-06

## Issues Found

1. RBAC gap in API Gateway route mapping
- Symptom: several new routes (Phase 6 and alias paths) had no explicit action mapping.
- Risk: requests could skip fine-grained authorization checks.
- Status: fixed.

2. Weak `X-Project-ID` validation
- Symptom: project header presence was checked but format was not validated.
- Risk: malformed IDs could bypass assumptions and increase attack surface.
- Status: fixed.

3. Proxy dropped query string
- Symptom: gateway upstream forwarding did not preserve `RawQuery`.
- Risk: pagination/filter/search endpoints could behave incorrectly.
- Status: fixed.

4. Missing secure baseline headers and strict CORS allowlist in gateway
- Symptom: no centralized security header middleware; CORS policy not explicit.
- Risk: weaker browser-side hardening and broader cross-origin risks.
- Status: fixed.

5. Hardcoded-looking secrets in CI env example
- Symptom: `.env.ci.example` contained static strong-looking values.
- Risk: accidental re-use in real environments.
- Status: fixed by replacing with placeholders.

6. Frontend integration color token missing
- Symptom: `--color-integration` referenced but undefined.
- Risk: visual inconsistency for APIM/Event Grid pages.
- Status: fixed.

## Files Updated

- `services/api-gateway/internal/middleware/auth.go`
- `services/api-gateway/internal/proxy/iam_proxy.go`
- `services/api-gateway/internal/middleware/security.go`
- `services/api-gateway/internal/config/config.go`
- `services/api-gateway/cmd/main.go`
- `docker-compose.yml`
- `.env.example`
- `.env.ci.example`
- `frontend/lotus-console/app/globals.css`

## Verification Checklist

- [x] Gateway auth flow still requires bearer token
- [x] Gateway now fails closed when route has no RBAC mapping
- [x] Query string forwarding preserved to upstream
- [x] Security headers and CORS handling enabled
- [x] Env templates no longer contain concrete CI secret values
