security: address assessment findings and bump to v2026.3.11

- C1: Disable Swagger UI in production (env gate)
- M1+M2: Add Helmet.js for security headers (CSP, X-Frame-Options,
  X-Content-Type-Options, Referrer-Policy) and remove X-Powered-By
- H2: Add @nestjs/throttler rate limiting (5 req/min on login/register)
- M4: Remove orgSchema from JWT payload and client-side storage;
  tenant middleware now resolves schema from orgId via cached DB lookup
- L1: Fix Chatwoot user identification (read from auth store on ready)
- Remove schemaName from frontend Organization type and UI displays

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/package-lock.json

@@ -16,10 +16,12 @@
         "@nestjs/platform-express": "^10.4.15",
         "@nestjs/schedule": "^6.1.1",
         "@nestjs/swagger": "^7.4.2",
+        "@nestjs/throttler": "^6.5.0",
         "@nestjs/typeorm": "^10.0.2",
         "bcryptjs": "^3.0.3",
         "class-transformer": "^0.5.1",
         "class-validator": "^0.14.1",
+        "helmet": "^8.1.0",
         "ioredis": "^5.4.2",
         "newrelic": "latest",
         "passport": "^0.7.0",
@@ -1791,6 +1793,17 @@
         }
       }
     },
+    "node_modules/@nestjs/throttler": {
+      "version": "6.5.0",
+      "resolved": "https://registry.npmjs.org/@nestjs/throttler/-/throttler-6.5.0.tgz",
+      "integrity": "sha512-9j0ZRfH0QE1qyrj9JjIRDz5gQLPqq9yVC2nHsrosDVAfI5HHw08/aUAWx9DZLSdQf4HDkmhTTEGLrRFHENvchQ==",
+      "license": "MIT",
+      "peerDependencies": {
+        "@nestjs/common": "^7.0.0 || ^8.0.0 || ^9.0.0 || ^10.0.0 || ^11.0.0",
+        "@nestjs/core": "^7.0.0 || ^8.0.0 || ^9.0.0 || ^10.0.0 || ^11.0.0",
+        "reflect-metadata": "^0.1.13 || ^0.2.0"
+      }
+    },
     "node_modules/@nestjs/typeorm": {
       "version": "10.0.2",
       "resolved": "https://registry.npmjs.org/@nestjs/typeorm/-/typeorm-10.0.2.tgz",
@@ -5277,6 +5290,15 @@
         "node": ">= 0.4"
       }
     },
+    "node_modules/helmet": {
+      "version": "8.1.0",
+      "resolved": "https://registry.npmjs.org/helmet/-/helmet-8.1.0.tgz",
+      "integrity": "sha512-jOiHyAZsmnr8LqoPGmCjYAaiuWwjAPLgY8ZX2XrmHawt99/u1y6RgrZMTeoPfpUbV96HOalYgz1qzkRbw54Pmg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
     "node_modules/html-entities": {
       "version": "2.6.0",
       "resolved": "https://registry.npmjs.org/html-entities/-/html-entities-2.6.0.tgz",

backend/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hoa-ledgeriq-backend",
-  "version": "2026.03.10",
+  "version": "2026.3.11",
   "description": "HOA LedgerIQ - Backend API",
   "private": true,
   "scripts": {
@@ -25,11 +25,14 @@
     "@nestjs/platform-express": "^10.4.15",
     "@nestjs/schedule": "^6.1.1",
     "@nestjs/swagger": "^7.4.2",
+    "@nestjs/throttler": "^6.5.0",
     "@nestjs/typeorm": "^10.0.2",
     "bcryptjs": "^3.0.3",
     "class-transformer": "^0.5.1",
     "class-validator": "^0.14.1",
+    "helmet": "^8.1.0",
     "ioredis": "^5.4.2",
+    "newrelic": "latest",
     "passport": "^0.7.0",
     "passport-jwt": "^4.0.1",
     "passport-local": "^1.0.0",
@@ -37,7 +40,6 @@
     "reflect-metadata": "^0.2.2",
     "rxjs": "^7.8.1",
     "typeorm": "^0.3.20",
-    "newrelic": "latest",
     "uuid": "^9.0.1"
   },
   "devDependencies": {

backend/src/app.module.ts

@@ -2,6 +2,7 @@ import { Module, MiddlewareConsumer, NestModule } from '@nestjs/common';
 import { APP_GUARD } from '@nestjs/core';
 import { ConfigModule, ConfigService } from '@nestjs/config';
 import { TypeOrmModule } from '@nestjs/typeorm';
+import { ThrottlerModule } from '@nestjs/throttler';
 import { AppController } from './app.controller';
 import { DatabaseModule } from './database/database.module';
 import { TenantMiddleware } from './database/tenant.middleware';
@@ -52,6 +53,10 @@ import { ScheduleModule } from '@nestjs/schedule';
         },
       }),
     }),
+    ThrottlerModule.forRoot([{
+      ttl: 60000,   // 1-minute window
+      limit: 100,   // 100 requests per minute (global default)
+    }]),
     DatabaseModule,
     AuthModule,
     OrganizationsModule,

backend/src/database/tenant.middleware.ts

@@ -13,8 +13,8 @@ export interface TenantRequest extends Request {
 
 @Injectable()
 export class TenantMiddleware implements NestMiddleware {
-  // In-memory cache for org status to avoid DB hit per request
-  private orgStatusCache = new Map<string, { status: string; cachedAt: number }>();
+  // In-memory cache for org info to avoid DB hit per request
+  private orgCache = new Map<string, { status: string; schemaName: string; cachedAt: number }>();
   private static readonly CACHE_TTL = 60_000; // 60 seconds
 
   constructor(
@@ -30,23 +30,25 @@ export class TenantMiddleware implements NestMiddleware {
         const token = authHeader.substring(7);
         const secret = this.configService.get<string>('JWT_SECRET');
         const decoded = jwt.verify(token, secret!) as any;
-        if (decoded?.orgSchema) {
-          // Check if the org is still active (catches post-JWT suspension)
-          if (decoded.orgId) {
-            const status = await this.getOrgStatus(decoded.orgId);
-            if (status && ['suspended', 'archived'].includes(status)) {
+        if (decoded?.orgId) {
+          // Look up org info (status + schema) from orgId with caching
+          const orgInfo = await this.getOrgInfo(decoded.orgId);
+          if (orgInfo) {
+            if (['suspended', 'archived'].includes(orgInfo.status)) {
               res.status(403).json({
                 statusCode: 403,
-                message: `This organization has been ${status}. Please contact your administrator.`,
+                message: `This organization has been ${orgInfo.status}. Please contact your administrator.`,
               });
               return;
             }
+            req.tenantSchema = orgInfo.schemaName;
           }
-
-          req.tenantSchema = decoded.orgSchema;
           req.orgId = decoded.orgId;
           req.userId = decoded.sub;
           req.userRole = decoded.role;
+        } else if (decoded?.sub) {
+          // Superadmin or user without org — still set userId
+          req.userId = decoded.sub;
         }
       } catch {
         // Token invalid or expired - let Passport handle the auth error
@@ -55,19 +57,23 @@ export class TenantMiddleware implements NestMiddleware {
     next();
   }
 
-  private async getOrgStatus(orgId: string): Promise<string | null> {
-    const cached = this.orgStatusCache.get(orgId);
+  private async getOrgInfo(orgId: string): Promise<{ status: string; schemaName: string } | null> {
+    const cached = this.orgCache.get(orgId);
     if (cached && Date.now() - cached.cachedAt < TenantMiddleware.CACHE_TTL) {
-      return cached.status;
+      return { status: cached.status, schemaName: cached.schemaName };
     }
     try {
       const result = await this.dataSource.query(
-        `SELECT status FROM shared.organizations WHERE id = $1`,
+        `SELECT status, schema_name as "schemaName" FROM shared.organizations WHERE id = $1`,
         [orgId],
       );
       if (result.length > 0) {
-        this.orgStatusCache.set(orgId, { status: result[0].status, cachedAt: Date.now() });
-        return result[0].status;
+        this.orgCache.set(orgId, {
+          status: result[0].status,
+          schemaName: result[0].schemaName,
+          cachedAt: Date.now(),
+        });
+        return { status: result[0].status, schemaName: result[0].schemaName };
       }
     } catch {
       // Non-critical — don't block requests on cache miss errors

backend/src/main.ts

@@ -3,6 +3,7 @@ import * as os from 'node:os';
 import { NestFactory } from '@nestjs/core';
 import { ValidationPipe } from '@nestjs/common';
 import { SwaggerModule, DocumentBuilder } from '@nestjs/swagger';
+import helmet from 'helmet';
 import { AppModule } from './app.module';
 
 const cluster = _cluster as any; // Cast to 'any' bypasses the missing property errors
@@ -41,6 +42,24 @@ async function bootstrap() {
 
   app.setGlobalPrefix('api');
 
+  // Security headers — Helmet sets CSP, X-Frame-Options, X-Content-Type-Options,
+  // Referrer-Policy, Permissions-Policy, and removes X-Powered-By
+  app.use(
+    helmet({
+      contentSecurityPolicy: {
+        directives: {
+          defaultSrc: ["'self'"],
+          scriptSrc: ["'self'", "'unsafe-inline'", 'https://chat.hoaledgeriq.com'],
+          connectSrc: ["'self'", 'https://chat.hoaledgeriq.com', 'wss://chat.hoaledgeriq.com'],
+          imgSrc: ["'self'", 'data:', 'https://chat.hoaledgeriq.com'],
+          styleSrc: ["'self'", "'unsafe-inline'"],
+          frameSrc: ["'self'", 'https://chat.hoaledgeriq.com'],
+          fontSrc: ["'self'", 'data:'],
+        },
+      },
+    }),
+  );
+
   // Request logging — only in development (too noisy / slow for prod)
   if (!isProduction) {
     app.use((req: any, _res: any, next: any) => {
@@ -63,15 +82,17 @@ async function bootstrap() {
     credentials: true,
   });
 
-  // Swagger docs — available in all environments
+  // Swagger docs — disabled in production to avoid exposing API surface
+  if (!isProduction) {
     const config = new DocumentBuilder()
       .setTitle('HOA LedgerIQ API')
       .setDescription('API for the HOA LedgerIQ')
-    .setVersion('2026.03.10')
+      .setVersion('2026.3.11')
       .addBearerAuth()
       .build();
     const document = SwaggerModule.createDocument(app, config);
     SwaggerModule.setup('api/docs', app, document);
+  }
 
   await app.listen(3000);
   console.log(`Backend worker ${process.pid} listening on port 3000`);

backend/src/modules/auth/auth.controller.ts

@@ -9,6 +9,7 @@ import {
 } from '@nestjs/common';
 import { ApiTags, ApiOperation, ApiBearerAuth } from '@nestjs/swagger';
 import { AuthGuard } from '@nestjs/passport';
+import { Throttle } from '@nestjs/throttler';
 import { AuthService } from './auth.service';
 import { RegisterDto } from './dto/register.dto';
 import { LoginDto } from './dto/login.dto';
@@ -23,12 +24,14 @@ export class AuthController {
 
   @Post('register')
   @ApiOperation({ summary: 'Register a new user' })
+  @Throttle({ default: { limit: 5, ttl: 60000 } })
   async register(@Body() dto: RegisterDto) {
     return this.authService.register(dto);
   }
 
   @Post('login')
   @ApiOperation({ summary: 'Login with email and password' })
+  @Throttle({ default: { limit: 5, ttl: 60000 } })
   @UseGuards(AuthGuard('local'))
   async login(@Request() req: any, @Body() _dto: LoginDto) {
     const ip = req.headers['x-forwarded-for'] || req.ip;

backend/src/modules/auth/auth.service.ts

@@ -118,7 +118,6 @@ export class AuthService {
       sub: user.id,
       email: user.email,
       orgId: membership.organizationId,
-      orgSchema: membership.organization.schemaName,
       role: membership.role,
     };
 
@@ -177,7 +176,6 @@ export class AuthService {
 
     if (defaultOrg) {
       payload.orgId = defaultOrg.organizationId;
-      payload.orgSchema = defaultOrg.organization?.schemaName;
       payload.role = defaultOrg.role;
     }
 
@@ -195,7 +193,6 @@ export class AuthService {
       organizations: orgs.map((uo) => ({
         id: uo.organizationId,
         name: uo.organization?.name,
-        schemaName: uo.organization?.schemaName,
         status: uo.organization?.status,
         role: uo.role,
       })),

backend/src/modules/auth/strategies/jwt.strategy.ts

@@ -18,7 +18,6 @@ export class JwtStrategy extends PassportStrategy(Strategy) {
       sub: payload.sub,
       email: payload.email,
       orgId: payload.orgId,
-      orgSchema: payload.orgSchema,
       role: payload.role,
       isSuperadmin: payload.isSuperadmin || false,
       impersonatedBy: payload.impersonatedBy || null,

backend/src/modules/health-scores/health-scores.controller.ts

@@ -16,7 +16,7 @@ export class HealthScoresController {
   @Get('latest')
   @ApiOperation({ summary: 'Get latest operating and reserve health scores' })
   getLatest(@Req() req: any) {
-    const schema = req.user?.orgSchema;
+    const schema = req.tenantSchema;
     return this.service.getLatestScores(schema);
   }
 
@@ -24,7 +24,7 @@ export class HealthScoresController {
   @ApiOperation({ summary: 'Trigger both health score recalculations (async — returns immediately)' })
   @AllowViewer()
   async calculate(@Req() req: any) {
-    const schema = req.user?.orgSchema;
+    const schema = req.tenantSchema;
 
     // Fire-and-forget — background processing saves results to DB
     Promise.all([
@@ -44,7 +44,7 @@ export class HealthScoresController {
   @ApiOperation({ summary: 'Trigger operating fund health score recalculation (async)' })
   @AllowViewer()
   async calculateOperating(@Req() req: any) {
-    const schema = req.user?.orgSchema;
+    const schema = req.tenantSchema;
 
     // Fire-and-forget
     this.service.calculateScore(schema, 'operating').catch((err) => {
@@ -61,7 +61,7 @@ export class HealthScoresController {
   @ApiOperation({ summary: 'Trigger reserve fund health score recalculation (async)' })
   @AllowViewer()
   async calculateReserve(@Req() req: any) {
-    const schema = req.user?.orgSchema;
+    const schema = req.tenantSchema;
 
     // Fire-and-forget
     this.service.calculateScore(schema, 'reserve').catch((err) => {

frontend/index.html

@@ -23,23 +23,19 @@
           })
         }
       })(document,"script");
-    </script>
-    <script>
-    window.addEventListener('chatwoot:ready', function () {
-      // 1. Identify the user (use your real variables/server-side values)
-      window.$chatwoot.setUser("{{ current_user.id }}", {  // or just a string like "user-123"
-        identifier: "{{ current_user.id }}",
-        name: "{{ current_user.name }}",
-        email: "{{ current_user.email }}",
-        // identifier_hash: "your-hmac-hash-if-using-verification",
-      });
-
-      // 2. Send current URL + extras
-      window.$chatwoot.setCustomAttributes({
-        current_page_url: window.location.href,
-        // e.g. user_plan: "premium",
-        // last_action: "viewed_pricing"
+      window.addEventListener('chatwoot:ready', function() {
+        try {
+          var raw = localStorage.getItem('ledgeriq-auth');
+          if (!raw) return;
+          var auth = JSON.parse(raw);
+          var user = auth && auth.state && auth.state.user;
+          if (user && window.$chatwoot) {
+            window.$chatwoot.setUser(user.id, {
+              name: (user.firstName || '') + ' ' + (user.lastName || ''),
+              email: user.email
             });
+          }
+        } catch (e) {}
       });
     </script>
   </body>

frontend/package.json

@@ -1,6 +1,6 @@
 {
   "name": "hoa-ledgeriq-frontend",
-  "version": "2026.03.10",
+  "version": "2026.3.11",
   "private": true,
   "type": "module",
   "scripts": {

frontend/src/pages/auth/SelectOrgPage.tsx

@@ -120,11 +120,6 @@ export function SelectOrgPage() {
                   <Text fw={500}>{org.name}</Text>
                   <Group gap={4}>
                     <Badge size="sm" variant="light">{org.role}</Badge>
-                    {org.schemaName && (
-                      <Badge size="xs" variant="dot" color="gray">
-                        {org.schemaName}
-                      </Badge>
-                    )}
                   </Group>
                 </div>
               </Group>

frontend/src/pages/settings/SettingsPage.tsx

@@ -38,10 +38,6 @@ export function SettingsPage() {
               <Text size="sm" c="dimmed">Your Role</Text>
               <Badge variant="light">{currentOrg?.role || 'N/A'}</Badge>
             </Group>
-            <Group justify="space-between">
-              <Text size="sm" c="dimmed">Schema</Text>
-              <Text size="sm" ff="monospace" c="dimmed">{currentOrg?.schemaName || 'N/A'}</Text>
-            </Group>
           </Stack>
         </Card>
 

frontend/src/stores/authStore.ts

@@ -5,7 +5,6 @@ interface Organization {
   id: string;
   name: string;
   role: string;
-  schemaName?: string;
   status?: string;
   settings?: Record<string, any>;
 }