security: Phase 2 fixes — biomarker validation, input hardening, CSP, loading states

- Add biomarker sanitizer (prompt injection prevention for Bedrock LLM)
- Apply sanitizer to /api/report/clinical and /api/report/summary
- Strip HTML tags from feed post content before storage
- Validate feed action field against allowlist
- Validate animalPersonality against allowlist in chat route
- Clamp ageMonths to 0-240 across chat and report routes
- Add loading.tsx at root, intake, kid-dashboard, games
- Add error.tsx boundaries at intake, kid-dashboard, games
- Add robots.txt (disallow /api/, /intake/, /kid-dashboard/)
- Add OpenGraph + Twitter Card metadata to layout.tsx
- Harden CSP: add object-src none, base-uri self, form-action self
- Add lint + type-check to amplify.yml preBuild
- Fix DOCS.md version (16.1.6 -> 16.2.2)
- Remove unused S3_MODELS_BUCKET from .env.local.example
- Document 13 deferred security items in DOCS.md

Author: Partha-dev01

.env.local.example

@@ -25,8 +25,8 @@ DYNAMODB_CHILD_PROFILES_TABLE=autisense-child-profiles
 DYNAMODB_SESSION_SUMMARIES_TABLE=autisense-session-summaries
 DYNAMODB_FEED_POSTS_TABLE=autisense-feed-posts
 
-# ── S3 ────────────────────────────────────────────
-S3_MODELS_BUCKET=autisense-models
+# ── S3 (removed — models served from public/ via CDN) ──
+# S3_MODELS_BUCKET is no longer used at runtime
 
 # ── Amazon Bedrock ────────────────────────────────
 BEDROCK_REGION=us-east-1

amplify.yml

@@ -5,6 +5,8 @@ frontend:
       commands:
         - nvm use 22
         - npm ci
+        - npm run lint
+        - npm run type-check
         - npm run test:unit
     build:
       commands:

app/api/chat/conversation/route.ts

@@ -258,7 +258,12 @@ export async function POST(req: NextRequest) {
 
   // Input length limits — prevent prompt injection + cost inflation
   const childName = String(body.childName).slice(0, 50).replace(/[^\p{L}\p{N}\s'-]/gu, "");
-  const { ageMonths, turnNumber, animalPersonality } = body;
+  const ageMonths = Math.max(0, Math.min(240, Number(body.ageMonths) || 36));
+  const { turnNumber } = body;
+  const allowedPersonalities = ["dog", "cat", "rabbit", "parrot"];
+  const animalPersonality = allowedPersonalities.includes(body.animalPersonality as string)
+    ? (body.animalPersonality as string)
+    : "dog";
   const messages = Array.isArray(body.messages) ? body.messages.slice(0, 20) : [];
 
   // Hard cap — force farewell after 15 turns

app/api/chat/generate-words/route.ts

@@ -239,7 +239,8 @@ export async function POST(request: NextRequest) {
 
   try {
     const body: GenerateRequest = await request.json();
-    const { ageMonths = 36, count = 6, mode = "words" } = body;
+    const { count = 6, mode = "words" } = body;
+    const ageMonths = Math.max(0, Math.min(240, Number(body.ageMonths) || 36));
 
     if (!["words", "sentences", "instructions"].includes(mode)) {
       return NextResponse.json({ error: "Invalid mode" }, { status: 400 });

app/api/feed/route.ts

@@ -125,6 +125,10 @@ export async function POST(request: NextRequest) {
   try {
     const body = await request.json();
     const { action } = body;
+    const validActions = ["create", "react", "delete"];
+    if (action && !validActions.includes(action as string)) {
+      return NextResponse.json({ error: "Invalid action" }, { status: 400 });
+    }
 
     if (action === "react") return handleReaction(body, user.id);
     if (action === "delete") return handleDelete(body, user.id);
@@ -152,7 +156,7 @@ async function handleCreate(body: Record<string, unknown>, userId: string) {
   const post: FeedPostItem = {
     postId: crypto.randomUUID(),
     userId,
-    content: (content as string).trim(),
+    content: (content as string).trim().replace(/<[^>]*>/g, ""),
     category: category as string,
     reactions: { heart: 0, helpful: 0, relate: 0 },
     reactedBy: { heart: [], helpful: [], relate: [] },

app/api/report/clinical/route.ts

@@ -241,7 +241,9 @@ export async function POST(req: NextRequest) {
     );
   }
 
-  const { biomarkers, childAge } = body;
+  const { sanitizeBiomarkers } = await import("../../../lib/validation/biomarker");
+  const biomarkers = sanitizeBiomarkers(body.biomarkers) as unknown as BiomarkerAggregate;
+  const childAge = body.childAge !== undefined ? Math.max(0, Math.min(240, Number(body.childAge) || 0)) : undefined;
 
   // Always generate the deterministic template first
   const baseReport = buildTemplateReport(biomarkers, childAge);

app/api/report/summary/route.ts

@@ -76,7 +76,8 @@ export async function POST(req: NextRequest) {
     );
   }
 
-  const { biomarkers } = body;
+  const { sanitizeBiomarkers } = await import("../../../lib/validation/biomarker");
+  const biomarkers = sanitizeBiomarkers(body.biomarkers) as unknown as BiomarkerAggregate;
 
   const prompt = `Generate a parent-friendly screening summary for a child based on the following biomarker data. Map to DSM-5 criteria. Keep it to 3-4 paragraphs.
 

app/games/error.tsx

@@ -0,0 +1,45 @@
+"use client";
+
+// eslint-disable-next-line @typescript-eslint/no-unused-vars
+export default function Error({
+  error,
+  reset,
+}: {
+  error: Error & { digest?: string };
+  reset: () => void;
+}) {
+  return (
+    <div style={{
+      display: "flex",
+      flexDirection: "column",
+      alignItems: "center",
+      justifyContent: "center",
+      minHeight: "60vh",
+      gap: 16,
+      padding: 24,
+      textAlign: "center",
+    }}>
+      <h2 style={{ color: "var(--text-primary)", fontSize: "1.2rem", fontWeight: 600 }}>
+        Something went wrong
+      </h2>
+      <p style={{ color: "var(--text-muted)", fontSize: "0.9rem", maxWidth: 400 }}>
+        Don&apos;t worry — your progress is saved. Try refreshing or click below.
+      </p>
+      <button
+        onClick={reset}
+        style={{
+          padding: "10px 24px",
+          borderRadius: 12,
+          border: "2px solid var(--sage-300)",
+          background: "var(--sage-50)",
+          color: "var(--sage-600)",
+          fontWeight: 600,
+          cursor: "pointer",
+          fontSize: "0.9rem",
+        }}
+      >
+        Try again
+      </button>
+    </div>
+  );
+}

app/games/loading.tsx

@@ -0,0 +1,22 @@
+export default function Loading() {
+  return (
+    <div style={{
+      display: "flex",
+      flexDirection: "column",
+      alignItems: "center",
+      justifyContent: "center",
+      minHeight: "60vh",
+      gap: 16,
+    }}>
+      <div style={{
+        width: 40,
+        height: 40,
+        border: "4px solid var(--sage-200)",
+        borderTopColor: "var(--sage-500)",
+        borderRadius: "50%",
+        animation: "spin 0.8s linear infinite",
+      }} />
+      <p style={{ color: "var(--text-muted)", fontSize: "0.9rem" }}>Loading...</p>
+    </div>
+  );
+}

app/intake/error.tsx

@@ -0,0 +1,45 @@
+"use client";
+
+// eslint-disable-next-line @typescript-eslint/no-unused-vars
+export default function Error({
+  error,
+  reset,
+}: {
+  error: Error & { digest?: string };
+  reset: () => void;
+}) {
+  return (
+    <div style={{
+      display: "flex",
+      flexDirection: "column",
+      alignItems: "center",
+      justifyContent: "center",
+      minHeight: "60vh",
+      gap: 16,
+      padding: 24,
+      textAlign: "center",
+    }}>
+      <h2 style={{ color: "var(--text-primary)", fontSize: "1.2rem", fontWeight: 600 }}>
+        Something went wrong
+      </h2>
+      <p style={{ color: "var(--text-muted)", fontSize: "0.9rem", maxWidth: 400 }}>
+        Don&apos;t worry — your progress is saved. Try refreshing or click below.
+      </p>
+      <button
+        onClick={reset}
+        style={{
+          padding: "10px 24px",
+          borderRadius: 12,
+          border: "2px solid var(--sage-300)",
+          background: "var(--sage-50)",
+          color: "var(--sage-600)",
+          fontWeight: 600,
+          cursor: "pointer",
+          fontSize: "0.9rem",
+        }}
+      >
+        Try again
+      </button>
+    </div>
+  );
+}