Follow-up slice of #227.
Protect the remaining file-serving handlers identified by CodeQL in server/index.js.
Scope:
- apply the established request limit to the CSRF-token endpoint and client static/fallback routes;
- preserve normal browser, API, and health-check behavior;
- add focused regression coverage for the standard 429 response;
- resolve alerts through code, without suppression or query changes;
- do not add, inspect, store, or search email data.
Acceptance criteria:
- CodeQL closes the two remaining file-system route alerts;
- normal static and CSRF requests work within the configured window;
- server tests and CI pass.
Production rollout verification remains part of #176.
Follow-up slice of #227.
Protect the remaining file-serving handlers identified by CodeQL in server/index.js.
Scope:
Acceptance criteria:
Production rollout verification remains part of #176.