# Security Notes

The canonical security notes are maintained at `docs/SECURITY_NOTES.md`.

Short version:

- Implemented: password hashing, password policy, RBAC, CSRF protection, tenant ownership columns, audit log foundations, escaped templates, CSV formula protection, CSP and other security headers, session cookie policy, production-gated demo login, tenant-scoped report/profitability foundations (including purchase-order accrual and supplier-invoice matching), no real secrets committed to the repository, and masked LLM/API-key settings.
- Still required before public release: full MySQL-backed tenant-isolation tests, public REST API security (if a public API is released), stronger multipart upload hardening, live OAuth/webhook security, live billing webhook/payment security, production infrastructure controls, dependency scanning in CI, backup/restore, monitoring, and penetration testing.
