security: deep audit fixes — error leak prevention, DOMPurify XSS guard, mutex race fix, i18n parity, HMAC warning

- [C-1] Fix sync.Mutex copy in guard.GuardStats (go vet race condition) - [C-2] Replace 3x raw err.Error() HTTP leaks with generic messages (tenant_handlers, ws_transport, immune) - [M-1] Add isomorphic-dompurify to LegalPage and AIAssistant (XSS defense-in-depth) - [M-4] Add swaggo/swag dependency for Swagger docs - [L-4] Add slog.Warn for hardcoded dev HMAC key in tpmaudit - [L-5] Add 2 missing i18n keys (nav.contacts, nav.start_free) — 365/365 parity
2026-05-09 11:32:37 +02:00 · 2026-03-31 19:52:21 +10:00 · 2026-03-31 19:52:21 +10:00 · a54c892736
commit a54c892736
parent 02b511a41e
7 changed files with 69 additions and 8 deletions
--- a/internal/transport/p2p/ws_transport.go
+++ b/internal/transport/p2p/ws_transport.go
@ -133,7 +133,8 @@ func (t *WSTransport) handleP2P(w http.ResponseWriter, r *http.Request) {
 		t.mu.RUnlock()
 		if handler != nil {
 			if err := handler(payload); err != nil {
-				http.Error(w, err.Error(), http.StatusInternalServerError)
+				log.Printf("ws-transport: sync handler error: %v", err)
+				http.Error(w, "sync processing failed", http.StatusInternalServerError)
 				return
 			}
 		}