Security: CSP, rate-limit phishing, CDN denylist, audit rotation

docs/audit-retention.md

@@ -0,0 +1,25 @@
+# Audit Log Retention Policy
+
+## Overview
+
+The SecurityAuditLogger manages a local in-memory audit log with deterministic rotation and quota enforcement.
+
+## Configuration
+
+| Parameter | Default | Description |
+|-----------|---------|-------------|
+| MAX_LOG_SIZE | 10,000 | Maximum number of log entries in memory |
+| MAX_ALERT_SIZE | 1,000 | Maximum number of security alerts in memory |
+| RETENTION_PERIOD_MS | 7 days | Maximum age of log entries before cleanup |
+| EVICTION_THRESHOLD | 0.9 (90%) | Capacity threshold for eviction warning |
+
+## Rotation Behavior
+
+1. **LRU-by-time eviction**: When MAX_LOG_SIZE is exceeded, the oldest 30% of entries are evicted
+2. **Warning**: A console warning is issued when storage reaches 90% capacity
+3. **Remote export**: Evicted entries are exported to the remote sink (if configured) before removal
+4. **Alert rotation**: When MAX_ALERT_SIZE is exceeded, alerts are sorted by recency and the oldest 30% are removed
+
+## Remote Export
+
+Set `NEXT_PUBLIC_AUDIT_EXPORT_URL` to enable remote export of evicted entries. The export is sent as a POST request with JSON body containing the entries, session ID, and timestamp.

docs/csp.md

@@ -0,0 +1,35 @@
+# Content Security Policy (CSP)
+
+## Overview
+
+PropChain enforces a strict Content Security Policy to prevent XSS attacks. The policy is applied via Next.js middleware.
+
+## Policy Directives
+
+- `default-src 'self'` - Only same-origin resources by default
+- `img-src 'self' data: ipfs:` - Images from self, data URIs, and IPFS
+- `script-src 'self' 'nonce-...'` - Only same-origin scripts with valid nonce
+- `style-src 'self' 'unsafe-inline'` - Styles from self (inline allowed for Tailwind)
+- `font-src 'self' data:` - Fonts from self and data URIs
+- `connect-src 'self'` - API connections only to same origin
+- `frame-src 'self'` - Frames only from same origin
+- `base-uri 'self'` - Base URIs restricted to same origin
+- `form-action 'self'` - Form submissions only to same origin
+- `frame-ancestors 'self'` - Framing only by same origin
+
+## Environment Behavior
+
+- **Production**: `Content-Security-Policy` header (enforced)
+- **Non-production**: `Content-Security-Policy-Report-Only` header (reported only)
+
+## CSP Reports
+
+CSP violations are reported to `POST /api/csp-report`. In development mode, reports are logged to the console.
+
+## Exclusions
+
+The following paths are excluded from CSP:
+- `/api/*` - API routes
+- `/_next/static/*` - Next.js static assets
+- `/_next/image/*` - Next.js image optimization
+- `/favicon.ico`, `/sitemap.xml`, `/robots.txt`

docs/phishing-denylist.md

@@ -0,0 +1,36 @@
+# Phishing Denylist
+
+## Overview
+
+The phishing denylist is sourced from a trusted CDN at runtime with a signed manifest. A small fallback list is bundled for offline protection.
+
+## CDN Manifest Schema
+
+```json
+{
+  "version": "1.0.0",
+  "updatedAt": "2026-06-27T00:00:00Z",
+  "domains": ["phishing-domain-1.com", "phishing-domain-2.com"],
+  "contracts": ["0x1234..."],
+  "signature": "base64-encoded-signature"
+}
+```
+
+## Update Procedure
+
+1. Update the phishing manifest JSON with new domains/contracts
+2. Sign the manifest with the project's signing key
+3. Upload to the CDN at `https://cdn.propchain.io/security/phishing-manifest.json`
+4. The frontend automatically fetches the latest manifest (cached for 1 hour)
+5. If the manifest fails verification, the fallback list is used
+
+## Configuration
+
+Set `NEXT_PUBLIC_PHISHING_MANIFEST_URL` and `NEXT_PUBLIC_MANIFEST_SIGNING_KEY` in your environment.
+
+## Fallback List
+
+A minimal fallback list is bundled for offline/startup scenarios:
+- `metamask.io.fake`
+- `myetherwallet.com.scam`
+- `trustwallet.app.phish`