
chore(ci): add fork-side SSO audit script + workflow#19

Closed
awais786 wants to merge 2 commits into foss-main from chore/sso-audit-ci


Conversation

@awais786

Summary

Per-fork SSO contract audit in CI. Mirrors Pressingly/plane#32, Pressingly/twenty#9, Pressingly/outline#20.

Checks

| Row | File | Invariant | Severity |
|---|---|---|---|
| 14 | frontend/src/app/main/data/auth.cljs | SPA logout MUST NOT call /oauth2/sign_out | informational |
| 20 | backend/src/app/http/auth_request.clj | MUST contain session/delete-fn (drop+expire path) AND create-session! (re-key path) | security-critical |
| 21 | same | No polynomial-backtracking email-shape regex | regression guard |

Spec source: sso-rules-moneta/openspec/specs/proxy-auth-middleware/spec.md.

Current state

Local dry-run on foss-main: row 20 ❌ — auth_request.clj doesn't have the session/delete-fn call yet. PR #18 introduces it. When #18 merges, the audit goes green.

To unblock this PR, rebase onto fix/proxy-auth-stale-session-on-user-switch.

🤖 Generated with Claude Code

Adds a per-fork deterministic audit. Mirrors Pressingly/plane#32,
Pressingly/twenty#9, Pressingly/outline#20.

Rows covered:
  14 — SPA logout (frontend/src/app/main/data/auth.cljs) MUST NOT call
       /oauth2/sign_out
  20 — backend/src/app/http/auth_request.clj MUST contain BOTH
       `session/delete-fn` (drop+expire path for unresolvable mismatch)
       AND `create-session!` (re-key path for resolvable mismatch).
       SECURITY-CRITICAL.
  21 — No polynomial-backtracking email-shape regex

Local dry-run on foss-main:
  row 14 ✅, row 20 ❌ (no session/delete-fn yet), row 21 ✅.
  Waiting for #18 to introduce session/delete-fn on the
  unresolvable-mismatch path. When #18 merges, the audit goes green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@github-actions

github-actions Bot commented May 16, 2026

Penpot SSO Fork Audit

Cross-app contract: https://github.com/awais786/sso-rules-moneta/blob/main/openspec/specs/proxy-auth-middleware/spec.md
Row numbers match the 21-row table at https://github.com/awais786/sso-rules-moneta/blob/main/skills/app-rules/SKILL.md#5-report

| Row | Invariant | Status | Notes |
|---|---|---|---|
| 14 | logout shape: SPA logout does not call /oauth2/sign_out | | frontend/src/app/main/data/auth.cljs does not invoke /oauth2/sign_out (this row verifies only that the SPA doesn't try to clear the upstream proxy cookie itself; that's the portal's job) |
| 20 | session-identity reconciliation present (Rule 2 mismatch flush) | | backend/src/app/http/auth_request.clj is missing: session/delete-fn (drop+expire path). The cross-app spec (proxy-auth-middleware Rule 2) requires wrap-authz to reconcile the upstream X-Auth-Request-Email against the session profile-id. On resolvable + active mismatch: re-key by calling create-session! on the response with the new profile-id. On unresolvable upstream: dissoc the session markers AND call (session/delete-fn cfg) to expire the browser cookie. Without both paths, the stale-session-on-user-switch leak returns. Reference: #18. |
| 21 | email-shape detection uses substring, not polynomial regex | | No polynomial-backtracking email-shape regex in backend/src/app/http/auth_request.clj; using re-matches (implicit anchoring on fixed-size input) or substring check |

1 violation. Security-critical (row 20): 1.


Copilot AI left a comment


Pull request overview

Adds a CI-side audit script and GitHub Actions workflow that statically verify Penpot's source tree against the cross-app SSO contract (rows 14, 20, 21 of the openspec table). The audit is intended to catch regressions in the SPA logout shape, the session-identity reconciliation in wrap-authz (which is introduced in companion PR #18), and the reintroduction of polynomial-backtracking email regex.

Changes:

  • New scripts/sso-audit.sh performing three grep-based invariant checks against auth_request.clj and auth.cljs, exiting non-zero only on the security-critical row 20 failure.
  • New .github/workflows/sso-audit.yml running the script on PRs touching auth code, on push to foss-main, weekly, and on dispatch — publishing results to the job summary and a sticky PR comment.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| scripts/sso-audit.sh | Bash audit script implementing the three fork-side spec checks and printing a markdown status table. |
| .github/workflows/sso-audit.yml | Workflow that invokes the script, surfaces results to the step summary and a sticky PR comment, and fails on security-critical violations. |

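The three invariants the audit checks (rows 14, 20 and 21 as described in the PR summary and the review overview above), written out as an added shell illustration for this page; it is not the PR's own scripts/sso-audit.sh. The file paths mirror the page, while the fixture contents and the row 21 heuristic are constructed assumptions:

```shell
#!/usr/bin/env bash
# Added illustration, not the PR's scripts/sso-audit.sh: the three grep-based
# invariants, each returning 0 when the rule holds. Paths mirror the page;
# the fixture contents and the row 21 heuristic are constructed assumptions.
AUTH_CLJS=frontend/src/app/main/data/auth.cljs
AUTH_REQ=backend/src/app/http/auth_request.clj

# Row 14 (informational): the SPA must not try to clear the proxy cookie itself.
row14() { ! grep -q '/oauth2/sign_out' "$1/$AUTH_CLJS"; }

# Row 20 (security-critical): BOTH the drop+expire path and the re-key path.
row20() { grep -q 'session/delete-fn' "$1/$AUTH_REQ" && grep -q 'create-session!' "$1/$AUTH_REQ"; }

# Row 21 (regression guard), heuristic: any Clojure regex literal #"..." that
# contains '@' is treated as an email-shape regex; a substring check leaves none.
row21() { ! grep -Eq '#"[^"]*@[^"]*"' "$1/$AUTH_REQ"; }

# Print a markdown status table; the exit status is non-zero only when the
# security-critical row 20 fails, which is the policy the PR describes.
audit_tree() {
  rc=0
  printf '| Row | Invariant | Status |\n|---|---|---|\n'
  if row14 "$1"; then s=ok; else s=FAIL; fi
  printf '| 14 | SPA logout does not call /oauth2/sign_out | %s |\n' "$s"
  if row20 "$1"; then s=ok; else s=FAIL; rc=1; fi
  printf '| 20 | session/delete-fn AND create-session! present | %s |\n' "$s"
  if row21 "$1"; then s=ok; else s=FAIL; fi
  printf '| 21 | no email-shape regex literal | %s |\n' "$s"
  return "$rc"
}

# Constructed fixture tree: "$2" = green writes a compliant backend file;
# any other value omits session/delete-fn, reproducing the row 20 red state.
make_fixture() {
  mkdir -p "$1/$(dirname "$AUTH_CLJS")" "$1/$(dirname "$AUTH_REQ")"
  printf '(defn logout [] (st/emit! (logged-out)))\n' > "$1/$AUTH_CLJS"
  del=''
  [ "$2" = green ] && del='  ((session/delete-fn cfg) request)\n'
  printf '(defn wrap-authz [handler cfg]\n%b  (create-session! response profile-id))\n(defn email-shape? [s] (str/includes? s "@"))\n' "$del" > "$1/$AUTH_REQ"
}

# Stand-alone run: audit a green tree, then a red one.
if [ "${1:-}" = --demo ]; then
  d=$(mktemp -d); make_fixture "$d/green" green; make_fixture "$d/red" red
  audit_tree "$d/green"; audit_tree "$d/red" || echo "exit $?: row 20 violated"
fi
```

Run with `--demo` to see the green table followed by the red one, where only row 20 flips the exit status, as the workflow's fail-on-security-critical policy requires.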

Scope `pull-requests: write` to the job, not the whole workflow — the audit
step itself only needs `contents: read`. Bump actions/checkout to @v5 to
match the convention used in Pressingly/outline.

Same hardening Pressingly/plane and Pressingly/outline received during
Copilot review; applied preemptively here for consistency.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@awais786

Closing: fork-side audit tooling not needed on this fork. The audit is being maintained in sso-rules-moneta instead, which is the single source of truth across all forks.

@awais786 awais786 closed this May 18, 2026
@awais786 awais786 deleted the chore/sso-audit-ci branch May 18, 2026 08:26
