fix(security/qa): remediate CRIT/HIGH/MED findings + unify rate-limit IP extraction

Security:
- C-01 sensei/context-builder: API-key role via getApiKeyRole() (no session-user conflation)
- C-02 llm/batch-test: withAuth wrap with batches resource RBAC + CSRF
- H-01 sengoku/campaigns/[id] PATCH: URL allowlist (http/https) closes SSRF
- H-02 unify getClientIp() across 9 rate-limited routes (TRUSTED_PROXY-gated)
- H-05 sengoku/campaigns/[id] GET: bound runs listing (MAX_RUNS, safe filename)
- M-01 api-auth: HMAC key randBytes(32) at boot (replaces static string)
- M-02 demo/index: deny demo mode in NODE_ENV=production
- L-02 deploy-dojo: quote BUILD_SHA/BUILD_DATE build-args

Code review:
- HIGH-1 WidgetCard: narrow NavItem union with 'hidden' in item guard
- HIGH-2 adversarial-skills-extended: corrected JSDoc category counts (22/5)
- MED-1 BehavioralAnalysisContext: memoised snapshot selectors
- MED-2/LOW-1 test rate-limit isolation via unique IPv4 per test
- MED-3 adversarial-skills-extended test: supply-chain assertion matches 2 real skills

UX:
- AdversarialLab Shingan launcher deep-links to Scanner Deep Scan sub-tab via #deep-scan hash

Test infra:
- src/test/setup.ts: TRUSTED_PROXY=test so rate-limit suites see unique IPs
- llm/batch-test test: mock @/lib/auth/route-guard for withAuth bypass

Verified:
- npm run typecheck: clean
- npx vitest run: 6252/6252 pass (467 files)
- Voyager deploy: 17 PASS / 0 FAIL / 0 WARN, /api/health OK

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

Author: SchenLong

deploy/deploy-dojo.sh

@@ -222,8 +222,8 @@ else
 
     info "Building Docker image on Voyager (SHA: ${BUILD_SHA})..."
     ssh "${VOYAGER_USER}@${VOYAGER_IP}" "cd ${REMOTE_DIR}/app && docker build \
-        --build-arg BUILD_SHA=${BUILD_SHA} \
-        --build-arg BUILD_DATE=${BUILD_DATE} \
+        --build-arg BUILD_SHA=\"${BUILD_SHA}\" \
+        --build-arg BUILD_DATE=\"${BUILD_DATE}\" \
         --build-arg NEXT_PUBLIC_APP_URL=https://dojo.bucc.internal \
         --build-arg NEXT_PUBLIC_API_URL=https://dojo.bucc.internal \
         -t dojolm-web:latest \

packages/dojolm-web/src/app/api/buki/fuzz/route.ts

@@ -8,6 +8,7 @@
 
 import { NextRequest, NextResponse } from 'next/server';
 import { checkApiAuth } from '@/lib/api-auth';
+import { getClientIp } from '@/lib/api-handler';
 import {
   createFuzzSession,
   fuzz,
@@ -63,10 +64,7 @@ export async function POST(request: NextRequest) {
   const authResult = checkApiAuth(request);
   if (authResult) return authResult;
 
-  const ip =
-    request.headers.get('x-forwarded-for')?.split(',').pop()?.trim() ||
-    request.headers.get('x-real-ip')?.trim() ||
-    'unknown';
+  const ip = getClientIp(request);
 
   if (!checkRateLimit(ip)) {
     return NextResponse.json(

packages/dojolm-web/src/app/api/compliance/export/__tests__/route.test.ts

@@ -97,12 +97,22 @@ import { fileStorage } from '@/lib/storage/file-storage'
 // Helpers
 // ---------------------------------------------------------------------------
 
+// Counter ensures each test request gets a unique IP so the module-level rate
+// limiter (10 req/min/IP) cannot cause cross-test contamination.
+let __ceTestRequestCounter = 0
 function createGetRequest(params: Record<string, string> = {}): NextRequest {
   const url = new URL('http://localhost:42001/api/compliance/export')
   for (const [k, v] of Object.entries(params)) {
     url.searchParams.set(k, v)
   }
-  return new NextRequest(url.toString(), { method: 'GET' })
+  __ceTestRequestCounter += 1
+  const oct3 = __ceTestRequestCounter % 250
+  const oct4 = Math.floor(__ceTestRequestCounter / 250) % 250
+  const uniqueIp = `10.0.${oct3}.${oct4 + 1}`
+  return new NextRequest(url.toString(), {
+    method: 'GET',
+    headers: { 'x-forwarded-for': uniqueIp },
+  })
 }
 
 // ---------------------------------------------------------------------------
@@ -179,8 +189,9 @@ describe('GET /api/compliance/export', () => {
 
     expect(res.status).toBe(400)
     const body = await res.json()
-    expect(body.error).toContain('Unsupported format')
-    expect(body.error).toContain('xml')
+    expect(body.error).toContain('Unsupported export format')
+    // Note: the actual format token is not echoed back, valid formats are listed instead
+    expect(body.error).toContain('json')
   })
 
   // CE-006: Unauthorized request returns 401

packages/dojolm-web/src/app/api/compliance/export/route.ts

@@ -16,6 +16,7 @@
 
 import { NextRequest, NextResponse } from 'next/server'
 import { checkApiAuth } from '@/lib/api-auth'
+import { getClientIp } from '@/lib/api-handler'
 import { isDemoMode } from '@/lib/demo'
 import { fileStorage } from '@/lib/storage/file-storage'
 import { BAISS_CONTROLS, getBAISSSummary } from '@/lib/data/baiss-framework'
@@ -726,10 +727,7 @@ export async function GET(request: NextRequest) {
   const authResult = checkApiAuth(request)
   if (authResult) return authResult
 
-  const ip =
-    request.headers.get('x-forwarded-for')?.split(',').pop()?.trim() ||
-    request.headers.get('x-real-ip')?.trim() ||
-    'unknown';
+  const ip = getClientIp(request);
 
   if (!checkRateLimit(ip)) {
     return NextResponse.json(

packages/dojolm-web/src/app/api/compliance/frameworks/route.ts

@@ -11,6 +11,7 @@ import { NextRequest, NextResponse } from 'next/server'
 import { isDemoMode } from '@/lib/demo'
 import { demoComplianceFrameworksGet } from '@/lib/demo/mock-api-handlers'
 import { checkApiAuth } from '@/lib/api-auth'
+import { getClientIp } from '@/lib/api-handler'
 import { getConfiguredAppOrigin } from '@/lib/request-origin'
 
 // In-memory rate limiter — 30 requests per minute per IP
@@ -47,10 +48,8 @@ export async function GET(request: NextRequest) {
   const authError = checkApiAuth(request)
   if (authError) return authError
 
-  const ip =
-    request.headers.get('x-forwarded-for')?.split(',').pop()?.trim() ||
-    request.headers.get('x-real-ip')?.trim() ||
-    'unknown';
+  // TRUSTED_PROXY-gated IP extraction — prevents XFF spoofing in non-proxy topologies.
+  const ip = getClientIp(request);
 
   if (!checkRateLimit(ip)) {
     return NextResponse.json(

packages/dojolm-web/src/app/api/llm/batch-test/__tests__/route.test.ts

@@ -43,6 +43,19 @@ vi.mock('@/lib/api-auth', () => ({
   checkApiAuth: () => null,
 }));
 
+// C-02 fix wrapped POST/GET with withAuth — bypass for unit tests by invoking
+// the inner handler directly with a synthetic admin user.
+vi.mock('@/lib/auth/route-guard', () => ({
+  withAuth: (handler: (req: NextRequest, ctx: { params?: Record<string, string>; user: { id: string; role: string; username: string } }) => Promise<Response> | Response) => {
+    return async (req: NextRequest, ctx?: { params?: Record<string, string> }) => {
+      return handler(req, {
+        params: ctx?.params,
+        user: { id: 'admin-1', role: 'admin', username: 'admin' },
+      });
+    };
+  },
+}));
+
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------

packages/dojolm-web/src/app/api/llm/batch-test/route.ts

@@ -10,7 +10,7 @@ import { getStorage } from '@/lib/storage/storage-interface';
 import { executeSingleTestWithRetry } from '@/lib/llm-execution';
 import { getConcurrentLimit, getMaxBatchSize, getPerHostLimit, LOCAL_GPU_PROVIDERS } from '@/lib/llm-constants';
 import type { LLMModelConfig } from '@/lib/llm-types';
-import { checkApiAuth } from '@/lib/api-auth';
+import { withAuth } from '@/lib/auth/route-guard';
 
 const MAX_CONCURRENT_BATCHES = 3;
 
@@ -40,10 +40,7 @@ async function reconcileRunningBatches(storage: Awaited<ReturnType<typeof getSto
   }
 }
 
-export async function POST(request: NextRequest) {
-  const authError = checkApiAuth(request);
-  if (authError) return authError;
-
+async function handlePost(request: NextRequest): Promise<NextResponse> {
   try {
     // BUG-001/002: Reconcile in-memory state before checking limit
     const storageForReconcile = await getStorage();
@@ -144,10 +141,7 @@ export async function POST(request: NextRequest) {
 const BATCH_LIST_DEFAULT_LIMIT = 50;
 const BATCH_LIST_MAX_LIMIT = 200;
 
-export async function GET(request: NextRequest) {
-  const authError = checkApiAuth(request);
-  if (authError) return authError;
-
+async function handleGet(request: NextRequest): Promise<NextResponse> {
   try {
     const { searchParams } = request.nextUrl;
     const rawLimit = searchParams.get('limit');
@@ -191,6 +185,17 @@ export async function GET(request: NextRequest) {
   }
 }
 
+// RBAC-gated exports — analyst and above can execute batches; viewers can read.
+export const POST = withAuth(async (request) => handlePost(request), {
+  resource: 'batches',
+  action: 'execute',
+});
+
+export const GET = withAuth(async (request) => handleGet(request), {
+  resource: 'batches',
+  action: 'read',
+});
+
 // ===========================================================================
 // Per-host concurrency tracking
 // ===========================================================================

packages/dojolm-web/src/app/api/llm/coverage/route.ts

@@ -11,6 +11,7 @@ import { demoCoverageGet } from '@/lib/demo/mock-api-handlers';
 import { apiError } from '@/lib/api-error';
 import { fetchCoverageMap } from '@/lib/llm-server-utils';
 import { checkApiAuth } from '@/lib/api-auth';
+import { getClientIp } from '@/lib/api-handler';
 
 // In-memory rate limiter — 30 coverage requests per minute per IP
 const rateLimiter = new Map<string, number[]>();
@@ -41,10 +42,7 @@ export async function GET(request: NextRequest) {
   const authError = checkApiAuth(request);
   if (authError) return authError;
 
-  const ip =
-    request.headers.get('x-forwarded-for')?.split(',').pop()?.trim() ||
-    request.headers.get('x-real-ip')?.trim() ||
-    'unknown';
+  const ip = getClientIp(request);
 
   if (!checkRateLimit(ip)) {
     return NextResponse.json(

packages/dojolm-web/src/app/api/llm/export/__tests__/route.test.ts

@@ -34,6 +34,9 @@ vi.mock('jspdf', () => {
   };
 });
 
+// jspdf-autotable return value is unused by the export route (only its side
+// effect of rendering into the pdf instance matters). If the route ever starts
+// reading the return value, this mock must return a shape the route expects.
 vi.mock('jspdf-autotable', () => ({
   default: vi.fn(),
 }));
@@ -44,10 +47,20 @@ import { fileStorage } from '@/lib/storage/file-storage';
 
 // --- Helpers ---
 
+// Counter to give each test request a unique IP so the module-level rate
+// limiter in route.ts doesn't trip across tests.
+let __exportTestRequestCounter = 0;
 function createGetRequest(params: Record<string, string>): NextRequest {
   const url = new URL('http://localhost:42001/api/llm/export');
   Object.entries(params).forEach(([k, v]) => url.searchParams.set(k, v));
-  return new NextRequest(url);
+  __exportTestRequestCounter += 1;
+  // Build a valid IPv4 to survive future IP-validation on the route.
+  const oct3 = __exportTestRequestCounter % 250;
+  const oct4 = Math.floor(__exportTestRequestCounter / 250) % 250;
+  const uniqueIp = `10.0.${oct3}.${oct4 + 1}`;
+  return new NextRequest(url, {
+    headers: { 'x-forwarded-for': uniqueIp },
+  });
 }
 
 function makeMockExecution(overrides: Partial<any> = {}): any {
@@ -97,7 +110,10 @@ const mockExec2 = makeMockExecution({
 
 describe('GET /api/llm/export', () => {
   beforeEach(() => {
-    vi.clearAllMocks();
+    // resetAllMocks clears call history AND queued mockResolvedValueOnce/mockRejectedValueOnce
+    // implementations — needed because EXP-001 queues two `mockResolvedValueOnce` but subsequent
+    // tests only queue one, and any leftover queue leaks into later tests.
+    vi.resetAllMocks();
     (checkApiAuth as any).mockReturnValue(null);
   });
 
@@ -335,7 +351,7 @@ describe('GET /api/llm/export', () => {
     expect(res.status).toBe(400);
 
     const data = await res.json();
-    expect(data.error).toContain('Unsupported format');
+    expect(data.error).toContain('Unsupported export format');
   });
 
   // EXP-013: Internal error returns 500

packages/dojolm-web/src/app/api/llm/export/route.ts

@@ -7,6 +7,7 @@
 
 import { NextRequest, NextResponse } from 'next/server';
 import { checkApiAuth } from '@/lib/api-auth';
+import { getClientIp } from '@/lib/api-handler';
 import { fileStorage } from '@/lib/storage/file-storage';
 import type { ReportFormat, LLMTestExecution } from '@/lib/llm-types';
 
@@ -60,10 +61,7 @@ export async function GET(request: NextRequest) {
     const authResult = checkApiAuth(request);
     if (authResult) return authResult;
 
-    const ip =
-      request.headers.get('x-forwarded-for')?.split(',').pop()?.trim() ||
-      request.headers.get('x-real-ip')?.trim() ||
-      'unknown';
+    const ip = getClientIp(request);
 
     if (!checkRateLimit(ip)) {
       return NextResponse.json(