feat: enhance security, performance, and stability

This commit introduces a range of improvements across the application:

- **Security:**
  - Adds authentication to the CSP metrics endpoint.
  - Hardens CSP bypass detection regex to prevent ReDoS attacks.
  - Improves CORS headers for the CSP metrics API.
  - Adds filtering for acknowledged alerts in security monitoring.

- **Performance:**
  - Optimizes database connection pooling for NeonDB.
  - Improves session fetching with abort controller.

- **Stability:**
  - Adds error handling to the tRPC demo component.
  - Fixes type inconsistencies in session data mapping.

- **Docs & DX:**
  - Ignores  files in git.
  - Fixes a token placeholder in the documentation.

lib/csp.ts

@@ -401,30 +401,30 @@ export function parseCSPViolation(report: CSPViolationReport): {
 }
 
 /**
- * CSP bypass detection patterns
+ * CSP bypass detection patterns - optimized to prevent ReDoS attacks
  */
 export const CSP_BYPASS_PATTERNS = [
-  // Common XSS bypass attempts
-  /javascript:/i,
-  /data:text\/html/i,
-  /vbscript:/i,
-  /livescript:/i,
+  // Common XSS bypass attempts (exact matches to prevent ReDoS)
+  /^javascript:/i,
+  /^data:text\/html/i,
+  /^vbscript:/i,
+  /^livescript:/i,
 
-  // Base64 encoded attempts
-  /data:.*base64.*script/i,
-  /data:text\/javascript/i,
-  /data:application\/javascript/i,
+  // Base64 encoded attempts (limited quantifiers to prevent ReDoS)
+  /^data:[^;]{0,50};base64[^,]{0,100},.*script/i,
+  /^data:text\/javascript/i,
+  /^data:application\/javascript/i,
 
-  // JSONP callback manipulation
-  /callback=.*script/i,
+  // JSONP callback manipulation (limited lookahead)
+  /callback=[^&]{0,200}script/i,
 
-  // Common CSP bypass techniques
-  /location\.href.*javascript/i,
-  /document\.write.*script/i,
-  /eval\(/i,
+  // Common CSP bypass techniques (limited quantifiers)
+  /location\.href[^;]{0,100}javascript/i,
+  /document\.write[^;]{0,100}script/i,
+  /\beval\s*\(/i,
   /\bnew\s+Function\s*\(/i,
-  /setTimeout\s*\(\s*['"`].*['"`]/i,
-  /setInterval\s*\(\s*['"`].*['"`]/i,
+  /setTimeout\s*\(\s*['"`][^'"`]{0,500}['"`]/i,
+  /setInterval\s*\(\s*['"`][^'"`]{0,500}['"`]/i,
 ];
 
 /**
@@ -550,14 +550,14 @@ export function detectCSPBypass(content: string): {
     }
   }
 
-  // Determine risk level based on pattern types
+  // Determine risk level based on pattern types (ReDoS-safe patterns)
   const highRiskPatterns = [
-    /javascript:/i,
-    /eval\(/i,
+    /^javascript:/i,
+    /\beval\s*\(/i,
     /\bnew\s+Function\s*\(/i,
-    /data:text\/javascript/i,
-    /data:application\/javascript/i,
-    /data:.*base64.*script/i,
+    /^data:text\/javascript/i,
+    /^data:application\/javascript/i,
+    /^data:[^;]{0,50};base64[^,]{0,100},.*script/i,
   ];
 
   const hasHighRiskPattern = detectedPatterns.some((pattern) =>

lib/database-pool.ts

@@ -21,15 +21,24 @@ export const createEnhancedPrismaClient = () => {
         ? { rejectUnauthorized: false }
         : undefined,
 
-    // Connection pool settings
-    max: env.DATABASE_CONNECTION_LIMIT || 20, // Maximum number of connections
+    // Connection pool settings optimized for Neon
+    max: env.DATABASE_CONNECTION_LIMIT || 15, // Maximum number of connections (reduced for Neon)
+    min: 2, // Minimum connections to keep warm (prevent auto-pause)
     idleTimeoutMillis: env.DATABASE_POOL_TIMEOUT * 1000 || 30000, // Use env timeout
-    connectionTimeoutMillis: 5000, // 5 seconds
-    query_timeout: 10000, // 10 seconds
-    statement_timeout: 10000, // 10 seconds
+    connectionTimeoutMillis: 10000, // 10 seconds (increased for Neon cold starts)
+    query_timeout: 15000, // 15 seconds (increased for Neon)
+    statement_timeout: 15000, // 15 seconds (increased for Neon)
+
+    // Keepalive settings to prevent Neon auto-pause
+    keepAlive: true,
+    keepAliveInitialDelayMillis: 10000,
+
+    // Application name for monitoring in Neon dashboard
+    application_name:
+      dbUrl.searchParams.get("application_name") || "livedash-app",
 
     // Connection lifecycle
-    allowExitOnIdle: true,
+    allowExitOnIdle: false, // Keep minimum connections alive for Neon
   };
 
   const adapter = new PrismaPg(poolConfig);