islandflow/piolium/attack-surface/variant-summary.md
dirtydishes 47a5adca90
Add attack surface audit artifacts
- Add advisory, entrypoint, and candidate scan outputs
- Capture dependency intelligence and cross-service attack surface notes
2026-05-28 05:13:36 -04:00

Phase 12 Variant Summary

Variant analysis reviewed the surviving findings in piolium/findings-draft/ and searched the code and attack-surface artifacts for sibling sources, sinks, and flow shapes. piolium/attack-pattern-registry.json was not present, so no registry update could be made.

Confirmed variants

  1. piolium/findings-draft/p12-001-unauthenticated-nats-market-event-injection.md — expands the confirmed unauthenticated flow.news producer-impersonation flaw to the other trusted market/derived NATS subjects consumed by API, compute, and candles.
  2. piolium/findings-draft/p12-002-candles-jetstream-redelivery-duplicates-derived-candles.md — same JetStream side-effects-before-ack idempotency gap as compute, present in the candles worker.
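The side-effects-before-ack shape behind p12-002 is easiest to see with at-least-once delivery simulated in-process. The following TypeScript is an added example, not code from the piolium repository or the nats.js client: the broker loop, the `Msg` shape, the `CandleStore` sink and the crash flag are all constructed here to mimic JetStream redelivering an unacked message. It contrasts a handler that writes a derived candle and then acks with one that dedupes on the stream sequence before writing.

```typescript
// Constructed simulation of JetStream at-least-once redelivery (hypothetical types,
// not the project's own). A consumer that performs its side effect and then fails
// before acking is redelivered the same message, so the side effect repeats.

interface Msg {
  subject: string;   // e.g. "market.trade" (illustrative subject name)
  seq: number;       // stream sequence, unique per message within a stream
  data: { symbol: string; price: number };
}

// Hypothetical sink standing in for the derived-candles table.
interface CandleStore {
  inserts: string[];
}

// A handler returns true when it acked the message, false when it "crashed" first.
type Handler = (msg: Msg, store: CandleStore, seen: Set<string>, crashBeforeAck: boolean) => boolean;

// Vulnerable shape: write first, ack second. A crash between the two leaves the
// write in place while the broker still considers the message undelivered.
const sideEffectBeforeAck: Handler = (msg, store, _seen, crashBeforeAck) => {
  store.inserts.push(`${msg.data.symbol}:${msg.seq}`);   // side effect
  if (crashBeforeAck) return false;                      // simulated crash: no ack sent
  return true;                                           // ack
};

// Hardened shape: derive an idempotency key from the stream position and make the
// write conditional on it. In real code the key and the row belong in one
// transaction or an upsert on a unique index; here `seen` stands in for that.
const idempotentHandler: Handler = (msg, store, seen, crashBeforeAck) => {
  const key = `${msg.subject}#${msg.seq}`;
  if (!seen.has(key)) {
    store.inserts.push(`${msg.data.symbol}:${msg.seq}`);
    seen.add(key);
  }
  if (crashBeforeAck) return false;   // redelivery now hits the dedupe check
  return true;
};

// Constructed broker: delivers each message and redelivers until acked (bounded attempts),
// which is the observable behaviour of an unacked JetStream message after ackWait elapses.
function runBroker(msgs: Msg[], handler: Handler, crashOnFirstAttempt: boolean): CandleStore {
  const store: CandleStore = { inserts: [] };
  const seen = new Set<string>();
  for (const m of msgs) {
    let acked = false;
    for (let attempt = 0; !acked && attempt < 3; attempt++) {
      acked = handler(m, store, seen, crashOnFirstAttempt && attempt === 0);
    }
  }
  return store;
}

// Constructed sample stream: two trades on one symbol.
const sampleMsgs: Msg[] = [
  { subject: "market.trade", seq: 101, data: { symbol: "BTCUSD", price: 50000 } },
  { subject: "market.trade", seq: 102, data: { symbol: "BTCUSD", price: 50010 } },
];

// Returns the number of derived-candle rows each shape produces under a crash-before-ack.
function compareShapes(): { vulnerable: number; hardened: number } {
  return {
    vulnerable: runBroker(sampleMsgs, sideEffectBeforeAck, true).inserts.length,
    hardened: runBroker(sampleMsgs, idempotentHandler, true).inserts.length,
  };
}

console.log(compareShapes());
```

With the crash flag set, the write-then-ack handler produces four rows for two messages, while the keyed handler produces two; without a crash both produce two, which is why the defect only surfaces under redelivery and is easy to miss in a happy-path test.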

Searches performed

  • HTML injection/XSS: only apps/web/app/terminal.tsx uses dangerouslySetInnerHTML and the regex sanitizer pattern.
  • Admin proxy: only apps/web/app/api/admin/synthetic/* injects a server bearer token into public Next route proxying.
  • WebSocket auth/origin: unauthenticated upgrade pattern is centralized in services/api/src/index.ts; no additional WS servers found.
  • NATS producer trust: the API consumer binding matrix and worker subscriptions show additional subjects whose messages are validated only against a schema, with no producer authentication, arriving from the unauthenticated broker.
  • JetStream redelivery/idempotency: candles worker matches the compute side-effect-before-ack shape.
  • Infrastructure exposure: root compose exposure finding remains centralized to root docker-compose.yml; production compose does not publish infra ports directly in the same way.