{
  "steward": "react-auth-steward",
  "project": "Azure-AI-RAG-CSharp-Semantic-Kernel-Functions",
  "runDate": "2026-03-21",
  "runId": "2026-03-21T00-00-00",
  "findings": [
    {
      "id": "RAUTH-NOAUTH-001",
      "title": "No authentication layer — API fully open",
      "severity": "critical",
      "category": "NOAUTH",
      "file": "src/web/src/SupportAgent/Agent.js",
      "line": 29,
      "description": "No authentication library (MSAL or otherwise) is installed or configured. API calls are plain unauthenticated fetch requests. Any user or client with network access to REACT_APP_API_HOST can freely invoke /chat and /session, consuming Azure OpenAI quota and CosmosDB reads without restriction.",
      "recommendation": "Install @azure/msal-browser and @azure/msal-react. Register the application in Azure Entra ID. Wrap the app in MsalProvider and require authentication before API calls.",
      "status": "open"
    },
    {
      "id": "RAUTH-ROUTE-001",
      "title": "No route protection — all content accessible without login",
      "severity": "critical",
      "category": "ROUTE",
      "file": "src/web/src/App.js",
      "line": 9,
      "description": "App.js renders Main directly under the / route with no auth guard, no AuthenticatedTemplate, and no redirect to a login page. The full UI including the AI chat interface renders immediately for any visitor regardless of identity.",
      "recommendation": "Wrap protected routes with AuthenticatedTemplate from @azure/msal-react. Redirect unauthenticated visitors to a login page or invoke loginRedirect()/loginPopup() automatically.",
      "status": "open"
    },
    {
      "id": "RAUTH-MSAL-001",
      "title": "No MSAL library installed or configured",
      "severity": "notable",
      "category": "MSAL",
      "file": "src/web/package.json",
      "description": "Neither @azure/msal-browser nor @azure/msal-react appears in package.json. There is no auth configuration object (clientId, authority, redirectUri). This is a prerequisite for Azure AD / Entra ID authentication.",
      "recommendation": "Add @azure/msal-browser and @azure/msal-react to dependencies. Create authConfig.js with clientId, a tenant-specific authority, a redirectUri read from an environment variable, and cacheLocation set to sessionStorage.",
      "status": "open"
    },
    {
      "id": "RAUTH-TOKEN-001",
      "title": "API calls carry no credentials or Authorization header",
      "severity": "notable",
      "category": "TOKEN",
      "file": "src/web/src/SupportAgent/Agent.js",
      "line": 29,
      "description": "The fetch calls in Agent.js send no Authorization header. Even if the backend were secured, the frontend would receive 401 errors with no mechanism to acquire and attach a bearer token.",
      "recommendation": "Use acquireTokenSilent before each API call to obtain a token, with fallback to acquireTokenPopup on InteractionRequiredAuthError. Attach the token as 'Authorization: Bearer <token>' in fetch headers.",
      "status": "open"
    },
    {
      "id": "RAUTH-SESSION-001",
      "title": "No logout or session termination mechanism",
      "severity": "notable",
      "category": "SESSION",
      "description": "There is no logout button, no session expiry handling, and no mechanism to call logoutRedirect() or logoutPopup(). Once authentication is added, users will have no way to end their session short of server-side invalidation.",
      "recommendation": "Add a logout action that calls msalInstance.logoutRedirect() or msalInstance.logoutPopup() to clear both the client-side MSAL cache and the server-side session cookie.",
      "status": "open"
    },
    {
      "id": "RAUTH-LOG-001",
      "title": "API response logged to console — sensitive data exposure risk",
      "severity": "minor",
      "category": "LOG",
      "file": "src/web/src/SupportAgent/Agent.js",
      "line": 38,
      "description": "console.log(res) logs the full raw API JSON response on every chat message. If the API evolves to return session tokens, user identifiers, or other sensitive data, these will appear in the browser developer console and be accessible to browser extensions.",
      "recommendation": "Remove console.log(res) or gate it behind a development-only check: if (process.env.NODE_ENV === 'development') console.log(res).",
      "status": "open"
    },
    {
      "id": "RAUTH-DEMO-001",
      "title": "Application is self-described as demo-only",
      "severity": "info",
      "category": "DEMO",
      "file": "README.md",
      "description": "The root README.md and src/web/README.md both include disclaimers that the application is for educational and demonstration purposes only. This context may explain the absence of authentication as an intentional simplification for demo use.",
      "recommendation": "No action required for demo usage. Apply authentication before any production or staging deployment.",
      "status": "open"
    },
    {
      "id": "RAUTH-DEPLOY-001",
      "title": "Bicep deployment exposes app at public Azure Web App URL without auth",
      "severity": "info",
      "category": "DEPLOY",
      "file": "infra/",
      "description": "The Bicep deployment described in README.md provisions the React app to a publicly accessible Azure Web App domain. The absence of auth combined with a public deployment URL is a compounding risk factor. Infrastructure access controls are owned by the Infra Security Steward.",
      "recommendation": "Ensure auth is added before any deployment beyond local development. See Infra Security Steward for network-level controls.",
      "status": "open"
    }
  ],
  "summary": {
    "critical": 2,
    "notable": 3,
    "minor": 1,
    "info": 2,
    "total": 8
  }
}
