Act as a senior security engineer. Review the authentication system of this project and make it secure. Ensure passwords are securely hashed, sessions expire, email verification is enabled, password reset tokens expire, login attempts are rate limited, and authentication secrets are never exposed to the frontend.

Review all API endpoints and database queries. Ensure every request verifies the logged-in user owns the data being accessed. Prevent IDOR vulnerabilities by enforcing ownership checks before reading, modifying, or deleting any resource.

Review all JWT implementation in this project. Ensure tokens are signed with a strong secret or RS256, expiry is enforced, tokens are not stored in localStorage, refresh token rotation is implemented, and the 'none' algorithm is rejected.

Review all admin and internal routes in this project. Ensure every admin endpoint verifies both authentication and role/permission level before granting access. Add middleware that blocks non-admin users at the routing layer, not just the UI layer.

Audit the password reset flow end to end. Ensure reset tokens are cryptographically random, single-use, and expire within 15 minutes. Confirm the old password is invalidated immediately on reset, tokens are hashed in the database, and the endpoint is rate limited.

Scan the entire project for secrets, API keys, tokens, and credentials. Ensure nothing sensitive is exposed in frontend code or committed to the repository. Move everything to environment variables and confirm they're only accessed server-side.

Audit all database queries in this project. Identify anywhere raw user input is used in queries. Replace with parameterized queries or prepared statements everywhere. Flag any ORM usage that bypasses safe query building.

Review all places in the codebase where user input is rendered to the DOM. Ensure output is properly escaped or sanitized. Identify any use of innerHTML, dangerouslySetInnerHTML, or eval with user data and replace with safe alternatives.

Audit the file upload functionality in this project. Enforce file type validation on the server side, limit file sizes, rename uploaded files to prevent path traversal, store files outside the web root or in object storage like S3, and scan for malicious content where possible.

Add rate limiting across the entire application — login attempts, account creation, API endpoints, and AI generation routes. Prevent bots and automated scripts from abusing the system. Use sliding window or token bucket strategy where appropriate.

Audit the CORS configuration across all API routes. Replace wildcard origins with explicit allowed domains. Ensure credentials are not sent with wildcard origins. Restrict allowed methods and headers to only what's needed.

Audit all webhook endpoints in this project. Ensure every incoming webhook is verified using HMAC signature validation with the provider's secret. Reject any request that fails verification before processing. Add replay attack protection using timestamp validation.

Review all error handling across this application. Ensure stack traces, database errors, and internal system details are never exposed to the client in production. Replace verbose errors with generic messages for the user while logging full details server-side only.

Configure this application for secure production deployment. Enforce HTTPS everywhere, restrict database access from the public internet, store all secrets securely, and add structured logging for auth events, API errors, and unusual traffic patterns.

Audit all project dependencies for known vulnerabilities. Run npm audit or equivalent, identify high and critical severity issues, suggest safe version upgrades or alternative packages, and flag any abandoned or unmaintained dependencies that should be replaced.