Remove tracked security audit report

security_best_practices_report.md

@@ -1,29 +0,0 @@
-# Security Best Practices Report
-
-## Executive Summary
-
-I did a final security pass on the current alpha codebase after the recent auth, origin, proxy, and base-path changes. I do not see any remaining critical or high-severity blockers that should stop a public alpha release.
-
-The previously identified major issues are now addressed:
-- WebSocket cookie resume is gated by exact host origin checks.
-- Radio metadata fetching validates public URLs and revalidates redirects.
-- The PHP media proxy now requires the configured app origin and a valid authenticated session.
-- Auth helper endpoints now support normal same-origin browser requests without weakening the origin boundary for cross-site callers.
-
-## Current Assessment
-
-### No Critical or High Findings
-
-I do not currently see a critical or high-severity issue in the shipped Python server, TypeScript client, or PHP media proxy based on this code audit.
-
-### Lower-Risk Notes
-
-1. DNS rebinding / TOCTOU remains a residual hardening concern for any design that validates DNS first and then opens network connections later. The current Python and PHP outbound URL checks are substantially better than before and are reasonable for this alpha.
-2. The frontend still uses `localStorage` for non-secret preferences and UI hints. I did not find any remaining secret/session token storage in browser-accessible storage.
-3. The current client/tooling dependency tree was improved earlier in this session. Remaining risk appears limited to lower-priority dev-tooling exposure rather than deployed runtime code.
-
-## Recommendation
-
-From a code-security perspective, this project looks acceptable for a public alpha release.
-
-If you want one future hardening item after the alpha goes public, I would prioritize continued dependency maintenance and periodic review of the optional PHP proxy surface.