# KYN POS Security Notes

Phase 1 is only the foundation skeleton. It does not yet include real staff authentication, PIN lockout, order/payment writes, or POS transactions.

Security rules already included:

- Only `/public` is exposed as the web server's document root; `/inc`, config and logs stay above it.
- Routes are allowlisted in `/inc/router.php`.
- Templates escape output with `e()` and `attr()`.
- CSRF helpers are available for all future POST/AJAX actions.
- Session cookie settings use `HttpOnly`, `SameSite=Lax`, and `Secure` when HTTPS is detected.
- Database secrets stay in `/inc/config.local.php`, which is ignored by Git.
- Logs are kept outside public webroot.
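The rules above in one minimal PHP file, as an added example rather than the project's own `/inc` code. `e()` and `attr()` are the helper names the notes mention; `start_secure_session()`, `csrf_token()`, `csrf_verify()`, `route()` and the route map are assumed names for illustration.

```php
<?php
// Added example, not the project's /inc code. Only e() and attr() are names
// from the notes; every other function and the route map are assumptions.

declare(strict_types=1);

// Escape for HTML text nodes. ENT_QUOTES covers both quote styles,
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output.
function e(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Escape for HTML attribute values. Same flags today; kept as a separate
// helper so templates state intent and the two can diverge later.
function attr(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Session cookie hardening: HttpOnly and SameSite=Lax always, Secure only
// when the request really arrived over HTTPS (a Secure cookie set over
// plain HTTP would never be sent back and every login would fail).
function start_secure_session(): void
{
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => $https,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// CSRF: one random token per session, embedded in forms and AJAX headers.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Constant-time comparison so a mismatch leaks nothing about the token.
function csrf_verify(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// Route allowlist: the request path is looked up in a fixed map. Anything
// not in the map is a 404; the path is never turned into a file to include.
function route(string $path): ?callable
{
    static $routes = [
        '/'      => fn(): string => 'home',
        '/login' => fn(): string => 'login',
    ];
    return $routes[$path] ?? null;
}
```

A POST handler built on these helpers calls `start_secure_session()` first, then rejects the request with a 403 when `csrf_verify($_POST['csrf'] ?? null)` returns false, before touching any other input. Templates print every dynamic value through `e()` in text and `attr()` inside attributes; the raw value never reaches the page.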

Future required work:

- Replace foundation demo login with real staff/PIN authentication.
- Hash passwords and PINs.
- Enforce role permissions server-side.
- Use prepared statements with bound parameters for every query that includes user-supplied or otherwise untrusted values.
- Use transactions for every multi-table order/payment write.
- Add audit logs for financial, menu, staff, void, comp, discount, and closeout actions.
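How the items in the list above fit together, as an added PDO example that is not project code: hashed PIN verification, a server-side role check, and a payment written with prepared statements inside one transaction together with its audit row. Table and column names (`payments`, `orders`, `audit_log` and their fields) and the function names are assumptions.

```php
<?php
// Added example, not project code. Table/column names are assumptions.
// Assumes the PDO connection was opened with
// PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION so SQL errors throw.

declare(strict_types=1);

// PINs are short and low-entropy, so they get the same slow hash as
// passwords; the plaintext PIN is never stored or compared directly.
function hash_pin(string $pin): string
{
    return password_hash($pin, PASSWORD_DEFAULT);
}

function verify_pin(string $pin, string $storedHash): bool
{
    return password_verify($pin, $storedHash);
}

// Role enforcement on the server: the role comes from the session that
// authentication populated, never from a form field or cookie the client set.
function require_role(array $session, string ...$allowed): void
{
    if (!in_array($session['role'] ?? '', $allowed, true)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// One payment = three writes (payment row, order status, audit row) that
// must all succeed or all roll back, so a crash mid-way cannot leave an
// order marked paid without a payment, or a payment with no audit trail.
function record_payment(PDO $db, int $orderId, int $staffId, int $amountCents, string $method): void
{
    $db->beginTransaction();
    try {
        $stmt = $db->prepare(
            'INSERT INTO payments (order_id, staff_id, amount_cents, method)
             VALUES (:order, :staff, :amount, :method)'
        );
        $stmt->execute([
            ':order'  => $orderId,
            ':staff'  => $staffId,
            ':amount' => $amountCents,
            ':method' => $method,
        ]);

        // The WHERE clause makes the status change conditional, so paying
        // an order twice or paying a voided order fails here.
        $stmt = $db->prepare(
            'UPDATE orders SET status = :paid WHERE id = :id AND status = :open'
        );
        $stmt->execute([':paid' => 'paid', ':id' => $orderId, ':open' => 'open']);
        if ($stmt->rowCount() !== 1) {
            throw new RuntimeException('order not open or not found');
        }

        // Audit row written inside the same transaction as the money movement.
        $stmt = $db->prepare(
            'INSERT INTO audit_log (staff_id, action, detail) VALUES (:staff, :action, :detail)'
        );
        $stmt->execute([
            ':staff'  => $staffId,
            ':action' => 'payment',
            ':detail' => json_encode([
                'order'        => $orderId,
                'amount_cents' => $amountCents,
                'method'       => $method,
            ], JSON_THROW_ON_ERROR),
        ]);

        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}
```

The amount is passed as integer cents rather than a float so arithmetic and comparisons are exact. Void, comp, discount and closeout actions follow the same pattern: the state change and its `audit_log` row go in one transaction, and the acting staff id is taken from the session after `require_role()` has passed.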
