PERF-004 recommended memory-monitoring

Heap dump capability

Protected mechanism to capture heap dumps for debugging memory leaks

Question to ask

"Could anyone trigger a heap dump from the internet right now?"

What to check

  • Heap dump mechanism exists (endpoint, CLI, or cloud feature)
  • If exists, protected by token/header and/or Zero Trust
  • Not publicly accessible

Verification guide

Severity: Optional

This is a debugging tool - only needed when investigating memory leaks. However, if it exists, it must be properly protected.

Check automatically:

  1. Look for heap dump mechanism:
# Look for heap dump endpoints or functions
grep -riE "heapdump|heap.dump|writeHeapSnapshot|v8.getHeapSnapshot" --include="*.ts" --include="*.js" src/ lib/ app/ 2>/dev/null | head -10

# Check for debug endpoints
grep -riE "/debug|/diagnostic|/profil" --include="*.ts" --include="*.js" src/ lib/ app/ 2>/dev/null | head -10

# Look for heapdump package
grep -E "heapdump|v8-profiler|heap-profile" package.json 2>/dev/null
  2. If endpoint found, verify protection:
# Check for auth on debug endpoints
grep -riE "debug.*token|debug.*key|x-debug|admin.*header|auth.*debug" --include="*.ts" --include="*.js" src/ lib/ app/ 2>/dev/null | head -10
  3. Verify protection mechanism:
    • Requires secret token/header, AND/OR
    • Behind Zero Trust/VPN
    • Not publicly accessible

If not found, ask user:

  • "Is there a way to capture heap dumps from production?"
  • "How would you debug a memory leak in production?"

Cross-reference with:

  • PERF-003 (heap dumps useful when leak detected)
  • SEC-001 (Section 13 - Zero Trust protection)

Pass criteria:

  • No heap dump capability (acceptable - it's optional), OR
  • Heap dump mechanism exists AND is protected by:
    • Secret token/header, AND/OR
    • Zero Trust/VPN access only

Fail criteria:

  • Heap dump endpoint exists but is unprotected (security issue)
  • Heap dump accessible without authentication

Partial (acceptable):

  • No built-in endpoint but can SSH/exec into container to trigger dump (as long as SSH/exec access is properly restricted)

Evidence to capture:

  • Heap dump mechanism (endpoint URL, CLI command, or cloud feature)
  • Protection method (token, Zero Trust, SSH-only, etc.)
  • If none exists, note "Not implemented (acceptable)"

Section

17. Performance Monitoring

Performance & Analytics