diff --git a/docs/work/_system/_state.json b/docs/work/_system/_state.json
index c1454ae..8d9f348 100644
--- a/docs/work/_system/_state.json
+++ b/docs/work/_system/_state.json
@@ -1,5 +1,5 @@
 {
- "updated_at": "2026-05-20T09:35:47.087Z",
+ "updated_at": "2026-05-20T09:48:15.365Z",
 "epics": {
 "binder-wrap-helper": {
 "status": "done",
@@ -634,10 +634,10 @@
 ]
 },
 "07-security-header-adapters": {
- "status": "todo",
+ "status": "in-progress",
 "title": "Per-framework security header adapters",
 "ac_total": 2,
- "ac_completed": 0,
+ "ac_completed": 1,
 "depends_on": [
 "06-security-headers-core-module"
 ],
diff --git a/docs/work/epics/security-headers-rate-limit-sbom/07-security-header-adapters/_story.md b/docs/work/epics/security-headers-rate-limit-sbom/07-security-header-adapters/_story.md
index 1b8da57..922af44 100644
--- a/docs/work/epics/security-headers-rate-limit-sbom/07-security-header-adapters/_story.md
+++ b/docs/work/epics/security-headers-rate-limit-sbom/07-security-header-adapters/_story.md
@@ -3,12 +3,12 @@ id: 07-security-header-adapters
 epic: security-headers-rate-limit-sbom
 title: Per-framework security header adapters
 type: technical-story
-status: todo
+status: in-progress
 feature: core-shared
 depends-on: [06-security-headers-core-module]
 blocks: [08-app-wiring-web-next, 09-app-wiring-web-tanstack-and-cms]
 created: 2026-05-20T00:00:00Z
-updated: 2026-05-20T08:14:55.907Z
+updated: 2026-05-20T09:48:15.201Z
 ---
 ## Goal
@@ -41,5 +41,5 @@ Adapters follow the `core-analytics/react` subpath pattern established in the co
 ## Tasks
-- [ ] Implement `packages/core-shared/src/security/next/index.ts`: Next.js middleware calling `generateNonce()` + `buildSecurityHeaders`, setting all six headers and `x-nonce` on the response, plus `getNonce()` helper reading `x-nonce` from Next.js `headers()`; add subpath to `package.json` exports; adapter tests asserting all headers present, nonce in response headers, `getNonce()` reads it; all gates pass.
+- [x] Implement `packages/core-shared/src/security/next/index.ts`: Next.js middleware calling `generateNonce()` + `buildSecurityHeaders`, setting all six headers and `x-nonce` on the response, plus `getNonce()` helper reading `x-nonce` from Next.js `headers()`; add subpath to `package.json` exports; adapter tests asserting all headers present, nonce in response headers, `getNonce()` reads it; all gates pass.
 - [ ] Implement `packages/core-shared/src/security/tanstack/index.ts`: TanStack Start server middleware equivalent (generate nonce, set headers + `x-nonce`) plus request-context nonce extractor; add subpath to `package.json` exports; adapter tests asserting equivalent header + nonce behaviour; all gates pass.