| id | prd | title | type | status | features | created | updated |
|---|---|---|---|---|---|---|---|
| security-headers-rate-limit-sbom | docs/work/prds/security-headers-rate-limit-sbom.prd.md | Security headers + rate-limit primitive + SBOM in CI — Epic C of ADR-025 | epic | done | | 2026-05-20T00:00:00Z | 2026-05-20T11:49:44.873Z |
## Goal
Ship three hardening primitives — framework-agnostic security header middleware, a manifest-declared rate-limit conformance channel, and per-release SBOM evidence — so downstream consumers get compliant default headers, lint-enforced rate-limit gates, and CycloneDX audit artifacts without inventing any of them.
## Why
Security scanners flag the absence of HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and CSP on every template app response. Auth endpoints (signIn, signUp) ship without rate-limit declarations, leaving credential-stuffing windows open until a consumer notices their auth logs. Consumers pursuing SOC 2 / ISO 27001 / FedRAMP must invent SBOM tooling and bolt it into their release flow. ADR-025 settled the strategy; this epic is the implementation.
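The header primitive the Goal describes, as an added example that is not the project's own middleware: a setter-based core that any framework adapter can call, plus an audit that reports which of the six headers named above are missing (the check a scanner performs). The header values are defaults assumed here for illustration, not values taken from the project; CSP in particular has to be tuned per app.

```javascript
// Illustrative defaults (assumed, not the project's). A null override opts out
// of a single header explicitly.
const DEFAULT_SECURITY_HEADERS = Object.freeze({
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  'Content-Security-Policy':
    "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
});

// Framework-agnostic core: the adapter supplies a setHeader(name, value)
// callback (e.g. Node's res.setHeader or a Fetch Headers.set), so this module
// never imports a framework. Returns the list of header names it applied.
function applySecurityHeaders(setHeader, overrides = {}) {
  const merged = { ...DEFAULT_SECURITY_HEADERS, ...overrides };
  const applied = [];
  for (const [name, value] of Object.entries(merged)) {
    if (value === null) continue; // explicit opt-out for this header
    setHeader(name, value);
    applied.push(name);
  }
  return applied;
}

// Audit: given a response's header map, return the default header names that
// are absent. HTTP header names are case-insensitive, so compare lowercased.
function auditSecurityHeaders(headers) {
  const present = new Set(Object.keys(headers).map((k) => k.toLowerCase()));
  return Object.keys(DEFAULT_SECURITY_HEADERS).filter(
    (name) => !present.has(name.toLowerCase()),
  );
}

// Constructed demo: a plain object stands in for a framework response.
const demoResponse = { 'Content-Type': 'text/html' };
applySecurityHeaders((name, value) => { demoResponse[name] = value; });
console.log(auditSecurityHeaders(demoResponse)); // []
```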
## Stories
- 01 — Rate-limit type primitives and manifest field
- 02 — Rate-limit implementations: Noop, InMemory, Recording
- 03 — `no-undeclared-rate-limit` ESLint rule
- 04 — `withRateLimit` wrapper and conformance extensions
- 05 — auth.signIn rate-limit backfill
- 06 — Security headers core module
- 07 — Per-framework security header adapters
- 08 — App wiring: web-next
- 09 — App wiring: web-tanstack and cms
- 10 — SBOM CI workflow and ADR-023 amendment
- 11 — Documentation and conformance reference updates