3.6 KiB
id, epic, title, type, status, feature, depends-on, blocks, created, updated
| id | epic | title | type | status | feature | depends-on | blocks | created | updated | ||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 11-documentation | security-headers-rate-limit-sbom | Documentation and conformance reference updates | technical-story | done | core-shared |
|
2026-05-20T00:00:00Z | 2026-05-20T11:49:44.873Z |
Goal
Write the consumer-facing cookbooks (security-headers.md, rate-limiting.md) and update the cross-cutting reference docs (glossary, CLAUDE.md, conformance quickref) so downstream consumers, AI agents, and compliance officers can discover and apply security headers, rate-limiting, and SBOM from a single reading session.
Why
Implementations are complete after Story 10, but the institutional knowledge of how to use them, customize them, and understand their conformance contracts lives only in code. The cookbooks close that gap by walking concrete wiring steps, key-naming conventions, and verification workflows. The CLAUDE.md and conformance-quickref updates keep the conformance rule count accurate (12 → 13) and surface the rateLimit manifest field in the authoritative reference every agent reads at session start.
Done when
docs/guides/security-headers.mdcovers: per-framework middleware wiring (Next.js, TanStack, CMS), nonce threading for consumer-added inline scripts, CSP allowlist customization (allowedConnectOriginsetc.), Sentry nonce integration steps, securityheaders.com verification workflow.docs/guides/rate-limiting.mdcovers: manifestrateLimitfield declaration, canonical key-naming convention<feature>:<scope>:<key>, multi-budget patterns,InMemoryRateLimitfor dev/test, guidance on wiring a production backend viaBindContext.rateLimit.docs/glossary.mdhas entries for:IRateLimit,RateLimited(brand),withRateLimit,SecurityHeadersConfig,buildSecurityHeaders,SBOM(CycloneDX context),nonce(CSP context).CLAUDE.mdconformance rule count updated 12 → 13;rateLimit?: RateLimitBudget[]documented in the manifest field table.docs/guides/conformance-quickref.mdupdated to listno-undeclared-rate-limitas the 13th rule.pnpm typecheck && pnpm lint && pnpm test && pnpm conformance && pnpm fallow:audit && pnpm coverage:diffall pass after each task.
In scope
docs/guides/security-headers.md(new file).docs/guides/rate-limiting.md(new file).docs/glossary.md— new entries only; no existing entry edits.CLAUDE.md— conformance rule count bump (12 → 13) +rateLimitmanifest field row.docs/guides/conformance-quickref.md— addno-undeclared-rate-limitentry.
Out of scope
- ADR-023 amendment — Story 10.
- Any new code changes — docs only; all implementation is done.
- Compliance fill-in docs (incident runbook, password policy) — Epic D.
Tasks
- Write
docs/guides/security-headers.md(per-framework wiring, nonce threading for consumer inline scripts, CSP allowlist customization, Sentry nonce integration, securityheaders.com verification) anddocs/guides/rate-limiting.md(manifest field, key-naming convention<feature>:<scope>:<key>, multi-budget patterns, dev/staging/prod backend wiring); all gates pass. - Add entries for
IRateLimit,RateLimitedbrand,withRateLimit,SecurityHeadersConfig,buildSecurityHeaders,SBOM,nonce(CSP context) todocs/glossary.md; updateCLAUDE.mdconformance rule count 12 → 13 and addrateLimit?: RateLimitBudget[]to the manifest field documentation; addno-undeclared-rate-limitas the 13th rule indocs/guides/conformance-quickref.md; all gates pass.