docs(audit): align documentation with post-remediation backend reality

- Update data model enums to match backend models
- Update API reference auth requirements
- Add dispute module references and warning blocks
- Add 2026-05-24 audit remediation callout to Overview
- Generate task breakdowns and audit artifacts
- Add doc alignment report (.taskmaster/reports/)
This commit is contained in:
Siavash Sameni
2026-05-24 11:16:29 +04:00
parent b824ca0435
commit 4cf5c49274
74 changed files with 5964 additions and 81 deletions


@@ -0,0 +1,35 @@
---
taskmaster_id: "4.7"
status: "done"
priority: "medium"
depends_on: ["1"]
parent_id: "4"
source: "taskmaster"
generated_at: "2026-05-24T07:15:25.199Z"
---
# 4.7 - Define secure build and supply-chain policy
- [x] 4.7 - Define secure build and supply-chain policy #taskmaster #priority/medium #status/done 🔼 🆔 tm-4-7 ⛔ tm-1
## Metadata
| Field | Value |
| --- | --- |
| Taskmaster ID | 4.7 |
| Status | done |
| Priority | medium |
| Dependencies | 1 |
| Parent | 4 - Define backend security and refactor strategy from latest audit |
## Description
Reduce npm/dependency compromise risk across frontend and any remaining Node services.
## Details
Completed. Produced 09 - Audits/Secure Build and Supply-Chain Policy.md. 11 sections + 3 appendices: lockfile policy (npm ci mandatory), dependency update cadence (biweekly routine, immediate security-critical), advisory monitoring with SLAs (Critical 24h, High 72h, Medium 1 week), known exposure register with 5 open 2026 CVEs (multer, axios, tanstack, express, node) and SLA deadlines, npm provenance policy, secrets rotation schedule for all 10 secret types, production build reproducibility requirements, frontend vs backend risk separation with interim policy, incident response for 3 scenarios, CI/CD enforcement checklist with Gitea Actions YAML example.
## Verification
Policy is actionable in CI and includes response steps for compromised package, leaked token, and vulnerable dependency alerts.
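Review bot: the Details paragraph says the known exposure register holds "5 open 2026 CVEs (multer, axios, tanstack, express, node) and SLA deadlines", but neither the CVE identifiers nor the deadlines appear in this task file, so the "done" status cannot be checked against the stated SLAs (Critical 24h, High 72h, Medium 1 week). Suggest either listing the IDs with their severity and due date here, or adding a link to the register in "09 - Audits/Secure Build and Supply-Chain Policy.md" so the Verification section's claim that the policy "is actionable in CI" is traceable to the Gitea Actions YAML and the enforcement checklist it mentions.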