Files
nick-doc/Taskmaster/Tasks/task-4-7.md
Siavash Sameni 0060b16912 docs: ship in-house RN checkout, scope 5 follow-up tasks (#7-11)
In-house Request Network checkout went fully end-to-end on dev today.
A real 0.01 USDC payment flowed through wallet connect -> approve ->
ERC20FeeProxy.transferFromWithReferenceAndFee -> RN webhook ->
TransactionSafetyProvider -> Payment.status=completed -> page success
state. Tx 0x494c77a29161b5100d8e0b1ac675f1822955d0bb3633ecdbfafb886f84f2f320.

Docs:
- New PRD: Wallet, Multichain, Confirmations, AML, Trezor
  (5 follow-ups, each sized for an independent contributor)
- Updated PRD: Request Network In-House Checkout (phases 0..3 done,
  phase 4 partial, phases 5-6 not started)
- Updated handoff: deployed versions, what is working end-to-end,
  follow-up tasks index

Taskmaster: 5 new top-level tasks (#7..#11) covering ephemeral
destination wallets, multichain proxy registry + USDC/USDT, runtime
confirmation thresholds, optional seller-paid AML screening, and
Trezor signing for admin actions. Tasks are scoped fine-grained so
each is independent enough for kimi to pick up.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-28 15:50:24 +04:00

36 lines
1.4 KiB
Markdown

---
taskmaster_id: "4.7"
status: "done"
priority: "medium"
depends_on: ["1"]
parent_id: "4"
source: "taskmaster"
generated_at: "2026-05-28T11:49:27.076Z"
---
# 4.7 - Define secure build and supply-chain policy
- [x] 4.7 - Define secure build and supply-chain policy #taskmaster #priority/medium #status/done 🔼 🆔 tm-4-7 ⛔ tm-1
## Metadata
| Field | Value |
| --- | --- |
| Taskmaster ID | 4.7 |
| Status | done |
| Priority | medium |
| Dependencies | 1 |
| Parent | 4 - Define backend security and refactor strategy from latest audit |
## Description
Reduce npm/dependency compromise risk across frontend and any remaining Node services.
## Details
Completed. Produced 09 - Audits/Secure Build and Supply-Chain Policy.md. 11 sections + 3 appendices: lockfile policy (npm ci mandatory), dependency update cadence (biweekly routine, immediate security-critical), advisory monitoring with SLAs (Critical 24h, High 72h, Medium 1 week), known exposure register with 5 open 2026 CVEs (multer, axios, tanstack, express, node) and SLA deadlines, npm provenance policy, secrets rotation schedule for all 10 secret types, production build reproducibility requirements, frontend vs backend risk separation with interim policy, incident response for 3 scenarios, CI/CD enforcement checklist with Gitea Actions YAML example.
## Verification
Policy is actionable in CI and includes response steps for compromised package, leaked token, and vulnerable dependency alerts.