In-house Request Network checkout went fully end-to-end on dev today. A real 0.01 USDC payment flowed through wallet connect -> approve -> ERC20FeeProxy.transferFromWithReferenceAndFee -> RN webhook -> TransactionSafetyProvider -> Payment.status=completed -> page success state. Tx 0x494c77a29161b5100d8e0b1ac675f1822955d0bb3633ecdbfafb886f84f2f320. Docs: - New PRD: Wallet, Multichain, Confirmations, AML, Trezor (5 follow-ups, each sized for an independent contributor) - Updated PRD: Request Network In-House Checkout (phases 0..3 done, phase 4 partial, phases 5-6 not started) - Updated handoff: deployed versions, what is working end-to-end, follow-up tasks index Taskmaster: 5 new top-level tasks (#7..#11) covering ephemeral destination wallets, multichain proxy registry + USDC/USDT, runtime confirmation thresholds, optional seller-paid AML screening, and Trezor signing for admin actions. Tasks are scoped fine-grained so each is independent enough for kimi to pick up. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
36 lines
1.4 KiB
Markdown
36 lines
1.4 KiB
Markdown
---
|
|
taskmaster_id: "4.7"
|
|
status: "done"
|
|
priority: "medium"
|
|
depends_on: ["1"]
|
|
parent_id: "4"
|
|
source: "taskmaster"
|
|
generated_at: "2026-05-28T11:49:27.076Z"
|
|
---
|
|
|
|
# 4.7 - Define secure build and supply-chain policy
|
|
|
|
- [x] 4.7 - Define secure build and supply-chain policy #taskmaster #priority/medium #status/done 🔼 🆔 tm-4-7 ⛔ tm-1
|
|
|
|
## Metadata
|
|
|
|
| Field | Value |
|
|
| --- | --- |
|
|
| Taskmaster ID | 4.7 |
|
|
| Status | done |
|
|
| Priority | medium |
|
|
| Dependencies | 1 |
|
|
| Parent | 4 - Define backend security and refactor strategy from latest audit |
|
|
|
|
## Description
|
|
|
|
Reduce npm/dependency compromise risk across frontend and any remaining Node services.
|
|
|
|
## Details
|
|
|
|
Completed. Produced 09 - Audits/Secure Build and Supply-Chain Policy.md. 11 sections + 3 appendices: lockfile policy (npm ci mandatory), dependency update cadence (biweekly routine, immediate security-critical), advisory monitoring with SLAs (Critical 24h, High 72h, Medium 1 week), known exposure register with 5 open 2026 CVEs (multer, axios, tanstack, express, node) and SLA deadlines, npm provenance policy, secrets rotation schedule for all 10 secret types, production build reproducibility requirements, frontend vs backend risk separation with interim policy, incident response for 3 scenarios, CI/CD enforcement checklist with Gitea Actions YAML example.
|
|
|
|
## Verification
|
|
|
|
Policy is actionable in CI and includes response steps for compromised package, leaked token, and vulnerable dependency alerts.
|