- Update data model enums to match backend models
- Update API reference auth requirements
- Add dispute module references and warning blocks
- Add 2026-05-24 audit remediation callout to Overview
- Generate task breakdowns and audit artifacts
- Add doc alignment report (.taskmaster/reports/)
36 lines
1.4 KiB
Markdown
---
taskmaster_id: "4.7"
status: "done"
priority: "medium"
depends_on: ["1"]
parent_id: "4"
source: "taskmaster"
generated_at: "2026-05-24T07:15:25.199Z"
---

# 4.7 - Define secure build and supply-chain policy

- [x] 4.7 - Define secure build and supply-chain policy #taskmaster #priority/medium #status/done 🔼 🆔 tm-4-7 ⛔ tm-1

## Metadata

| Field | Value |
| --- | --- |
| Taskmaster ID | 4.7 |
| Status | done |
| Priority | medium |
| Dependencies | 1 |
| Parent | 4 - Define backend security and refactor strategy from latest audit |

## Description

Reduce npm/dependency compromise risk across the frontend and any remaining Node services.

## Details

Completed. Produced 09 - Audits/Secure Build and Supply-Chain Policy.md (11 sections plus 3 appendices), covering:

- Lockfile policy: `npm ci` is mandatory, so every install resolves from the committed lockfile rather than re-resolving ranges.
- Dependency update cadence: routine updates every two weeks; security-critical updates immediately.
- Advisory monitoring with remediation SLAs: Critical 24h, High 72h, Medium 1 week.
- Known exposure register: 5 open 2026 CVEs (multer, axios, tanstack, express, node), each with an SLA deadline.
- npm provenance policy.
- Secrets rotation schedule covering all 10 secret types.
- Production build reproducibility requirements.
- Frontend vs. backend risk separation, with an interim policy.
- Incident response playbooks for 3 scenarios.
- CI/CD enforcement checklist, with a Gitea Actions YAML example.

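The lockfile and advisory-SLA rules above can be enforced mechanically in CI. The following Node script is an added example, not the project's own code and not the Gitea Actions YAML the policy ships; it gates a build on (a) a complete lockfile and (b) `npm audit --json` findings checked against a known-exposure register with the policy's SLA windows. The register shape (`{ firstSeen, owner }` per package), the allowed registry host, the evaluation time and all sample JSON are constructed assumptions; the lockfile and audit field names follow npm's own lockfileVersion 2/3 and `npm audit --json` output.

```javascript
'use strict';

// SLA windows from the policy: Critical 24h, High 72h, Medium ("moderate" in npm
// audit terms) 1 week. Low/info advisories are reported but never block a build.
const SLA_MS = {
  critical: 24 * 60 * 60 * 1000,
  high: 72 * 60 * 60 * 1000,
  moderate: 7 * 24 * 60 * 60 * 1000,
};

// Own-property lookup so package names like "constructor" cannot hit the prototype.
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Lockfile policy: a v2/v3 package-lock.json must exist, and every installed package
// must pin an https `resolved` URL on the allowed registry (assumed host) and carry an
// `integrity` hash, so `npm ci` fails closed instead of silently re-resolving.
function checkLockfile(lock, allowedRegistry = 'https://registry.npmjs.org/') {
  const problems = [];
  if (!lock || typeof lock.lockfileVersion !== 'number' || lock.lockfileVersion < 2) {
    problems.push('package-lock.json missing or lockfileVersion < 2');
    return problems;
  }
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === '' || pkg.link) continue; // root project entry and workspace symlinks
    if (!pkg.resolved) {
      problems.push(`${path}: no resolved URL`);
    } else if (!pkg.resolved.startsWith(allowedRegistry)) {
      problems.push(`${path}: resolved outside allowed registry (${pkg.resolved})`);
    }
    if (!pkg.integrity) problems.push(`${path}: no integrity hash`);
  }
  return problems;
}

// Advisory policy: a register entry buys time until firstSeen + SLA for that severity;
// a gated advisory that is unregistered or past its deadline blocks the build.
function auditGate(audit, register, now) {
  const out = { blocking: [], tracked: [], informational: [] };
  for (const [name, v] of Object.entries(audit.vulnerabilities || {})) {
    const severity = v.severity;
    if (!own(SLA_MS, severity)) {
      out.informational.push({ name, severity });
      continue;
    }
    const entry = own(register, name) ? register[name] : undefined;
    if (!entry) {
      out.blocking.push({ name, severity, reason: 'not in known-exposure register' });
      continue;
    }
    const deadline = new Date(Date.parse(entry.firstSeen) + SLA_MS[severity]).toISOString();
    if (now > Date.parse(deadline)) {
      out.blocking.push({ name, severity, reason: `SLA deadline ${deadline} passed` });
    } else {
      out.tracked.push({ name, severity, deadline, owner: entry.owner });
    }
  }
  return out;
}

// Combined gate: ok only when the lockfile is clean and nothing is blocking.
function runGate(lock, audit, register, now = Date.now()) {
  const lockfileProblems = checkLockfile(lock);
  const auditResult = auditGate(audit, register, now);
  return {
    ok: lockfileProblems.length === 0 && auditResult.blocking.length === 0,
    lockfileProblems,
    audit: auditResult,
  };
}

// Constructed sample inputs: placeholder package names, no real advisories or CVEs.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/pkg-a': { version: '1.9.0', resolved: 'https://registry.npmjs.org/pkg-a/-/pkg-a-1.9.0.tgz', integrity: 'sha512-AAAA' },
    'node_modules/pkg-x': { version: '0.1.0', resolved: 'http://mirror.example.invalid/pkg-x-0.1.0.tgz', integrity: 'sha512-BBBB' },
    'node_modules/pkg-y': { version: '2.0.0', resolved: 'https://registry.npmjs.org/pkg-y/-/pkg-y-2.0.0.tgz' },
  },
};
const SAMPLE_AUDIT = {
  vulnerabilities: {
    'pkg-a': { severity: 'high', range: '<2.0.0', fixAvailable: true },
    'pkg-b': { severity: 'critical', range: '<1.4.2', fixAvailable: false },
    'pkg-c': { severity: 'low', range: '*', fixAvailable: true },
    'pkg-d': { severity: 'moderate', range: '<3.1.0', fixAvailable: true },
  },
};
const SAMPLE_REGISTER = {
  'pkg-a': { firstSeen: '2026-05-20T00:00:00Z', owner: 'frontend' }, // High: 72h, overdue
  'pkg-b': { firstSeen: '2026-05-24T00:00:00Z', owner: 'backend' },  // Critical: 24h, still open
};
const NOW = Date.parse('2026-05-24T07:15:25Z'); // constructed evaluation time

const gateResult = runGate(SAMPLE_LOCK, SAMPLE_AUDIT, SAMPLE_REGISTER, NOW);
console.log(JSON.stringify(gateResult, null, 2));
// In a CI job: process.exit(gateResult.ok ? 0 : 1) so the pipeline fails closed.
```

On the sample data the gate fails: pkg-x resolves from an http mirror and pkg-y has no integrity hash, pkg-a is past its 72h High deadline, and pkg-d is a Medium finding with no register entry; pkg-b is tracked because its 24h Critical window has not yet expired, and pkg-c is low and only reported. In a real pipeline the audit JSON comes from `npm audit --json`, the lockfile from the checked-out package-lock.json, and the register from the known-exposure register the policy maintains.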
## Verification

The policy is actionable in CI and includes response steps for each of the three incident scenarios: a compromised package, a leaked token, and a vulnerable-dependency alert.