Tracking: enforcement-baseline — deterministic security enforcement per ADR-401

Successor cluster to `internet-hardening` (#442, May 2026). That round fixed what the endpoints enforce; this round makes the conventions machine-enforced so they survive maintainer gaps — motivated by finding a #439-class regression (#501) two weeks after the May fixes landed.

**Decision record:** ADR-401 — Deterministic Security Enforcement Baseline (`docs/architecture/authentication-security/`)
**Audit:** `docs/security/security-consistency-audit-2026-06-09.md`

Work items, in ADR priority order:

- [ ] #496 — CI: make lint_queries.py blocking; fix stale baseline annotations
- [ ] #497 — lint_queries.py interpolation rule; fix two dormant injection sites
- [ ] #498 — Error-detail hygiene: str(e) lint + 155-instance burn-down
- [ ] #499 — Route-contract lint: response_model + auth/`# public:` marker
- [ ] #500 — CI: run the auth/permission test suite on every PR
- [ ] #502 — Infra config asserts: ports, nginx headers, weak-secret refusal
- [ ] #503 — gitleaks, dependency audits, dependabot

Quick fix (not gated on tooling):
- [ ] #501 — query_definitions.py get_current_active_user

Per ADR-401: new security conventions introduced after this cluster ship with their enforcement check in the same PR. Close this when all items above are closed and ADR-401 moves to Accepted.


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Tracking: enforcement-baseline — deterministic security enforcement per ADR-401 #504

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Tracking: enforcement-baseline — deterministic security enforcement per ADR-401 #504

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions