Tracking: enforcement-baseline — deterministic security enforcement per ADR-401 #504

Description

@aaronsb

Successor cluster to internet-hardening (#442, May 2026). That round fixed what the endpoints enforce; this round makes the conventions machine-enforced so they survive maintainer gaps — motivated by finding a #439-class regression (#501) two weeks after the May fixes landed.

Decision record: ADR-401 — Deterministic Security Enforcement Baseline (docs/architecture/authentication-security/)
Audit: docs/security/security-consistency-audit-2026-06-09.md

Work items, in ADR priority order:

Quick fix (not gated on tooling):

Per ADR-401: new security conventions introduced after this cluster ship with their enforcement check in the same PR. Close this when all items above are closed and ADR-401 moves to Accepted.


Labels:
enforcement-baseline: Deterministic security enforcement cluster (consistency audit 2026-06-09, ADR-401)
security: Security-related changes
