Skip to content

Epic A: State Security & Integrity #21

Description

@fsecada01

Epic A — State Security & Integrity · Milestone: 0.6.0b · See claudedocs/dev_plan_production_grade_2026-06-24.md

The top credibility/security gap: server state round-trips to the client unsigned.

  • A1 Sign serialized state (HMAC) with configurable secret; verify inbound, reject tampered (CorruptStateError) — enabler
  • A2 Key management + rotation; document STATE_SIGNING_KEY per adapter
  • A3 Locked/immutable server-trusted fields
  • A4 Audit CSRF coverage across FastAPI/Litestar/Flask HTTP paths; document; note WS CSRF limitation

Critical path: A1 is the security gate. Land early.

Metadata

Metadata

Assignees

No one assigned

    Labels

    epicEpic tracking issuesecuritySecurity-relevant worktier:table-stakesRequired for production-grade

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions