Commit Graph

11 Commits

Author SHA1 Message Date
41005ecbe5 Add HTTP service hardening policy for 1.0 releases (#17)
Closes #16

Adds a comprehensive HTTP/web service security hardening policy to `REPO_POLICIES.md` that must be satisfied before tagging 1.0. The policy covers all items sneak specified (without limitation):

**Security headers** — HSTS (min 1 year, includeSubDomains), CSP (restrictive `default-src 'self'` baseline), X-Frame-Options / frame-ancestors, X-Content-Type-Options: nosniff, Referrer-Policy, Permissions-Policy.

**Request/response limits** — max request body size on all endpoints, max response size for paginated APIs, ReadTimeout + ReadHeaderTimeout (slowloris defense), WriteTimeout, IdleTimeout, per-handler execution time limits.

**Authentication & session security** — rate limiting on password-based auth (API keys exempt as high-entropy), CSRF tokens on state-mutating forms (header-auth APIs exempt), bcrypt/scrypt/argon2 for passwords, session cookies with HttpOnly + Secure + SameSite.

**Reverse proxy awareness** — true client IP detection via X-Forwarded-For/X-Real-IP with trusted proxy allowlist (never trust unconditionally).

**CORS** — explicit origin allowlist for authenticated endpoints; wildcard only for public unauthenticated read-only APIs.

**Error handling** — no leaking stack traces, SQL queries, file paths, or implementation details to clients.

**TLS** — HSTS and secure cookie flags required regardless of whether the service terminates TLS directly or sits behind a reverse proxy.

The policy is explicitly non-exhaustive (defense-in-depth: "when in doubt, harden").

Also adds corresponding checklist sections to `EXISTING_REPO_CHECKLIST.md` and `NEW_REPO_CHECKLIST.md` so that HTTP hardening is verified during repo setup and 1.0 preparation.

Co-authored-by: user <user@Mac.lan guest wan>
Co-authored-by: clawbot <clawbot@eeqj.de>
Reviewed-on: #17
Co-authored-by: clawbot <clawbot@noreply.example.org>
Co-committed-by: clawbot <clawbot@noreply.example.org>
2026-03-11 02:11:32 +01:00
eb6b11ee23 policy: no build artifacts in repos (#15)
Add policy rule: build artifacts and code-derived data must not be committed to repos if they can be generated during the build process.

Notable exception: Go protobuf-generated files (`.pb.go`) may be committed because `go get` downloads source but does not execute build steps.

This addresses feedback from sneak/chat PR [#61](sneak/chat#61).

Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de>
Reviewed-on: #15
Co-authored-by: clawbot <clawbot@noreply.example.org>
Co-committed-by: clawbot <clawbot@noreply.example.org>
2026-03-10 10:34:57 +01:00
user
a2dd953601 fmt: format REPO_POLICIES.md per prettier
2026-03-04 14:02:09 -08:00
clawbot
699f97d093 REPO_POLICIES: expand pre-1.0 schema migration rule (closes #5) 2026-02-28 07:59:27 -08:00
cb5d630158 add note about makefile being authoritative docs
2026-02-23 00:09:13 +07:00
e97b48eea4 Fix review issues: front matter, headings, consistency, typos
- Move title and last_modified to YAML front matter (all policy docs)
- Make all document sections H1, subsections H2
- Update version rule to reference front matter format
- Fix "our" → "your" typo in Go styleguide
- Fix Python styleguide numbering (2. → 1.)
- Fix README: "flat collection" → accurate description, remove stale TODO
- Remove Makefile items from code styleguides (repo stuff, not code),
  add note linking to Repository Policies
- Change zerolog → slog in Go styleguide
- Fix JS styleguide npm reference: both work, but use make targets
- Drop .json from healthcheck path, add JSON content-type requirement
- Add Author/License to Go HTTP Server Conventions
- Convert hyperlinks to backtick URLs in checklists for consistency
- Add version/front matter to both checklists
2026-02-22 17:15:06 +01:00
3768b8ca02 Add rule: all software repos must have tests
Require at least minimal tests (e.g. import/compile check) using the
platform-standard test framework. make test must never be a no-op.
2026-02-22 16:56:03 +01:00
03bf0b8445 Add authoritative URLs to checklists and copy .golangci.yml
- Add .golangci.yml from upaas as authoritative copy in this repo
- Update REPO_POLICIES.md to reference .golangci.yml by URL
- Add fetch URLs for all template files in both checklists:
  .gitignore, .editorconfig, Makefile, .prettierrc, .prettierignore,
  REPO_POLICIES.md, .golangci.yml, check.yml
2026-02-22 16:52:33 +01:00
00c21cc5c5 Fix heading, scope, version placement, and consistency across policy docs
- Rename REPO_POLICIES.md heading from "Development Policies" to
  "Repository Policies" to distinguish from code styleguides
- Move version line above heading per convention
- Add scope statement and links to code styleguide documents
- Add missing Makefile and LICENSE to minimum files list
- Add version lines to all cross-project docs (CODE_STYLEGUIDE*.md,
  GO_HTTP_SERVER_CONVENTIONS.md)
- Clean up CODE_STYLEGUIDE.md heading (was old repo name)
- Update EXISTING_REPO_CHECKLIST.md link text to match new heading
2026-02-22 16:40:34 +01:00
f43445caea Add CI policy, strengthen hash-pinning rule, add Gitea Actions workflow
- All Dockerfiles must run make check as a build step
- Every repo needs a Gitea Actions workflow running docker build on push
- Greatly strengthen the hash-pinning rule: explicitly list all reference
  types, ban curl|bash installs, mark as most important rule in document
- Add model .gitea/workflows/check.yml pinned by commit hash
2026-02-22 16:35:42 +01:00
2ab09985e0 Move prompt markdown files into prompts/ subdirectory
Update all internal URLs to reflect new paths.
2026-02-22 16:20:58 +01:00