DashBoard/openspec/changes/archive/2026-02-08-security-stability-hardening-round2/tasks.md

1. LDAP Endpoint Hardening

• 1.1 Add strict LDAP_API_URL validation (https + allowlisted hosts) in auth service initialization.
• 1.2 Add tests for valid/invalid LDAP URL configurations and ensure unsafe URLs are rejected without outbound auth call.

2. Bounded Process Cache

• 2.1 Extend ProcessLevelCache with configurable max_size and LRU eviction behavior.
• 2.2 Wire bounded cache configuration for WIP/Resource process-level caches and add regression tests.

3. Circuit Breaker Lock Contention Reduction

• 3.1 Refactor circuit breaker transition logging to execute outside lock-protected section.
• 3.2 Add tests verifying transition logs are emitted while state mutation remains correct.

4. HTTP Security Headers and Input Boundary Validation

• 4.1 Add global after_request security headers (CSP, frame, content-type, referrer, HSTS in production).
• 4.2 Tighten pagination boundary handling (page/page_size) for WIP detail endpoint and add tests.

5. Validation and Documentation

• 5.1 Run targeted backend/frontend tests plus benchmark smoke to confirm no behavior regression.
• 5.2 Update README.md and README.mdj with round-2 security/stability hardening notes.