docs: update for systemd and rate limit headers

Username
2025-12-24 20:05:30 +01:00
parent cf458347ef
commit 4577a1d7e4
4 changed files with 57 additions and 39 deletions


@@ -12,7 +12,7 @@ FlaskPaste v1.5.0 is deployed with comprehensive security hardening and abuse pr
- Content-hash deduplication (abuse prevention)
- Proof-of-work spam prevention
- Anti-flood system (dynamic PoW difficulty under load)
- IP-based rate limiting (configurable per-IP limits)
- IP-based rate limiting with X-RateLimit-* headers
- Entropy enforcement (require encrypted uploads)
- E2E encryption in CLI (AES-256-GCM, key in URL fragment)
- URL prefix support for reverse proxy deployments
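Review bot: the rewritten rate-limiting bullet drops the "configurable per-IP limits" detail that the earlier wording carried, so the feature list no longer tells an operator that the limits are tunable. Suggest keeping both facts in one bullet, for example "IP-based rate limiting (configurable per-IP limits, X-RateLimit-* headers)". It would also help to list the exact header names instead of the wildcard, since clients need them to implement back-off.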
@@ -23,12 +23,13 @@ FlaskPaste v1.5.0 is deployed with comprehensive security hardening and abuse pr
- Scheduled cleanup (pastes, hashes, rate limits)
- Security headers and request tracing
- Container deployment support
- systemd service unit with security hardening
- Security tooling (ruff, bandit, mypy, pip-audit)
- CI/CD pipeline with lint, security, and test jobs
- CLI with list, search, update, export commands
- Public certificate registration (PoW-protected)
- CLI register command for certificate enrollment
- Comprehensive test suite (283 tests)
- Comprehensive test suite (284 tests)
- PKI audit logging (certificate lifecycle events)
- Request duration metrics (Prometheus histogram)
- Memory leak detection in CI pipeline
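Review bot: the test count goes from 283 to 284 in a change that documents two new items (the systemd unit here and the rate limit headers in the previous hunk), so please confirm the header behaviour is tested on each response path it applies to and not by a single case. A hard-coded count in prose also drifts with every test added; consider dropping the number or generating it. The new "systemd service unit with security hardening" bullet should point to the unit file so a reader can check which hardening settings are meant.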
@@ -119,9 +120,10 @@ Focus: Integration with external systems.
├───┼─────────────────────────────────┼────────────────────────────────────┤
│ 1 │ CLI client (fpaste) │ Done (with E2E + PKI)
│ 2 │ /client endpoint │ Done (downloadable CLI)
│ 3 │ Ansible deployment role │ Planned
│ 4 │ Kubernetes manifests │ Planned
│ 5 │ Shell aliases/functions │ Planned
│ 3 │ systemd service unit │ Done (with security hardening)
│ 4 │ Ansible deployment role │ Planned
│ 5 │ Kubernetes manifests │ Planned
│ 6 │ Shell aliases/functions │ Planned
└───┴─────────────────────────────────┴────────────────────────────────────┘
```
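Review bot: inserting the systemd row at position 3 renumbers the three Planned rows (Ansible, Kubernetes, shell aliases) from 3-5 to 4-6, which silently invalidates anything that refers to these items by number. Either append the completed item without shifting the others, or confirm that nothing references the row numbers. The status text "Done (with security hardening)" would be more useful with the path of the unit file.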
@@ -184,6 +186,8 @@ These features will not be implemented:
| 2024-12 | PKI audit logging | Full certificate lifecycle traceability
| 2024-12 | Request duration metrics | Prometheus histogram for observability
| 2024-12 | Memory leak CI job | tracemalloc-based leak detection in CI
| 2024-12 | systemd service unit | Security-hardened deployment example
| 2024-12 | Rate limit headers | X-RateLimit-* on 201/429 responses
## Review Schedule
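Review bot: the two new changelog rows are dated "2024-12", but this commit is dated 2025-12-24; if the column records when the item landed, these should read 2025-12 (the neighbouring rows may need the same check). On the "Rate limit headers" row, "X-RateLimit-* on 201/429 responses" leaves open whether other responses carry the headers; state that explicitly so client authors do not assume they are always present.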