docs: update task tracking after CI enhancement

Username
2025-12-25 00:10:37 +01:00
parent 88da4fedbe
commit db9b45a9ad
3 changed files with 3 additions and 0 deletions

@@ -190,6 +190,7 @@ These features will not be implemented:
| 2024-12 | systemd service unit | Security-hardened deployment example
| 2024-12 | Rate limit headers | X-RateLimit-* on 201/429 responses
| 2024-12 | Pentest remediation complete | 15 security hardening items from formal review
| 2024-12 | Enhanced CI security | SBOM generation, dedicated security-tests job
## Review Schedule
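
Review bot: The "Enhanced CI security" row lists only SBOM generation and the dedicated security-tests job, while the entries for the same change in the other two files in this commit also mention memory checks ("memory checks" in the task table, "memory leak checks" under Observations). Either add the memory checks to this row or drop them from the other two, so the three records of the CI work agree on what was delivered.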

@@ -28,6 +28,7 @@ Prioritized, actionable tasks. Each task is small and completable in one session
| Date | Task
|------------|--------------------------------------------------------------
| 2024-12 | Enhance CI with security-tests job, SBOM generation, memory checks
| 2024-12 | Complete pentest remediation (CRYPTO-001, TIMING-001)
| 2024-12 | Complete pentest remediation (HASH-001, ENUM-001)
| 2024-12 | Complete pentest remediation (FLOOD-001, CLI-002, CLI-003, AUDIT-001)
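
Review bot: The CI row at the top of this table is dated 2024-12, but the commit is timestamped 2025-12-25. If the Date column records when the task was completed, the row should read 2025-12; if it records something else, a note in the table header would help. Separately, "memory checks" here is less specific than the "memory leak checks" wording used under Observations; use one term in both places.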

@@ -17,6 +17,7 @@ Unstructured intake buffer for ideas, issues, and observations. Items here are r
## Observations
- CI enhanced: security-tests job, SBOM generation (CycloneDX), memory leak checks
- Comprehensive pentest plan completed (PENTEST_PLAN.md) - all remediations implemented
- PKI uses AES-256-GCM for CA private key encryption (PBKDF2 key derivation)
- SHA1 fingerprints are X.509 standard, not security-relevant (usedforsecurity=False)
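
Review bot: The "CI enhanced" observation names CycloneDX as the SBOM format but gives no pointer to the workflow or job definition that produces it, nor to where the SBOM is published, so the claim cannot be checked from this file the way the pentest line can through PENTEST_PLAN.md. Add the workflow file name or job name next to "security-tests job", and say which tool performs the memory leak checks.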