From db9b45a9ad99810d63f76e22ea7d4a9988ef9e6a Mon Sep 17 00:00:00 2001 From: Username Date: Thu, 25 Dec 2025 00:10:37 +0100 Subject: [PATCH] docs: update task tracking after CI enhancement --- ROADMAP.md | 1 + TASKLIST.md | 1 + TODO.md | 1 + 3 files changed, 3 insertions(+) diff --git a/ROADMAP.md b/ROADMAP.md index 0229b51..ada11c7 100644 --- a/ROADMAP.md +++ b/ROADMAP.md @@ -190,6 +190,7 @@ These features will not be implemented: | 2024-12 | systemd service unit | Security-hardened deployment example | 2024-12 | Rate limit headers | X-RateLimit-* on 201/429 responses | 2024-12 | Pentest remediation complete | 15 security hardening items from formal review +| 2024-12 | Enhanced CI security | SBOM generation, dedicated security-tests job ## Review Schedule diff --git a/TASKLIST.md b/TASKLIST.md index 32a5d09..973c969 100644 --- a/TASKLIST.md +++ b/TASKLIST.md @@ -28,6 +28,7 @@ Prioritized, actionable tasks. Each task is small and completable in one session | Date | Task |------------|-------------------------------------------------------------- +| 2024-12 | Enhance CI with security-tests job, SBOM generation, memory checks | 2024-12 | Complete pentest remediation (CRYPTO-001, TIMING-001) | 2024-12 | Complete pentest remediation (HASH-001, ENUM-001) | 2024-12 | Complete pentest remediation (FLOOD-001, CLI-002, CLI-003, AUDIT-001) diff --git a/TODO.md b/TODO.md index 10d40c4..10ea965 100644 --- a/TODO.md +++ b/TODO.md @@ -17,6 +17,7 @@ Unstructured intake buffer for ideas, issues, and observations. Items here are r ## Observations +- CI enhanced: security-tests job, SBOM generation (CycloneDX), memory leak checks - Comprehensive pentest plan completed (PENTEST_PLAN.md) - all remediations implemented - PKI uses AES-256-GCM for CA private key encryption (PBKDF2 key derivation) - SHA1 fingerprints are X.509 standard, not security-relevant (usedforsecurity=False)
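Review bot: The new ROADMAP.md row lists only "SBOM generation, dedicated security-tests job", while the TASKLIST.md and TODO.md entries added in this same patch also list memory (leak) checks. If the memory checks are part of the CI enhancement, add them to the ROADMAP.md description so the three files describe the same scope. If they are not, drop them from the other two entries.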
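Review bot: The added TASKLIST.md row is dated 2024-12, but the commit itself is dated 25 Dec 2025 and its subject says the tracking is being updated after the CI enhancement. Please confirm that 2024-12 is the intended completion month and not a copy of the neighbouring rows. The same applies to the 2024-12 date on the new ROADMAP.md row. The row also says "memory checks" where TODO.md says "memory leak checks". Pick one term so the entry can be matched to the CI job it refers to.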
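Review bot: In the TODO.md hunk, the SBOM format (CycloneDX) is recorded only in this Observations bullet, in the file the header describes as an unstructured intake buffer, and is missing from the ROADMAP.md and TASKLIST.md rows. Consider carrying "CycloneDX" into the ROADMAP.md row, which is the durable record, and noting here where the generated SBOM ends up (for example as a CI artifact) so a reader can find it.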