feat: Security workflows (#14)

* Install beads and resolve issues

* fix: resolve E2E test failures caused by inherited hx-select on body

The hx-select="#main-content" on <body> was inherited by all HTMX
elements, causing modal fetches (bucket/user create) to select nothing
from responses that don't contain #main-content. This resulted in
modals never being inserted into the DOM.

Changes:
- Remove global hx-target/hx-select/hx-swap from body tag
- Switch to Alpine.js CSP build with pinned version
- Rewrite buckets dropdown from Alpine to vanilla JS
- Fix browser upload progress modal visibility
- Update E2E tests to use native Playwright clicks
- Add template security tests enforcing best practices
- Add MCP server config and CLAUDE.md symlink

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: damacus

.beads/.gitignore

@@ -0,0 +1,46 @@
+# SQLite databases
+*.db
+*.db?*
+*.db-journal
+*.db-wal
+*.db-shm
+
+# Daemon runtime files
+daemon.lock
+daemon.log
+daemon.pid
+bd.sock
+sync-state.json
+last-touched
+
+# Local version tracking (prevents upgrade notification spam after git ops)
+.local_version
+
+# Legacy database files
+db.sqlite
+bd.db
+
+# Worktree redirect file (contains relative path to main repo's .beads/)
+# Must not be committed as paths would be wrong in other clones
+redirect
+
+# Merge artifacts (temporary files from 3-way merge)
+beads.base.jsonl
+beads.base.meta.json
+beads.left.jsonl
+beads.left.meta.json
+beads.right.jsonl
+beads.right.meta.json
+
+# Sync state (local-only, per-machine)
+# These files are machine-specific and should not be shared across clones
+.sync.lock
+.jsonl.lock
+sync_base.jsonl
+export-state/
+
+# NOTE: Do NOT add negation patterns (e.g., !issues.jsonl) here.
+# They would override fork protection in .git/info/exclude, allowing
+# contributors to accidentally commit upstream issue databases.
+# The JSONL files (issues.jsonl, interactions.jsonl) and config files
+# are tracked by git by default since no pattern above ignores them.

.beads/README.md

@@ -0,0 +1,81 @@
+# Beads - AI-Native Issue Tracking
+
+Welcome to Beads! This repository uses **Beads** for issue tracking - a modern, AI-native tool designed to live directly in your codebase alongside your code.
+
+## What is Beads?
+
+Beads is issue tracking that lives in your repo, making it perfect for AI coding agents and developers who want their issues close to their code. No web UI required - everything works through the CLI and integrates seamlessly with git.
+
+**Learn more:** [github.com/steveyegge/beads](https://github.com/steveyegge/beads)
+
+## Quick Start
+
+### Essential Commands
+
+```bash
+# Create new issues
+bd create "Add user authentication"
+
+# View all issues
+bd list
+
+# View issue details
+bd show <issue-id>
+
+# Update issue status
+bd update <issue-id> --status in_progress
+bd update <issue-id> --status done
+
+# Sync with git remote
+bd sync
+```
+
+### Working with Issues
+
+Issues in Beads are:
+- **Git-native**: Stored in `.beads/issues.jsonl` and synced like code
+- **AI-friendly**: CLI-first design works perfectly with AI coding agents
+- **Branch-aware**: Issues can follow your branch workflow
+- **Always in sync**: Auto-syncs with your commits
+
+## Why Beads?
+
+✨ **AI-Native Design**
+- Built specifically for AI-assisted development workflows
+- CLI-first interface works seamlessly with AI coding agents
+- No context switching to web UIs
+
+🚀 **Developer Focused**
+- Issues live in your repo, right next to your code
+- Works offline, syncs when you push
+- Fast, lightweight, and stays out of your way
+
+🔧 **Git Integration**
+- Automatic sync with git commits
+- Branch-aware issue tracking
+- Intelligent JSONL merge resolution
+
+## Get Started with Beads
+
+Try Beads in your own projects:
+
+```bash
+# Install Beads
+curl -sSL https://raw.githubusercontent.com/steveyegge/beads/main/scripts/install.sh | bash
+
+# Initialize in your repo
+bd init
+
+# Create your first issue
+bd create "Try out Beads"
+```
+
+## Learn More
+
+- **Documentation**: [github.com/steveyegge/beads/docs](https://github.com/steveyegge/beads/tree/main/docs)
+- **Quick Start Guide**: Run `bd quickstart`
+- **Examples**: [github.com/steveyegge/beads/examples](https://github.com/steveyegge/beads/tree/main/examples)
+
+---
+
+*Beads: Issue tracking that moves at the speed of thought* ⚡

.beads/config.yaml

@@ -0,0 +1,67 @@
+# Beads Configuration File
+# This file configures default behavior for all bd commands in this repository
+# All settings can also be set via environment variables (BD_* prefix)
+# or overridden with command-line flags
+
+# Issue prefix for this repository (used by bd init)
+# If not set, bd init will auto-detect from directory name
+# Example: issue-prefix: "myproject" creates issues like "myproject-1", "myproject-2", etc.
+# issue-prefix: ""
+
+# Use no-db mode: load from JSONL, no SQLite, write back after each command
+# When true, bd will use .beads/issues.jsonl as the source of truth
+# instead of SQLite database
+# no-db: false
+
+# Disable daemon for RPC communication (forces direct database access)
+# no-daemon: false
+
+# Disable auto-flush of database to JSONL after mutations
+# no-auto-flush: false
+
+# Disable auto-import from JSONL when it's newer than database
+# no-auto-import: false
+
+# Enable JSON output by default
+# json: false
+
+# Default actor for audit trails (overridden by BD_ACTOR or --actor)
+# actor: ""
+
+# Path to database (overridden by BEADS_DB or --db)
+# db: ""
+
+# Auto-start daemon if not running (can also use BEADS_AUTO_START_DAEMON)
+# auto-start-daemon: true
+
+# Debounce interval for auto-flush (can also use BEADS_FLUSH_DEBOUNCE)
+# flush-debounce: "5s"
+
+# Export events (audit trail) to .beads/events.jsonl on each flush/sync
+# When enabled, new events are appended incrementally using a high-water mark.
+# Use 'bd export --events' to trigger manually regardless of this setting.
+# events-export: false
+
+# Git branch for beads commits (bd sync will commit to this branch)
+# IMPORTANT: Set this for team projects so all clones use the same sync branch.
+# This setting persists across clones (unlike database config which is gitignored).
+# Can also use BEADS_SYNC_BRANCH env var for local override.
+# If not set, bd sync will require you to run 'bd config set sync.branch <branch>'.
+# sync-branch: "beads-sync"
+
+# Multi-repo configuration (experimental - bd-307)
+# Allows hydrating from multiple repositories and routing writes to the correct JSONL
+# repos:
+#   primary: "."  # Primary repo (where this database lives)
+#   additional:   # Additional repos to hydrate from (read-only)
+#     - ~/beads-planning  # Personal planning repo
+#     - ~/work-planning   # Work planning repo
+
+# Integration settings (access with 'bd config get/set')
+# These are stored in the database, not in this file:
+# - jira.url
+# - jira.project
+# - linear.url
+# - linear.api-key
+# - github.org
+# - github.repo

.beads/interactions.jsonl

@@ -0,0 +1,5 @@
+{"id":"ironbuckets-1is","title":"Pin third-party CDN assets to immutable versions","description":"Replace mutable CDN references (@latest, 3.x.x) with explicit versions and add tests to prevent regression.","status":"closed","priority":2,"issue_type":"task","owner":"dan.webb@damacus.io","created_at":"2026-02-09T21:47:28.504938Z","created_by":"Dan Webb","updated_at":"2026-02-09T21:54:03.726755Z","closed_at":"2026-02-09T21:54:03.726755Z","close_reason":"Pinned mutable CDN script references to explicit versions and added regression tests to prevent @latest/3.x.x usage."}
+{"id":"ironbuckets-5hj","title":"Add baseline security response headers","description":"Implement server-level security headers middleware (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and HSTS when HTTPS). Add tests.","status":"open","priority":1,"issue_type":"task","owner":"dan.webb@damacus.io","created_at":"2026-02-09T21:47:28.439513Z","created_by":"Dan Webb","updated_at":"2026-02-09T21:47:28.439513Z"}
+{"id":"ironbuckets-ef2","title":"Introduce CSP compatible with current templates and remove easy inline JS hotspots","description":"Add a Content-Security-Policy header and reduce inline-script/event-handler usage where low-risk, preserving app behavior. Add regression tests.","status":"closed","priority":2,"issue_type":"task","owner":"dan.webb@damacus.io","created_at":"2026-02-09T21:47:37.736295Z","created_by":"Dan Webb","updated_at":"2026-02-09T21:54:03.720101Z","closed_at":"2026-02-09T21:54:03.720101Z","close_reason":"Introduced CSP via security middleware and aligned interactive templates with CSRF-aware request wiring while preserving existing UI behavior."}
+{"id":"ironbuckets-q5x","title":"Harden auth cookie flags and clearing semantics","description":"Set Secure based on request security context and ensure logout clearing cookie uses matching attributes (Path, SameSite, Secure, MaxAge). Add handler tests.","status":"closed","priority":1,"issue_type":"task","owner":"dan.webb@damacus.io","created_at":"2026-02-09T21:47:28.449391Z","created_by":"Dan Webb","updated_at":"2026-02-09T21:49:10.68477Z","closed_at":"2026-02-09T21:49:10.68477Z","close_reason":"Implemented secure-context cookie handling with consistent logout clearing attributes and added auth handler tests."}
+{"id":"ironbuckets-tfa","title":"Add CSRF protection for state-changing routes","description":"Enable CSRF middleware and ensure HTMX requests include CSRF token header. Add tests for allowed/blocked POST behavior.","status":"closed","priority":1,"issue_type":"task","owner":"dan.webb@damacus.io","created_at":"2026-02-09T21:47:28.455923Z","created_by":"Dan Webb","updated_at":"2026-02-09T21:54:03.733698Z","closed_at":"2026-02-09T21:54:03.733698Z","close_reason":"Added CSRF middleware for interactive state-changing requests and template-side HTMX CSRF token header propagation with tests."}

.beads/issues.jsonl

@@ -0,0 +1,4 @@
+{
+  "database": "beads.db",
+  "jsonl_export": "issues.jsonl"
+}

.beads/metadata.json

@@ -0,0 +1,19 @@
+{
+  "mcpServers": {
+    "github": {
+      "command": "npx",
+      "args": ["-y", "@modelcontextprotocol/server-github"],
+      "env": {
+        "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_TOKEN}"
+      }
+    },
+    "git": {
+      "command": "uvx",
+      "args": ["mcp-server-git", "--repository", "."]
+    },
+    "context7": {
+      "command": "npx",
+      "args": ["-y", "@upstash/context7-mcp@latest"]
+    }
+  }
+}

.mcp.json

@@ -188,3 +188,29 @@ Run `task --list` to see all available tasks. Key ones:
 5. **Use existing patterns**—follow the code style already in the codebase
 6. **Run linting**—ensure code passes `golangci-lint`
 7. **Document changes**—update relevant docs when adding features
+
+## Landing the Plane (Session Completion)
+
+**When ending a work session**, you MUST complete ALL steps below. Work is NOT complete until `git push` succeeds.
+
+**MANDATORY WORKFLOW:**
+
+1. **File issues for remaining work** - Create issues for anything that needs follow-up
+2. **Run quality gates** (if code changed) - Tests, linters, builds
+3. **Update issue status** - Close finished work, update in-progress items
+4. **PUSH TO REMOTE** - This is MANDATORY:
+   ```bash
+   git pull --rebase
+   bd sync
+   git push
+   git status  # MUST show "up to date with origin"
+   ```
+5. **Clean up** - Clear stashes, prune remote branches
+6. **Verify** - All changes committed AND pushed
+7. **Hand off** - Provide context for next session
+
+**CRITICAL RULES:**
+- Work is NOT complete until `git push` succeeds
+- NEVER stop before pushing - that leaves work stranded locally
+- NEVER say "ready to push when you are" - YOU must push
+- If push fails, resolve and retry until it succeeds

AGENTS.md

@@ -0,0 +1 @@
+../AGENTS.md

CLAUDE.md

@@ -21,6 +21,13 @@ func main() {
 		log.Printf("MINIO_ENDPOINT not set, using default: %s", minioEndpoint)
 	}
 
+	e := newServer(minioEndpoint)
+
+	// Start Server
+	e.Logger.Fatal(e.Start(":8080"))
+}
+
+func newServer(minioEndpoint string) *echo.Echo {
 	e := echo.New()
 
 	// Services
@@ -44,6 +51,8 @@ func main() {
 		},
 	}))
 	e.Use(middleware.Recover())
+	e.Use(customMiddleware.SecurityHeaders())
+	e.Use(customMiddleware.CSRF())
 	// Apply auth middleware globally - it will skip public routes internally
 	e.Use(customMiddleware.AuthMiddleware(authService))
 
@@ -136,6 +145,5 @@ func main() {
 	e.POST("/settings/restart", settingsHandler.RestartService)
 	e.GET("/settings/logs", settingsHandler.GetLogs)
 
-	// Start Server
-	e.Logger.Fatal(e.Start(":8080"))
+	return e
 }