Description
Enhance security with HMAC request signing for store operations and add SBOM generation for supply chain security.
Background
Production APIs need security measures beyond API keys. HMAC request signing binds each request to a shared secret so it cannot be forged or tampered with, timestamp validation rejects stale requests so signed requests cannot be replayed, and SBOM generation gives a verifiable inventory of dependencies for supply chain security.
Requirements
- Implement HMAC request signing for store endpoint
- Prevent replay attacks with timestamp validation
- Document max body size and batch limits
- Add SBOM generation (CycloneDX) in CI
- Generate SBOM on each release
- Document security architecture
- Add security testing for HMAC
Implementation Details
Files to modify:
- src/contextforge_memory/security/ - New security module
- src/contextforge_memory/main.py - Add HMAC validation
- .github/workflows/ - Add SBOM generation
- docs/security/ - Security documentation
- tests/ - Add security tests
Technical approach:
- Implement HMAC signature validation
- Add timestamp-based replay protection
- Create SBOM generation pipeline
- Add security testing framework
- Document security procedures
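The HMAC signing and timestamp-based replay protection described above, as an added example that is not code from this project: the client signs a canonical string of method, path, timestamp, nonce and body hash; the server checks the timestamp window, rejects reused nonces, then compares the MAC in constant time. The header names, secret, skew window and nonce cache are assumptions for illustration (the nonce check goes slightly beyond the issue's timestamp-only requirement, since a timestamp window alone still permits replay inside the window).

```python
import hashlib
import hmac
import time

# Constructed values for this example; a real service loads the secret from a secret store.
SECRET = b"example-shared-secret"
MAX_SKEW_SECONDS = 300  # timestamps more than this far from server time are rejected


def canonical_string(method: str, path: str, timestamp: int, nonce: str, body: bytes) -> bytes:
    """Bind method, path, timestamp, nonce and body hash so no part can be swapped."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{nonce}\n{body_hash}".encode()


def sign_request(method: str, path: str, body: bytes, timestamp: int, nonce: str,
                 secret: bytes = SECRET) -> dict:
    """Client side: return the signing headers to attach to the request (header names assumed)."""
    mac = hmac.new(secret, canonical_string(method, path, timestamp, nonce, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": mac}


def verify_request(method: str, path: str, body: bytes, headers: dict, seen_nonces: set,
                   now: int, secret: bytes = SECRET) -> tuple:
    """Server side: check skew, then nonce reuse, then the MAC. Returns (ok, reason)."""
    try:
        ts = int(headers["X-Timestamp"])
        nonce = headers["X-Nonce"]
        provided = headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed signing headers"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    if nonce in seen_nonces:
        return False, "nonce already used (replay)"
    expected = hmac.new(secret, canonical_string(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, provided):  # constant-time comparison
        return False, "signature mismatch"
    seen_nonces.add(nonce)  # a real deployment evicts nonces older than the skew window
    return True, "ok"


if __name__ == "__main__":
    body = b'{"key": "k1", "value": "v1"}'  # constructed store payload
    now = int(time.time())
    hdrs = sign_request("POST", "/store", body, now, "nonce-1")
    seen = set()
    print(verify_request("POST", "/store", body, hdrs, seen, now))        # (True, 'ok')
    print(verify_request("POST", "/store", body, hdrs, seen, now))        # replay: nonce reused
    print(verify_request("POST", "/store", body, hdrs, set(), now + 600)) # stale timestamp
```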
Acceptance Criteria
- HMAC signing works correctly
- Replay attacks are prevented
- SBOM is generated in CI
- Security architecture is documented
- Security tests pass
Testing Requirements
- HMAC validation tests
- Replay attack tests
- SBOM generation tests
- Security integration tests
Documentation Updates
- Security documentation - HMAC setup
- SBOM documentation - Generation process
- Security guide - Best practices
- API documentation - Security requirements
Related Issues
- Depends on: P0 rate limiting
- Blocks: None