From b839cae49efd4b9d35c2868a4137101a4d71bd7f Mon Sep 17 00:00:00 2001 From: nsfisis Date: Tue, 30 Dec 2025 21:54:52 +0900 Subject: feat(dev): update roadmap --- docs/dev/roadmap.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'docs/dev') diff --git a/docs/dev/roadmap.md b/docs/dev/roadmap.md index 4533633..38ef3be 100644 --- a/docs/dev/roadmap.md +++ b/docs/dev/roadmap.md @@ -188,6 +188,23 @@ Smaller features first to enable early MVP validation. --- +## Phase 9: Security Hardening + +**Goal**: Address security vulnerabilities identified in code review + +### High Priority +- [ ] Add rate limiting to login endpoint (brute force protection) +- [ ] Configure CORS middleware + +### Medium Priority +- [ ] Fix card update authorization in sync push (verify existing card ownership) +- [ ] Unify password length requirement (add-user.ts: 8 chars → 15 chars) + +### Low Priority +- [ ] Consider httpOnly cookie for token storage (XSS mitigation) + +--- + ## Future Considerations By priority: -- cgit v1.2.3-70-g09d2
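Review bot: The Medium Priority item "Fix card update authorization in sync push (verify existing card ownership)" describes a missing authorization check, which in practice means a sync push can update cards the caller does not own; that is a higher-impact defect than the rate-limiting and CORS items ranked above it, so consider moving it to High Priority. Two smaller points on the same hunk: "Configure CORS middleware" would be more actionable with the intended policy stated, e.g. `- [ ] Configure CORS middleware (explicit allowed-origin list, no wildcard with credentials)`, and the httpOnly-cookie item should note that moving the token from script-accessible storage into a cookie also requires CSRF protection (SameSite and/or a CSRF token), since the cookie will then be sent automatically by the browser.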