chore: generate and attach CycloneDX SBOM to every release

.github/workflows/sbom.yml

@@ -0,0 +1,37 @@
+name: SBOM
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Release tag to attach the SBOM to'
+        required: true
+        type: string
+
+permissions:
+  contents: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.release.tag_name || inputs.tag }}
+  cancel-in-progress: false
+
+jobs:
+  generate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          ref: ${{ github.event.release.tag_name || inputs.tag }}
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: npm
+      - run: npm ci
+      - run: npm run sbom
+      - name: Attach SBOM to release
+        env:
+          GH_TOKEN: ${{ github.token }}
+          TAG: ${{ github.event.release.tag_name || inputs.tag }}
+        run: gh release upload "$TAG" sbom.cdx.json --clobber

.gitignore

@@ -27,6 +27,9 @@ tmp/
 .tmp/
 *.tgz
 
+# Generated artefacts
+sbom.cdx.json
+
 # OS noise
 .DS_Store
 Thumbs.db

CHANGELOG.md

@@ -10,6 +10,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 - `ALLOWLIST_FILE` env var: when set, the contents of the referenced JSON file replace the built-in `sanitize-html` configuration. Lets different consumers run with different policies without forking. Malformed input fails fast at startup.
 - `lib/allowlist.js` module exporting `DEFAULT_ALLOWLIST` (the previous hardcoded config) and `loadAllowlist({ path })` for tests and programmatic use.
 - `RATE_LIMIT_RPM` env var: opt-in per-IP rate limiting on `POST /validate` (requests per minute). Disabled by default. `/health` and `/openapi.json` are never rate-limited. 429 responses include `retry-after` and `ratelimit-*` headers and are documented in the OpenAPI spec.
+- CycloneDX 1.6 SBOM (`sbom.cdx.json`) generated from the production lockfile via `@cyclonedx/cyclonedx-npm`. New `npm run sbom` script for local use, and a `.github/workflows/sbom.yml` workflow that runs on `release: published` (plus `workflow_dispatch` for backfilling) and uploads the SBOM as a release asset.
 
 ## [2.2.0] - 2026-05-10
 

README.md

@@ -127,6 +127,7 @@ Every request is logged as a single JSON line on stdout via [`pino-http`](https:
 - **Rate limiting is opt-in via `RATE_LIMIT_RPM`** and disabled by default. The service still expects to live behind a gateway for auth and TLS; the in-process limiter is defence-in-depth for `/validate`, not a substitute for an upstream policy layer.
 - **Property-based fuzzing.** `tests/fuzzing.test.js` runs `fast-check` against `/validate` to exercise invariants (no dangerous tags ever leak to `sanitized`, sanitization is idempotent, front matter never appears inside `sanitized`). Hundreds of randomized payloads per release.
 - **Schema-validated boundary.** `POST /validate` rejects any body that does not conform to the OpenAPI `ValidateRequest` schema (`ajv`). Extra fields, wrong types, and missing/empty values are caught before reaching the sanitizer, with structured `details` per violation.
+- **SBOM attached to every release.** A CycloneDX 1.6 JSON Software Bill of Materials (`sbom.cdx.json`) is generated from the production lockfile and uploaded as a release asset by `.github/workflows/sbom.yml`. Run `npm run sbom` to produce one locally.
 
 `npm audit` reports zero vulnerabilities at the time of writing (May 2026, against `express@5`, `sanitize-html@2.17`, `pino@10`, `pino-http@11`, `ajv@8`, `express-rate-limit@8`, `jest@30`, `supertest@7.2`, `fast-check@4`).