Next clean up 42

.github/workflows/continuous.yml

@@ -46,6 +46,18 @@ jobs:
       - name: Test
         run: npm run test
 
+      - name: Generate SBOM
+        if: github.event_name == 'push'
+        run: npx cyclonedx-npm --output-format JSON --output-file sbom.cdx.json
+
+      - name: Upload SBOM artifact
+        if: github.event_name == 'push'
+        uses: actions/upload-artifact@v7
+        with:
+          name: sbom
+          path: sbom.cdx.json
+          retention-days: 30
+
       - uses: ./.github/workflows/actions/upload-distribution-archives
 
   assembleInformation:

.github/workflows/release.yml

@@ -41,6 +41,9 @@ jobs:
       - name: Install dependencies
         run: npm ci
 
+      - name: Audit dependencies
+        run: npm audit --audit-level=high
+
       - name: Build
         run: npx turbo run build
 

STYLE_GUIDE.md

@@ -9,6 +9,7 @@ This is a quick reference for component code standards. For comprehensive detail
 - [Prop Validation](#prop-validation)
 - [Quick Reference Table](#quick-reference-table)
 - [Full Documentation](#full-documentation)
+- [Security](#security)
 - [Enforcement](#enforcement)
 
 ## Key Rules at a Glance
@@ -387,6 +388,31 @@ For detailed explanations, examples, and comprehensive guidelines, see:
 - **[CONTRIBUTING.md](CONTRIBUTING.md)** — Contribution workflow and testing requirements
 - **[ARCHITECTURE.md](ARCHITECTURE.md)** — System design, component patterns, and testing strategy
 
+## Security
+
+These rules enforce the component library's secure-by-default posture and are verified during code review and CodeQL analysis.
+
+**Never use `innerHTML` with unsanitized input.** Any HTML that originates from outside the component (consumer props, fetched content) must be passed through DOMPurify before rendering. The existing `sanitizeSvg` utility in `src/utils/svg.ts` is the pattern to follow.
+
+```ts
+// ✅ Correct — sanitize before setting innerHTML
+import DOMPurify from 'dompurify'
+element.innerHTML = DOMPurify.sanitize(externalHtml)
+
+// ❌ Wrong — direct assignment from untrusted source
+element.innerHTML = props.htmlContent
+```
+
+**Never use `eval`, `new Function`, or `setTimeout`/`setInterval` with a string argument.** These bypass CSP and open script injection paths. Use typed callbacks instead.
+
+**Never make default network requests.** Components must not initiate `fetch` or `XMLHttpRequest` calls on their own. The only exception is `ds-icon`, which fetches a consumer-provided SVG URL and immediately sanitizes the response with DOMPurify. New network calls require explicit justification and the same sanitization treatment.
+
+**Never write sensitive data to `localStorage` or `sessionStorage`.** The only permitted `localStorage` use is the animation preference flag (`DS_ANIMATION_KEY`), which stores a non-sensitive boolean. Authentication tokens, user identifiers, and PII must never be stored in web storage by design system components.
+
+**Never use inline event handler attributes.** Use `addEventListener` in `connectedCallback` / `disconnectedCallback` pairs. Inline handlers (`onclick="..."`) break CSP `script-src` policies.
+
+**Prefer semantic HTML over ARIA overrides.** A correct element (`<button>`, `<a>`, `<input>`) provides accessibility for free and reduces attack surface compared to a `<div>` with ARIA roles.
+
 ## Enforcement
 
 Style violations are caught by:

TODOS.md

@@ -85,7 +85,7 @@ These improvements help our components work seamlessly across all supported fram
 | footer           | WC     | ✅     | ✅   | ✅     | ✅   | ✅     | ✅        |
 | file-upload      | WC     | ✅     | ✅   | ✅     | ✅   | ✅     | ✅        |
 | select           | CSS    | ✅     | ✅   | ✅     | ✅   | ✅     | ✅        |
-| navbar           | Hybrid | ⬜     | ⬜   | ⬜     | ⬜   | ⬜     | ⬜        |
+| navbar           | Hybrid | ✅     | ✅   | ✅     | ✅   | ✅     | ✅        |
 | time-input       | CSS    | ✅     | ✅   | ✅     | ✅   | ✅     | ✅        |
 | date             | WC     | ⬜     | ⬜   | ⬜     | ⬜   | ⬜     | ⬜        |
 | dropdown         | WC     | ⬜     | ⬜   | ⬜     | ⬜   | ⬜     | ⬜        |

docs/public/.well-known/security.txt

@@ -0,0 +1,4 @@
+Contact: https://github.com/baloise/design-system/security/advisories/new
+Policy: https://github.com/baloise/design-system/blob/next/SECURITY.md
+Preferred-Languages: en, de
+Expires: 2027-12-31T00:00:00.000Z