docs: add BP-02 deferred backlog item for runtime bundle integrity (#1857)

When CDN bundle loading lands, runtime checksum verification (SHA-256
manifest, fail-closed on mismatch) becomes a security boundary. This
adds the backlog item and context so it's picked up at the right time.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Seshanth.S
2026-03-24 02:52:12 +05:30
committed by GitHub
parent 60de8d6c1e
commit 17232e7698

@@ -43,9 +43,22 @@
| ID | Title | Status | Priority | Depends On | Plan | PR |
|----|-------|--------|----------|------------|------|----|
| BP-01 | WebView bundle build + copy script | Done | Medium | NSL-01, NSL-02 | [plans/BP-01-build-script.md](./plans/BP-01-build-script.md) | Complete on `feat/webview-sdk` |
| BP-02 | Runtime bundle integrity for CDN loading | Deferred | High | — | — | — |
Allowed statuses: `Ready`, `In Progress`, `Blocked`, `Deferred`, `Done`
### BP-02 Context (Deferred)
When the SDK moves to CDN-hosted bundles in production, runtime integrity verification becomes a security boundary. Scope:
- Build step: generate a signed manifest (SHA-256 checksums of all bundle files) during `build-webview-bundle.sh`
- Android: Kotlin runtime check — verify downloaded bundle against manifest before loading into WebView
- iOS: Swift runtime check — same verification before `WKWebView.loadFileURL`
- Fail closed: refuse to load on any mismatch (missing file, checksum diff, missing manifest)
- The existing Gradle `validateWebViewBundle` task remains a dev-time guard; this is the prod-time counterpart
Trigger: when remote/CDN bundle loading is implemented.
## Active Plans
| Plan | IDs | Status |
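Review bot: The BP-02 scope says the build step generates a "signed manifest", but the Android and iOS bullets only verify the downloaded bundle against the manifest, and the fail-closed list (missing file, checksum diff, missing manifest) has no case for a missing or invalid manifest signature. If the manifest is served from the same CDN as the bundle, comparing checksums alone does not help against anyone who can replace both files. Suggest adding manifest signature verification to both runtime bullets, adding "invalid or missing signature" to the fail-closed cases, and stating where the verification key is expected to live. Separately, the BP-02 table row leaves Depends On empty while the Trigger line ties the item to remote/CDN bundle loading; consider referencing that work item there once it has an ID so the dependency is visible in the table.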