Archive code-review-fix change and sync specs to main

- Synced 14 capability delta specs to main specs
- Created 6 new main specs: api-authentication, error-boundary, input-validation, security-headers, shared-types
- Updated 8 existing specs with security, validation, and performance requirements
- Archived change to openspec/changes/archive/2026-02-20-code-review-fix/

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

openspec/changes/archive/2026-02-20-code-review-fix/specs/security-headers/spec.md

@@ -0,0 +1,21 @@
+## ADDED Requirements
+
+### Requirement: Security response headers
+The Next.js application SHALL add security response headers to all routes via the `headers()` function in `next.config.js`. The following headers SHALL be set:
+- `X-Frame-Options: DENY`
+- `X-Content-Type-Options: nosniff`
+- `Referrer-Policy: strict-origin-when-cross-origin`
+- `Permissions-Policy: camera=(), microphone=(), geolocation=()`
+- `Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: blob:`
+
+#### Scenario: Headers present on HTML response
+- **WHEN** a browser requests any page
+- **THEN** the response includes all five security headers
+
+#### Scenario: Headers present on API response
+- **WHEN** a client requests any `/api/*` endpoint
+- **THEN** the response includes all five security headers
+
+#### Scenario: Clickjacking prevented
+- **WHEN** a third-party site attempts to embed the application in an iframe
+- **THEN** the browser blocks the embedding due to `X-Frame-Options: DENY`