dream: security headers + cache-control middleware + 12 tests
Some checks failed
Test, Build, and Deploy / test-build-deploy (push) Failing after 38s

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-07 15:20:55 +00:00
parent 0366373c8a
commit bd1e78c40f
4 changed files with 158 additions and 0 deletions


@@ -141,6 +141,13 @@ with extensions + hardening below.
`dream-attr`, `dream-escape-join`. Fixed a real **XSS hole** in the todo demo, which
interpolated user text into `<li>` unescaped — now `(dream-escape (get it :text))`;
regression test asserts `<script>` renders as `&lt;script&gt;`. 16 suites, 401/401.
- **2026-06-07 — Ext: security headers + cache-control** (`lib/dream/headers.sx`, 12
tests, 413 total). `dream-security-headers` middleware (X-Content-Type-Options
nosniff, X-Frame-Options DENY, Referrer-Policy no-referrer; opt-in HSTS via
`dream-security-headers-with`). Cache helpers `dream-cache`/`dream-private-cache`/
`dream-no-store`/`dream-no-cache` + `dream-cache-for` middleware. **dream-on-sx is
feature-complete: roadmap + 10 extensions, 413/413 across 17 suites. SATURATED —
remaining work is host-on-sx's job to consume `dream-run` (don't edit hosts/).**
## Extensions (post-roadmap)
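Review bot: The new 2026-06-07 entry lists what `dream-security-headers` sets (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, opt-in HSTS) but says nothing about Content-Security-Policy, even though the entry just above it records an XSS fix. Please state whether CSP is deliberately out of scope or should be configurable through `dream-security-headers-with`, so readers do not assume the middleware covers it. The entry also does not say whether any cache policy is applied by default or only when `dream-cache-for` is installed, which matters for responses behind the Basic/Bearer auth middleware. Finally, "413/413 across 17 suites" and "feature-complete" sit next to a pipeline run shown as failing after 38s on this commit; it would help to note in the entry which step failed before declaring the work saturated.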
@@ -157,6 +164,7 @@ The five-types core is complete; these harden it toward a production HTTP front
- [x] **`api.sx` facade + README** — `dream-make-app` / `dream-serve` + `README.md`.
- [x] **Auth** — base64 (pure SX), HTTP Basic auth + Bearer-token middleware.
- [x] **HTML escaping** (`dream-escape`/`dream-attr`) — fixed an XSS hole in the todo demo.
- [x] **Security headers + cache-control** (`dream-security-headers`, `dream-cache`/`-no-store`).
## Stdlib additions Dream will need
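Review bot: The added checklist line abbreviates the helpers as `dream-cache`/`-no-store`, which does not match the changelog entry in the first hunk, where `dream-private-cache`, `dream-no-cache`, `dream-cache-for` and `dream-security-headers-with` are also named. Suggest spelling out the full identifiers, or pointing at `lib/dream/headers.sx`, so that a search for `dream-no-store` or `dream-cache-for` lands on this line. It would also be consistent with the other items to mention that HSTS is opt-in, since that is the one default a deployer has to act on.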