File: CONTRIBUTING.md (1 addition & 1 deletion)
@@ -50,7 +50,7 @@ All pull requests run the following workflows automatically:
-`validate`: Ubuntu-hosted fast/runtime/release/MCP scopes, MCP runtime pin freshness (advisory only on pull requests), and MCP safe-call smoke.
-`cross-platform`: lightweight metadata/path smoke on standard Ubuntu, Windows, and macOS public runners.
-
-`security-static`: action pins, actionlint, text security scan, ShellCheck, Pyright, Semgrep CLI. Also runs on a weekly schedule.
+
-`security-static`: action pins, actionlint, text security scan, ShellCheck, and Pyright. Also runs on a weekly schedule.
-`codeql`: GitHub CodeQL analysis for Python and GitHub Actions with `security-and-quality` queries. Also runs on a weekly schedule.
-`dependency-review`: blocks merges that introduce dependencies with high-severity vulnerabilities or licenses outside the AGPL-3.0-or-later compatible allow-list.
-`labeler`: applies area labels based on changed paths.
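Review bot: removing Semgrep CLI from the `security-static` bullet leaves it silent about what now provides the pattern-based checks Semgrep was running (elsewhere in this change the excluded `bash.lang.security.ifs-tampering` rule shows it at least covered shell); the `codeql` bullet two lines down already names `security-and-quality` queries for Python and GitHub Actions, so either state that CodeQL is the replacement for that coverage or say plainly that the gate lost it. This tool list is also repeated near line 213 of this file, in SECURITY.md and in ADR 0002, all edited in this same change; keep one authoritative list and have the others reference it so the next tool swap cannot leave the copies disagreeing.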
plans these installed-runtime diagnostics and reports `NOT PROVEN` when `codex`
+
is not available locally.
+
The default install posture is owner-standard full-auto:
`~/.codex/config.toml` receives the active owner defaults, and
`~/.codex/rldyour-yolo.config.toml` is the explicit `--profile rldyour-yolo`
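Review bot: the added sentence says the diagnostics report `NOT PROVEN` when `codex` is not available locally, but not whether the `validate` workflow treats `NOT PROVEN` as a failure, a skip, or an advisory result; the `validate` bullet earlier in this file marks MCP runtime pin freshness as "advisory only on pull requests", so this check should state its gating behaviour in the same terms. The unchanged context right below describes the default install posture as "owner-standard full-auto" with a `rldyour-yolo` profile; since this section is being edited anyway, a pointer to where the security implications of that default are documented (SECURITY.md, also touched in this change) would help a contributor reading this hunk.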
@@ -194,7 +210,7 @@ GitHub Actions run automatically on this public repository:
-`validate.yml`: on every push to `main` and every pull request targeting `main`, runs Ubuntu-hosted fast validation, optional runtime/release/MCP scopes, MCP runtime pin freshness, and MCP safe-call smoke. `workflow_dispatch` is available for narrower scopes.
-`cross-platform.yml`: runs lightweight metadata/path smoke on standard Ubuntu, Windows, and macOS public runners.
-
-`security-static.yml`: on push to `main`, pull requests, and weekly schedule, runs action pin validation, actionlint, repository text security scan, ShellCheck, Pyright, and Semgrep CLI without paid GitHub Code Security.
+
-`security-static.yml`: on push to `main`, pull requests, and weekly schedule, runs action pin validation, actionlint, repository text security scan, ShellCheck, and Pyright without paid GitHub Code Security.
-`codeql.yml`: on push to `main`, pull requests, and weekly schedule, runs GitHub CodeQL analysis with `security-and-quality` queries for Python and GitHub Actions.
-`dependency-check.yml`: on daily schedule and on push to MCP runtime pin sources, checks pinned MCP runtime versions through `scripts/check_mcp_runtime_versions.py --fail-on-outdated`. Surfaces stale pins as a maintainer-visible signal without blocking pull requests.
-`release.yml`: on push of a SemVer tag matching `X.Y.Z[-pre]`, validates `VERSION` and `CHANGELOG.md`, builds a deterministic bundle, generates a release manifest and SPDX 2.3 SBOM, exports the GitHub dependency-graph SBOM when available, attaches artifact attestations, and publishes the GitHub Release. `workflow_dispatch` remains available as a fallback.
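Review bot: the rewritten `security-static.yml` line says it runs on "push to `main`, pull requests, and weekly schedule", while the `validate.yml` bullet above is specific ("every pull request targeting `main`"); since this line is being edited, make the trigger equally precise about which branches' pull requests it covers, because whether a fork PR against a non-`main` branch gets the static gate is exactly what a reviewer of this file will ask. The `codeql.yml` bullet below uses the same loose "pull requests" wording and would benefit from the same fix.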
File: SECURITY.md (2 additions & 3 deletions)
@@ -12,7 +12,7 @@ historical patch in the line.
| Version | Supported |
| --- | --- |
-
| Current exact tag `1.1.23`| Yes |
+
| Current exact tag `1.1.24`| Yes |
| Older `1.1.*` tags | No; upgrade to current exact tag |
| Older minor / major lines | No |
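Review bot: the supported-version row is hand-edited from `1.1.23` to `1.1.24`, so it has to be touched on every release and will drift the first time someone forgets; CONTRIBUTING.md in this same change says `release.yml` already validates `VERSION` and `CHANGELOG.md` on tag push, so add this SECURITY.md tag to that validation (or generate the row from `VERSION`) so the "current exact tag" can never disagree with the tag actually released.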
@@ -58,8 +58,7 @@ These targets are best-effort and not contractual.
Scanning Push Protection and related live repository settings are required
public-adapter controls and are verified from the private root control plane
when an owner token is available.
-
- No-paid static security gates use ShellCheck, Pyright, Semgrep CLI, action pin validation, repository text security scanning, and custom repository validators.
-
- Semgrep excludes only the `bash.lang.security.ifs-tampering.ifs-tampering` rule because the repository intentionally uses `IFS=$'\n\t'` as part of its strict shell prologue and validates shell scripts separately with ShellCheck.
+
- No-paid static security gates use ShellCheck, Pyright, action pin validation, repository text security scanning, CodeQL, Gitleaks, dependency review, and custom repository validators.
-`scripts/scan_text_security.py` scans tracked text and agent-only paths for credential patterns and hidden Unicode controls without printing matched values.
- The full git history was scanned with `gitleaks` (8.30.1) before the public release; 190 commits, 0 leaks found.
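Review bot: the rewritten bullet lists Gitleaks among the no-paid static security gates, but the only Gitleaks evidence on this page is the one-time pre-release history scan two lines below (`gitleaks` 8.30.1, 190 commits, 0 leaks), and none of the workflows enumerated in CONTRIBUTING.md in this same change (`validate`, `cross-platform`, `security-static`, `codeql`, `dependency-review`, `dependency-check`, `release`, `labeler`) is a Gitleaks job; a scan that ran once before publication is not a gate. Either name the workflow that runs Gitleaks on push and pull requests, or move it out of the "gates" sentence and keep it as the documented one-off scan. For the same reason, naming the workflow next to each tool (CodeQL and dependency review are separate workflows, not part of `security-static`) would make the sentence auditable against the CI configuration.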
File: docs/adr/0002-testing-and-ci-quality-gates.md (2 additions & 2 deletions)
@@ -21,8 +21,8 @@ The repository had a strong smoke/static validation gate but no conventional uni
- Split manual CI into fast, runtime, release, MCP, and full scopes with Ubuntu
as the heavy runtime runner, and add lightweight standard public Ubuntu,
Windows, and macOS smoke for path/archive/metadata portability.
-
- Keep the no-paid static security workflow manual-only, using ShellCheck, Pyright, Semgrep CLI, action SHA-pin validation, and text security scanning.
-
-Exclude Semgrep's global `IFS` tampering rule from the no-paid gate because the repository intentionally uses `IFS=$'\n\t'` as part of its strict shell prologue and relies on ShellCheck plus project validators for shell safety.
+
- Keep the no-paid static security workflow manual-only, using ShellCheck, Pyright, action SHA-pin validation, and text security scanning.
+
-Keep shell safety covered through ShellCheck plus project validators; the repository intentionally uses `IFS=$'\n\t'` as part of its strict shell prologue.
- Keep the upstream repository public and standard-runner-only so normal push,
PR, scheduled, CodeQL, Scorecard, and dependency-review workflows stay in the
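Review bot: the rewritten decision line still says "Keep the no-paid static security workflow manual-only", which contradicts CONTRIBUTING.md in this same change, where `security-static.yml` runs on push to `main`, on pull requests and on a weekly schedule; since the line is being edited anyway, correct the trigger wording here too. This is also a decision record, and the hunk drops Semgrep CLI without recording why: add the rationale (for example that CodeQL `security-and-quality` queries now cover that analysis, if that is the reason) rather than silently removing a tool from the decision. Finally, the unchanged context below lists a Scorecard workflow that the CONTRIBUTING.md workflow list in this change does not mention; worth reconciling in the same pass.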