
Commit b125cb0

OpsKern and claude committed
chore(writ-core): v0.1.0 release prep
Add CONTRIBUTING.md (DCO sign-off requirement, PR flow), SECURITY.md (private disclosure, 90-day window), and docs/release-notes-v0.1.0.md. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent a26cdcc commit b125cb0

3 files changed

Lines changed: 75 additions & 0 deletions


CONTRIBUTING.md

Lines changed: 32 additions & 0 deletions
@@ -0,0 +1,32 @@
1+
# Contributing to writ
2+
3+
## Opening an issue
4+
5+
- Search existing issues before opening a new one.
6+
- For bugs: include the writ version (`go list -m github.com/opskernel-io/writ`), Go version, OS, and a minimal reproducer.
7+
- For feature requests: describe the problem you're solving, not just the solution.
8+
9+
## Submitting a pull request
10+
11+
1. Fork the repo and create a branch from `main`.
12+
2. Make your changes. Run `go test ./...` and `go vet ./...` before pushing.
13+
3. Open a PR against `main`. Keep the title concise and in the imperative mood ("Add X", "Fix Y").
14+
4. A maintainer will review within 5 business days. CI must pass before merge.
15+
16+
## DCO sign-off
17+
18+
This project uses the [Developer Certificate of Origin (DCO)](https://developercertificate.org/) in place of a CLA. Add a sign-off line to every commit:
19+
20+
```
21+
git commit -s -m "your commit message"
22+
```
23+
24+
This appends `Signed-off-by: Your Name <your@email.com>` to the commit message. By signing off you certify that you wrote the code or have the right to submit it under the Apache 2.0 license.
25+
26+
PRs with unsigned commits will not be merged.
27+
28+
## Code style
29+
30+
- Standard `gofmt` formatting.
31+
- No new exported symbols without a doc comment.
32+
- Security-sensitive code (`internal/audit`, `internal/gate`) must pass `gosec ./...` with no new suppressions unless reviewed and justified in the PR description.

SECURITY.md

Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,27 @@
1+
# Security policy
2+
3+
## Supported versions
4+
5+
| Version | Supported |
6+
|---------|-----------|
7+
| 0.x | Yes |
8+
9+
## Reporting a vulnerability
10+
11+
**Do not open a public GitHub issue for security vulnerabilities.**
12+
13+
Report vulnerabilities by email to **thewismit@gmail.com**. Include:
14+
15+
- A description of the vulnerability and its potential impact
16+
- Steps to reproduce or a proof-of-concept
17+
- Affected versions (if known)
18+
19+
You will receive an acknowledgement within 2 business days. We aim to release a fix within 30 days of confirmation; for critical issues, sooner.
20+
21+
**Disclosure window:** We follow a 90-day coordinated disclosure policy. After 90 days from the date of your report (or on the day a fix ships, whichever comes first), you are free to publish your findings. We will credit you in the release notes unless you prefer to remain anonymous.
22+
23+
## Scope
24+
25+
In scope: the `writ` Go module and the `cmd/writ` CLI.
26+
27+
Out of scope: vulnerabilities in third-party dependencies (report those to the respective projects). We will bump affected dependencies promptly when upstream fixes ship.

docs/release-notes-v0.1.0.md

Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
## writ v0.1.0
2+
3+
writ is a pre-execution codification gate and Merkle audit chain for Go agents. Every outbound LLM API call is evaluated against an OPA policy before it leaves the process; every gate decision is written to a SHA-256-linked append-only chain that breaks verification if altered.
4+
5+
**EU AI Act Article 12 posture (enforcement begins 2026-08-02):**
6+
7+
- 3 requirements met in full: automatic logging, technical logging, traceability
8+
- 3 requirements partially met with defined remediation paths: tamper-evident storage, cross-restart chain continuity, full input capture
9+
- 2 named gaps with a roadmap: RFC 3161 external timestamping, managed 6-month retention
10+
11+
**What's next:**
12+
13+
- Cross-restart hash linking (closes partial requirement 2)
14+
- `chattr +a` filesystem protection helper (closes partial requirement 1)
15+
- RFC 3161 timestamp integration via `github.com/digitorus/timestamp`
16+
- Commercial-tier: hosted eIDAS-compliant timestamping and retention management
