chore(compliance): standards alignment 2026-05-30

[williaby]

Compliance Remediations

Applied by the repo-compliance system against standards manifest (built-in inventories, first audit run).

Changes Made

Foundations

• Added [project.urls] table to pyproject.toml (FOUND-014)
• Populated keywords field in pyproject.toml (FOUND-015)
• Added org-team deferral comment to CODEOWNERS (FOUND-016)
• Created LICENSES/ODbL-1.0.txt — referenced by REUSE.toml but absent (CAND-001)
• Removed phantom paths from REUSE.toml (poetry.lock, .zenodo.json, validate_workflows.sh, codemeta.json) (CAND-009)
• Replaced hardcoded version strings in 3 source files with importlib.metadata (CAND-003)
• Merged duplicate ### Fixed sections in CHANGELOG.md (CAND-004)
• Fixed CHANGELOG comparison URL slugs: audio_processor → audio-processor (CAND-005)
• Created docs/known-vulnerabilities-template.md (CAND-006)
• Added <!-- DRAFT: ... --> comments to docs/draft_*.md files (CAND-010)

Toolchain

• Added [plugins] section to .qlty/qlty.toml with ruff, basedpyright, bandit (TOOL-QLTY-001)
• Aligned ruff target-version to py311 to match requires-python = ">=3.11" minimum (TOOL-PYVER-001)
• Added #CRITICAL RAD tags to routes.py (_jobs concurrency, file upload security) and deepgram_client.py (ExternalResources) (CAND-008)

CI/CD

• Removed continue-on-error: true from pytest step in sonarcloud.yml (CI-007-SC)
• Fixed Scorecard badge URI in README.md and scorecard.yml: audio_processor → audio-processor
• Added CI-013 deduplication notice to codeql.yml and dependency-review.yml
• Added Redis SHA-pin instructions to docker-compose.yml (CAND-007)
• Added Scorecard pinning instructions to .clusterfuzzlite/Dockerfile, build.sh, scripts/setup-supply-chain.sh

Claude Docs

• Replaced 49+ em-dash violations across 5 files (CLAUDE-007)
• Replaced AI-pattern blacklist words (comprehensive, seamless, robust, crucial) in docs (CLAUDE-008)
• Created folder-level CLAUDE.md for src/audio_processor/api/, src/audio_processor/services/, and tests/ (CLAUDE-010)

MkDocs

• Added upper-bound pins to mkdocs and plugin dependencies (MKDOCS-VER-001/002)
• Added development/setup.md to nav (MKDOCS-NAV-001)
• Fixed repo_name slug from underscore to hyphen (MKDOCS-REPO-001)
• Enabled strict: true (MKDOCS-STRICT-001)
• Updated copyright year to 2025-2026 (MKDOCS-COPYRIGHT-001)
• Added --strict verification comment to docs.yml (MKDOCS-CI-001)

OSSF

• Created docs/ossf-badge-checklist.md — pre-filled questionnaire for badge application (OSSF-001)

Checks Resolved

FOUND-014, FOUND-015, FOUND-016, TOOL-QLTY-001, TOOL-PYVER-001, CI-007-SC, CI-013, CLAUDE-007, CLAUDE-008, CLAUDE-010, MKDOCS-VER-001, MKDOCS-VER-002, MKDOCS-NAV-001, MKDOCS-REPO-001, MKDOCS-STRICT-001, MKDOCS-COPYRIGHT-001, MKDOCS-CI-001, CAND-001 through CAND-010

Manual Steps Required

• File OpenSSF Best Practices Badge at https://bestpractices.coreinfrastructure.org/en/projects/new — use docs/ossf-badge-checklist.md as guide
• Pin Redis image in docker-compose.yml: run docker inspect redis:7-alpine --format '{{index .RepoDigests 0}}' and substitute SHA
• Pin atheris in .clusterfuzzlite/Dockerfile and build.sh with version + hash
• Pin keyrings.google-artifactregistry-auth in scripts/setup-supply-chain.sh with version + hash
• Create @ByronWilliamsCPA/maintainers team to enable dual-ownership on CODEOWNERS paths

Pre-commit

All hooks pass on the full changeset. Pre-commit domain was entirely clean — no findings.

Generated with Claude Code

[coderabbitai]

Warning

Review limit reached

@williaby, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 50 minutes and 58 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: b4c0d96d-98c5-4058-a102-f3918ea90a14

📥 Commits

Reviewing files that changed from the base of the PR and between 408e2e0 and 259edf4.

⛔ Files ignored due to path filters (1)

• uv.lock is excluded by !**/*.lock, !**/*.lock

📒 Files selected for processing (39)

• .clusterfuzzlite/Dockerfile
• .clusterfuzzlite/build.sh
• .github/CODEOWNERS
• .github/workflows/README.md
• .github/workflows/codeql.yml
• .github/workflows/dependency-review.yml
• .github/workflows/scorecard.yml
• .github/workflows/sonarcloud.yml
• .qlty/qlty.toml
• .secrets.baseline
• .trivyignore
• CHANGELOG.md
• README.md
• REUSE.toml
• docker-compose.yml
• docs/OPENSSF_COMPLIANCE.md
• docs/development/architecture.md
• docs/draft_ADR.md
• docs/draft_audio_preprocessing.md
• docs/draft_tech_spec.md
• docs/draft_vision.md
• docs/known-vulnerabilities-template.md
• docs/known-vulnerabilities.md
• docs/ossf-badge-checklist.md
• docs/planning/adr/adr-001-initial-architecture.md
• docs/planning/phases/phase-2-integration.md
• docs/planning/project-vision.md
• docs/planning/tech-spec.md
• mkdocs.yml
• pyproject.toml
• scripts/setup-supply-chain.sh
• src/audio_processor/__init__.py
• src/audio_processor/api/CLAUDE.md
• src/audio_processor/api/__init__.py
• src/audio_processor/cli.py
• src/audio_processor/services/CLAUDE.md
• src/audio_processor/services/deepgram_client.py
• tests/CLAUDE.md
• tests/unit/test_version_fallback.py

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/openssf-compliance-docs

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

✅ FIPS Compatibility Check

Metric	Count
Errors	0
Warnings	0
Info	1

Status: ✅ PASSED

What is FIPS?

FIPS 140-2/140-3 is a US government standard for cryptographic modules.
Systems running Ubuntu LTS with fips-updates or similar configurations
restrict cryptographic algorithms to NIST-approved ones.

Common issues:

• Using hashlib.md5() without usedforsecurity=False
• Dependencies using non-approved algorithms (bcrypt, DES, RC4)
• Weak cipher configurations

[github-actions]

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

License Issues

uv.lock

Package	Version	License	Issue Type
pydantic-settings	2.14.1	Null	Unknown License

Denied Licenses:

GPL-2.0, GPL-3.0

OpenSSF Scorecard

Package	Version	Score	Details
pip/mkdocstrings	0.30.1	Unknown	Unknown
pip/pydantic-settings	2.14.1	Unknown	Unknown

Scanned Files

• uv.lock

[Copilot]

Pull request overview

Compliance-focused remediation sweep to align the repository with the current standards manifest (packaging metadata, licensing/REUSE hygiene, CI hardening, documentation/tooling conventions), with a small amount of runtime version plumbing updated to derive versions from package metadata.

Changes:

• Updated packaging metadata and dependency constraints (keywords/URLs, Python target version alignment, MkDocs upper-bounds, lockfile updates).
• Hardened/clarified CI and supply-chain guidance (SonarCloud failing on test failures, Scorecard slug fixes, pinning guidance for images/deps, Qlty plugin enablement).
• Added/updated compliance and documentation artifacts (missing license text, OSSF checklist/template docs, CLAUDE folder guidelines, changelog/slug cleanups, draft doc wording normalization).

Reviewed changes

Copilot reviewed 38 out of 39 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
uv.lock	Updates locked dependency graph to reflect new MkDocs upper-bound constraints and refreshed transitive versions.
tests/CLAUDE.md	Adds folder-level testing guidelines and stated coverage gates (needs alignment with actual enforced thresholds).
src/audio_processor/services/deepgram_client.py	Replaces SDK call-site comment with RAD/#CRITICAL external resource verification notes.
src/audio_processor/services/CLAUDE.md	Adds services-layer folder guidance including RAD tagging and error-handling expectations.
src/audio_processor/cli.py	Switches Click --version reporting to derive from installed distribution metadata.
src/audio_processor/api/routes.py	Adds RAD/#CRITICAL notes about shared in-memory job store concurrency and upload-input security concerns.
src/audio_processor/api/CLAUDE.md	Adds API-layer folder guidance (decorator metadata, exception mapping, async conventions).
src/audio_processor/api/__init__.py	Derives APP_VERSION from importlib.metadata rather than a hardcoded string.
src/audio_processor/__init__.py	Derives __version__ from importlib.metadata with a safe fallback when not installed.
scripts/setup-supply-chain.sh	Adds Scorecard guidance comments for pinning a pip-installed dependency with hash.
REUSE.toml	Removes non-existent/phantom paths to keep REUSE config accurate.
README.md	Fixes OpenSSF Scorecard badge slug to match the hyphenated repo name.
pyproject.toml	Adds keywords and [project.urls]; constrains MkDocs deps; aligns Ruff target-version to py311.
mkdocs.yml	Fixes repo_name slug, adds new nav entry, and enables strict: true.
LICENSES/ODbL-1.0.txt	Adds missing ODbL license text referenced by REUSE configuration.
docs/planning/tech-spec.md	Rewords TL;DR to remove banned/flagged phrasing (“comprehensive”).
docs/planning/project-vision.md	Rewords TL;DR/core value statements to remove banned/flagged phrasing.
docs/planning/phases/phase-2-integration.md	Refines milestone description to be more specific than “comprehensive output”.
docs/planning/adr/adr-001-initial-architecture.md	Rewords TL;DR to remove banned/flagged phrasing.
docs/ossf-badge-checklist.md	Adds a pre-filled OpenSSF badge questionnaire checklist (one evidence line needs correction re: SHA pinning).
docs/OPENSSF_COMPLIANCE.md	Rewords “comprehensive” statements and clarifies security scanning/tooling descriptions.
docs/known-vulnerabilities-template.md	Adds a template for documenting deferred vulnerabilities with required fields and audit trail.
docs/draft_vision.md	Normalizes punctuation/formatting and removes em-dash patterns in draft vision doc.
docs/draft_tech_spec.md	Normalizes formatting (revision history table) and removes em-dash patterns in draft tech spec.
docs/draft_audio_preprocessing.md	Normalizes punctuation/formatting and removes em-dash patterns in draft preprocessing doc.
docs/draft_ADR.md	Normalizes list/table formatting and removes em-dash patterns in draft ADR doc.
docs/development/architecture.md	Rewords a sentence to remove banned/flagged phrasing.
docker-compose.yml	Adds instructions/comments to pin Redis image by SHA digest for reproducibility (still unpinned).
CHANGELOG.md	Merges/normalizes formatting in an entry (em-dash to colon style).
.secrets.baseline	Updates baseline metadata (line number + generation timestamp) to match current repo state.
.qlty/qlty.toml	Enables Qlty plugins (ruff, basedpyright, bandit) via new [plugins] section.
.github/workflows/sonarcloud.yml	Removes continue-on-error for pytest; adjusts coverage verification behavior accordingly.
.github/workflows/scorecard.yml	Fixes Scorecard dashboard URL slug to hyphenated repo name.
.github/workflows/README.md	Rewords “comprehensive” statements and clarifies workflow descriptions.
.github/workflows/dependency-review.yml	Adds CI-013 note about potential duplication with org-level reusable security workflow.
.github/workflows/codeql.yml	Adds CI-013 note about potential duplication with org-level reusable security workflow.
.github/CODEOWNERS	Adds deferral note about missing org team for dual-ownership.
.clusterfuzzlite/Dockerfile	Adds Scorecard pinning instructions for base image and atheris installation.
.clusterfuzzlite/build.sh	Adds Scorecard pinning instruction comment for atheris install.

[williaby]

PR Review

Status: do not merge yet — PR is CONFLICTING with main and 3 CI gates fail (2 provably PR-introduced). main is green on REUSE + SonarCloud.

🔴 Critical (must fix before merge)

1. Merge conflict with main in api/__init__.py and api/routes.py. git merge-tree confirms content conflicts in both. Root cause: PR refactor: architecture review remediation (job lifecycle, dead code, API hardening, decomposition) #53 ("API hardening") landed on main after this branch diverged and edited the same files. Fix: merge main in and resolve, re-applying the importlib version plumbing on top of refactor: architecture review remediation (job lifecycle, dead code, API hardening, decomposition) #53.

2. REUSE Compliance — PR-introduced. reuse lint fails with Unused licenses: ODbL-1.0: the PR added LICENSES/ODbL-1.0.txt but no file carries an SPDX-License-Identifier: ODbL-1.0 tag, and REUSE.toml maps nothing to it. Fix: map the ODbL-licensed data files in REUSE.toml, or remove the unused license file.

3. SonarCloud Quality Gate — 71.4% new-code coverage (< 80%). Uncovered except PackageNotFoundError fallbacks in __init__.py and api/__init__.py. Fix: add a test forcing PackageNotFoundError to assert the "unknown" fallback.

🟠 Important (should fix)

4. Container/Trivy failing (x2). Specific CVE not extractable (CI log endpoint returned only runner-agent noise; no comparable Trivy run on main to diff). PR changes no runtime Dockerfile/deps, so most likely a base-image CVE. Re-run post-merge and inspect the Trivy SARIF; add a documented .trivyignore entry if confirmed.

5. docs/ossf-badge-checklist.md:66 (Copilot): claims the Docker image is "pinned by SHA digest," but only pinning instructions exist (redis:7-alpine, FROM ...:v1 still unpinned) — contradicts the PR's own "Manual Steps Required." Reword to "instructions provided; pinning pending."

Note: the green CodeRabbit check is an ack only — CodeRabbit was rate-limited ("Review limit reached") and produced no findings. Re-trigger with @coderabbitai review after the conflict fix.

The compliance work itself is sound; blockers are stale-branch integration vs. #53 plus one self-inflicted REUSE regression.

🤖 Generated with Claude Code

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@williaby — thanks for the thorough triage. Your analysis is spot-on. Here's a consolidated action checklist in priority order:

---

Ordered action plan

🔴 Must fix before merge

1. Merge main → branch, resolve conflicts in api/__init__.py and api/routes.py, then re-apply the importlib.metadata version plumbing on top of the #53 API-hardening changes.

2. Fix REUSE ODbL-1.0 regression — choose one:

   • Add SPDX-License-Identifier: ODbL-1.0 headers to any data files that are actually under ODbL, and map them in REUSE.toml; or
   • Remove LICENSES/ODbL-1.0.txt entirely if no files in this repo use that license.

3. Cover PackageNotFoundError fallbacks — add a test that mocks importlib.metadata.version to raise PackageNotFoundError and asserts the returned version equals "unknown". This applies to both src/audio_processor/__init__.py and src/audio_processor/api/__init__.py.

🟠 Should fix

4. Trivy/CVE — re-run post-merge; inspect the SARIF artifact for the specific CVE(s); add a documented .trivyignore entry with justification if the CVE is confirmed as a base-image issue unrelated to this PR's changes.

5. docs/ossf-badge-checklist.md line 66 — reword the Docker pinning claim from "pinned by SHA digest" to something like "pinning instructions provided; SHA substitution pending (see Manual Steps in PR description)."

---

Once conflicts are resolved and the REUSE/coverage fixes are pushed, drop a comment and I'll run a full review.

[williaby]

PR Fix Summary

Resolved the blockers from the review. Branch rebased onto main (was CONFLICTING; now MERGEABLE).

Conflict resolution (rebase onto main / PR #53)

• api/__init__.py: re-applied the importlib.metadata version plumbing on top of refactor: architecture review remediation (job lifecycle, dead code, API hardening, decomposition) #53's hardened module (kept both refactor: architecture review remediation (job lifecycle, dead code, API hardening, decomposition) #53's asynccontextmanager import and the new metadata imports).
• api/routes.py: dropped the two #CRITICAL RAD tags. refactor: architecture review remediation (job lifecycle, dead code, API hardening, decomposition) #53 already addressed both: the concurrency concern (bare _jobs dict replaced by the JobStore/Redis abstraction) and upload validation (filename check + streamed hard size cap in _stream_upload_to_temp, plus require_api_key and rate_limit). Re-asserting "no validation" would misdescribe the hardened code.

CI fixes

• REUSE (fix(reuse), 971e8ad): removed LICENSES/ODbL-1.0.txt. The ODbL annotation block matches no files, so the license was unused; reuse lint is now compliant (matches main, which never had the file).
• SonarCloud new-code coverage (test, 843f257): added tests/unit/test_version_fallback.py covering the except PackageNotFoundError fallback branches. Full unit suite: 449 passed, 91.04% coverage.

Review comments (docs, 09a2d41)

• docs/ossf-badge-checklist.md: corrected the Docker SHA-pinning evidence (instructions documented, pinning pending). Replied on thread.
• tests/CLAUDE.md: corrected the coverage-threshold table to the actually-enforced gates. Replied on thread.

Deferred (post-push verification)

• Container Security Scan / Trivy: rebased onto main (which passes Trivy) and this PR changes no Dockerfile or dependencies, so it is expected to clear. If it still fails, the SARIF will be inspected and any base-image CVE handled via a documented .trivyignore entry per project policy.

Local gates green: ruff, basedpyright (0/0), pytest + 91% coverage, reuse lint, markdownlint. CI re-run triggered by the push.

🤖 Generated with Claude Code

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[williaby]

CI re-run result (SHA 09a2d41)

Cleared (4 of the 6 originally-failing checks):

• SonarCloud Code Analysis + SonarCloud Analysis: SUCCESS (new-code coverage now passes after the fallback test)
• Check REUSE Compliance + REUSE Compliance Check: SUCCESS (unused ODbL license removed)

Still failing (pre-existing, not introduced by this PR):

• Container Security Scan / Container Vulnerability Scan (Trivy) + Security Summary

My earlier note expected these to clear after the rebase; they did not. Root cause is Trivy CVE-database drift, not this PR. The base image is SHA-pinned (python:3.12-slim@sha256:090ba77e...) and unchanged here; Trivy's DB has newer Debian-tracker CVEs than the last .trivyignore curation (2026-05-28). The new open alerts are in base-image transitive libraries: util-linux (CVE-2026-3184, CVE-2026-27456), ffmpeg (CVE-2026-6385, CVE-2026-30997), pip, tar, zlib, libxml2, libtiff, libtasn1, and Perl IO::Compress.

Recommended: handle in a dedicated .trivyignore-refresh PR, adding each CVE with a documented risk assessment in docs/known-vulnerabilities.md per the unfixed-CVE policy. Note the ffmpeg CVEs need genuine exploitability analysis (this service runs ffmpeg on user-uploaded media), so they should not be blanket-suppressed. Bulk-suppressing CVEs inside this unrelated compliance PR would violate the project's security policy, so it was intentionally left out of scope.

🤖 Generated with Claude Code