
chore(bestpractices): rewrite to canonical autofill schema (RAN-57)#96

Merged
aksOps merged 1 commit into
mainfrom
chore/ran-57-bestpractices-canonical-schema
Apr 26, 2026

Conversation

@aksOps
Contributor

@aksOps aksOps commented Apr 26, 2026

Summary

Closes RAN-57. Rewrites .bestpractices.json from the custom group structure (status / evidence / audit keys) to bestpractices.dev's canonical flat per-criterion schema so the autofill robot can pre-fill the criteria page on board flip for project_id 12650.

All 67 passing-level criteria from upstream criteria.yml (top-level '0': block) are now answered with <key>_status + <key>_justification + (where met_url_required: true upstream) <key>_url:

  • 43 MUST → 42 Met, 1 N/A (`crypto_password_storage`, `na_allowed: true`; codeiq is a developer CLI with no auth surface)
  • 10 SHOULD → 9 Met, 1 N/A (`crypto_pfs`; `serve` binds to localhost; PFS is the operator's concern per SECURITY.md scope)
  • 14 SUGGESTED → 11 Met, 1 N/A (dynamic_analysis_unsafe — Java is memory-safe), 2 ? placeholders (dynamic_analysis, dynamic_analysis_enable_assertions — no DAST/fuzzing pipeline today)

Each justification cites the concrete source-of-truth: LICENSE, SECURITY.md, shared/runbooks/engineering-standards.md §1–9, shared/runbooks/release.md, shared/runbooks/test-strategy.md, pom.xml JaCoCo coverage gate, .github/workflows/{ci-java,security,scorecard,release-java,beta-java}.yml, .github/dependabot.yml, scripts/setup-git-signed.sh, cache/FileHasher.java (SHA-256), GitHub Releases, GHSA advisory channel.

The 8 met_url_required: true criteria (contribution, license_location, release_notes, report_process, report_archive, vulnerability_report_process, vulnerability_report_private, contribution_requirements) resolve to public GitHub URLs.

Schema validated locally: 67/67 criteria covered, all _status values in {Met, Unmet, N/A, ?}, every met_url_required criterion with Met status carries a _url.

Refs

  • Parent: RAN-50
  • Companion: RAN-52 (codeiq OpenSSF lane)
  • Trigger: board comment on RAN-50
  • Schema source: coreinfrastructure/best-practices-badge criteria/criteria.yml top-level '0':

Test plan

  • JSON.parse(.bestpractices.json) succeeds
  • All 67 upstream criterion ids present with _status + _justification
  • All 8 met_url_required criteria carry a valid _url
  • No invalid _status values
  • CI green (mvn -B -ntp clean verify + OSS-CLI security stack + Scorecard) — auto-merge on green
  • Board flips bestpractices.dev/projects/12650 → passing (manual board action — out of repo scope)

🤖 Generated with Claude Code

Strip the custom group structure (`status` / `evidence` / `audit`) and
rewrite `.bestpractices.json` against bestpractices.dev's flat
per-criterion key/value schema so the autofill robot can pre-fill
the criteria page on board flip.

All 67 passing-level criteria are now answered with `<key>_status`,
`<key>_justification`, and (where required by upstream
`criteria.yml`) `<key>_url`:

- 43 MUST: 42 Met + 1 N/A (`crypto_password_storage` — na_allowed,
  codeiq is a developer CLI with no auth surface).
- 10 SHOULD: 9 Met + 1 N/A (`crypto_pfs` — codeiq runs on
  localhost; PFS is the operator's responsibility).
- 14 SUGGESTED: 11 Met + 1 N/A (`dynamic_analysis_unsafe` — Java is
  memory-safe) + 2 "?" placeholders (`dynamic_analysis`,
  `dynamic_analysis_enable_assertions` — no DAST/fuzzing today).

Each justification cites the concrete source-of-truth (`LICENSE`,
`SECURITY.md`, `shared/runbooks/engineering-standards.md` §1–9,
`shared/runbooks/release.md`, `shared/runbooks/test-strategy.md`,
`pom.xml` JaCoCo gate, `.github/workflows/{ci-java,security,scorecard,
release-java,beta-java}.yml`, `.github/dependabot.yml`,
`scripts/setup-git-signed.sh`, `cache/FileHasher.java` SHA-256). The
required `_url` fields on `contribution`, `license_location`,
`release_notes`, `report_process`, `report_archive`,
`vulnerability_report_process`, `vulnerability_report_private`, and
`contribution_requirements` resolve to public GitHub URLs.

Refs: RAN-50 (parent) | RAN-52 (codeiq OpenSSF lane) | bestpractices.dev/projects/12650

Co-Authored-By: Paperclip <noreply@paperclip.ing>
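A validator for the flat per-criterion schema the PR describes, as an added JavaScript example (not code from the codeiq repository or from this PR). It checks the properties the test plan lists: every criterion id answered with `_status` and `_justification`, `_status` limited to Met/Unmet/N/A/?, and a public `_url` on Met criteria that upstream marks `met_url_required`. The three-entry criteria list, the sample answers and the placeholder URL are constructed; the `naAllowed` check is an assumption mirroring upstream's `na_allowed` flag.

```javascript
// Added example (not code from the codeiq repo or the PR): validator for
// the flat bestpractices.dev autofill schema. Key naming and the status
// vocabulary come from the PR text; metUrlRequired / naAllowed mirror
// upstream criteria.yml flags, but the criteria subset is constructed.
const STATUSES = new Set(["Met", "Unmet", "N/A", "?"]);
// Constructed three-entry subset of upstream criteria (real list: 67).
const CRITERIA = [
  { id: "contribution", metUrlRequired: true, naAllowed: false },
  { id: "crypto_password_storage", metUrlRequired: false, naAllowed: true },
  { id: "dynamic_analysis", metUrlRequired: false, naAllowed: false },
];

function isHttpUrl(s) {
  try { return ["http:", "https:"].includes(new URL(s).protocol); }
  catch { return false; }
}

// Returns the list of problems found; an empty list means the file passes.
function validateAutofill(doc, criteria = CRITERIA) {
  const errors = [];
  const known = new Set();
  for (const c of criteria) {
    const status = doc[`${c.id}_status`];
    const just = doc[`${c.id}_justification`];
    known.add(`${c.id}_status`).add(`${c.id}_justification`).add(`${c.id}_url`);
    if (status === undefined) { errors.push(`${c.id}: missing _status`); continue; }
    if (!STATUSES.has(status)) errors.push(`${c.id}: invalid _status ${JSON.stringify(status)}`);
    if (typeof just !== "string" || just.trim() === "") errors.push(`${c.id}: missing _justification`);
    if (status === "N/A" && !c.naAllowed) errors.push(`${c.id}: N/A not allowed upstream`);
    if (status === "Met" && c.metUrlRequired && !isHttpUrl(doc[`${c.id}_url`]))
      errors.push(`${c.id}: Met requires a public _url`);
  }
  // Schema-shaped keys that match no criterion are typos or leftovers from
  // the old status/evidence/audit layout; the autofill robot ignores them.
  for (const k of Object.keys(doc)) {
    if (/_(status|justification|url)$/.test(k) && !known.has(k)) errors.push(`unknown key ${k}`);
  }
  return errors;
}

// Constructed sample answers in the PR's flat schema (URL is a placeholder).
const SAMPLE = {
  contribution_status: "Met",
  contribution_justification: "CONTRIBUTING.md documents the process.",
  contribution_url: "https://github.com/ORG/REPO/blob/main/CONTRIBUTING.md",
  crypto_password_storage_status: "N/A",
  crypto_password_storage_justification: "Developer CLI with no auth surface.",
  dynamic_analysis_status: "?",
  dynamic_analysis_justification: "No DAST/fuzzing pipeline today.",
};
```

Run it against the real file with `validateAutofill(JSON.parse(fs.readFileSync(".bestpractices.json", "utf8")), fullCriteriaList)` once the 67-entry list is loaded from upstream criteria.yml.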
@aksOps aksOps enabled auto-merge (squash) April 26, 2026 03:27
@aksOps aksOps merged commit 80c2fc8 into main Apr 26, 2026
13 checks passed
@aksOps aksOps deleted the chore/ran-57-bestpractices-canonical-schema branch April 26, 2026 03:30