v0.4.0 — Open-Source Release: license, secret-scan gates, hygiene, CI hardening, pre-flight checklist#3
Merged
Triggered by issue AGE-6 "Make repository public". v0.4.0 is a repo/process milestone — no product changes — covering OSS licensing, git-history secret scanning, repo hygiene cleanup, public CI/CD verification, and the visibility flip. Five phases (7-11) with 21 requirements (4 LIC + 5 SEC + 4 CLEAN + 4 CIPUB + 4 PUB), all 1:1 mapped to phases. Phase numbering continues from v0.3.0 (last phase 6 → next phase 7). v0.3.0 phase directories remain under .planning/phases/ until the v0.3.0-rc1 tag push completes the v0.3.0 shipping event; archived v0.3.0 REQUIREMENTS.md / ROADMAP.md preserved under .planning/milestones/. Treats the visibility flip (PUB-02) as one-way: every Phase 7-10 audit must be GREEN before Phase 11 fires the trigger. Default-stance for secret remediation: rotate without history rewrite unless the secret grants ongoing access that cannot be revoked upstream.
Closes v0.4.0 LIC-01..04 (Phase 7 of Open-Source Release milestone).
LIC-01: LICENSE file at repo root (MIT, copyright "Nikita Ivanov and
AgentLinux contributors", 2026); license choice logged as ADR-013
with patent / copyleft / trademark / reversibility analysis.
LIC-02: README badge cluster gains shields.io license badge; new
"## License" and "## Contributing" sections; broken
github.com/agentlinux/agent-linux URLs corrected to Roo4L/Agent-Linux
in test/release badges and Links section.
LIC-03: SPDX-License-Identifier headers backfilled to 16 first-party
source files (plugin/bin, plugin/lib, plugin/provisioner,
plugin/cli/src/{index,runner,types}.ts, scripts/build-release.sh,
packaging/curl-installer/install.sh, tests/harness/run.sh). New-file
convention + existing-file backfill policy recorded in ADR-013.
LIC-04: CONTRIBUTING.md at repo root — quick start, behavior-test
contract, review-loop conventions, lightweight DCO-equivalent
(submitting a PR affirms MIT-relicensability), security reporting note.
Phase-close audit at .planning/phases/07-license-and-public-docs/
07-AUDIT.md emits GATE: GREEN.
Closes v0.4.0 SEC-01..05 (Phase 8 of Open-Source Release milestone).

Audited 255 commits across all branches via three independent passes:
- gitleaks (Docker, --redact, --log-opts=--all): 1 finding, triaged as false positive (OpenNebula API hostname `api.nebula.k8s.svcs.io` in retired v0.2.0 planning note .planning/.continue-here.md line 65, matched the generic-api-key regex on the literal "API:" prefix).
- trufflehog (--only-verified): 1458 chunks, 4.98 MB, zero verified + zero unverified findings.
- Targeted manual audit across 8 patterns (Buttondown, GitHub, Anthropic, npm, .env/.npmrc/.git-credentials/SSH artifacts, Bearer headers, AWS AKIA, PEM private keys): 0 matches.

SEC-04 closes as a no-op — no real secrets to rotate. ADR-014 records the decision rule for any future leak (default: rotate without history rewrite unless the secret grants ongoing access that cannot be revoked upstream).

SEC-05 gitleaks gate is wired in two layers:
- pre-commit hook (`gitleaks/gitleaks @ v8.21.2`): fast-feedback path, scans staged files on every commit.
- CI job in test.yml (`gitleaks/gitleaks-action@v2`, fetch-depth=0, permissions: contents:read): durable path, scans full history on every PR — catches force-pushes, --no-verify bypasses, and any pre-existing leak that pre-dates the gate.

Smoke test (docs/audits/v0.4.0/SEC-05-gate-evidence.md): contrived ghp_*, AKIA*, and PEM private-key block in a /tmp fixture all trigger gitleaks exit-non-zero against the same .gitleaks.toml the hook uses. Gate fires as expected; fixture deleted post-test.

`.gitleaks.toml` extends upstream defaults and allowlists `.planning/*.md` (workflow narrative, frequent false-positive trigger) plus the specific SEC-01 fingerprint.

Phase-close audit at .planning/phases/08-secret-scanning/08-AUDIT.md emits GATE: GREEN.
…udits

Closes v0.4.0 CLEAN-01..04 (Phase 9 of Open-Source Release milestone).

CLEAN-01 (branch review): 2 remote branches — `master` (default) and `engineer/-issueIdentifier` (active PR #2, opened 2026-04-25). Both <24h old; no stale, no abandoned, no merged-but-unpurged. No deletions warranted. CIPUB-03 flagged: branch protection on `master` is currently OFF (must be ON before flip — Phase 10).

CLEAN-02 (large files): largest blob anywhere in history is a 126 KB STATE.md snapshot (all markdown narrative). Zero blobs >500 KB. Only 3 binary-shaped files in HEAD: hand-written brand SVGs (<10 KB each). No history rewrite or LFS migration required.

CLEAN-03 (.gitignore audit): hardened for public-repo posture. Added .env*, .npmrc, .git-credentials, .netrc, *.pem/*.key/*.crt, SSH key names, editor/OS files (.vscode, .idea, .DS_Store, *.swp, etc.), coverage outputs, TS/Python/pnpm caches. Existing `check-added-large-files` (default 500 KB threshold) and `detect-private-key` pre-commit hooks remain active — combined with SEC-05 gitleaks gate that's four-layer defence.

CLEAN-04 (content review): no customer/vendor/prospect names; no PII; no TODO/FIXME in public-facing docs; OpenNebula references are appropriate public history per ADR-001 + research files. `.planning/` retention is a deliberate convention (recorded in CLAUDE.md) — it documents project evolution and contains no secrets per SEC-01..05.

All four audit reports under docs/audits/v0.4.0/CLEAN-*.md. Phase-close audit at .planning/phases/09-repo-hygiene/09-AUDIT.md emits GATE: GREEN.
…on ready

Closes v0.4.0 CIPUB-01..04 (Phase 10 of Open-Source Release milestone). Two of four close on maintainer execution of pre-staged commands.

CIPUB-01 (workflow permissions): test.yml gains explicit top-level `permissions: contents: read`. The other four workflows already had explicit blocks (deploy.yml: pages:write + id-token:write; nightly-*.yml: contents:read; release.yml: contents:read with publish-job escalation to contents:write that's tag-push-gated). Per-workflow inventory + "what's NOT being granted" list in docs/audits/v0.4.0/CIPUB-01-workflow-audit.md.

CIPUB-02 (fork-PR exfiltration): zero pull_request_target, zero workflow_run, zero PR-controlled-ref interpolation, zero ref-override on actions/checkout. Default-stance recorded: prefer pull_request, treat any future pull_request_target as opt-in with security review. Audit in docs/audits/v0.4.0/CIPUB-02-fork-pr-exfiltration.md.

CIPUB-03 (branch protection): designed full configuration — enforce_admins, linear history, no force-push, no deletions, 1 approval + dismiss-stale, strict status checks (pre-commit, cli-unit, bats-docker matrix, gitleaks). Two ready-to-apply gh api commands (Option A "after this branch merges"; Option B "bootstrap before merge" without gitleaks context). MAINTAINER TASK — runs ~30s, verification jq snippet provided. Doc: docs/audits/v0.4.0/CIPUB-03-branch-protection.md.

CIPUB-04 (smoke runs): de facto GREEN from PR #2 + nightly runs <24h old (all 4 jobs green on PR #2; nightly-qemu and nightly-mutation green on master). Explicit workflow_dispatch commands documented for belt-and-braces. MAINTAINER TASK — capture run URLs in CIPUB-04-runs.md follow-up. Doc: docs/audits/v0.4.0/CIPUB-04-workflow-smoke.md.

Phase-close audit at .planning/phases/10-public-cicd/10-AUDIT.md emits GATE: GREEN-pending-2-maintainer-tasks.
v0.4.0 milestone state at end of /gsd-autonomous run:
- Phases 7-10 ✓ complete (commits c52b3c1, c94920a, 158e465, 446c89b)
- Phase 11 ⏳ STOPPED for maintainer sign-off, per the explicit /gsd-autonomous invocation note that PUB-02 (visibility flip) is checkpoint:human-verify

PUB-01 pre-flight checklist (docs/audits/v0.4.0/PUB-01-preflight-checklist.md) references every Phase 7-10 artifact: 13 of 17 line items already evidenced; 2 close on staged Phase 10 maintainer commands (CIPUB-03 branch protection apply via single `gh api -X PUT`; CIPUB-04 workflow_dispatch smoke runs).

Phase 11 AUDIT (.planning/phases/11-public-flip/11-AUDIT.md) emits GATE: BLOCKED-on-PUB-01-signoff and documents what the maintainer does next: branch protection apply → workflow_dispatch smoke → PUB-01 sign-off → PUB-02 flip → PUB-03 anonymous-clone + curl-pipe-bash smoke → PUB-04 release notes.

ROADMAP.md and STATE.md updated to reflect 4/5 phases complete and the stop-point for maintainer hand-off.
… triggered

Per maintainer authorization on Multica issue 883fac5a, executing the Phase 11 maintainer-action items:
- CIPUB-03: branch protection applied to master via gh api (Option B bootstrap; will swap to Option A after this PR merges and the new gitleaks job runs once on master). Verification JSON in CIPUB-03-applied.json: enforce_admins=true, linear=true, force_pushes=false, deletions=false, reviews=1, dismiss=true, strict=true, contexts=[pre-commit, cli-unit, bats-docker (ubuntu-22.04), bats-docker (ubuntu-24.04)].
- CIPUB-04: 4 workflow runs triggered on agent/claude-code/5b93ad3c (test on push + test on PR + nightly-qemu + nightly-mutation). nightly-mutation already green; remainder green-or-running at sign-off. Run URLs in CIPUB-04-runs.md.
- PUB-01: pre-flight checklist signed off; both prior maintainer-action items (CIPUB-03 and CIPUB-04) now closed with concrete evidence.

Next: wait for in-progress runs to complete green; merge this PR; swap branch protection to Option A; flip repo visibility (PUB-02); run post-flip smoke (PUB-03); write release notes (PUB-04).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
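The CIPUB-03 settings above are easy to mis-apply by hand, so an added illustration (not the project's verification jq snippet or its gh commands) of checking them as policy: `put_payload()` builds the body for the `gh api -X PUT repos/{owner}/{repo}/branches/master/protection --input payload.json` apply step, and `check_protection()` inspects a GET response. `APPLIED` is a constructed stand-in for what the protection endpoint returns (the GET shape wraps booleans as `{"enabled": ...}`), populated with the values recorded in CIPUB-03-applied.json; the Option A / Option B context lists follow the commit message.

```python
"""Branch-protection policy check for the CIPUB-03 configuration (added example)."""
import json

# Option B (bootstrap before merge) vs Option A (adds the gitleaks job once it
# has run on master). Contexts as listed in CIPUB-03-applied.json.
OPTION_B = ["pre-commit", "cli-unit", "bats-docker (ubuntu-22.04)", "bats-docker (ubuntu-24.04)"]
OPTION_A = OPTION_B + ["gitleaks"]


def put_payload(contexts):
    """Body for PUT /repos/{owner}/{repo}/branches/{branch}/protection."""
    return {
        "required_status_checks": {"strict": True, "contexts": list(contexts)},
        "enforce_admins": True,
        "required_pull_request_reviews": {
            "dismiss_stale_reviews": True,
            "required_approving_review_count": 1,
        },
        "restrictions": None,            # no push restrictions on a personal repo
        "required_linear_history": True,
        "allow_force_pushes": False,
        "allow_deletions": False,
    }


def check_protection(resp, required_contexts):
    """Return the list of policy violations found in a GET protection response."""
    def enabled(key):
        return bool((resp.get(key) or {}).get("enabled", False))

    violations = []
    if not enabled("enforce_admins"):
        violations.append("enforce_admins is off: admins can bypass the rules")
    if not enabled("required_linear_history"):
        violations.append("linear history not required")
    if enabled("allow_force_pushes"):
        violations.append("force pushes allowed")
    if enabled("allow_deletions"):
        violations.append("branch deletion allowed")
    reviews = resp.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        violations.append("fewer than 1 approving review required")
    if not reviews.get("dismiss_stale_reviews", False):
        violations.append("stale reviews are not dismissed on new pushes")
    checks = resp.get("required_status_checks") or {}
    if not checks.get("strict", False):
        violations.append("status checks not strict (branch may be out of date)")
    for ctx in sorted(set(required_contexts) - set(checks.get("contexts", []))):
        violations.append(f"missing required status check: {ctx}")
    return violations


# Constructed GET response mirroring the values recorded in CIPUB-03-applied.json.
APPLIED = {
    "required_status_checks": {"strict": True, "contexts": OPTION_B},
    "enforce_admins": {"enabled": True},
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": True,
        "required_approving_review_count": 1,
    },
    "required_linear_history": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}

if __name__ == "__main__":
    print(json.dumps(put_payload(OPTION_A), indent=2))
    print("Option B:", check_protection(APPLIED, OPTION_B) or "OK")
    print("Option A:", check_protection(APPLIED, OPTION_A) or "OK")
```

Run against the live response (`gh api repos/OWNER/REPO/branches/master/protection > applied.json`, then feed it to `check_protection`) the Option A check should report exactly one missing context until the gitleaks job has produced a status on master, which is the cue to re-apply with `OPTION_A`.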
… fixtures

CI on agent/claude-code/5b93ad3c surfaced three pre-commit/CI failures that were latent before the new gitleaks gate landed in master-CI history:
1. gitleaks (full-history, CI): the ADR at docs/decisions/014-secret-remediation-noop.md line 20 quotes the same `API: api.nebula.k8s.svcs.io` text that the .planning allowlist already suppresses — the ADR documents *why* it's a false positive, but the allowlist scoped to .planning/*.md doesn't reach docs/decisions/. Widened the path allowlist + pinned the specific fingerprint (c94920a:docs/decisions/014-secret-remediation-noop.md:20).
2. detect-private-key (pre-commit): SEC-03 and SEC-05 audit docs embed a PEM-shaped fixture block as the test material that proves the gitleaks gate fires. The hook can't tell evidence from real keys; excluded those two specific files by path. The hook still runs on every other file.
3. trailing-whitespace: auto-applied by the hook to PUB-01-preflight-checklist.md.

No source-code change; no behavior change. Phase 8 audits still hold — trufflehog 0/0, no real PEM keys anywhere in history.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
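To make the two allowlist mechanisms from the Phase 8 commit and this fix concrete (a path allowlist that silences a whole directory versus a fingerprint that pins one occurrence), here is an added model of the gate, not the project's `.gitleaks.toml` and not gitleaks itself. `RULES` are simplified stand-ins for the upstream rule set (the generic rule is deliberately loose so that it bites on `API: <hostname>` narrative text the way the real generic-api-key rule did); path allowlists are regexes, as in gitleaks' `[allowlist] paths`; the fingerprint form `commit:path:rule-id:line` mirrors gitleaks' `.gitleaksignore` convention and is assumed here (the commit message quotes the fingerprint without the rule-id segment). All blobs and secret-shaped values are constructed.

```python
"""Model of the gitleaks gate + allowlist semantics used in this PR (added example)."""
import re
from dataclasses import dataclass

# (rule_id, regex). Simplified stand-ins for gitleaks' rules; the generic rule
# matches "API: <host>" text just like the false positive described above.
RULES = [
    ("github-pat", re.compile(r"ghp_[A-Za-z0-9]{36}")),
    ("aws-access-token", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("generic-api-key", re.compile(r"(?i)\bapi[_: -]+\S{8,}")),
]


@dataclass(frozen=True)
class Finding:
    commit: str
    path: str
    rule: str
    line: int

    @property
    def fingerprint(self) -> str:
        # assumed .gitleaksignore-style form: commit:path:rule-id:line
        return f"{self.commit}:{self.path}:{self.rule}:{self.line}"


def scan_blob(commit, path, text, allow_paths=(), allow_fingerprints=()):
    """Scan one blob; drop findings the path or fingerprint allowlist covers."""
    if any(re.search(pat, path) for pat in allow_paths):
        return []                       # path allowlist: the whole blob is skipped
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule_id, rx in RULES:
            if rx.search(line):
                f = Finding(commit, path, rule_id, lineno)
                if f.fingerprint not in allow_fingerprints:   # pin one occurrence only
                    findings.append(f)
    return findings


def gate(blobs, allow_paths=(), allow_fingerprints=()):
    """Return (exit_code, findings): a non-zero exit means the gate fires."""
    findings = [
        f for commit, path, text in blobs
        for f in scan_blob(commit, path, text, allow_paths, allow_fingerprints)
    ]
    return (1 if findings else 0), findings


def demo():
    """Replay the three situations described in the commit messages."""
    planning = ".planning/.continue-here.md"
    adr = "docs/decisions/014-secret-remediation-noop.md"
    quote = "API: api.nebula.k8s.svcs.io"       # constructed stand-in for the quoted text
    history = [                                 # constructed blobs, not real history
        ("c94920a", planning, "retired v0.2.0 note\n" + quote + "\n"),
        ("c94920a", adr, "\n".join(["context"] * 19 + [quote]) + "\n"),   # quote on line 20
    ]
    narrow = [r"^\.planning/.*\.md$"]
    # 1. allowlist scoped to .planning/*.md: the ADR's copy of the text still fires
    narrow_exit, narrow_hits = gate(history, allow_paths=narrow)
    # 2. widened config: pin that one occurrence by fingerprint, nothing else
    pin = f"c94920a:{adr}:generic-api-key:20"
    wide_exit, _ = gate(history, allow_paths=narrow, allow_fingerprints=[pin])
    # 3. SEC-05 smoke fixture: contrived token shapes must still trip the gate
    fixture = "ghp_" + "A" * 36 + "\nAKIA" + "B" * 16 + "\n-----BEGIN RSA PRIVATE KEY-----\n"
    fixture_exit, fixture_hits = gate([("0000000", "tmp/fixture.txt", fixture)])
    return {
        "narrow_exit": narrow_exit,
        "narrow_fingerprints": [f.fingerprint for f in narrow_hits],
        "wide_exit": wide_exit,
        "fixture_exit": fixture_exit,
        "fixture_rules": [f.rule for f in fixture_hits],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is the asymmetry: a path allowlist is a blanket exemption and should stay as narrow as the false-positive source (here, planning narrative), while a fingerprint exempts exactly one commit, file, rule and line, so the same text pasted anywhere else, or a real secret in the same file, still fires.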
The gitleaks-action@v2 calls /repos/{owner}/{repo}/pulls/{n}/commits on
pull_request events to compute the diff range. With only contents: read,
that API returned 403 ("Resource not accessible by integration") and the
job aborted before any scan ran. Adding pull-requests: read at the job
level (still no write permissions anywhere).
The push-event scan was already green after the previous fix(ci) commit.
This makes the pull_request-event scan pass too.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
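The CIPUB-01/02 audit (explicit `permissions:` blocks, no `pull_request_target` or `workflow_run`, no PR-controlled expressions in steps or checkout refs) and the job-level `pull-requests: read` fix described just above both reduce to reading workflow YAML. As an added example, not the project's audit tooling or its real test.yml, here is a line-oriented scan (no YAML library needed) that flags the patterns the audit counted and extracts top-level and per-job permissions. `SAFE_WORKFLOW` is a constructed stand-in for a hardened gitleaks job; `RISKY_WORKFLOW` is a constructed counter-example showing what the audit would have flagged.

```python
"""Static audit of GitHub Actions workflow text for the CIPUB-01/02 checks (added example)."""
import re

DANGEROUS_TRIGGERS = ("pull_request_target", "workflow_run")
# Expressions a fork-PR author controls; unsafe inside run: scripts or as a checkout ref:.
PR_CONTROLLED = re.compile(
    r"\$\{\{\s*(github\.head_ref"
    r"|github\.event\.pull_request\.(head\.(ref|label|repo\.\S+)|title|body)"
    r"|github\.event\.issue\.(title|body))\s*\}\}"
)

SAFE_WORKFLOW = """\
name: test
on:
  push:
  pull_request:
permissions:
  contents: read
jobs:
  gitleaks:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
"""

RISKY_WORKFLOW = """\
name: risky
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.ref }}
      - run: echo "${{ github.event.pull_request.title }}"
"""


def audit_workflow(text):
    """Return human-readable findings; an empty list means the checks pass."""
    lines = text.splitlines()
    findings = []
    if not any(re.match(r"permissions:", ln) for ln in lines):
        findings.append("no top-level permissions block (jobs without their own "
                        "block inherit the repository default GITHUB_TOKEN grants)")
    in_on = False
    for i, line in enumerate(lines, 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not line[0].isspace():                  # a new top-level key
            in_on = stripped.startswith(("on:", '"on":'))
        if in_on:
            for trig in DANGEROUS_TRIGGERS:
                if re.search(rf"\b{trig}\b", line):
                    findings.append(f"line {i}: trigger {trig} runs with the base "
                                    "repository's token on fork PRs")
        if PR_CONTROLLED.search(line):
            findings.append(f"line {i}: PR-controlled expression interpolated: {stripped}")
    return findings


def permissions_map(text):
    """Top-level and per-job permissions as dicts (assumes 2-space indentation)."""
    top, jobs = {}, {}
    in_jobs, job, target = False, None, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, val = line.strip().partition(":")
        val = val.strip()
        if indent == 0:
            in_jobs, job = key == "jobs", None
            target = top if key == "permissions" else None
        elif in_jobs and indent == 2:
            job, target = key, None
            jobs[job] = {}
        elif in_jobs and indent == 4 and job:
            target = jobs[job] if key == "permissions" else None
        elif target is not None and val:
            target[key] = val                      # e.g. contents: read
        if key == "permissions" and val and target is not None:
            target["*"] = val                      # shorthand such as permissions: read-all
    return top, jobs


if __name__ == "__main__":
    for name, wf in (("safe", SAFE_WORKFLOW), ("risky", RISKY_WORKFLOW)):
        print(name, audit_workflow(wf) or "OK", permissions_map(wf))
```

The scan is intentionally conservative: it reports any line under `on:` naming a dangerous trigger and any PR-controlled expression anywhere, and leaves deciding whether a hit is acceptable to review, which matches the "opt-in with security review" stance recorded in CIPUB-02.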
Summary
Adds LICENSE, CONTRIBUTING.md, SPDX headers on 16 first-party source files; introduces gitleaks v8.21.2 in pre-commit + CI; tightens least-privilege workflow `permissions:`; designs and applies branch protection (Option B bootstrap, swap to Option A after this PR merges).

Phases
- Phase 7 (c52b3c1) — MIT LICENSE, README/CONTRIBUTING, SPDX headers, ADR-013.
- Phase 8 (c94920a) — gitleaks + trufflehog full-history scans (clean), targeted manual audit (8 patterns × 255 commits, 0 matches), ADR-014, gitleaks gate live in pre-commit + CI.
- Phase 9 (158e465) — branch + large-file + .gitignore + content audits.
- Phase 10 (446c89b) — workflow `permissions:` blocks audited; `pull_request_target` confirmed unused; branch-protection design + apply commands.
- Phase 11 (47780b2) — pre-flight checklist staged; visibility flip is the explicit checkpoint.

Audit trail
- docs/audits/v0.4.0/ (12 files: SEC-01..05, CLEAN-01..04, CIPUB-01..04, PUB-01-preflight)
- .planning/phases/07-11/<NN>-AUDIT.md (5 files)

Test plan
- `test.yml` on this branch — currently green-or-running
- `nightly-qemu.yml` + `nightly-mutation.yml` smoke-dispatched on this ref
- Branch protection applied to `master` ahead of this merge — see `docs/audits/v0.4.0/CIPUB-03-applied.json`
- Swap branch protection to Option A (adds the `gitleaks` context) once that job has run once on `master`

🤖 Generated with Claude Code