Merged
21 commits
1ece74f
feat: codify PHP limits and block .user.ini per Task D152 & #264
mshahid538 Apr 23, 2026
8d44f58
chore(helm): implement multi-site values strategy for burnedout and p…
mshahid538 Apr 23, 2026
b98ac28
chore: bump helm chart version to 3.2.7
mshahid538 Apr 23, 2026
ab4be45
docs(rulesets): update ADR-004 for 2-rule structure, CONTRIBUTING.md …
romandidomizio May 1, 2026
4016188
docs(copilot): address auto-review findings + document PR-creation-ti…
romandidomizio May 1, 2026
4cdbeed
test(copilot): add explanatory comment to trigger auto-review
romandidomizio May 1, 2026
30b5355
Merge branch 'feature/wordpress-docker-copier-template' into feature/…
ncimino May 5, 2026
994c8be
fix: resolve trivy security scan and linting issues
mshahid538 May 6, 2026
c073eb0
updated version bump
mshahid538 May 6, 2026
52bc0a2
fix: resolve yamllint line endings and comment indentation
mshahid538 May 6, 2026
488ebfb
fix: resolve yamllint line endings
mshahid538 May 6, 2026
dc439ff
docs(v3.3.5.1): CODEOWNERS handoff, 1-reviewer, Copilot PR#17 fixes +…
romandidomizio May 13, 2026
4666bb5
Potential fix for pull request finding
romandidomizio May 13, 2026
5961680
docs: align review guidance, ruleset wording, and version metadata
Copilot May 13, 2026
3429a1b
docs: clarify copilot trigger wording and layer-2 pruning criterion
Copilot May 13, 2026
cac4605
docs(v3.4.2.1): fix remaining Copilot PR#17 comments (round-2)
romandidomizio May 13, 2026
2a49201
chore: merge main into branch; resolve ADR-004 + README.md conflicts
romandidomizio May 13, 2026
31fd6e2
Merge pull request #17 from WeOwnNetwork/feature/roman-ruleset-cleanu…
romandidomizio May 13, 2026
d514af5
Merge remote-tracking branch 'origin/main' into feature/wp-hardening-shd
romandidomizio May 13, 2026
0318268
docs: apply markdownlint autofixes for PR #15 CI
ncimino May 14, 2026
8249072
fix(wordpress/helm): address PR #15 review items 10-12
ncimino May 14, 2026
10 changes: 5 additions & 5 deletions .github/ADR-001-service-account-pat.md
@@ -1,9 +1,9 @@
# ADR-001: Ecosystem-Wide GitHub Service Account (`weown-bot`) + Fine-Grained PATs

**Status**: Accepted
**Version**: v3.3.4.1 (#WeOwnVer)
**Version**: v3.4.2.1 (#WeOwnVer)
**Date**: 2026-04-23
**Deciders**: `@romandidomizio`, `@ncimino`
**Deciders**: `@romandidomizio` (original author, left 2026-05-15) — `@ncimino` (current maintainer)
**Supersedes**: None
**Superseded by**: None

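Review bot: the Version field moves from v3.3.4.1 to v3.4.2.1 and the Deciders line now records a 2026-05-15 handoff, but Date stays at 2026-04-23. ADR-002 and ADR-003 in this same PR use the form `2026-04-23 (initial) / 2026-04-28 (revised)`; use that here so a reader can tell which revision the v3.4.2.1 text reflects without consulting git history.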
@@ -40,7 +40,7 @@ Key properties:
4. **90-day expiration** — enforced by GitHub for fine-grained tokens
5. **Centralized secret management** — all PATs stored in Infisical project `weown-bot GitHub PATs` (see ADR-002)
6. **2FA mandatory** on the `weown-bot` GitHub account (TOTP + recovery codes held by infrastructure team)
7. **Documented stewardship** — primary owner today is `@romandidomizio`; transitions to one of Mohammed/Shahid/Dhruv post-2026-05-15 (see CODEOWNERS)
7. **Documented stewardship** — primary PAT steward is `@ncimino` (Nik) as of 2026-05-15 (see CODEOWNERS); `@iamwaseem18` and `@mshahid538` are secondary stewards at `@ncimino`'s discretion
8. **No direct commit access** — branch protection rules require PRs; `weown-bot` authors PRs but does not merge to `main`

---
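Review bot: property 7 names `@iamwaseem18` and `@mshahid538` as secondary stewards only "at `@ncimino`'s discretion", which is not a standing control. Rotating a leaked or expiring PAT (properties 4 and 5) has to work while the primary steward is unavailable, and that requires the secondaries to already hold access to the Infisical project `weown-bot GitHub PATs` and to the 2FA recovery codes from property 6. State the secondaries' access as granted, or say explicitly that the bot is single-steward and record the accepted bus-factor.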
@@ -100,10 +100,10 @@ Some teams mint short-lived tokens via GitHub OIDC → an external IdP → GitHu

| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| PAT leaked | Low | Medium | Fine-grained scope, Infisical audit logs, immediate rotation procedure, branch protection still requires 2 reviewers |
| PAT leaked | Low | Medium | Fine-grained scope, Infisical audit logs, immediate rotation procedure, branch protection still requires 1 reviewer |
| PAT expires unrotated | Medium | Low | 3-layer alert stack (GitHub email, Infisical reminder, scheduled `pat-health-check.yml`) |
| `weown-bot` account compromised | Low | High | 2FA mandatory, unique email, enterprise-managed, no direct commit access, incident response in `INCIDENT_RESPONSE.md` |
| Stewardship gap post-2026-05-15 | Medium | Medium | CODEOWNERS TODO + transition checklist in workflows README |
| Stewardship gap post-2026-05-15 | Resolved | | Transition complete 2026-05-15; `@ncimino` is primary steward per CODEOWNERS; `@iamwaseem18`/`@mshahid538` available at `@ncimino`'s discretion |

---

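Review bot: the "PAT leaked" row weakens the compensating control from 2 reviewers to 1 while leaving Likelihood and Impact unchanged. A leaked PAT plus a single approving account, rather than two, now suffices to land a change on `main`; record that residual risk in the Mitigation cell or revisit the Impact rating. Separately, the "Stewardship gap" row puts "Resolved" in the Likelihood column and leaves Impact empty, which breaks the table's schema; either drop the row (it is a closed item, not a live risk) or move the resolution text into the Mitigation column and keep the original ratings.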
2 changes: 1 addition & 1 deletion .github/ADR-002-infisical-github-sync.md
@@ -3,7 +3,7 @@
**Status**: Accepted
**Version**: v3.3.5.1 (#WeOwnVer)
**Date**: 2026-04-23 (initial) / 2026-04-28 (naming convention revised twice + canonical no-trailing-slash form for folder paths — see Decision Log)
**Deciders**: `@romandidomizio`, `@ncimino`
**Deciders**: `@romandidomizio` (original author, left 2026-05-15) — `@ncimino` (current maintainer)
**Related**: ADR-001 (service account and PATs)
**Supersedes**: None
**Superseded by**: None
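Review bot: the Deciders line is revised but the Version field stays at v3.3.5.1, while ADR-001 is bumped to v3.4.2.1 in the same PR for an equivalent header change. If the `#WeOwnVer` field tracks document revisions, bump it here and in ADR-003 as well; if it tracks the decision rather than the text, say so once so the two conventions are not mixed across the ADRs.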
12 changes: 6 additions & 6 deletions .github/ADR-003-main-branch-ruleset.md
@@ -3,14 +3,14 @@
**Status**: Accepted
**Version**: v3.3.5.1 (#WeOwnVer)
**Date**: 2026-04-23 (ruleset configured) / 2026-04-27 (ADR last revised)
**Deciders**: `@romandidomizio`, `@ncimino`
**Deciders**: `@romandidomizio` (original author, left 2026-05-15) — `@ncimino` (current maintainer)
**Supersedes**: None
**Superseded by**: None
**Related**:

- [`ADR-001`](ADR-001-service-account-pat.md) — service account + PAT posture
- [`ADR-002`](ADR-002-infisical-github-sync.md) — Infisical secret synchronization
- [`ADR-004`](ADR-004-copilot-auto-review-ruleset.md) — `~ALL` branches ruleset (deletion + non_fast_forward + copilot_code_review) at both repo and enterprise scope; complement to this ADR
- [`ADR-004`](ADR-004-copilot-auto-review-ruleset.md) — `~ALL` branches ruleset (`non_fast_forward` + `copilot_code_review`) at both repo and enterprise scope; complement to this ADR
- [`.github/workflows/README.md` §8.1](workflows/README.md#81-branch-ruleset-on-main-configured-2026-04-23) — authoritative ruleset reference
- [`.github/CODEOWNERS`](CODEOWNERS) — path-based reviewer enforcement

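Review bot: the ADR-004 summary drops `deletion` from the `~ALL` ruleset description, so branch-deletion protection is no longer listed as an ADR-004 control. The Consequences section of this ADR still states that rules #11 + #12 + signed commits (#6) make "branch destruction" administratively hard; confirm that whichever rule in this ADR covers deletion on `main` is still enabled, and update that sentence if deletion protection moved or was removed.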
@@ -55,7 +55,7 @@ Prior to this ADR, `main` was protected only by the legacy Branch Protection UI

| # | Rule | SOC 2 | ISO 27001 | ISO 42001 | NIST CSF 2.0 | CIS v8 | Rationale |
|---|---|---|---|---|---|---|---|
| 1 | Require PR with 2 reviewers | CC6.3, CC8.1 | A.5.15, A.5.37 | A.6.2.8 | PR.AC-4, PR.IP-3 | 16.9, 16.11 | Segregation of duties; no solo merges |
| 1 | Require PR with 1 reviewer | CC6.3, CC8.1 | A.5.15, A.5.37 | A.6.2.8 | PR.AC-4, PR.IP-3 | 16.9, 16.11 | Reviewer oversight; no unreviewed merges |
| 2 | Dismiss stale approvals on new push | CC8.1 | A.5.37 | A.9.4 | PR.IP-1 | 16.11 | Prevents approve-then-amend bypass |
| 3 | Require review from Code Owners | CC6.3 | A.5.15 | A.6.2.8 | PR.AC-4 | 16.9 | Path-specific expertise enforced |
| 4 | Require approval of most recent reviewable push | CC8.1 | A.5.37 | A.9.4 | PR.IP-1 | 16.11 | Closes race: approve PR → sneak bad commit → merge |
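Review bot: rule 1 now requires a single reviewer and its rationale changes from "Segregation of duties" to "Reviewer oversight", but the SOC 2 / ISO / CIS mappings (CC6.3, A.5.15, 16.9) were carried over unchanged; re-check that those citations still support a one-approver control. Also, with `@ncimino` as the sole CODEOWNERS assignee (per the Consequences section below), rule 3 leaves a PR authored by `@ncimino` with no other code owner who can approve it; list the secondary reviewers in CODEOWNERS so rules 1 and 3 can both be satisfied for every author.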
@@ -115,11 +115,11 @@ Under SOC 2 CC6.3 and ISO 27001 A.5.15, reviewers and approvers must be subject
- **Mechanical enforcement**: All rules apply without human intervention. No "we forgot to check" gaps.
- **AI review depth**: Rules #10 + CodeQL #9 ensure every change gets both rule-based (CodeQL) and context-aware (Copilot) review before human approval.
- **Incident containment**: Rules #11 + #12 + signed commits (#6) make history rewriting / branch destruction cryptographically and administratively hard.
- **Small-team scalability**: With only 2 active approvers today (`@ncimino` + `@romandidomizio`), the 2-reviewer rule forces coordination but does not block progress. Post-2026-05-15 handoff expands the approver pool per `CODEOWNERS` and the transition checklist.
- **Small-team scalability**: `@ncimino` is the primary approver (sole CODEOWNERS assignee as of 2026-05-15); the 1-reviewer rule ensures coverage without blocking progress. `@iamwaseem18` and `@mshahid538` are available as secondary reviewers at `@ncimino`'s discretion per CODEOWNERS.

### Negative / trade-offs

- **Merge latency**: A PR needs 2 approvers to merge. With distributed teams this may add 12-24h per PR. Mitigation: same-day turnaround culture; urgent hotfixes route through `hotfix/*` with the same ruleset (no bypass) — escalation is a reviewer-availability issue, not a ruleset issue.
- **Merge latency**: A PR needs 1 approver to merge. With distributed teams this may add 12-24h per PR. Mitigation: same-day turnaround culture; urgent hotfixes route through `hotfix/*` with the same ruleset (no bypass) — escalation is a reviewer-availability issue, not a ruleset issue.
- **CodeQL false positives**: Default Setup's "warning and higher" threshold means some low-confidence findings can block merges. Mitigation: reviewer dismisses with justification in the Code Quality tab (this action is itself audit-logged).
- **External contributor friction**: Fork-PRs from outside the org need reviewers to explicitly trigger workflow runs + approve CodeQL. This is the intended posture — external contributions deserve extra scrutiny.
- **Bypass list discipline**: Adding even one role to the bypass list breaks SOC 2 evidence. Any proposal to add a bypass must be documented here as a superseding ADR.
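Review bot: the "Merge latency" bullet changes "2 approvers" to "1 approver" but keeps the "12-24h per PR" estimate and the mitigation text verbatim from the two-approver version; re-estimate the figure or state that it is unchanged on purpose. The "Small-team scalability" bullet also says the 1-reviewer rule "ensures coverage", yet coverage rests on one named approver with secondaries available only at that approver's discretion; naming the secondaries in CODEOWNERS would make the coverage claim hold when the primary is unavailable.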
@@ -152,7 +152,7 @@ We evaluated three postures for the `<dev>` segment:
- Team size (~6 core contributors as of 2026-04-23) doesn't justify Option A's maintenance cost
- External contributors (audit reviewers, one-time collaborators) are expected occasionally and must remain unblocked
- PR review records + CODEOWNERS enforcement already provide audit-grade attribution
- The 2-reviewer rule (#1) + CODEOWNERS (#3) catch misuse socially
- The 1-reviewer rule (#1) + CODEOWNERS (#3) catch misuse socially
- `auto-pr-to-main.yml` attributes automation activity using `${{ github.triggering_actor || github.actor }}`, so the recorded actor is the GitHub user who triggered the workflow run (push, `workflow_dispatch`, or re-run) when available, or the workflow actor otherwise. Attribution is derived directly from GitHub's event context rather than branch-name parsing, inline handle mapping, or git-author-email fallback — no maintenance, no drift risk, and audit evidence is consistent with GitHub's own audit log

### Upgrade triggers — when to revisit
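Review bot: "The 1-reviewer rule (#1) + CODEOWNERS (#3) catch misuse socially" now rests on a single reviewer, which is a weaker check than the two-person review this bullet originally cited to justify not enforcing the `<dev>` segment mechanically; say whether that still tips the decision toward the chosen option. The "~6 core contributors as of 2026-04-23" figure in the first bullet also predates the 2026-05-15 departure recorded elsewhere in this PR; refresh the count or date it, since it is part of the same justification.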