docs(readme): refresh hero + polish sections + add Security & Privacy#6
Merged
yahav-ohana merged 8 commits into main (Apr 21, 2026)
- Swap the externally-hosted user-attachments cover for a repo-hosted transparent logo at `.github/assets/boost-logo.png` (works on both light and dark GitHub themes).
- Keep the "Boost - faster agents, faster CI" tagline; add a small "Sponsored by JFrog" attribution under the badges instead of a JFrog-Boost compound brand.
- Expand the badge row: Release, Go 1.25, Platforms, Downloads, Stars, Agent-native, OpenTelemetry, License. No CI badge since ci.yml does not live in this repo.
- Weave in the "one boost, three surfaces" narrative (terminal / coding agent / CI) with a Why Boost bullet list, a before/after `npm ci` snippet that demonstrates the token compression concretely (~9,800 -> ~640 tokens), and shield rows for supported coding agents (Cursor, Claude Code, Copilot, Codex CLI, Gemini CLI, OpenCode, Windsurf, Cline) and CIs (GitHub Actions supported; GitLab / Jenkins / CircleCI / Azure Pipelines marked "coming soon").
- Split Quick Start into three collapsible sections - CLI, Coding agent (`boost init`), and CI (`uses: jfrog/boost@v0`).
- Fix the rolling-major tag from @v1 to @v0 (matches actual tags).
- Condense the 7-line Beta notice into a single blockquote linking TERMS_OF_USE.md.
- Usage examples, Update, Documentation link, License, and the Dima Gershovich memorial are all preserved.

Docs-only change. License position unchanged.

Made-with: Cursor
- Split badges into two centered rows so the license badge is no longer stranded alone on the second line.
- Trim the Beta blockquote to a single line; drop the "APIs and behavior may change" sentence.
- Before/after now leads with three value bullets (tokens, cache-backed reruns, OTel) before a tightened `npm ci` diff - no longer a pure token-reduction story.
- Replace stacked shields for supported tools with two compact Tool/Status markdown tables.
- Shorten the CI quickstart to `jfrog/boost@v0` + `actions/checkout@v4` + ...
- Rewrite Usage examples to span compression, cache, local test tracking, and CI log digest.
- New Security & Privacy section above License: local-first SQLite, secrets scrubbed via the built-in concealer (Gitleaks patterns plus env-var globs like `*_TOKEN` / `*_SECRET` / `AWS_*` / `DATABASE_URL`), user-redirectable OTel endpoint, signed releases, Beta Agreement link.

Made-with: Cursor
Restores the centered logo image, two-row badges, and Sponsored-by-JFrog block that were accidentally dropped from the previous polish commit. Also adds a subtitle line under the main tagline: For coding agents, their commands, and the CI that runs them. Mirrors the website's hero framing so both surfaces tell the same story. Made-with: Cursor
…ate privacy bullet

- Remove the "Beta. This software is in beta under JFrog's Online Beta Agreement." blockquote; the License section + the Terms bullet in Security & Privacy already link out to TERMS_OF_USE.md.
- Move Quick Start above Why Boost so first-time readers hit the install + usage snippet before the marketing framing.
- Supported tools: replace the two markdown tables with single-line interpunct lists for agents and CI platforms - much less vertical space.
- Security & Privacy: rewrite the "Your data, your backend" bullet to be accurate. Drop the implication that users can pick the destination (traces are always exported). New framing focuses on what is actually collected (only metadata - timing, exit code, cache stats; never raw log bodies / file contents / request payloads) and on the option to plug boost into an existing OTLP stack.
- Fix stray backtick placement around `AWS_*` in the secrets bullet.

Made-with: Cursor
Prepend a brand-green website badge to the meta badge row, matching how leading OSS projects (Astro, Bun, Deno) surface their main site. Uses shields.io badge styling with a chrome glyph so the link stands out as the primary call-to-action for new visitors. Made-with: Cursor
- New SECURITY.md at repo root (GitHub will surface it under the Security tab). Covers vulnerability reporting via security@jfrog.com and GitHub Private Vulnerability Reporting, response-time windows, a 90-day coordinated disclosure default, supported versions, the three security principles (local-first, only metadata leaves with secret redaction via env-var patterns + Gitleaks, OTLP-open), supply-chain notes (signed releases, pinned install.sh checksum, jfrog/boost@v0 pinning guidance), Out of Scope, Terms & Privacy pointers, and a Contact block.
- README Security & Privacy shrunk from 6 bullets to 3 + a link to ./SECURITY.md, keeping only the high-signal claims (local-first, only metadata leaves with secret redaction, open protocol + signed binaries) so the README stays skimmable while the full policy lives next door.

Made-with: Cursor
Promote the secret-handling discussion from a two-bullet sub-item under Security Model into a dedicated top-level "Secret Redaction" section. Keeps the Security Model summary crisp (one line each) and gives the secrets story the depth a JFrog-serious policy doc deserves.

New section covers, all grounded in the real code in internal/concealer and internal/tracing/sanitize.go:

- Detection: env-var globs (credential suffixes, vendor prefixes, specific names), Gitleaks regex rule set, and runtime AddSecret() for tokens surfaced mid-run. Aho-Corasick automaton for linear-time matching across the full registered set; sliding window for boundary-spanning streams.
- Coverage: stdout/stderr, JSONL trace file, local SQLite tracking DB, and every exported OTel span attribute including cmd.line / cmd.args and span names; coverage pinned by sanitize_test.go cases.
- Guarantees: single [REDACTED] placeholder with no partial-reveal modes, env values never persisted, fail-closed at the export boundary (every span goes through sanitizedSpan), zero-copy fast path when nothing matches.

Made-with: Cursor
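As an added illustration of the mechanisms the commit above names (env-var glob registration, runtime `AddSecret()`, and the sliding window for secrets that straddle two streamed chunks), here is a minimal Go sketch; it is not the project's own `internal/concealer` code. The `Concealer`, `Write` and `Flush` names and the sample env values are assumptions, and a plain `strings.ReplaceAll` pass stands in for the Aho-Corasick automaton.

```go
package main

import (
	"path/filepath"
	"strings"
)

// Env-var name globs treated as credentials (the patterns named on the page).
var secretGlobs = []string{"*_TOKEN", "*_SECRET", "AWS_*", "DATABASE_URL"}
const placeholder = "[REDACTED]" // one placeholder, no partial-reveal modes

// Concealer: registered secret values plus the unflushed tail of the last chunk.
type Concealer struct {
	secrets []string
	tail    string
}

// NewConcealer registers the value of every env var whose name matches a glob
// (only values are kept, never written anywhere); hypothetical API, not boost's.
func NewConcealer(env map[string]string) *Concealer {
	c := &Concealer{}
	for name, val := range env {
		for _, g := range secretGlobs {
			if ok, _ := filepath.Match(g, name); ok && len(val) >= 8 {
				c.AddSecret(val)
				break
			}
		}
	}
	return c
}

// AddSecret registers a value discovered mid-run (e.g. a token echoed by a tool).
func (c *Concealer) AddSecret(v string) { c.secrets = append(c.secrets, v) }

// Write scrubs one streamed chunk and returns the part that is safe to emit. The
// last len(longest secret)-1 bytes are held back (sliding window) because they
// may be the start of a secret whose remainder arrives in the next chunk.
func (c *Concealer) Write(chunk string) string {
	out, keep := c.tail+chunk, 0
	for _, s := range c.secrets {
		out = strings.ReplaceAll(out, s, placeholder)
		if len(s)-1 > keep {
			keep = len(s) - 1
		}
	}
	if keep > len(out) {
		keep = len(out)
	}
	c.tail = out[len(out)-keep:]
	return out[:len(out)-keep]
}

// Flush releases the held-back tail; call it exactly once at end of stream.
func (c *Concealer) Flush() string { t := c.tail; c.tail = ""; return t }
```

Without the held-back tail, the first chunk `auth: npm_constru` would be emitted verbatim and the split token would leak; the window is what makes streaming redaction equivalent to redacting the whole output at once.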
Swap the single .github/assets/boost-logo.png for a `<picture>` element with light and dark variants, matching the pattern used by sst/opencode and other leading OSS READMEs:

- .github/assets/boost-logo-light.png - black "boost" wordmark, for light-mode readers (also the fallback `<img>` for clients that don't honor prefers-color-scheme).
- .github/assets/boost-logo-dark.png - white "boost" wordmark, shown to readers whose system / GitHub theme is dark.

Also wraps the logo in a link to the marketing site (https://jfrog.github.io/boost/) so clicking the hero asset lands on the product page - same affordance opencode provides.

Made-with: Cursor
Summary
Refresh of the main `jfrog/boost` README so it tells the full "one boost, everywhere" story, looks like a modern open-source project (more badges, grouped into two rows), and calls out how safe the product is for the machines it drops into. Adds a proper `SECURITY.md` and trims the README to point at it.

What changed
Hero & branding
- `.github/assets/boost-logo.png` replaces the old cover image.
- jfrog.github.io/boost) — same surfacing pattern Astro / Bun / Deno use for their main site.
- `Sponsored by JFrog` attribution under the badges.

Story & narrative
- Why Boost: 3-bullet list telling the "one binary, three surfaces" story (terminal / coding agent / CI).
- Before / after leads with three value bullets (~15× fewer tokens, cache-backed reruns, OTel trace) before a tightened `npm ci` diff.
- Usage examples rewritten to span compression, cache, local test tracking, and CI log digest.

Supported tools
Quick Start
- `jfrog/boost@v0` + `actions/checkout@v4` + `...` (no more confusing `npm ci` / `npm test` placeholders).
- `v1` to `v0`.

Beta notice
- `SECURITY.md` cover the legal surface without pasting the beta disclaimer at the top of the README.

Security & Privacy — new
`SECURITY.md` + short README section. Grounded in real behavior from `internal/concealer/` and `internal/tracing/sanitize.go`:

- `security@jfrog.com` and GitHub Private Vulnerability Reporting (no public issues).
- `v0.x` beta, upgrade with `boost update`).
- `*_TOKEN` / `*_SECRET` / `AWS_*` / … + Gitleaks regex / OTLP-open).
- `install.sh` checksum, `jfrog/boost@v0` pinning guidance).
- `SECURITY.md` — keeps the README skimmable while the full policy lives next door.

Preserved
Test plan
- `<details>` Quick Start sections collapse, and the `SECURITY.md` link resolves.
- `SECURITY.md` on GitHub and confirm the advisory-form link (`/security/advisories/new`) works once Private Vulnerability Reporting is enabled in repo settings.
- `install.sh` + `uses: jfrog/boost@v0` from the Quick Start end-to-end on a clean machine.

Follow-ups (repo-admin actions, not part of this PR)
- `/security/advisories/new` link in SECURITY.md resolves for external reporters.