Vanta v0.4.0
Vanta v0.4.0 — Security + Modularity
A security-skills pack you can run on any repo, every fixable CVE cleared, and a codebase-wide modularity pass — all behavior-preserving (full suite green throughout).
Install / upgrade: `curl -fsSL https://raw.githubusercontent.com/jpoindexter/Vanta/main/bootstrap.sh | bash` — the installer pulls this release's prebuilt kernel automatically. Only git required.
✨ Added
- `security-skills` pack — `secret-scan`, `dependency-audit`, `sast-scan`, `security-preflight`: grounded SKILL.md runbooks plus a runnable `scan.sh` one-command gate (secrets → dependency CVEs → SAST, no agent required). Bundled into Vanta and published standalone at jpoindexter/security-skills.
- Live provider-recovery proof — `scripts/reliability-recovery.sh` verifies the transient-retry actually recovers (not just stops) on a real stalled provider call; `VANTA_CODEX_BASE_URL` makes the codex endpoint overridable.
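As an added example (not the project's own `scan.sh`), a minimal POSIX-sh gate in the same three-stage order that stops at the first failing stage and fails closed when a scanner is missing; the scanner names in the usage comment are assumptions, and the stage commands are passed in by the caller.

```shell
#!/usr/bin/env sh
# Added example: fail-closed, three-stage security gate (secrets -> dependency
# CVEs -> SAST). Not the Vanta scan.sh; stage commands are supplied by the caller.

# run_stage NAME TOOL [ARGS...]: runs the scanner and returns its exit status.
# A scanner that is not installed fails the stage (exit 127), so a missing tool
# can never look like a clean pass.
run_stage() {
  name=$1
  shift
  tool=$1
  if ! command -v "$tool" >/dev/null 2>&1; then
    echo "[$name] FAIL: '$tool' not installed (failing closed)" >&2
    return 127
  fi
  "$@"
  rc=$?
  if [ "$rc" -eq 0 ]; then
    echo "[$name] clean"
  else
    echo "[$name] FAIL: scanner exited $rc" >&2
  fi
  return "$rc"
}

# security_gate SECRETS_CMD DEPS_CMD SAST_CMD: each argument is one command
# string (word-split on purpose). The first failing stage's status is returned,
# so later stages are not even run once an earlier one has failed.
security_gate() {
  for pair in "secrets=$1" "dependency-cves=$2" "sast=$3"; do
    name=${pair%%=*}
    cmd=${pair#*=}
    # shellcheck disable=SC2086  # intentional word-splitting of the command string
    run_stage "$name" $cmd || return $?
  done
  echo "gate: all three stages clean"
}

# Illustrative usage (tool names are assumptions, not part of the release):
#   security_gate "gitleaks detect --no-banner" "osv-scanner -r ." "semgrep --config auto ."
```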
🔒 Fixed (security)
- Shipped runtime is clean — 0 secrets across 2,003 commits, 0 runtime CVEs, kernel zero-dependency.
- Every `vanta-ts` dev-tooling CVE cleared (incl. a vitest 9.8 critical) by migrating to vitest 3 / vite 6 + an esbuild override → `osv-scanner` reports 0 vulnerabilities.
- Docs site: serialize-javascript RCE/DoS → override `7.0.6`; uuid bounds bug → override `11.1.1` (`docusaurus build` verified). The full triage is recorded in `SECURITY.md` §7b.
🧱 Modularity (no behavior change)
- The size gate now has zero exemptions — the `factory/*` autonomous-loop code was brought into compliance, with the `is_protected_path` kernel-mirror kept byte-identical.
- 65 source files modularized under the 200-line soft target (70 → 5) across 6 verified waves — pure-helper / parser / sub-concern extractions, public exports re-exported so importers and tests needed zero edits. The 5 remaining files are deliberately-cohesive registries / type-systems, left whole on purpose.
✅ Verified
Full suite 977 files / 11,132 tests green · 67 kernel tests · tsc clean · size gate clean across 1,272 files · release build OK.
Full changelog: CHANGELOG.md · compare v0.3.0...v0.4.0