Skip to content

docs: prepare OpenSSF Silver readiness evidence#200

Merged
Vishnu2707 merged 1 commit into
devfrom
docs/199-openssf-silver-readiness
Jul 18, 2026
Merged

docs: prepare OpenSSF Silver readiness evidence#200
Vishnu2707 merged 1 commit into
devfrom
docs/199-openssf-silver-readiness

Conversation

@TFT444

@TFT444 TFT444 commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator

Summary

Builds the repository-controlled foundation for OpenSSF Best Practices Silver issue #199 without claiming criteria that require owner or operational confirmation.

Governance and public evidence

  • adds governance, maintainer responsibility, continuity, 12-month roadmap, support and upgrade documentation
  • documents security requirements, threat model, trust boundaries and a structured assurance case
  • adds release-security, accessibility/i18n and vulnerability-credit records
  • adds a criterion-by-criterion Silver evidence register separating ready evidence, gaps, owner actions and likely N/A answers
  • records a preliminary six-month regression-test audit

Technical readiness

  • raises the API/scanner coverage gate from 25% to the Silver requirement of 80%
  • adds direct AzureClient management-wrapper tests; measured local coverage is 82.2%
  • changes frontend lint to fail on warnings and resolves the four existing React hook warnings
  • reconciles public documentation and website inventory with the current 51 rules and 51 playbooks
  • updates supported-version guidance

Owner actions deliberately not claimed

The following remain open for the project lead:

  • confirm real access continuity and bus factor, not only documented roles
  • approve and enforce DCO or another contribution authorization mechanism
  • select and operate release signing/attestation and important tag signing
  • confirm vulnerability acknowledgement history and regression-test evidence
  • complete accessibility, input-validation, algorithm-agility and reproducibility reviews
  • enter reviewed evidence into the official OpenSSF assessment

Validation

  • 382 tests passed with 82.2% API/scanner statement coverage (--cov-fail-under=80)
  • Ruff passes
  • frontend ESLint passes with zero warnings
  • frontend production build passes
  • website security tests pass
  • all workflow YAML parses successfully
  • website and repository rule inventories both report 51 rules
  • git diff --check passes

Advances #199

@github-actions

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@m-khan-97 m-khan-97 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed. Verified the thing I most wanted to check on an OpenSSF-evidence PR: no broken links. Every file the README newly points to (GOVERNANCE.md, MAINTAINERS.md, ROADMAP.md, SUPPORT.md, SECURITY_ACKNOWLEDGEMENTS.md, and the six new docs/*.md) is created within this same PR — I cross-checked the file list against the referenced paths and dev. Self-contained. SECURITY.md's supported-version bump to 0.3.x matches the actual v0.3.0 release. CI is green including backend-tests at the raised gate.

A few things worth surfacing before merge, none blocking:

  1. The coverage gate jump (25 → 80) is a real policy change riding in a "docs/evidence" PR. It passes here, which proves coverage genuinely clears 80% on this branch — good. But once this lands on dev, the other open PRs (#197, #198, #208, #210) were all validated at 25% and will be re-gated at 80% on their next run. The rule PRs add lots of tests so they're likely fine; just flagging the coordination so a small future PR (e.g. a 5-line fix with no test) doesn't get surprise-blocked. Worth a conscious "yes, we're committing to 80%" from the maintainers rather than it slipping in via docs.

  2. Rule count "51" will be stale immediately. #197 (+6) and #198 (+15) are in flight; the moment they merge the real count is 72, not 51. Not your bug — it's the perennial count-churn the ROADMAP itself calls out — but maybe hold the count update until the rule PRs settle, or expect a quick follow-up.

  3. docs/accessibility-and-i18n.md and docs/release-security.md are also created by #206 and #207 respectively. Whichever merges second will conflict. Worth coordinating ordering with TFT444.

  4. Mild scope note: this also touches four frontend files (Header/AILayer/DetailedScan/ChatPanel) and package.json — looks like the eslint-warning cleanups — slightly beyond "OpenSSF docs," but frontend CI passes so no concern.

Approving — the substance is solid and self-consistent. Just make items 1 and 3 conscious decisions rather than accidents.

@Vishnu2707
Vishnu2707 merged commit 6b3f8a8 into dev Jul 18, 2026
19 checks passed
@Vishnu2707
Vishnu2707 deleted the docs/199-openssf-silver-readiness branch July 18, 2026 00:32
@Vishnu2707

Copy link
Copy Markdown
Member

Approved.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants