
docs(security): OSV-Scanner is the chosen vuln gate; close #36 as won't-fix#105

Merged
github-actions[bot] merged 1 commit into main from claude/issue-36-osv-scanner-alt-path on May 15, 2026

Conversation

@admin-jadecli
Contributor

Summary

Per operator decision 2026-05-15: GitHub Advanced Security / Code Scanning is a paid feature. The repo deliberately uses google/osv-scanner-action as its dependency-vuln gate instead. Closes #36 as won't-fix (alt path chosen).

Why this is fine

OSV-Scanner provides equivalent dependency-vuln gating:

  • ✅ Runs on every PR (scan-pr job)
  • ✅ Runs on push to main + weekly cron (scan-main job)
  • ✅ Fail-on-vuln gates merges via the action's exit code
  • ❌ Skipped: SARIF upload to the Security-tab UI (paid feature)

The gate behavior is unchanged; only the visualization differs.

Changes

  • .github/workflows/osv-scanner.yml: Rewrite the upload-sarif: false comment to reflect the deliberate choice (was: "pending operator toggle"; now: "deliberately disabled, alt path chosen")
  • docs/unblock-sequence.md: Phase 0.2 marked deliberately-skipped; optimal-ordering table updated (0 min instead of 2 min); #36 noted as won't-fix

Test plan

  • npm run verify — green
  • OSV-Scanner workflow unchanged in behavior (no YAML logic touched, only the comment)

Closes

Refs

O1

https://claude.ai/code/session_9d8f8432-101f-466f-9c31-b1021ea934e7


Generated by Claude Code

…'t-fix (O1)

Operator decision 2026-05-15: GitHub Advanced Security / Code Scanning
is a paid feature. The repo deliberately uses google/osv-scanner-action
as its dependency-vuln gate instead. OSV-Scanner runs on every PR +
weekly cron and fail-on-vuln gates merges via the action's exit code.
The only thing we give up is the SARIF Security-tab UI; the gate
itself is unchanged.

Changes:
- .github/workflows/osv-scanner.yml: rewrite the upload-sarif: false
  comment to reflect the deliberate choice (was: "pending operator
  toggle"; now: "deliberately disabled, alt path chosen")
- docs/unblock-sequence.md: mark Phase 0.2 as deliberately-skipped;
  #36 closes as won't-fix
- Optimal-ordering table updated (Phase 0.2 → 0 min instead of 2 min)

Closes #36

Refs: O1
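For readers who want to see what the two-job layout described in this PR looks like in practice, here is an added example workflow. It is not the repository's own .github/workflows/osv-scanner.yml (that file is not shown on this page); it uses the reusable workflows published by google/osv-scanner-action. The job names scan-pr and scan-main, the weekly cron, and the upload-sarif: false setting come from the PR description; the PINNED_REF version placeholder, the cron time, the scan-args and the permissions block are assumptions.

```yaml
# Added example of an OSV-Scanner gate shaped like the one this PR describes.
# Not the repo's actual file; PINNED_REF, cron time, scan-args and permissions
# are assumptions and should be adjusted before use.
name: osv-scanner

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
  schedule:
    - cron: '0 6 * * 1'   # assumption: weekly, Monday 06:00 UTC

# Least privilege: with SARIF upload disabled, the job never talks to the
# Code Scanning API, so security-events: write is not granted here.
# (The action's README lists it, but only the SARIF upload step needs it.)
permissions:
  contents: read
  actions: read

jobs:
  # Every PR: report vulnerabilities in the PR's dependency set and fail the
  # job when any are found. The non-zero exit code is the merge gate.
  scan-pr:
    if: ${{ github.event_name == 'pull_request' }}
    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@PINNED_REF  # assumption: pin to a release tag or commit SHA
    with:
      scan-args: |-
        -r
        --skip-git
        ./
      # Deliberately disabled: the Security-tab UI is a paid feature
      # (alt path chosen). The gate is the exit code, not the SARIF report.
      upload-sarif: false
      fail-on-vuln: true

  # Push to main and the weekly cron: catch advisories published after a
  # dependency was merged, since OSV data changes without any code change.
  scan-main:
    if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@PINNED_REF  # assumption: same pinned ref as above
    with:
      scan-args: |-
        -r
        --skip-git
        ./
      upload-sarif: false
      fail-on-vuln: true
```

The workflow on its own only makes the job fail; it becomes a merge gate once scan-pr is listed as a required status check in the branch protection rule for main. Without that, a red check is advisory and a PR can still be merged, which is the thing to verify when relying on the exit code instead of the Security tab.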
@admin-jadecli admin-jadecli added the automerge label May 15, 2026 — with Claude
@admin-jadecli admin-jadecli marked this pull request as ready for review May 15, 2026 07:17
@github-actions github-actions Bot merged commit ebe8bd7 into main May 15, 2026
13 of 14 checks passed
@github-actions
Contributor

Neon branch ready: preview/pr-105-claude/issue-36-osv-scanner-alt-path

Connection strings (pooled + unpooled) are emitted as job outputs for downstream steps. They are NOT printed in the workflow log — see Neon Console (project: divine-cloud-27295848) if you need to inspect them.

@github-actions
Contributor

Neon Schema Diff summary

Schema diff between the compare branch (preview/pr-105-claude/issue-36-osv-scanner-alt-path) and the base branch (production).

Index: neondb-schema.sql
===================================================================
--- neondb-schema.sql	Branch production
+++ neondb-schema.sql	Branch preview/pr-105-claude/issue-36-osv-scanner-alt-path
@@ -196,8 +196,25 @@
 
 ALTER TABLE neon_auth.verification OWNER TO neon_auth;
 
 --
+-- Name: vendor_pages; Type: TABLE; Schema: public; Owner: neondb_owner
+--
+
+CREATE TABLE public.vendor_pages (
+    vendor text NOT NULL,
+    path text NOT NULL,
+    content text NOT NULL,
+    content_hash text NOT NULL,
+    etag text,
+    last_modified text,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL
+);
+
+
+ALTER TABLE public.vendor_pages OWNER TO neondb_owner;
+
+--
 -- Name: account account_pkey; Type: CONSTRAINT; Schema: neon_auth; Owner: neon_auth
 --
 
 ALTER TABLE ONLY neon_auth.account
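Review bot: this hunk introduces a new public.vendor_pages table, but the PR's Changes list and test plan say only a YAML comment and docs/unblock-sequence.md were touched. Because this diff compares the preview branch against production rather than against main, the table may already be on main, but it is worth confirming where it comes from before treating "no logic touched" as covering the database. On the table itself, content_hash is an unconstrained text column: document which hash it holds and consider a CHECK on its format (for example exactly 64 hex characters if it is SHA-256) so a truncated or malformed value cannot be stored, and note that etag and last_modified are nullable free-form text rather than typed columns, so any comparison logic on them has to tolerate NULL.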
@@ -300,8 +317,16 @@
     ADD CONSTRAINT verification_pkey PRIMARY KEY (id);
 
 
 --
+-- Name: vendor_pages vendor_pages_pkey; Type: CONSTRAINT; Schema: public; Owner: neondb_owner
+--
+
+ALTER TABLE ONLY public.vendor_pages
+    ADD CONSTRAINT vendor_pages_pkey PRIMARY KEY (vendor, path);
+
+
+--
 -- Name: account_userId_idx; Type: INDEX; Schema: neon_auth; Owner: neon_auth
 --
 
 CREATE INDEX "account_userId_idx" ON neon_auth.account USING btree ("userId");
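Review bot: the composite key (vendor, path) dedupes only byte-identical strings, and path is unconstrained text, so variants such as a trailing slash or differing case would be stored as separate rows for what is one vendor page. Normalize path at write time, or add a CHECK (for example requiring a leading '/') alongside `ADD CONSTRAINT vendor_pages_pkey PRIMARY KEY (vendor, path);`, so the key actually reflects one row per vendor page.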
@@ -356,8 +381,22 @@
 CREATE INDEX verification_identifier_idx ON neon_auth.verification USING btree (identifier);
 
 
 --
+-- Name: vendor_pages_updated_at_idx; Type: INDEX; Schema: public; Owner: neondb_owner
+--
+
+CREATE INDEX vendor_pages_updated_at_idx ON public.vendor_pages USING btree (updated_at DESC);
+
+
+--
+-- Name: vendor_pages_vendor_idx; Type: INDEX; Schema: public; Owner: neondb_owner
+--
+
+CREATE INDEX vendor_pages_vendor_idx ON public.vendor_pages USING btree (vendor);
+
+
+--
 -- Name: account account_userId_fkey; Type: FK CONSTRAINT; Schema: neon_auth; Owner: neon_auth
 --
 
 ALTER TABLE ONLY neon_auth.account
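Review bot: vendor_pages_vendor_idx duplicates the leading column of the primary-key index on (vendor, path); a btree on that composite already serves equality lookups on vendor alone, so the single-column index adds write and storage cost without a query benefit. Drop `CREATE INDEX vendor_pages_vendor_idx ON public.vendor_pages USING btree (vendor);` unless a specific plan has been shown to need it. The updated_at DESC index is reasonable for "most recently updated" queries and can stay.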

This comment was last updated at Fri, 15 May 2026 07:17:50 GMT



Development

Successfully merging this pull request may close these issues.

[runbook] Enable Code scanning + flip upload-sarif:true

1 participant