
docs: add sale readiness due diligence packet#524

Open
seonghobae wants to merge 14 commits into develop from codex/2b-sale-readiness-due-diligence

Conversation

@seonghobae

Collaborator

Summary

  • Adds a 2026-07-02 sale-readiness due diligence packet for the 2 billion KRW (20억 KRW) readiness track.
  • Captures the live evidence snapshot for open PR routing, Dependabot, Scorecard code-scanning alerts, OpenSSF Best Practices project 13428, Figma metadata mismatch, JS audit, and the Rust glib advisory chain.
  • Updates the dependency policy with the current cargo tree --target all -i glib owner chain observed during the due-diligence pass.

Notes

This does not claim the repository is sale-ready yet. It records the concrete closure criteria and execution order needed before making that claim. Figma Code Connect remains explicitly out of scope.

Verification

  • python3 scripts/checks/verify_docs.py
  • python3 scripts/checks/verify_supply_chain.py
  • python3 scripts/checks/security_gates.py
  • git diff --check

Copilot AI review requested due to automatic review settings July 2, 2026 06:13

Copilot AI left a comment


Pull request overview

Adds a repo-controlled sale-readiness due diligence packet (2026-07-02 snapshot) and aligns the security dependency policy with the current observed Rust glib advisory owner chain and its documented exception rationale.

Changes:

  • Added docs/security/2026-07-02-sale-readiness-due-diligence.md capturing an evidence snapshot, closure criteria, and execution order for sale-readiness due diligence.
  • Updated the RUSTSEC-2024-0429 (glib 0.18.5) exception in docs/security/dependency-policy.md with the current cargo tree --target all -i glib owner chain and Dependabot disposition context.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| docs/security/dependency-policy.md | Updates the documented Rust glib advisory exception details with the current dependency chain and dismissal context. |
| docs/security/2026-07-02-sale-readiness-due-diligence.md | New due diligence packet documenting evidence snapshot, closure criteria, and next execution order for sale-readiness work. |


Comment thread docs/security/dependency-policy.md Outdated
@seonghobae

Collaborator Author

Follow-up after CI failure on ci / build-and-test: restored the glib exception removal-criteria sentence that tests/test_supply_chain_policy.py::test_dependency_policy_documents_rust_glib_legacy_exception requires.

Local verification on commit 5287f32:

  • uv run pytest services/analysis-engine/tests/test_supply_chain_policy.py::test_dependency_policy_documents_rust_glib_legacy_exception
  • python3 scripts/checks/verify_docs.py
  • python3 scripts/checks/verify_supply_chain.py
  • python3 scripts/checks/security_gates.py
  • git diff --check

@opencode-agent

opencode-agent Bot commented Jul 2, 2026


OpenCode Review Overview

  • Head SHA: bc086eb2f0bb0360cd8b4fec94cd8c0b6cc96b89
  • Workflow run: 28623717010
  • Workflow attempt: 1
  • Gate result: APPROVE (exit 0)

Changed-File Evidence Map

```mermaid
flowchart LR
  PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
  Evidence --> S1["Docs (4 files)"]
  S1 --> I1["operator or user guidance"]
  I1 --> R1["Review risk: Docs (4 files)"]
  R1 --> V1["docs review"]
```

@seonghobae seonghobae enabled auto-merge (squash) July 2, 2026 10:32
@seonghobae

Collaborator Author

Security refresh applied from #525 to clear the shared cargo-audit blocker.

Evidence:

  • Added the anyhow lockfile refresh plus quick-xml cargo-audit/OSV policy documentation on top of this PR head; pushed head 689e35b.
  • python3 scripts/checks/verify_supply_chain.py: passed.
  • cargo audit from apps/desktop/src-tauri: passed locally with the repo-owned audit config.
  • python3 scripts/checks/security_gates.py: passed.
  • git diff --check HEAD~2..HEAD: passed.

Security Notes:

  • No security gate was disabled or downgraded.
  • anyhow is refreshed to 1.0.103 for RUSTSEC-2026-0190.
  • RUSTSEC-2026-0194/0195 for quick-xml 0.39.4 remain documented as upstream-owned Tauri/plist and rfd/wayland-scanner transitive exceptions in repo-controlled cargo-audit/OSV configuration; remove the exception when compatible upstream crates move to quick-xml >=0.41.0.
  • This PR's (#524) more specific glib owner-chain due-diligence text was preserved while adding the quick-xml exception text.

@seonghobae

Collaborator Author

2026-07-02 KST sale-readiness checkpoint refreshed.

What changed:

  • Updated the due-diligence packet from the earlier 62-PR snapshot to the current 34-open-PR live state.
  • Recorded unresolved review threads: 0, auto-merge missing: 0, failed/error checks: 0, and current-head checks pending on all open PRs.
  • Recorded FigJam section 13:900 on board WEvhutQSFZITe0RUsZgzC2 as the latest no-Code-Connect security/readiness checkpoint.
  • Recorded OpenSSF Best Practices project 13428 live state: in_progress, passing:null, name:null, license:null, homepage_url:"", 193 unknown status fields, and 2 unmet status fields.

Local verification on 01b2c3e:

  • npm run check:docs
  • npm run check:security-notes
  • npm run check:supply-chain
  • git diff --check

Security Notes: this is evidence/documentation only; it does not weaken any required check, release artifact gate, RustSec exception guard, or OpenSSF follow-up requirement.

@seonghobae

Collaborator Author

2026-07-03 06:46 KST update: pushed bc086eb to clarify buyer data-room evidence semantics. The packet now distinguishes presence-only artifacts from final validated evidence with artifact, evidenceType, validatedBy, validFor, and openGap fields.

Validation passed locally on the PR branch:

  • python3 scripts/checks/verify_docs.py
  • python3 scripts/checks/verify_security_notes.py
  • python3 scripts/checks/verify_supply_chain.py
  • git diff --check

Figma Code Connect was not used.

@seonghobae

Collaborator Author

2026-07-03 06:58 KST update: pushed 6a14994 to add commercial KPI and pilot evidence gates to the due-diligence packet. The packet now ties the 2 billion KRW (20억 KRW) readiness discussion to buyer-demo activation, analysis value, export value, pilot conversion, and ARR pacing evidence without claiming those gaps are already final.

Validation passed locally on the PR branch:

  • python3 scripts/checks/verify_docs.py
  • python3 scripts/checks/verify_security_notes.py
  • python3 scripts/checks/verify_supply_chain.py
  • git diff --check

Figma Code Connect was not used.

@seonghobae

seonghobae commented Jul 2, 2026

Collaborator Author

2026-07-03 07:04 KST update: pushed fe32c73 to add buyer-data-room commercial evidence artifacts.

What changed:

  • Added docs/business/bandscope-commercial-model.md with a bottom-up ARR formula and a 300-500 million KRW (3-5억 KRW) ARR scenario table.
  • Added docs/business/pilot-evidence-template.md with pilot record fields, redaction checks, and the minimum 3-5 pilot sale-readiness set.
  • Updated docs/security/2026-07-02-sale-readiness-due-diligence.md so the commercial model and pilot template are listed as presence-only evidence until real pilot records and Product Design screenshots exist.

Validation passed locally on the PR branch:

  • python3 scripts/checks/verify_docs.py
  • python3 scripts/checks/verify_security_notes.py
  • python3 scripts/checks/verify_supply_chain.py
  • git diff --check

FigJam board WEvhutQSFZITe0RUsZgzC2 was updated with sticky 63:2817 to mirror this checkpoint. Figma Code Connect was not used.


2 participants