docs: add sale readiness due diligence packet #524
Pull request overview
Adds a repo-controlled sale-readiness due diligence packet (2026-07-02 snapshot) and aligns the security dependency policy with the current observed Rust glib advisory owner chain and its documented exception rationale.
Changes:
- Added docs/security/2026-07-02-sale-readiness-due-diligence.md capturing an evidence snapshot, closure criteria, and execution order for sale-readiness due diligence.
- Updated the RUSTSEC-2024-0429 (glib 0.18.5) exception in docs/security/dependency-policy.md with the current `cargo tree --target all -i glib` owner chain and Dependabot disposition context.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| docs/security/dependency-policy.md | Updates the documented Rust glib advisory exception details with the current dependency chain and dismissal context. |
| docs/security/2026-07-02-sale-readiness-due-diligence.md | New due diligence packet documenting evidence snapshot, closure criteria, and next execution order for sale-readiness work. |
Follow-up after CI failure on Local verification on commit
OpenCode Review Overview
Changed-File Evidence Map

```mermaid
flowchart LR
    PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
    Evidence --> S1["Docs (4 files)"]
    S1 --> I1["operator or user guidance"]
    I1 --> R1["Review risk: Docs (4 files)"]
    R1 --> V1["docs review"]
```
Security refresh applied from #525 to clear the shared cargo-audit blocker. Evidence:
Security Notes:
2026-07-02 KST sale-readiness checkpoint refreshed. What changed:
Local verification on
Security Notes: this is evidence/documentation only; it does not weaken any required check, release artifact gate, RustSec exception guard, or OpenSSF follow-up requirement.
2026-07-03 06:46 KST update: pushed bc086eb to clarify buyer data-room evidence semantics. The packet now distinguishes presence-only artifacts from final validated evidence with artifact, evidenceType, validatedBy, validFor, and openGap fields.

Validation passed locally on the PR branch:
- python3 scripts/checks/verify_docs.py
- python3 scripts/checks/verify_security_notes.py
- python3 scripts/checks/verify_supply_chain.py
- git diff --check

Figma Code Connect was not used.
2026-07-03 06:58 KST update: pushed 6a14994 to add commercial KPI and pilot evidence gates to the due-diligence packet. The packet now ties the 2 billion (20억) KRW readiness discussion to buyer-demo activation, analysis value, export value, pilot conversion, and ARR pacing evidence without claiming those gaps are already final.

Validation passed locally on the PR branch:
- python3 scripts/checks/verify_docs.py
- python3 scripts/checks/verify_security_notes.py
- python3 scripts/checks/verify_supply_chain.py
- git diff --check

Figma Code Connect was not used.
2026-07-03 07:04 KST update: pushed What changed:
Validation passed locally on the PR branch:
FigJam board
Summary
glib advisory chain.
`cargo tree --target all -i glib` owner chain observed during the due-diligence pass.
Notes
This does not claim the repository is sale-ready yet. It records the concrete closure criteria and execution order needed before making that claim. Figma Code Connect remains explicitly out of scope.
Verification
- python3 scripts/checks/verify_docs.py
- python3 scripts/checks/verify_supply_chain.py
- python3 scripts/checks/security_gates.py
- git diff --check