From 68d047b1ec735a2a454882a09cdc5ca1de4053f4 Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Thu, 2 Jul 2026 15:13:18 +0900 Subject: [PATCH 01/12] docs: add sale readiness due diligence packet --- ...2026-07-02-sale-readiness-due-diligence.md | 163 ++++++++++++++++++ docs/security/dependency-policy.md | 2 +- 2 files changed, 164 insertions(+), 1 deletion(-) create mode 100644 docs/security/2026-07-02-sale-readiness-due-diligence.md diff --git a/docs/security/2026-07-02-sale-readiness-due-diligence.md b/docs/security/2026-07-02-sale-readiness-due-diligence.md new file mode 100644 index 00000000..414bf970 --- /dev/null +++ b/docs/security/2026-07-02-sale-readiness-due-diligence.md 
@@ -0,0 +1,163 @@ +# 2026-07-02 Sale Readiness Due Diligence Packet + +This packet captures the current evidence needed to move BandScope toward a +20억 KRW sale-readiness discussion. It is not a valuation claim. It is the +repo-controlled checklist for closing the security, release, Figma, and PR +evidence gaps that a strategic buyer or technical diligence reviewer would ask +about first. + +## Current Evidence Snapshot + +Collected on 2026-07-02 KST from GitHub, Best Practices, Figma metadata, and +local repository commands. + +| Area | Current evidence | Sale-readiness interpretation | +| --- | --- | --- | +| GitHub repository | `ContextualWisdomLab/bandscope`, public MIT repo, default branch `develop` | Public diligence surface exists. | +| Open PR queue | 61 open PRs from GitHub REST API | Queue needs product/security routing; review process is not a blocker. | +| Dependabot | One open alert: `glib`, Rust, `GHSA-wrw7-89jp-8q8g`, medium | Must be closed, dismissed with durable rationale, or removed by upstream update before buyer diligence. | +| Code scanning | Two open Scorecard alerts: `VulnerabilitiesID` high and `CIIBestPracticesID` low | Must close or be replaced by explicit accepted-risk evidence. | +| OpenSSF Best Practices | Project `13428`, repo URL `https://github.com/ContextualWisdomLab/bandscope`, baseline `0`, passing `Unmet`, silver `Unmet` | Baseline badge work is a due-diligence blocker. | +| Figma handoff | Figma file `zthWmqfNKUgJBECvv002Qk` currently exposes only top-level page `00 Cover` via metadata | Repo handoff docs and actual Figma content are inconsistent. | +| JavaScript audit | `npm audit --workspaces --audit-level=high` reports 0 vulnerabilities | JS workspace is not the current high-risk advisory lane. | +| Rust advisory chain | `cargo tree --target all -i glib` resolves `glib 0.18.5` through the Tauri/wry/webkit2gtk/gtk GTK3 stack | Repo-controlled exception exists, but GitHub alert remains an external signal. 
| + +## PR Execution Tracks + +The 61 open PRs should be handled by track, not oldest-first. + +| Track | Count | First closure target | +| --- | ---: | --- | +| Due diligence governance | 1 | PR #502, OpenSSF readiness baseline | +| Due diligence security | 15 | Canonicalize path traversal, information leakage, DoS, and command-injection PRs | +| Buyer-demo product | 6 | PR #483 transcription, PR #499 practice progress, PR #481 export | +| Design UX | 8 | YouTube input safety and disabled-state clarity after Figma state matrix repair | +| Quality performance | 12 | PR #401 YouTube import reliability before cosmetic render micro-optimizations | +| Quality tests | 7 | Analysis-engine and workspace tests that support buyer-demo claims | +| Dependencies | 12 | Build/security dependency bumps before UI-only bumps | + +Regenerate the detailed PR routing table from the GitHub API before execution +or publication, because the queue is expected to move while this work is in +review. The table above is the 2026-07-02 evidence snapshot, not a durable +source of truth for future queue counts. + +## Closure Criteria + +### 1. Security And Supply Chain + +- Dependabot open alerts: `0`, or every remaining alert has a repo-controlled + exception with advisory ID, owner chain, exploitability rationale, + compensating controls, and removal trigger. +- Code scanning open alerts: `0`, or every remaining alert has explicit + accepted-risk evidence. +- `scripts/checks/verify_supply_chain.py` passes. +- `npm audit --workspaces --audit-level=high` passes. +- Cargo audit/OSV exceptions remain encoded in: + - `apps/desktop/src-tauri/.cargo/audit.toml` + - `apps/desktop/src-tauri/osv-scanner.toml` + - `docs/security/dependency-policy.md` + - `scripts/checks/verify_supply_chain.py` + +### 2. OpenSSF Best Practices + +- Best Practices project `13428` reaches baseline 100%. +- PR #502 or its canonical successor lands on `develop`. 
+- Evidence exists for repository basics, license, contribution process, + security reporting, build/test invocation, CI, release notes, vulnerability + handling, and current documentation. +- Scorecard `CIIBestPracticesID` no longer reports open. + +### 3. Buyer-Demo v0.2 + +- A reviewer can run a 15-minute demo from local audio or YouTube URL through: + source selection, analysis progress, ready workspace, role review, + bass transcription or groove map, practice progress, and cue/chart/handoff + export. +- Empty, loading, error, and ready states are all covered by tests or Product + Design screenshots. +- Error messages remain path/URL/secret redacted. + +### 4. Figma Without Code Connect + +- Figma Code Connect stays out of scope. +- The Figma file contains the expected handoff pages or their updated names: + component contract, screen blueprints, workspace state matrix, readiness + audit, and buyer-demo flow. +- Repo mirrors in `docs/design-system/` match the live Figma metadata and + screenshots. +- If Figma remains inaccessible or stale, the release notes call that out as a + design-resource gap rather than claiming visual parity. + +### 5. Package Boundary + +- Keep monorepo first. +- Stabilize `services/analysis-engine` as the `bandscope-analysis` Python + package API. +- Stabilize `packages/shared-types` as the runtime schema contract. +- Split a repo, package, subtree, or submodule only when an external SDK, + different license boundary, or distinct release cadence appears. + +## Security Notes + +### Attack Surface + +This packet covers repository security posture, dependency advisories, Figma +handoff accuracy, PR queue handling, release evidence, local file intake, +YouTube URL intake, subprocess analysis, cache/temp storage, and export +behavior. 
+ +### Trust Boundary + +Relevant boundaries are the GitHub repository and security alerts, the Rust +Tauri/wry/webkit2gtk dependency graph, Figma design metadata, local user audio +files, remote YouTube metadata, native subprocess execution, app-owned +cache/temp roots, and exported cue/chart/handoff files. + +### Realistic Threats + +- A buyer or security reviewer treats open GitHub alerts as unresolved risk. +- A vulnerable dependency is dismissed without a clear owner chain and removal + trigger. +- Figma handoff docs claim implementation guidance that is not present in the + accessible Figma file. +- PR queue churn mixes security fixes with unrelated feature or UI changes. +- Error, log, or export paths leak local paths, URLs, secrets, or untrusted + metadata. + +### Mitigations + +- Keep vulnerability exceptions in repo-controlled config and documentation. +- Re-check GitHub Dependabot and code-scanning alerts before every sale-readiness + claim. +- Process security and OpenSSF PRs before buyer-demo feature PRs. +- Preserve narrow URL/file/subprocess allowlists from `docs/security/app-security.md`. +- Keep Figma Code Connect out of CI and use Figma only as editable design and + audit evidence. + +### Remaining Risk + +The `glib 0.18.5` advisory is still open in GitHub Dependabot even though the +repo has a controlled Cargo/OSV exception. That is acceptable only as a +short-term diligence gap. The final sale-readiness target is either a patched +upstream chain or a reviewed external alert disposition that points back to the +repo-controlled exception. 
+ +### Test Points + +- `gh api repos/ContextualWisdomLab/bandscope/dependabot/alerts` +- `gh api repos/ContextualWisdomLab/bandscope/code-scanning/alerts` +- `curl -fsSL https://www.bestpractices.dev/projects/13428.json` +- `cargo tree --target all -i glib` +- `npm audit --workspaces --audit-level=high` +- `python3 scripts/checks/verify_supply_chain.py` +- Figma metadata read for file `zthWmqfNKUgJBECvv002Qk` + +## Next Execution Order + +1. Land or replace PR #502 with an evidence-backed OpenSSF baseline update. +2. Decide the GitHub-facing disposition for the open `glib` Dependabot alert. +3. Canonicalize the P0 security PRs that touch path traversal, information + leakage, and command-injection risks. +4. Restore Figma handoff pages before merging broad UX tooltip/state PRs. +5. Merge buyer-demo product PRs in the order transcription, practice progress, + export, then supporting workspace views. diff --git a/docs/security/dependency-policy.md b/docs/security/dependency-policy.md index d3a9680e..a34dc38f 100644 --- a/docs/security/dependency-policy.md +++ b/docs/security/dependency-policy.md 
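Review bot: the `### Test Points` list at the end of this hunk gives the commands to run but not what each should return, so a diligence reviewer cannot tell pass from fail without reading back to `## Closure Criteria`. Suggest pairing each command with its expected result as the closure criteria already state it: `gh api repos/ContextualWisdomLab/bandscope/dependabot/alerts` should return no alert with `state` equal to `open` (or only alerts whose advisory ID appears in `docs/security/dependency-policy.md`), and `npm audit --workspaces --audit-level=high` should exit 0 with 0 vulnerabilities. `curl -fsSL https://www.bestpractices.dev/projects/13428.json` is listed without the fields the packet reads (the baseline and passing badge levels quoted in the evidence table); naming them keeps the snapshot reproducible. The same applies to `cargo tree --target all -i glib`: the expected output is "resolves only through the Tauri/wry/webkit2gtk/gtk chain", which is the scope the exception depends on.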
@@ -103,7 +103,7 @@ Current controlled exceptions: - No Python vulnerability exceptions are active. `GHSA-5239-wwwm-4pmq` (`Pygments <2.20.0`) was removed by locking `Pygments` to `2.20.0`; the CI `security-audit` workflow must run `pip-audit --local --strict` against the synced `uv` environment without a targeted ignore for that advisory. - Cargo audit warnings for legacy `gtk3` vulnerabilities (e.g. `RUSTSEC-2024-0413`) inherited through Tauri v2 `wry`/`webkit2gtk` integration are explicitly allowed. These are deep framework dependencies with no alternative, so they are documented exceptions and ignored by default. -- `RUSTSEC-2024-0429` for `glib 0.18.5` is allowed only for the `VariantStrIter` advisory inherited through the Tauri/wry/webkit2gtk/gtk GTK3 stack. A compatible lockfile refresh can move the desktop stack to `tauri 2.11.3`, `wry 0.55.1`, `tao 0.35.3`, `muda 0.19.3`, and related transitive patches, but it still does not move this stack to patched `glib >=0.20.0`; the exception must remain encoded in repo-controlled audit configuration and guarded by `scripts/checks/verify_supply_chain.py`, and it must be removed when upstream drops or patches the chain. +- `RUSTSEC-2024-0429` for `glib 0.18.5` is allowed only for the `VariantStrIter` advisory inherited through the Tauri/wry/webkit2gtk/gtk GTK3 stack. As of the 2026-07-02 due-diligence pass, `cargo tree --target all -i glib` resolves the chain through `tauri 2.11.4`, `tauri-runtime-wry 2.11.4`, `wry 0.55.1`, `webkit2gtk 2.0.2`, and `gtk 0.18.2`, but it still does not move this stack to patched `glib >=0.20.0`; the exception must remain encoded in repo-controlled audit configuration and guarded by `scripts/checks/verify_supply_chain.py`, and it must be removed when upstream drops or patches the chain. Retired third-party deprecation and advisory signal: From dd404bcf4d2ee5d625c7a64edbbf0fe5f2a89997 Mon Sep 17 00:00:00 2001 
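Review bot: the rewritten `RUSTSEC-2024-0429` bullet drops the sentence recording that a compatible lockfile refresh to `tauri 2.11.3`, `wry 0.55.1`, `tao 0.35.3`, and `muda 0.19.3` still does not reach patched `glib >=0.20.0`. That sentence was the evidence that the upgrade path had been tried and ruled out; replacing it with only the chain resolved on 2026-07-02 (`tauri 2.11.4`, `tauri-runtime-wry 2.11.4`, `wry 0.55.1`, `webkit2gtk 2.0.2`, `gtk 0.18.2`) keeps the current state but loses the negative result a reviewer will ask for. Keep both: the baseline that was tested and the chain as of the diligence pass. The bullet is also one very long line; splitting it into owner chain, tested upgrade result, and removal trigger would make the next change to it reviewable as a diff.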
From: Seongho Bae Date: Thu, 2 Jul 2026 15:16:46 +0900 Subject: [PATCH 02/12] docs: record glib alert disposition --- .../2026-07-02-sale-readiness-due-diligence.md | 18 ++++++++++-------- docs/security/dependency-policy.md | 2 +- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/docs/security/2026-07-02-sale-readiness-due-diligence.md b/docs/security/2026-07-02-sale-readiness-due-diligence.md index 414bf970..b8173306 100644 --- a/docs/security/2026-07-02-sale-readiness-due-diligence.md +++ b/docs/security/2026-07-02-sale-readiness-due-diligence.md 
@@ -15,12 +15,12 @@ local repository commands. | --- | --- | --- | | GitHub repository | `ContextualWisdomLab/bandscope`, public MIT repo, default branch `develop` | Public diligence surface exists. | | Open PR queue | 61 open PRs from GitHub REST API | Queue needs product/security routing; review process is not a blocker. | -| Dependabot | One open alert: `glib`, Rust, `GHSA-wrw7-89jp-8q8g`, medium | Must be closed, dismissed with durable rationale, or removed by upstream update before buyer diligence. | +| Dependabot | Alert #1: `glib`, Rust, `GHSA-wrw7-89jp-8q8g`, medium; dismissed on 2026-07-02 as `tolerable_risk` with repo-controlled rationale | GitHub-facing disposition is closed; patched upstream chain is still the preferred final state. | | Code scanning | Two open Scorecard alerts: `VulnerabilitiesID` high and `CIIBestPracticesID` low | Must close or be replaced by explicit accepted-risk evidence. | | OpenSSF Best Practices | Project `13428`, repo URL `https://github.com/ContextualWisdomLab/bandscope`, baseline `0`, passing `Unmet`, silver `Unmet` | Baseline badge work is a due-diligence blocker. | | Figma handoff | Figma file `zthWmqfNKUgJBECvv002Qk` currently exposes only top-level page `00 Cover` via metadata | Repo handoff docs and actual Figma content are inconsistent. | | JavaScript audit | `npm audit --workspaces --audit-level=high` reports 0 vulnerabilities | JS workspace is not the current high-risk advisory lane. | -| Rust advisory chain | `cargo tree --target all -i glib` resolves `glib 0.18.5` through the Tauri/wry/webkit2gtk/gtk GTK3 stack | Repo-controlled exception exists, but GitHub alert remains an external signal. | +| Rust advisory chain | `cargo tree --target all -i glib` resolves `glib 0.18.5` through the Tauri/wry/webkit2gtk/gtk GTK3 stack | Repo-controlled exception and Dependabot disposition now align. | ## PR Execution Tracks 
@@ -136,11 +136,12 @@ cache/temp roots, and exported cue/chart/handoff files. ### Remaining Risk -The `glib 0.18.5` advisory is still open in GitHub Dependabot even though the -repo has a controlled Cargo/OSV exception. That is acceptable only as a -short-term diligence gap. The final sale-readiness target is either a patched -upstream chain or a reviewed external alert disposition that points back to the -repo-controlled exception. +The `glib 0.18.5` advisory remains in the Rust dependency graph even though +Dependabot alert #1 is dismissed as `tolerable_risk`. That disposition is +acceptable only while the owner chain remains limited to the Tauri/wry/ +webkit2gtk/gtk GTK3 stack and `scripts/checks/verify_supply_chain.py` keeps +guarding the exception scope. The final sale-readiness target is still a +patched upstream chain. ### Test Points @@ -155,7 +156,8 @@ repo-controlled exception. ## Next Execution Order 1. Land or replace PR #502 with an evidence-backed OpenSSF baseline update. -2. Decide the GitHub-facing disposition for the open `glib` Dependabot alert. +2. Keep the `glib` Dependabot disposition evidence current until upstream + removes or patches the GTK3 chain. 3. Canonicalize the P0 security PRs that touch path traversal, information leakage, and command-injection risks. 4. Restore Figma handoff pages before merging broad UX tooltip/state PRs. diff --git a/docs/security/dependency-policy.md b/docs/security/dependency-policy.md index a34dc38f..bbfe696e 100644 --- a/docs/security/dependency-policy.md +++ b/docs/security/dependency-policy.md 
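Review bot: the new Dependabot row and the `### Remaining Risk` rewrite record the dismissal reason `tolerable_risk` but not what the GitHub-side dismissal comment says or links to. Closure criterion 1 in this same file asks for advisory ID, owner chain, exploitability rationale, compensating controls, and removal trigger; the rewritten paragraph covers owner chain and removal trigger (`scripts/checks/verify_supply_chain.py` guarding scope) but says nothing about why the `VariantStrIter` unsoundness is not reachable from BandScope's inputs or what compensates for it. Suggest one sentence on exploitability plus the dismissal comment text, so the GitHub alert and `docs/security/dependency-policy.md` point at each other in both directions. Note also that `gh api repos/ContextualWisdomLab/bandscope/dependabot/alerts` lists dismissed alerts as well as open ones, so the `### Test Points` expectation should be "alert #1 present with `state: dismissed` and `dismissed_reason: tolerable_risk`", not "no alerts".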
@@ -103,7 +103,7 @@ Current controlled exceptions: - No Python vulnerability exceptions are active. `GHSA-5239-wwwm-4pmq` (`Pygments <2.20.0`) was removed by locking `Pygments` to `2.20.0`; the CI `security-audit` workflow must run `pip-audit --local --strict` against the synced `uv` environment without a targeted ignore for that advisory. - Cargo audit warnings for legacy `gtk3` vulnerabilities (e.g. `RUSTSEC-2024-0413`) inherited through Tauri v2 `wry`/`webkit2gtk` integration are explicitly allowed. These are deep framework dependencies with no alternative, so they are documented exceptions and ignored by default. -- `RUSTSEC-2024-0429` for `glib 0.18.5` is allowed only for the `VariantStrIter` advisory inherited through the Tauri/wry/webkit2gtk/gtk GTK3 stack. As of the 2026-07-02 due-diligence pass, `cargo tree --target all -i glib` resolves the chain through `tauri 2.11.4`, `tauri-runtime-wry 2.11.4`, `wry 0.55.1`, `webkit2gtk 2.0.2`, and `gtk 0.18.2`, but it still does not move this stack to patched `glib >=0.20.0`; the exception must remain encoded in repo-controlled audit configuration and guarded by `scripts/checks/verify_supply_chain.py`, and it must be removed when upstream drops or patches the chain. +- `RUSTSEC-2024-0429` for `glib 0.18.5` is allowed only for the `VariantStrIter` advisory inherited through the Tauri/wry/webkit2gtk/gtk GTK3 stack. As of the 2026-07-02 due-diligence pass, `cargo tree --target all -i glib` resolves the chain through `tauri 2.11.4`, `tauri-runtime-wry 2.11.4`, `wry 0.55.1`, `webkit2gtk 2.0.2`, and `gtk 0.18.2`, but it still does not move this stack to patched `glib >=0.20.0`; Dependabot alert #1 was dismissed as `tolerable_risk` with this repo-controlled rationale; the exception must remain encoded in repo-controlled audit configuration and guarded by `scripts/checks/verify_supply_chain.py`, and it must be removed when upstream drops or patches the chain. Retired third-party deprecation and advisory signal: 
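Review bot: the inserted clause "Dependabot alert #1 was dismissed as `tolerable_risk` with this repo-controlled rationale" identifies the alert only by its repository-local number, while the packet identifies it by `GHSA-wrw7-89jp-8q8g` and this bullet by `RUSTSEC-2024-0429`. Put the GHSA ID in the bullet as well, so the policy entry can be matched to the GitHub alert without the packet, and so a reviewer checking the `gh api ... dependabot/alerts` output can search for one string. The bullet now runs four semicolon-joined clauses in a single line; breaking it into short sentences (advisory IDs, owner chain, disposition, removal trigger) would make later edits to any one of them visible in a diff.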
From feccb3dae5d6c61c4d31261f9204311ca4c9fc3b Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Thu, 2 Jul 2026 15:23:37 +0900 Subject: [PATCH 03/12] docs: update sale readiness execution status --- ...2026-07-02-sale-readiness-due-diligence.md | 29 ++++++++++++------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/docs/security/2026-07-02-sale-readiness-due-diligence.md b/docs/security/2026-07-02-sale-readiness-due-diligence.md index b8173306..597005ee 100644 --- a/docs/security/2026-07-02-sale-readiness-due-diligence.md +++ b/docs/security/2026-07-02-sale-readiness-due-diligence.md 
@@ -14,21 +14,22 @@ local repository commands. | Area | Current evidence | Sale-readiness interpretation | | --- | --- | --- | | GitHub repository | `ContextualWisdomLab/bandscope`, public MIT repo, default branch `develop` | Public diligence surface exists. | -| Open PR queue | 61 open PRs from GitHub REST API | Queue needs product/security routing; review process is not a blocker. | +| Open PR queue | 62 open PRs from GitHub REST API after closing superseded PR #502 and opening PR #524/#525 | Queue needs product/security routing; review process is not a blocker. | | Dependabot | Alert #1: `glib`, Rust, `GHSA-wrw7-89jp-8q8g`, medium; dismissed on 2026-07-02 as `tolerable_risk` with repo-controlled rationale | GitHub-facing disposition is closed; patched upstream chain is still the preferred final state. | -| Code scanning | Two open Scorecard alerts: `VulnerabilitiesID` high and `CIIBestPracticesID` low | Must close or be replaced by explicit accepted-risk evidence. | -| OpenSSF Best Practices | Project `13428`, repo URL `https://github.com/ContextualWisdomLab/bandscope`, baseline `0`, passing `Unmet`, silver `Unmet` | Baseline badge work is a due-diligence blocker. | +| Code scanning | Two open Scorecard alerts: #30 `VulnerabilitiesID` high for `RUSTSEC-2026-0190`, and #29 `CIIBestPracticesID` low | PR #525 addresses #30; issue #526 tracks the external OpenSSF badge work for #29. | +| OpenSSF Best Practices | Project `13428`, repo URL `https://github.com/ContextualWisdomLab/bandscope`, baseline `0`, passing `Unmet`, silver `Unmet`; issue #526 tracks completion | Baseline badge work is a due-diligence blocker outside normal PR-only flow. | | Figma handoff | Figma file `zthWmqfNKUgJBECvv002Qk` currently exposes only top-level page `00 Cover` via metadata | Repo handoff docs and actual Figma content are inconsistent. | | JavaScript audit | `npm audit --workspaces --audit-level=high` reports 0 vulnerabilities | JS workspace is not the current high-risk advisory lane. 
| | Rust advisory chain | `cargo tree --target all -i glib` resolves `glib 0.18.5` through the Tauri/wry/webkit2gtk/gtk GTK3 stack | Repo-controlled exception and Dependabot disposition now align. | ## PR Execution Tracks -The 61 open PRs should be handled by track, not oldest-first. +The open PRs should be handled by track, not oldest-first. This table started +from the 61-PR snapshot and must be regenerated before batch execution. | Track | Count | First closure target | | --- | ---: | --- | -| Due diligence governance | 1 | PR #502, OpenSSF readiness baseline | +| Due diligence governance | 1 | Issue #526, OpenSSF Best Practices project `13428` | | Due diligence security | 15 | Canonicalize path traversal, information leakage, DoS, and command-injection PRs | | Buyer-demo product | 6 | PR #483 transcription, PR #499 practice progress, PR #481 export | | Design UX | 8 | YouTube input safety and disabled-state clarity after Figma state matrix repair | @@ -61,7 +62,8 @@ source of truth for future queue counts. ### 2. OpenSSF Best Practices - Best Practices project `13428` reaches baseline 100%. -- PR #502 or its canonical successor lands on `develop`. +- Issue #526 closes with external Best Practices evidence; PR #502 stays closed + unless replaced by a non-duplicate workflow or documentation change. - Evidence exists for repository basics, license, contribution process, security reporting, build/test invocation, CI, release notes, vulnerability handling, and current documentation. 
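Review bot: the `Due diligence governance` row keeps `Count` at 1 while its first closure target changes from PR #502 to issue #526. The column counts open PRs, so either the row should read 0 (PR #502 is closed per the queue row) or the header should say the count includes tracked issues. The queue row now says 62 open PRs after closing #502 and opening #524/#525, yet the track counts still sum to 61; the new intro sentence admits the table is stale, but a mismatch between the headline figure and the table in the same file is the first thing a diligence reviewer will spot. Suggest regenerating the counts in the same commit that changes the headline figure, or leaving the headline at the snapshot value until the table is regenerated.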
@@ -143,6 +145,10 @@ webkit2gtk/gtk GTK3 stack and `scripts/checks/verify_supply_chain.py` keeps guarding the exception scope. The final sale-readiness target is still a patched upstream chain. +Scorecard alert #30 remains open until PR #525 merges and Scorecard reruns on +`develop`. Scorecard alert #29 remains open until Best Practices project +`13428` is completed on bestpractices.dev and the Scorecard signal refreshes. + ### Test Points - `gh api repos/ContextualWisdomLab/bandscope/dependabot/alerts` @@ -155,11 +161,12 @@ patched upstream chain. ## Next Execution Order -1. Land or replace PR #502 with an evidence-backed OpenSSF baseline update. -2. Keep the `glib` Dependabot disposition evidence current until upstream +1. Merge PR #525 after checks pass to remove `RUSTSEC-2026-0190`. +2. Complete issue #526 on bestpractices.dev for OpenSSF project `13428`. +3. Keep the `glib` Dependabot disposition evidence current until upstream removes or patches the GTK3 chain. -3. Canonicalize the P0 security PRs that touch path traversal, information +4. Canonicalize the P0 security PRs that touch path traversal, information leakage, and command-injection risks. -4. Restore Figma handoff pages before merging broad UX tooltip/state PRs. -5. Merge buyer-demo product PRs in the order transcription, practice progress, +5. Restore Figma handoff pages before merging broad UX tooltip/state PRs. +6. Merge buyer-demo product PRs in the order transcription, practice progress, export, then supporting workspace views. From 5287f325d4a39436e0f323044459036487b44b8b Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Thu, 2 Jul 2026 15:40:37 +0900 Subject: [PATCH 04/12] docs: restore glib exception removal criteria --- docs/security/dependency-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/security/dependency-policy.md b/docs/security/dependency-policy.md index bbfe696e..7af6abb3 100644 --- a/docs/security/dependency-policy.md 
+++ b/docs/security/dependency-policy.md 
@@ -103,7 +103,7 @@ Current controlled exceptions: - No Python vulnerability exceptions are active. `GHSA-5239-wwwm-4pmq` (`Pygments <2.20.0`) was removed by locking `Pygments` to `2.20.0`; the CI `security-audit` workflow must run `pip-audit --local --strict` against the synced `uv` environment without a targeted ignore for that advisory. - Cargo audit warnings for legacy `gtk3` vulnerabilities (e.g. `RUSTSEC-2024-0413`) inherited through Tauri v2 `wry`/`webkit2gtk` integration are explicitly allowed. These are deep framework dependencies with no alternative, so they are documented exceptions and ignored by default. -- `RUSTSEC-2024-0429` for `glib 0.18.5` is allowed only for the `VariantStrIter` advisory inherited through the Tauri/wry/webkit2gtk/gtk GTK3 stack. As of the 2026-07-02 due-diligence pass, `cargo tree --target all -i glib` resolves the chain through `tauri 2.11.4`, `tauri-runtime-wry 2.11.4`, `wry 0.55.1`, `webkit2gtk 2.0.2`, and `gtk 0.18.2`, but it still does not move this stack to patched `glib >=0.20.0`; Dependabot alert #1 was dismissed as `tolerable_risk` with this repo-controlled rationale; the exception must remain encoded in repo-controlled audit configuration and guarded by `scripts/checks/verify_supply_chain.py`, and it must be removed when upstream drops or patches the chain. +- `RUSTSEC-2024-0429` for `glib 0.18.5` is allowed only for the `VariantStrIter` advisory inherited through the Tauri/wry/webkit2gtk/gtk GTK3 stack. The previously documented baseline (`tauri 2.11.3`, `wry 0.55.1`, `tao 0.35.3`, and `muda 0.19.3`) did not resolve the inherited GTK3 owner chain. As of the 2026-07-02 due-diligence pass, `cargo tree --target all -i glib` resolves the chain through `tauri 2.11.4`, `tauri-runtime-wry 2.11.4`, `wry 0.55.1`, `webkit2gtk 2.0.2`, and `gtk 0.18.2`, but it still does not move this stack to patched `glib >=0.20.0`. 
A compatible lockfile refresh can move the desktop stack to a patched `glib >=0.20.0` only when the upstream Tauri/wry GTK3 integration drops or patches the chain. Dependabot alert #1 was dismissed as `tolerable_risk` with this repo-controlled rationale; the exception must remain encoded in repo-controlled audit configuration and guarded by `scripts/checks/verify_supply_chain.py`, and it must be removed when upstream drops or patches the chain. Retired third-party deprecation and advisory signal: From 1a3b9a6b28b9c7ac5387e4c4e715592be4e7195b Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Thu, 2 Jul 2026 15:20:17 +0900 Subject: [PATCH 05/12] fix: update anyhow for RustSec 2026-0190 --- apps/desktop/src-tauri/Cargo.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apps/desktop/src-tauri/Cargo.lock b/apps/desktop/src-tauri/Cargo.lock index 4d9ae737..0df254ea 100644 --- a/apps/desktop/src-tauri/Cargo.lock +++ b/apps/desktop/src-tauri/Cargo.lock @@ -28,9 +28,9 @@ dependencies = [ [[package]] name = "anyhow" -version = "1.0.102" +version = "1.0.103" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c" +checksum = "2a4385e2e34eb35d6b3efe798b9eb88096925d87726c0798709bf56d9ed84af3" [[package]] name = "atk" From 689e35b5ade050342a75bf1fe0b72cac723c1877 Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Thu, 2 Jul 2026 19:45:56 +0900 Subject: [PATCH 06/12] fix: document quick-xml advisory exceptions --- apps/desktop/src-tauri/.cargo/audit.toml | 2 ++ apps/desktop/src-tauri/osv-scanner.toml | 8 ++++++++ docs/security/dependency-policy.md | 1 + 3 files changed, 11 insertions(+) diff --git a/apps/desktop/src-tauri/.cargo/audit.toml b/apps/desktop/src-tauri/.cargo/audit.toml index 9fc2a4f3..861e0aa5 100644 --- a/apps/desktop/src-tauri/.cargo/audit.toml +++ b/apps/desktop/src-tauri/.cargo/audit.toml 
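Review bot: the restored bullet states the removal trigger twice ("only when the upstream Tauri/wry GTK3 integration drops or patches the chain" and "must be removed when upstream drops or patches the chain"), and the new sentence about a compatible lockfile refresh restates that condition rather than adding a checkable criterion. Suggest one explicit removal criterion phrased so a script can evaluate it, e.g. `cargo tree --target all -i glib` no longer resolves any `glib <0.20.0`, and, if `scripts/checks/verify_supply_chain.py` does not already assert exactly that, make it do so, so the exception expires on its own instead of depending on someone re-reading this bullet after the next Tauri bump.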
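Review bot: the `anyhow` bump from 1.0.102 to 1.0.103 is a lockfile-only change with no audit-config or policy edit, which is the right shape for a fix that removes an advisory rather than excepting it, but the commit message writes the advisory as `RustSec 2026-0190` while every document in this series uses `RUSTSEC-2026-0190`; using the canonical ID keeps `git log` searches and the Scorecard alert text aligned. The checksum changing alongside the version is expected. What a reviewer still lacks is the confirmation that `cargo audit` (or the CI `security-audit` workflow) reports the advisory as cleared after this bump; a line in the commit body recording that result is the evidence Scorecard alert #30 will be closed against.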
@@ -17,4 +17,6 @@ ignore = [ "RUSTSEC-2025-0100", # unic-ucd-ident: unmaintained "RUSTSEC-2025-0098", # unic-ucd-version: unmaintained "RUSTSEC-2024-0429", # glib 0.18.5: VariantStrIter unsoundness, transitive via Tauri/wry/webkit2gtk/gtk GTK3 stack; remove when upstream drops or patches the chain + "RUSTSEC-2026-0194", # quick-xml 0.39.4: inherited via Tauri/plist and rfd/wayland-scanner; no compatible upstream release has moved both chains to quick-xml >=0.41.0 yet + "RUSTSEC-2026-0195", # quick-xml 0.39.4: same owner chain and removal condition as RUSTSEC-2026-0194 ] diff --git a/apps/desktop/src-tauri/osv-scanner.toml b/apps/desktop/src-tauri/osv-scanner.toml index 16b3b20e..c8fc5e44 100644 --- a/apps/desktop/src-tauri/osv-scanner.toml +++ b/apps/desktop/src-tauri/osv-scanner.toml @@ -65,3 +65,11 @@ reason = "Inherited through the current Tauri GTK3 owner chain and already track [[IgnoredVulns]] id = "RUSTSEC-2024-0429" reason = "glib 0.18.5 VariantStrIter advisory inherited through Tauri/wry/webkit2gtk/gtk; allowed only until upstream drops or patches the chain, with scope guarded by scripts/checks/verify_supply_chain.py." + +[[IgnoredVulns]] +id = "RUSTSEC-2026-0194" +reason = "quick-xml 0.39.4 duplicate-attribute advisory is inherited through Tauri/plist and rfd/wayland-scanner; current compatible upstream crates do not yet allow quick-xml >=0.41.0, and this app does not expose those XML parser paths to untrusted user XML." + +[[IgnoredVulns]] +id = "RUSTSEC-2026-0195" +reason = "quick-xml 0.39.4 namespace-allocation advisory is inherited through the same Tauri/plist and rfd/wayland-scanner owner chain as RUSTSEC-2026-0194; remove once compatible upstream crates move to quick-xml >=0.41.0." diff --git a/docs/security/dependency-policy.md b/docs/security/dependency-policy.md index 7af6abb3..71c544d3 100644 --- a/docs/security/dependency-policy.md +++ b/docs/security/dependency-policy.md 
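Review bot: the two new `[[IgnoredVulns]]` entries in `osv-scanner.toml` carry an exposure claim ("this app does not expose those XML parser paths to untrusted user XML") that the matching `.cargo/audit.toml` comments omit, so the two configs give different rationales for the same advisories; keep them in sync so whichever tool a reviewer reads states the full case. Make the exposure claim concrete enough to re-verify: which inputs reach `plist` (via Tauri) and `wayland-scanner` (via `rfd`) in this app, and whether `wayland-scanner` only runs at build time. The `RUSTSEC-2026-0194` comment says "no compatible upstream release has moved both chains to quick-xml >=0.41.0 yet"; recording which `plist` and `wayland-scanner` versions were checked turns that from a standing claim into a removal trigger that can be re-tested.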
@@ -104,6 +104,7 @@ Current controlled exceptions: - No Python vulnerability exceptions are active. `GHSA-5239-wwwm-4pmq` (`Pygments <2.20.0`) was removed by locking `Pygments` to `2.20.0`; the CI `security-audit` workflow must run `pip-audit --local --strict` against the synced `uv` environment without a targeted ignore for that advisory. - Cargo audit warnings for legacy `gtk3` vulnerabilities (e.g. `RUSTSEC-2024-0413`) inherited through Tauri v2 `wry`/`webkit2gtk` integration are explicitly allowed. These are deep framework dependencies with no alternative, so they are documented exceptions and ignored by default. - `RUSTSEC-2024-0429` for `glib 0.18.5` is allowed only for the `VariantStrIter` advisory inherited through the Tauri/wry/webkit2gtk/gtk GTK3 stack. The previously documented baseline (`tauri 2.11.3`, `wry 0.55.1`, `tao 0.35.3`, and `muda 0.19.3`) did not resolve the inherited GTK3 owner chain. As of the 2026-07-02 due-diligence pass, `cargo tree --target all -i glib` resolves the chain through `tauri 2.11.4`, `tauri-runtime-wry 2.11.4`, `wry 0.55.1`, `webkit2gtk 2.0.2`, and `gtk 0.18.2`, but it still does not move this stack to patched `glib >=0.20.0`. A compatible lockfile refresh can move the desktop stack to a patched `glib >=0.20.0` only when the upstream Tauri/wry GTK3 integration drops or patches the chain. Dependabot alert #1 was dismissed as `tolerable_risk` with this repo-controlled rationale; the exception must remain encoded in repo-controlled audit configuration and guarded by `scripts/checks/verify_supply_chain.py`, and it must be removed when upstream drops or patches the chain. +- `RUSTSEC-2026-0194` and `RUSTSEC-2026-0195` for `quick-xml 0.39.4` are allowed only while the current compatible upstream owner chains still require vulnerable `quick-xml`: `plist 1.9.0` through Tauri, and `wayland-scanner 0.31.10` through Linux `rfd`/Wayland dependencies. 
`quick-xml >=0.41.0` is patched, but `plist 1.9.0` requires `quick-xml ^0.39.2` and the current `wayland-scanner` release also has no compatible patched path. BandScope does not expose either owner chain as a user-controlled XML ingestion surface; the exception must stay encoded in repo-controlled cargo-audit and OSV configuration, and must be removed once compatible upstream crates publish a patched dependency path. Retired third-party deprecation and advisory signal: From 01b2c3e82e4f66dd840fa69c15379ac75f4e50d1 Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Thu, 2 Jul 2026 21:32:07 +0900 Subject: [PATCH 07/12] docs: refresh sale readiness checkpoint --- ...2026-07-02-sale-readiness-due-diligence.md | 85 ++++++++++++------- 1 file changed, 54 insertions(+), 31 deletions(-) diff --git a/docs/security/2026-07-02-sale-readiness-due-diligence.md b/docs/security/2026-07-02-sale-readiness-due-diligence.md index 597005ee..6f25a5a7 100644 --- a/docs/security/2026-07-02-sale-readiness-due-diligence.md +++ b/docs/security/2026-07-02-sale-readiness-due-diligence.md 
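Review bot: this patch adds the `quick-xml` exception to `.cargo/audit.toml`, `osv-scanner.toml`, and `dependency-policy.md` but, per the diffstat, not to `scripts/checks/verify_supply_chain.py`, while closure criterion 1 of the sale-readiness packet lists all four locations and the `glib` bullet directly above this one says its scope is guarded by that script. Either extend the script's guard to `RUSTSEC-2026-0194` and `RUSTSEC-2026-0195` in the same change, or say in the bullet why these two are not scope-guarded. The bullet's "does not expose either owner chain as a user-controlled XML ingestion surface" should also name the inputs that do reach `plist 1.9.0` and `wayland-scanner 0.31.10`, since the packet's attack surface lists local file intake and export; that is the exploitability statement the closure criterion asks for.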
@@ -8,39 +8,45 @@ about first. ## Current Evidence Snapshot -Collected on 2026-07-02 KST from GitHub, Best Practices, Figma metadata, and -local repository commands. +Collected on 2026-07-02 KST from GitHub, Best Practices, Figma/FigJam +metadata, and local repository commands. | Area | Current evidence | Sale-readiness interpretation | | --- | --- | --- | | GitHub repository | `ContextualWisdomLab/bandscope`, public MIT repo, default branch `develop` | Public diligence surface exists. | -| Open PR queue | 62 open PRs from GitHub REST API after closing superseded PR #502 and opening PR #524/#525 | Queue needs product/security routing; review process is not a blocker. | -| Dependabot | Alert #1: `glib`, Rust, `GHSA-wrw7-89jp-8q8g`, medium; dismissed on 2026-07-02 as `tolerable_risk` with repo-controlled rationale | GitHub-facing disposition is closed; patched upstream chain is still the preferred final state. | -| Code scanning | Two open Scorecard alerts: #30 `VulnerabilitiesID` high for `RUSTSEC-2026-0190`, and #29 `CIIBestPracticesID` low | PR #525 addresses #30; issue #526 tracks the external OpenSSF badge work for #29. | -| OpenSSF Best Practices | Project `13428`, repo URL `https://github.com/ContextualWisdomLab/bandscope`, baseline `0`, passing `Unmet`, silver `Unmet`; issue #526 tracks completion | Baseline badge work is a due-diligence blocker outside normal PR-only flow. | -| Figma handoff | Figma file `zthWmqfNKUgJBECvv002Qk` currently exposes only top-level page `00 Cover` via metadata | Repo handoff docs and actual Figma content are inconsistent. | +| Open PR queue | 34 open PRs. Unresolved review threads: `0`. Auto-merge missing: `0`. Failed/error checks: `0`. Current-head checks pending on all 34 PRs. | Queue is now routed and unblocked by review state; new CI failures, not review process, are the active execution risk. 
| +| Dependabot | `0` open alerts after alert #1 (`glib`, Rust, `GHSA-wrw7-89jp-8q8g`, medium) was dismissed on 2026-07-02 as `tolerable_risk` with repo-controlled rationale | GitHub-facing disposition is closed; patched upstream chain is still the preferred final state. | +| Code scanning | Two open Scorecard alerts on `develop`: #30 `VulnerabilitiesID` high for `RUSTSEC-2026-0190`, and #29 `CIIBestPracticesID` low | PR #525 and all other open PR heads now carry the RustSec policy update; alert #30 remains open until merge plus Scorecard refresh. Issue #526 tracks the external OpenSSF badge work for #29. | +| OpenSSF Best Practices | Project `13428`, repo URL `https://github.com/ContextualWisdomLab/bandscope`, badge `in_progress`, `passing:null`, `name:null`, `license:null`, `homepage_url:""`, 193 unknown status fields, 2 unmet status fields | Baseline badge work is a due-diligence blocker outside normal PR-only flow and must be completed in bestpractices.dev. | +| Figma/FigJam handoff | FigJam board `WEvhutQSFZITe0RUsZgzC2` section `13:900` records the 2026-07-02 21:20 KST security-audit refresh without Code Connect. Figma design file `zthWmqfNKUgJBECvv002Qk` remains the design-system source referenced by `docs/design-system/`. | Live design evidence exists, but final sale-readiness still needs Product Design screenshots for ready/error/export flows and any Figma file drift rechecked before visual PRs merge. | | JavaScript audit | `npm audit --workspaces --audit-level=high` reports 0 vulnerabilities | JS workspace is not the current high-risk advisory lane. | | Rust advisory chain | `cargo tree --target all -i glib` resolves `glib 0.18.5` through the Tauri/wry/webkit2gtk/gtk GTK3 stack | Repo-controlled exception and Dependabot disposition now align. | ## PR Execution Tracks -The open PRs should be handled by track, not oldest-first. This table started -from the 61-PR snapshot and must be regenerated before batch execution. 
+The open PRs should be handled by track, not oldest-first. This table is the +current 34-PR checkpoint after the RustSec policy was propagated to every open +PR head except the canonical #525 source branch, which already contains it. | Track | Count | First closure target | | --- | ---: | --- | -| Due diligence governance | 1 | Issue #526, OpenSSF Best Practices project `13428` | -| Due diligence security | 15 | Canonicalize path traversal, information leakage, DoS, and command-injection PRs | -| Buyer-demo product | 6 | PR #483 transcription, PR #499 practice progress, PR #481 export | -| Design UX | 8 | YouTube input safety and disabled-state clarity after Figma state matrix repair | -| Quality performance | 12 | PR #401 YouTube import reliability before cosmetic render micro-optimizations | -| Quality tests | 7 | Analysis-engine and workspace tests that support buyer-demo claims | -| Dependencies | 12 | Build/security dependency bumps before UI-only bumps | +| Due diligence governance | 2 | PR #524 sale-readiness packet and issue #526/OpenSSF Best Practices project `13428` | +| Due diligence security | 5 | PR #525 RustSec baseline, #527 project ID path guard, #537 traversal rejection, #538 error sanitization, #531 range parsing hardening | +| Buyer-demo product | 2 | PR #489 BPM display and #499 practice progress | +| Design UX | 3 | PR #528 YouTube URL cap, #529 clear button, #530 disabled nav tooltip/accessibility behavior | +| Quality performance | 5 | PR #367, #401, #482, #506, #523 | +| Quality tests | 6 | PR #395 and #532-#536 analysis/export/pitch/role/section coverage | +| Dependencies | 11 | PR #436, #437, #440-#446, #508, #510, #511 | Regenerate the detailed PR routing table from the GitHub API before execution or publication, because the queue is expected to move while this work is in -review. The table above is the 2026-07-02 evidence snapshot, not a durable -source of truth for future queue counts. +review. 
The table above is the 2026-07-02 21:20 KST evidence snapshot, not a +durable source of truth for future queue counts. + +Every current open PR head now carries the `anyhow 1.0.103` RustSec update and +the repo-controlled `quick-xml` audit/OSV exception policy. Local evidence +passed on each refreshed head: `scripts/checks/verify_supply_chain.py`, +`cargo audit`, `scripts/checks/security_gates.py`, and `git diff --check`. ## Closure Criteria @@ -64,9 +70,10 @@ source of truth for future queue counts. - Best Practices project `13428` reaches baseline 100%. - Issue #526 closes with external Best Practices evidence; PR #502 stays closed unless replaced by a non-duplicate workflow or documentation change. -- Evidence exists for repository basics, license, contribution process, - security reporting, build/test invocation, CI, release notes, vulnerability - handling, and current documentation. +- Evidence exists and is entered in bestpractices.dev for project name, + description, homepage or justification, license, repository basics, + contribution process, security reporting, build/test invocation, CI, release + notes, vulnerability handling, and current documentation. - Scorecard `CIIBestPracticesID` no longer reports open. ### 3. Buyer-Demo v0.2 @@ -87,6 +94,8 @@ source of truth for future queue counts. audit, and buyer-demo flow. - Repo mirrors in `docs/design-system/` match the live Figma metadata and screenshots. +- FigJam board `WEvhutQSFZITe0RUsZgzC2` keeps a current security/readiness + checkpoint section when repo state changes materially. - If Figma remains inaccessible or stale, the release notes call that out as a design-resource gap rather than claiming visual parity. 
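Review bot: the Dependencies row of the PR Execution Tracks table lists more PRs than its count: `PR #436, #437, #440-#446, #508, #510, #511` enumerates 12 PRs (two, a seven-PR range, and three) against a count of 11, and 11 is the figure that makes the track counts sum to the 34 reported in the Open PR queue row. Either one PR in the range is not in this track or the count is wrong; enumerate the range explicitly so the 34-PR checkpoint can be reconciled. In the same hunk, the Open PR queue row reports `Failed/error checks: 0` while also stating `Current-head checks pending on all 34 PRs`; say that the zero reflects no completed runs rather than passing checks, otherwise the row reads as CI evidence it does not yet have.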
@@ -145,9 +154,17 @@ webkit2gtk/gtk GTK3 stack and `scripts/checks/verify_supply_chain.py` keeps guarding the exception scope. The final sale-readiness target is still a patched upstream chain. -Scorecard alert #30 remains open until PR #525 merges and Scorecard reruns on -`develop`. Scorecard alert #29 remains open until Best Practices project -`13428` is completed on bestpractices.dev and the Scorecard signal refreshes. +Scorecard alert #30 remains open until PR #525 or an equivalent RustSec policy +head merges and Scorecard reruns on `develop`. Scorecard alert #29 remains open +until Best Practices project `13428` is completed on bestpractices.dev and the +Scorecard signal refreshes. + +All 34 open PRs still have current-head GitHub checks pending at this +checkpoint. #525 already has successful macOS amd64 and macOS arm64 build jobs, +but older #510/#511 evidence showed a macOS Intel DMG bundling failure before +the current RustSec propagation. Treat any new current-head DMG failure as a +release-readiness blocker and harden `.github/workflows/build-baseline.yml` +without weakening release artifact evidence. ### Test Points 
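Review bot: the new paragraph on the macOS Intel DMG bundling failure cites `older #510/#511 evidence` without a run or job reference, so a reviewer cannot tell whether the failure was environmental or a packaging defect, and `harden .github/workflows/build-baseline.yml without weakening release artifact evidence` does not say what hardening is intended. Record the failed run reference and the intended change (for example which bundling step is to fail closed and which artifact evidence must survive it) so the release-readiness blocker has a verifiable closure condition.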
@@ -158,15 +175,21 @@ Scorecard alert #30 remains open until PR #525 merges and Scorecard reruns on - `npm audit --workspaces --audit-level=high` - `python3 scripts/checks/verify_supply_chain.py` - Figma metadata read for file `zthWmqfNKUgJBECvv002Qk` +- FigJam read for board `WEvhutQSFZITe0RUsZgzC2`, section `13:900` ## Next Execution Order -1. Merge PR #525 after checks pass to remove `RUSTSEC-2026-0190`. -2. Complete issue #526 on bestpractices.dev for OpenSSF project `13428`. -3. Keep the `glib` Dependabot disposition evidence current until upstream +1. Keep polling current-head GitHub checks for all 34 open PRs; fix any new + failure before merging lower-value product or dependency work. +2. Merge PR #525 or any equivalent branch carrying the same RustSec policy + after checks pass to remove `RUSTSEC-2026-0190` from `develop`. +3. Complete issue #526 on bestpractices.dev for OpenSSF project `13428`. +4. Keep the `glib` Dependabot disposition evidence current until upstream removes or patches the GTK3 chain. -4. Canonicalize the P0 security PRs that touch path traversal, information +5. Canonicalize the P0 security PRs that touch path traversal, information leakage, and command-injection risks. -5. Restore Figma handoff pages before merging broad UX tooltip/state PRs. -6. Merge buyer-demo product PRs in the order transcription, practice progress, - export, then supporting workspace views. +6. Capture Product Design screenshots for ready, error, export, and mobile + buyer-demo flows, then mirror any material findings in FigJam without Code + Connect. +7. Merge buyer-demo product PRs in the order BPM, practice progress, export, + then supporting workspace views. From dc8cc583f776b59296a321923ff4c70a500e6cb7 Mon Sep 17 00:00:00 2001 
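Review bot: step 5 in Next Execution Order still says to canonicalize the P0 security PRs covering `path traversal, information leakage, and command-injection risks`, but the Due diligence security track in this same patch now lists five named PRs (#525, #527, #537, #538, #531) and none of them is a command-injection PR; the earlier 15-PR wording that mentioned DoS and command injection was removed from the table. Either update step 5 to name the five PRs or record where the command-injection and DoS PRs went (merged, closed, or retracked), since a diligence reader will otherwise assume open command-injection fixes exist.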
From: Seongho Bae Date: Thu, 2 Jul 2026 22:03:14 +0900 Subject: [PATCH 08/12] docs: refresh due diligence checkpoint --- ...2026-07-02-sale-readiness-due-diligence.md | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/docs/security/2026-07-02-sale-readiness-due-diligence.md b/docs/security/2026-07-02-sale-readiness-due-diligence.md index 6f25a5a7..9104899f 100644 --- a/docs/security/2026-07-02-sale-readiness-due-diligence.md +++ b/docs/security/2026-07-02-sale-readiness-due-diligence.md 
@@ -14,11 +14,11 @@ metadata, and local repository commands. | Area | Current evidence | Sale-readiness interpretation | | --- | --- | --- | | GitHub repository | `ContextualWisdomLab/bandscope`, public MIT repo, default branch `develop` | Public diligence surface exists. | -| Open PR queue | 34 open PRs. Unresolved review threads: `0`. Auto-merge missing: `0`. Failed/error checks: `0`. Current-head checks pending on all 34 PRs. | Queue is now routed and unblocked by review state; new CI failures, not review process, are the active execution risk. | +| Open PR queue | 34 open PRs. Unresolved review threads: `0`. Auto-merge missing: `0`. Failed/error checks: `0`. Current-head checks pending on all 34 PRs; 641 queued/pending check items at 2026-07-02 21:59 KST. | Queue is now routed and unblocked by review state; new CI failures, not review process, are the active execution risk. | | Dependabot | `0` open alerts after alert #1 (`glib`, Rust, `GHSA-wrw7-89jp-8q8g`, medium) was dismissed on 2026-07-02 as `tolerable_risk` with repo-controlled rationale | GitHub-facing disposition is closed; patched upstream chain is still the preferred final state. | | Code scanning | Two open Scorecard alerts on `develop`: #30 `VulnerabilitiesID` high for `RUSTSEC-2026-0190`, and #29 `CIIBestPracticesID` low | PR #525 and all other open PR heads now carry the RustSec policy update; alert #30 remains open until merge plus Scorecard refresh. Issue #526 tracks the external OpenSSF badge work for #29. | | OpenSSF Best Practices | Project `13428`, repo URL `https://github.com/ContextualWisdomLab/bandscope`, badge `in_progress`, `passing:null`, `name:null`, `license:null`, `homepage_url:""`, 193 unknown status fields, 2 unmet status fields | Baseline badge work is a due-diligence blocker outside normal PR-only flow and must be completed in bestpractices.dev. 
| -| Figma/FigJam handoff | FigJam board `WEvhutQSFZITe0RUsZgzC2` section `13:900` records the 2026-07-02 21:20 KST security-audit refresh without Code Connect. Figma design file `zthWmqfNKUgJBECvv002Qk` remains the design-system source referenced by `docs/design-system/`. | Live design evidence exists, but final sale-readiness still needs Product Design screenshots for ready/error/export flows and any Figma file drift rechecked before visual PRs merge. | +| Figma/FigJam handoff | FigJam board `WEvhutQSFZITe0RUsZgzC2` section `13:900` records the 2026-07-02 21:59 KST security-audit refresh without Code Connect. Figma design file `zthWmqfNKUgJBECvv002Qk` remains the design-system source referenced by `docs/design-system/`. | Live design evidence exists, but final sale-readiness still needs Product Design screenshots for ready/error/export flows and any Figma file drift rechecked before visual PRs merge. | | JavaScript audit | `npm audit --workspaces --audit-level=high` reports 0 vulnerabilities | JS workspace is not the current high-risk advisory lane. | | Rust advisory chain | `cargo tree --target all -i glib` resolves `glib 0.18.5` through the Tauri/wry/webkit2gtk/gtk GTK3 stack | Repo-controlled exception and Dependabot disposition now align. | @@ -26,7 +26,8 @@ metadata, and local repository commands. The open PRs should be handled by track, not oldest-first. This table is the current 34-PR checkpoint after the RustSec policy was propagated to every open -PR head except the canonical #525 source branch, which already contains it. +PR head, including the canonical #525 source branch and #523 restored-policy +head `02fe673`. | Track | Count | First closure target | | --- | ---: | --- | 
@@ -40,13 +41,17 @@ PR head except the canonical #525 source branch, which already contains it. Regenerate the detailed PR routing table from the GitHub API before execution or publication, because the queue is expected to move while this work is in -review. The table above is the 2026-07-02 21:20 KST evidence snapshot, not a +review. The table above is the 2026-07-02 21:59 KST evidence snapshot, not a durable source of truth for future queue counts. Every current open PR head now carries the `anyhow 1.0.103` RustSec update and -the repo-controlled `quick-xml` audit/OSV exception policy. Local evidence -passed on each refreshed head: `scripts/checks/verify_supply_chain.py`, -`cargo audit`, `scripts/checks/security_gates.py`, and `git diff --check`. +the repo-controlled `quick-xml` audit/OSV exception policy, with no inline +quick-xml ignore in `.github/workflows/security-audit.yml`. PR #523 was +repaired again at `02fe673` after bot commit `9413356` reverted the policy +files. Local evidence passed on #523: `scripts/checks/verify_supply_chain.py`, +`cargo audit`, `scripts/checks/security_gates.py`, `npm run check:supply-chain`, +`npm run check:security-notes`, and `git diff --check`; all open heads were +audited through GitHub contents API for the same policy shape. ## Closure Criteria From bc086eb2f0bb0360cd8b4fec94cd8c0b6cc96b89 Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Fri, 3 Jul 2026 06:48:25 +0900 Subject: [PATCH 09/12] docs: clarify buyer data room evidence semantics --- ...2026-07-02-sale-readiness-due-diligence.md | 23 ++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/docs/security/2026-07-02-sale-readiness-due-diligence.md b/docs/security/2026-07-02-sale-readiness-due-diligence.md index 9104899f..49d26b7b 100644 --- a/docs/security/2026-07-02-sale-readiness-due-diligence.md +++ b/docs/security/2026-07-02-sale-readiness-due-diligence.md 
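Review bot: the statement that bot commit `9413356` reverted the policy files on PR #523 and that the head was `repaired again at 02fe673` describes a security-policy regression introduced by automation, but the hunk neither identifies the bot nor says what prevents a repeat; the follow-up was a manual audit of all open heads through the GitHub contents API. Name the bot and, if `scripts/checks/verify_supply_chain.py` or `scripts/checks/security_gates.py` fails a head whose audit/OSV exception policy is missing, state that it runs as a required check so the next revert fails CI instead of needing another manual sweep.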
@@ -14,7 +14,7 @@ metadata, and local repository commands. | Area | Current evidence | Sale-readiness interpretation | | --- | --- | --- | | GitHub repository | `ContextualWisdomLab/bandscope`, public MIT repo, default branch `develop` | Public diligence surface exists. | -| Open PR queue | 34 open PRs. Unresolved review threads: `0`. Auto-merge missing: `0`. Failed/error checks: `0`. Current-head checks pending on all 34 PRs; 641 queued/pending check items at 2026-07-02 21:59 KST. | Queue is now routed and unblocked by review state; new CI failures, not review process, are the active execution risk. | +| Open PR queue | 34 open PRs. Live 2026-07-03 06:46 KST routing: `BEHIND` 4, `BLOCKED` 30, `DIRTY` 0. Auto-merge missing: `0`. Completed failures are limited to #527/#528 coverage policy and #446/#367 Strix/OpenCode provider fallback tracks that are parked behind central `.github` PRs #291 and #292. | Queue is routed and no longer blocked by review state or queued checks. Source-backed completed failures and due-diligence evidence gaps are the active execution risk. | | Dependabot | `0` open alerts after alert #1 (`glib`, Rust, `GHSA-wrw7-89jp-8q8g`, medium) was dismissed on 2026-07-02 as `tolerable_risk` with repo-controlled rationale | GitHub-facing disposition is closed; patched upstream chain is still the preferred final state. | | Code scanning | Two open Scorecard alerts on `develop`: #30 `VulnerabilitiesID` high for `RUSTSEC-2026-0190`, and #29 `CIIBestPracticesID` low | PR #525 and all other open PR heads now carry the RustSec policy update; alert #30 remains open until merge plus Scorecard refresh. Issue #526 tracks the external OpenSSF badge work for #29. 
| | OpenSSF Best Practices | Project `13428`, repo URL `https://github.com/ContextualWisdomLab/bandscope`, badge `in_progress`, `passing:null`, `name:null`, `license:null`, `homepage_url:""`, 193 unknown status fields, 2 unmet status fields | Baseline badge work is a due-diligence blocker outside normal PR-only flow and must be completed in bestpractices.dev. | 
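Review bot: the replacement Open PR queue row reports `BLOCKED` 30 while its interpretation column says the queue is `no longer blocked by review state or queued checks`; with unresolved review threads at 0 and auto-merge present on every PR, the row should say which branch-protection condition still yields `BLOCKED` for 30 PRs (for example required approvals or a required check that has not reported). The same row names #527 among the completed failures, and #527 is the project ID path guard PR in the Due diligence security track, so the wording that failures are `limited to #527/#528 coverage policy` should say whether that failure blocks the security track or only the coverage gate.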
@@ -22,6 +22,27 @@ metadata, and local repository commands. | JavaScript audit | `npm audit --workspaces --audit-level=high` reports 0 vulnerabilities | JS workspace is not the current high-risk advisory lane. | | Rust advisory chain | `cargo tree --target all -i glib` resolves `glib 0.18.5` through the Tauri/wry/webkit2gtk/gtk GTK3 stack | Repo-controlled exception and Dependabot disposition now align. | +## Buyer Data Room Evidence Semantics + +Buyer data-room files must separate "present in the repository" from "final +evidence passed." A manifest, checklist, screenshot, or packet entry is useful +only if a reviewer can see what validated it and what still remains provisional. + +Use these fields when turning this packet into a data-room manifest, release +note, or acquisition audit: + +| Field | Meaning | BandScope examples | +| --- | --- | --- | +| `artifact` | The file, workflow artifact, release asset, issue, PR, or FigJam node being offered as evidence. | This packet, SBOM artifacts, OpenSSF project `13428`, buyer-demo screenshots, FigJam board `WEvhutQSFZITe0RUsZgzC2`. | +| `evidenceType` | `presence-only`, `validated`, `accepted-risk`, or `external-blocked`. | A markdown packet is `presence-only` until checks and owner evidence validate it; the `glib` disposition is `accepted-risk`; OpenSSF is `external-blocked` until bestpractices.dev is completed. | +| `validatedBy` | The command, workflow, release verification, issue, or human-owned external record that proves the artifact. | `scripts/checks/verify_supply_chain.py`, `npm audit --workspaces --audit-level=high`, current-head GitHub checks, release artifact manifest checks, issue #526. | +| `validFor` | The diligence question this artifact answers. | Security posture, release reproducibility, design handoff, pilot evidence, transfer readiness, or package-boundary rationale. | +| `openGap` | The concrete missing proof before a buyer can treat it as final evidence. 
| OpenSSF baseline completion, current-head CI failure closure, Product Design screenshots, or release SBOM/checksum retention. | + +Do not mark an item as final evidence just because the file exists. Final +evidence requires a current validation path, a named owner or source of truth, +and an explicit removal or refresh condition for accepted-risk items. + ## PR Execution Tracks The open PRs should be handled by track, not oldest-first. This table is the From 6a1499492ff7dfdda5eadab3f26e0fe5515b450c Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Fri, 3 Jul 2026 06:54:23 +0900 Subject: [PATCH 10/12] docs: add commercial KPI evidence gates --- .../2026-07-02-sale-readiness-due-diligence.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/docs/security/2026-07-02-sale-readiness-due-diligence.md b/docs/security/2026-07-02-sale-readiness-due-diligence.md index 49d26b7b..0617fa4a 100644 --- a/docs/security/2026-07-02-sale-readiness-due-diligence.md +++ b/docs/security/2026-07-02-sale-readiness-due-diligence.md 
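Review bot: the closing paragraph of the new Buyer Data Room Evidence Semantics section requires `an explicit removal or refresh condition for accepted-risk items`, but the field table defines no field to carry it: `openGap` records missing proof, not when an accepted risk expires. Add a field for the refresh or removal condition (the `glib` disposition already has one in prose: removal once upstream patches the GTK3 chain) so a manifest row for an `accepted-risk` artifact can be checked for it mechanically.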
@@ -43,6 +43,24 @@ Do not mark an item as final evidence just because the file exists. Final evidence requires a current validation path, a named owner or source of truth, and an explicit removal or refresh condition for accepted-risk items. +## Commercial KPI And Pilot Evidence Gates + +The 20억 KRW discussion depends on proof that BandScope can become a repeatable +local-first rehearsal product, not just a clean repository. Use these KPI gates +to decide whether an artifact supports sale readiness or is still provisional. + +| Gate | Target evidence | Validation path | Open gap | +| --- | --- | --- | --- | +| Buyer-demo activation | A new reviewer can complete source selection, analysis start, ready review, and export within 15 minutes. | Product Design screenshots for empty, selected, loading, error, ready, export, and mobile states; local smoke script or recorded demo notes. | Screenshots and demo transcript are still required before claiming final buyer-demo evidence. | +| Analysis value | Ready workspace shows tempo/BPM, role guidance, groove or bass structure, section roadmap, confidence, and priority sections. | Current-head product PRs #489 and #499 plus workspace state tests or screenshots. | Feature PRs must merge and be rechecked on `develop`. | +| Export value | Cue sheet, chart JSON, and handoff JSON are available only from a ready workspace and remain path/URL/secret redacted. | Export tests, Product Design ready/export screenshots, and release artifact evidence. | Final release package evidence must retain SBOM plus checksums or manifest sidecars. | +| Pilot conversion | 3-5 named pilot teams or equivalent buyer personas have a documented rehearsal workflow, pain point, and acceptance note. | Pilot evidence template or issue/CRM entry with date, role, workflow, and result. | No repo-backed pilot evidence is final yet; treat this as `presence-only` until pilot notes exist. 
| +| Commercial pacing | ARR path to 3-5억 KRW is backed by a simple bottom-up model: pilot count, conversion rate, annual price, and churn assumption. | A buyer-data-room model or validated spreadsheet linked from this packet. | No validated ARR model is in repo yet; do not cite valuation from this packet alone. | + +Targets are intentionally operational. If a metric cannot be validated from a +repo artifact, GitHub run, Figma screenshot, or named pilot record, it remains +an open data-room gap rather than a sale-readiness claim. + ## PR Execution Tracks The open PRs should be handled by track, not oldest-first. This table is the From fe32c73419bf164c4798fc36a9a37e24e4687b17 Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Fri, 3 Jul 2026 07:02:01 +0900 Subject: [PATCH 11/12] docs: add commercial model pilot evidence artifacts --- docs/business/bandscope-commercial-model.md | 68 +++++++++++++++++++ docs/business/pilot-evidence-template.md | 50 ++++++++++++++ ...2026-07-02-sale-readiness-due-diligence.md | 15 +++- 3 files changed, 130 insertions(+), 3 deletions(-) create mode 100644 docs/business/bandscope-commercial-model.md create mode 100644 docs/business/pilot-evidence-template.md diff --git a/docs/business/bandscope-commercial-model.md b/docs/business/bandscope-commercial-model.md new file mode 100644 index 00000000..eef2a160 --- /dev/null +++ b/docs/business/bandscope-commercial-model.md 
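Review bot: the Export value gate claims exports `remain path/URL/secret redacted` with `Export tests` as the validation path, but by this packet's own semantics an unnamed test leaves the claim `presence-only`; name the test or check that asserts redaction (the packet names `scripts/checks/security_gates.py` elsewhere) so the redaction claim has a current validation path like the other gates. The same applies to the Analysis value gate, whose `workspace state tests or screenshots` should name the tests once PRs #489 and #499 land.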
@@ -0,0 +1,68 @@ +# BandScope Commercial Model + +This model is a buyer-data-room artifact for the 20억 KRW sale-readiness +program. It is not a valuation claim. It defines the minimum bottom-up evidence +needed before BandScope can credibly discuss ARR in the 3-5억 KRW range. + +## Decision Frame + +BandScope is sale-discussion-ready only when a reviewer can connect product +evidence to a repeatable paid workflow: + +- a buyer-demo can be completed in 15 minutes +- pilot teams can explain the rehearsal pain BandScope removes +- export artifacts are useful enough to support a recurring team workflow +- security and release evidence are clean enough for desktop distribution +- the ARR model is based on named pilot conversion assumptions, not broad market + language + +## Bottom-Up ARR Formula + +```text +annual_recurring_revenue = + paid_team_count * annual_contract_value_krw * retained_account_rate +``` + +Use this simple formula until real billing data exists. Do not replace it with a +larger market-size story unless the model is backed by actual customer or buyer +pipeline evidence. + +## Scenario Table + +| Scenario | Paid teams | Annual contract value | Retained account rate | ARR | +| --- | ---: | ---: | ---: | ---: | +| Proof floor | 75 | 5,000,000 KRW | 80% | 300,000,000 KRW | +| Target case | 100 | 5,000,000 KRW | 80% | 400,000,000 KRW | +| Strong case | 125 | 5,000,000 KRW | 80% | 500,000,000 KRW | + +The 20억 KRW discussion is more defensible when BandScope can show a credible +path from current pilots to the target case. Until pilot evidence exists, this +table is `presence-only` commercial evidence. + +## Required Evidence + +| Evidence | Owner source | Final validation | +| --- | --- | --- | +| Buyer-demo proof | Product Design screenshots and demo notes | Empty, selected, loading, error, ready, export, and mobile states captured without Figma Code Connect. 
| +| Pilot proof | `docs/business/pilot-evidence-template.md` records | 3-5 named or safely aliased pilot teams with date, workflow, result, and acceptance note. | +| Product value proof | Product PRs for BPM, practice progress, role guidance, section roadmap, and export | Merged to `develop` with current-head checks and screenshots. | +| Release proof | GitHub release/build evidence | SBOM, checksum or manifest sidecars, Windows/macOS build evidence, and redacted export behavior. | +| Security proof | GitHub alerts and policy docs | Dependabot open alerts 0, code scanning closed or dispositioned, OpenSSF project 13428 completed. | + +## Guardrails + +- Do not cite this model as achieved ARR. +- Do not commit private customer names, private audio, contracts, emails, or + unreleased song metadata. +- Use customer aliases when pilot consent is not explicit. +- Keep churn, price, and conversion assumptions visible; do not hide them in a + spreadsheet. +- Treat every row as provisional until a named validation path exists. + +## Open Gaps + +- No pilot record has been validated in this repository yet. +- No Product Design screenshot set has been captured for the full buyer-demo + state matrix. +- The OpenSSF Best Practices project remains externally incomplete. +- Current product PRs still need to merge and be rechecked on `develop`. diff --git a/docs/business/pilot-evidence-template.md b/docs/business/pilot-evidence-template.md new file mode 100644 index 00000000..35df581f --- /dev/null +++ b/docs/business/pilot-evidence-template.md 
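Review bot: the Bottom-Up ARR Formula uses `retained_account_rate` while the packet's Commercial pacing gate asks for a `churn assumption`; state that the rate is one minus annual churn so the two documents describe the same input. The Scenario Table also holds the rate at 80% and the contract value at 5,000,000 KRW in every row and varies only paid teams, so it shows no sensitivity to the assumptions the Guardrails section says must stay visible; add at least one row that varies retention or price, or say explicitly that the table is a team-count scan only.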
@@ -0,0 +1,50 @@ +# BandScope Pilot Evidence Template + +Use this template for buyer-data-room pilot evidence. A completed record proves +that a real team or buyer persona tried the workflow and gave usable feedback. +It does not require public customer identity; use aliases when needed. + +## Pilot Record + +| Field | Required content | +| --- | --- | +| Pilot alias | Safe team or persona name, not private identity unless consent exists. | +| Date | Demo, trial, or interview date. | +| Roles represented | Player, vocalist, band leader, publisher, educator, or other role. | +| Source type | Local audio, YouTube URL, saved project, or prepared demo fixture. | +| Rehearsal pain | The concrete job BandScope is expected to improve. | +| Workflow completed | Source selection, analysis start, ready review, role guidance, section roadmap, practice progress, and export. | +| Time to value | Minutes from first screen to useful rehearsal output. | +| Export used | Cue sheet, chart JSON, handoff JSON, screenshots, or none. | +| Acceptance note | What the pilot would need before repeat use or paid use. | +| Objection | Missing feature, trust issue, performance issue, unclear value, or price concern. | +| Follow-up owner | Person or issue responsible for next action. | +| Evidence type | `validated`, `presence-only`, `accepted-risk`, or `external-blocked`. | +| Redaction check | Confirmation that no private audio, private song metadata, secrets, URLs, or local file paths are included. | + +## Completion Rule + +A pilot record is `validated` only when all of these are true: + +- the workflow completed or the failure point is explicitly named +- the pilot alias and role are recorded +- the acceptance note is concrete enough to change product, pricing, or buyer + due-diligence work +- private material is redacted +- a follow-up owner or issue exists for unresolved objections + +If any item is missing, classify the record as `presence-only`. 
+ +## Minimum Sale-Readiness Set + +Before citing pilot evidence in a 20억 KRW discussion, collect at least: + +- 3-5 pilot aliases +- one local-audio workflow +- one YouTube-intake workflow +- one export-focused workflow +- one recovery/error workflow +- one buyer or publisher persona + +This is intentionally small. It proves repeatability before broader market +sizing and avoids inventing demand from an unvalidated product surface. diff --git a/docs/security/2026-07-02-sale-readiness-due-diligence.md b/docs/security/2026-07-02-sale-readiness-due-diligence.md index 0617fa4a..dc5881a0 100644 --- a/docs/security/2026-07-02-sale-readiness-due-diligence.md +++ b/docs/security/2026-07-02-sale-readiness-due-diligence.md 
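Review bot: the Pilot Record table offers `YouTube URL` as a `Source type` value while the `Redaction check` row requires that no `URLs, or local file paths are included`; make clear that Source type records the category only (local audio, YouTube, saved project, fixture) and never the actual URL or path, otherwise a filled record can satisfy one row while violating the other.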
@@ -19,6 +19,7 @@ metadata, and local repository commands. | Code scanning | Two open Scorecard alerts on `develop`: #30 `VulnerabilitiesID` high for `RUSTSEC-2026-0190`, and #29 `CIIBestPracticesID` low | PR #525 and all other open PR heads now carry the RustSec policy update; alert #30 remains open until merge plus Scorecard refresh. Issue #526 tracks the external OpenSSF badge work for #29. | | OpenSSF Best Practices | Project `13428`, repo URL `https://github.com/ContextualWisdomLab/bandscope`, badge `in_progress`, `passing:null`, `name:null`, `license:null`, `homepage_url:""`, 193 unknown status fields, 2 unmet status fields | Baseline badge work is a due-diligence blocker outside normal PR-only flow and must be completed in bestpractices.dev. | | Figma/FigJam handoff | FigJam board `WEvhutQSFZITe0RUsZgzC2` section `13:900` records the 2026-07-02 21:59 KST security-audit refresh without Code Connect. Figma design file `zthWmqfNKUgJBECvv002Qk` remains the design-system source referenced by `docs/design-system/`. | Live design evidence exists, but final sale-readiness still needs Product Design screenshots for ready/error/export flows and any Figma file drift rechecked before visual PRs merge. | +| Commercial model | `docs/business/bandscope-commercial-model.md` and `docs/business/pilot-evidence-template.md` define the bottom-up ARR path, pilot evidence fields, and redaction rules. | Repo now has commercial evidence structure, but ARR and pilot rows remain `presence-only` until real pilot records and screenshots exist. | | JavaScript audit | `npm audit --workspaces --audit-level=high` reports 0 vulnerabilities | JS workspace is not the current high-risk advisory lane. | | Rust advisory chain | `cargo tree --target all -i glib` resolves `glib 0.18.5` through the Tauri/wry/webkit2gtk/gtk GTK3 stack | Repo-controlled exception and Dependabot disposition now align. | 
@@ -54,8 +55,8 @@ to decide whether an artifact supports sale readiness or is still provisional. | Buyer-demo activation | A new reviewer can complete source selection, analysis start, ready review, and export within 15 minutes. | Product Design screenshots for empty, selected, loading, error, ready, export, and mobile states; local smoke script or recorded demo notes. | Screenshots and demo transcript are still required before claiming final buyer-demo evidence. | | Analysis value | Ready workspace shows tempo/BPM, role guidance, groove or bass structure, section roadmap, confidence, and priority sections. | Current-head product PRs #489 and #499 plus workspace state tests or screenshots. | Feature PRs must merge and be rechecked on `develop`. | | Export value | Cue sheet, chart JSON, and handoff JSON are available only from a ready workspace and remain path/URL/secret redacted. | Export tests, Product Design ready/export screenshots, and release artifact evidence. | Final release package evidence must retain SBOM plus checksums or manifest sidecars. | -| Pilot conversion | 3-5 named pilot teams or equivalent buyer personas have a documented rehearsal workflow, pain point, and acceptance note. | Pilot evidence template or issue/CRM entry with date, role, workflow, and result. | No repo-backed pilot evidence is final yet; treat this as `presence-only` until pilot notes exist. | -| Commercial pacing | ARR path to 3-5억 KRW is backed by a simple bottom-up model: pilot count, conversion rate, annual price, and churn assumption. | A buyer-data-room model or validated spreadsheet linked from this packet. | No validated ARR model is in repo yet; do not cite valuation from this packet alone. | +| Pilot conversion | 3-5 named pilot teams or equivalent buyer personas have a documented rehearsal workflow, pain point, and acceptance note. | `docs/business/pilot-evidence-template.md` records or issue/CRM entry with date, role, workflow, and result. 
| No completed pilot record is final yet; treat the template as `presence-only` until pilot notes exist. | +| Commercial pacing | ARR path to 3-5억 KRW is backed by a simple bottom-up model: pilot count, conversion rate, annual price, and churn assumption. | `docs/business/bandscope-commercial-model.md` plus validated pilot conversion records. | The model exists, but it is provisional until pilot conversion and pricing evidence validate the assumptions. | Targets are intentionally operational. If a metric cannot be validated from a repo artifact, GitHub run, Figma screenshot, or named pilot record, it remains @@ -129,6 +130,10 @@ audited through GitHub contents API for the same policy shape. - Empty, loading, error, and ready states are all covered by tests or Product Design screenshots. - Error messages remain path/URL/secret redacted. +- `docs/business/pilot-evidence-template.md` has 3-5 completed pilot records + or linked issue/CRM equivalents with redaction checks. +- `docs/business/bandscope-commercial-model.md` has current pilot conversion + assumptions and is marked provisional until real pilot evidence exists. ### 4. Figma Without Code Connect @@ -218,6 +223,8 @@ without weakening release artifact evidence. - `cargo tree --target all -i glib` - `npm audit --workspaces --audit-level=high` - `python3 scripts/checks/verify_supply_chain.py` +- `docs/business/bandscope-commercial-model.md` +- `docs/business/pilot-evidence-template.md` - Figma metadata read for file `zthWmqfNKUgJBECvv002Qk` - FigJam read for board `WEvhutQSFZITe0RUsZgzC2`, section `13:900` 
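Review bot: the replacement `Commercial pacing` row in the `@@ -54,8 +55,8 @@` hunk drops the guardrail `do not cite valuation from this packet alone` while still describing the model as provisional; the removed sentence was the only place the packet told a reader not to quote the ARR path as a valuation, and nothing in the new cell replaces it. Keep it, e.g. `The model exists, but it is provisional until pilot conversion and pricing evidence validate the assumptions; do not cite valuation from this packet alone.`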
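Review bot: the added checklist line `or linked issue/CRM equivalents with redaction checks` in the `@@ -129,6 +130,10 @@` hunk does not say which check. The item directly above it names a concrete pass/fail condition (`Error messages remain path/URL/secret redacted`), so the pilot-record item should do the same: which fields are redacted, who verifies, and whether a linked CRM entry counts as verified or only as present. As written a diligence reviewer cannot mark this item complete or incomplete.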
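Review bot: the `@@ -218,6 +223,8 @@` hunk inserts two file paths into a list whose other entries are commands that were actually run (`cargo tree --target all -i glib`, `npm audit --workspaces --audit-level=high`, `python3 scripts/checks/verify_supply_chain.py`). A path is not a reproducible check: either record the command used to verify the documents (for example that the template's required fields are present) or move the two paths to the evidence-artifact list so the command list stays executable end to end.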
@@ -235,5 +242,7 @@ without weakening release artifact evidence. 6. Capture Product Design screenshots for ready, error, export, and mobile buyer-demo flows, then mirror any material findings in FigJam without Code Connect. -7. Merge buyer-demo product PRs in the order BPM, practice progress, export, +7. Fill the pilot evidence template with 3-5 safely redacted pilot records and + update the commercial model assumptions from those records. +8. Merge buyer-demo product PRs in the order BPM, practice progress, export, then supporting workspace views. From 94fd6f1120cbc1f560cab98a0ce527538dec488c Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Fri, 3 Jul 2026 08:41:06 +0900 Subject: [PATCH 12/12] docs: refresh sale readiness security evidence --- ...2026-07-02-sale-readiness-due-diligence.md | 41 ++++++++++--------- 1 file changed, 22 insertions(+), 19 deletions(-) diff --git a/docs/security/2026-07-02-sale-readiness-due-diligence.md b/docs/security/2026-07-02-sale-readiness-due-diligence.md index dc5881a0..95c29473 100644 --- a/docs/security/2026-07-02-sale-readiness-due-diligence.md +++ b/docs/security/2026-07-02-sale-readiness-due-diligence.md 
@@ -14,12 +14,12 @@ metadata, and local repository commands. | Area | Current evidence | Sale-readiness interpretation | | --- | --- | --- | | GitHub repository | `ContextualWisdomLab/bandscope`, public MIT repo, default branch `develop` | Public diligence surface exists. | -| Open PR queue | 34 open PRs. Live 2026-07-03 06:46 KST routing: `BEHIND` 4, `BLOCKED` 30, `DIRTY` 0. Auto-merge missing: `0`. Completed failures are limited to #527/#528 coverage policy and #446/#367 Strix/OpenCode provider fallback tracks that are parked behind central `.github` PRs #291 and #292. | Queue is routed and no longer blocked by review state or queued checks. Source-backed completed failures and due-diligence evidence gaps are the active execution risk. | +| Open PR queue | 34 open PRs. Live 2026-07-03 08:33 KST REST fallback sweep checked every open PR head through `commits/{sha}/check-runs` after GitHub GraphQL rollups returned HTTP 504; it found `0` completed `failure`, `timed_out`, `action_required`, `startup_failure`, or `cancelled` rows. | Queue is routed and no longer blocked by review state or queued checks. Source-backed completed failures and due-diligence evidence gaps are the active execution risk. | | Dependabot | `0` open alerts after alert #1 (`glib`, Rust, `GHSA-wrw7-89jp-8q8g`, medium) was dismissed on 2026-07-02 as `tolerable_risk` with repo-controlled rationale | GitHub-facing disposition is closed; patched upstream chain is still the preferred final state. | -| Code scanning | Two open Scorecard alerts on `develop`: #30 `VulnerabilitiesID` high for `RUSTSEC-2026-0190`, and #29 `CIIBestPracticesID` low | PR #525 and all other open PR heads now carry the RustSec policy update; alert #30 remains open until merge plus Scorecard refresh. Issue #526 tracks the external OpenSSF badge work for #29. 
| -| OpenSSF Best Practices | Project `13428`, repo URL `https://github.com/ContextualWisdomLab/bandscope`, badge `in_progress`, `passing:null`, `name:null`, `license:null`, `homepage_url:""`, 193 unknown status fields, 2 unmet status fields | Baseline badge work is a due-diligence blocker outside normal PR-only flow and must be completed in bestpractices.dev. | -| Figma/FigJam handoff | FigJam board `WEvhutQSFZITe0RUsZgzC2` section `13:900` records the 2026-07-02 21:59 KST security-audit refresh without Code Connect. Figma design file `zthWmqfNKUgJBECvv002Qk` remains the design-system source referenced by `docs/design-system/`. | Live design evidence exists, but final sale-readiness still needs Product Design screenshots for ready/error/export flows and any Figma file drift rechecked before visual PRs merge. | -| Commercial model | `docs/business/bandscope-commercial-model.md` and `docs/business/pilot-evidence-template.md` define the bottom-up ARR path, pilot evidence fields, and redaction rules. | Repo now has commercial evidence structure, but ARR and pilot rows remain `presence-only` until real pilot records and screenshots exist. | +| Code scanning | Two open Scorecard alerts on `develop`: #30 `VulnerabilitiesID` for `RUSTSEC-2026-0190`, `RUSTSEC-2026-0194`, and `RUSTSEC-2026-0195`; #29 `CIIBestPracticesID` for an `InProgress` badge. Alert #30 still points at the 2026-06-29 Scorecard SARIF and #29 still points at the 2026-06-18 SARIF. | PR #525 merged the `anyhow` fix on 2026-07-02, but the latest published Scorecard run for `develop` predates that merge and the `quick-xml` findings remain controlled exceptions. #30 needs a default-branch Scorecard refresh and either closure or accepted-risk disposition for the remaining owner-chain exceptions. Issue #526 tracks the external OpenSSF badge work for #29. 
| +| OpenSSF Best Practices | Project `13428`, repo URL `https://github.com/ContextualWisdomLab/bandscope`, `badge_percentage_0=0`, `badge_percentage_1=0`, `badge_percentage_2=0`, `tiered_percentage=0`, `name:null`, `homepage_url:""`, `updated_at=2026-06-29T14:06:03.700Z` | Baseline badge work is a due-diligence blocker outside normal PR-only flow and must be completed in bestpractices.dev before Scorecard #29 can be expected to clear. | +| Figma/FigJam handoff | FigJam board `WEvhutQSFZITe0RUsZgzC2` now records queue, data-room, screenshot, mobile-demo, coverage/package, and #489 restored-evidence checkpoints through section `74:2829` without Code Connect. Figma design file `zthWmqfNKUgJBECvv002Qk` remains the design-system source referenced by `docs/design-system/`. | Live design evidence exists and current Product Design screenshots cover more buyer-demo states, but final sale-readiness still needs packaged-release proof, disabled-state/language polish, and any Figma file drift rechecked before visual PRs merge. | +| Commercial model | `docs/business/bandscope-commercial-model.md` and `docs/business/pilot-evidence-template.md` define the bottom-up ARR path, pilot evidence fields, and redaction rules. | Repo now has commercial evidence structure and local screenshot evidence, but ARR and pilot rows remain `presence-only` until real pilot records and release/export proof exist. | | JavaScript audit | `npm audit --workspaces --audit-level=high` reports 0 vulnerabilities | JS workspace is not the current high-risk advisory lane. | | Rust advisory chain | `cargo tree --target all -i glib` resolves `glib 0.18.5` through the Tauri/wry/webkit2gtk/gtk GTK3 stack | Repo-controlled exception and Dependabot disposition now align. | 
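Review bot: in the `@@ -14,12 +14,12 @@` hunk the rewritten `Open PR queue` evidence cell now reports `0` completed failure rows, but the unchanged interpretation cell still says `Source-backed completed failures and due-diligence evidence gaps are the active execution risk`; one of the two is stale and they should be reconciled in the same change. Two caveats also belong in the evidence cell: `commits/{sha}/check-runs` is paginated (30 rows per page by default, 100 maximum), so the sweep should state that it followed pagination or compared its row count against `total_count`; and the Checks API does not include legacy commit statuses, which are served by `commits/{sha}/status`, so a head that is `BLOCKED` on a required status context from a status-API integration would not appear in this sweep at all.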
@@ -203,17 +203,20 @@ webkit2gtk/gtk GTK3 stack and `scripts/checks/verify_supply_chain.py` keeps guarding the exception scope. The final sale-readiness target is still a patched upstream chain. -Scorecard alert #30 remains open until PR #525 or an equivalent RustSec policy -head merges and Scorecard reruns on `develop`. Scorecard alert #29 remains open -until Best Practices project `13428` is completed on bestpractices.dev and the -Scorecard signal refreshes. - -All 34 open PRs still have current-head GitHub checks pending at this -checkpoint. #525 already has successful macOS amd64 and macOS arm64 build jobs, -but older #510/#511 evidence showed a macOS Intel DMG bundling failure before -the current RustSec propagation. Treat any new current-head DMG failure as a -release-readiness blocker and harden `.github/workflows/build-baseline.yml` -without weakening release artifact evidence. +Scorecard alert #30 remains open even after PR #525 merged because the published +Scorecard SARIF still predates the merge and the alert also includes the +repo-controlled `quick-xml` owner-chain exceptions. It must be refreshed on the +default branch and then closed or explicitly dispositioned against the remaining +accepted-risk evidence. Scorecard alert #29 remains open until Best Practices +project `13428` is completed on bestpractices.dev and the Scorecard signal +refreshes. + +All 34 open PRs still have review and/or queued-check gates pending at this +checkpoint, but the 2026-07-03 08:33 KST REST fallback sweep found no completed +current-head check-run failures. Treat any new completed current-head DMG +failure as a release-readiness blocker and harden +`.github/workflows/build-baseline.yml` without weakening release artifact +evidence. ### Test Points 
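Review bot: the `@@ -203,17 +203,20 @@` hunk removes the record that `#510/#511 evidence showed a macOS Intel DMG bundling failure`, leaving `Treat any new completed current-head DMG failure as a release-readiness blocker` with no stated reason why DMG failures get special treatment. Keep a one-line pointer to that earlier failure (or to wherever it is now tracked) so the blocker rule stays source-backed. Separately, the same paragraph says alert #30 includes the repo-controlled `quick-xml` owner-chain exceptions, so a default-branch Scorecard refresh alone will not close it; the sentence should make the accepted-risk disposition the expected outcome rather than presenting closure and disposition as equally likely.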
@@ -231,9 +234,9 @@ without weakening release artifact evidence. ## Next Execution Order 1. Keep polling current-head GitHub checks for all 34 open PRs; fix any new - failure before merging lower-value product or dependency work. -2. Merge PR #525 or any equivalent branch carrying the same RustSec policy - after checks pass to remove `RUSTSEC-2026-0190` from `develop`. + completed failure before merging lower-value product or dependency work. +2. Trigger or wait for a default-branch Scorecard refresh after #525's merge to + confirm `RUSTSEC-2026-0190` is gone from published Scorecard evidence. 3. Complete issue #526 on bestpractices.dev for OpenSSF project `13428`. 4. Keep the `glib` Dependabot disposition evidence current until upstream removes or patches the GTK3 chain.
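Review bot: step 2 in the `@@ -231,9 +234,9 @@` hunk only confirms `RUSTSEC-2026-0190 is gone from published Scorecard evidence`, but the Code scanning row updated in the same patch lists `RUSTSEC-2026-0194` and `RUSTSEC-2026-0195` under alert #30 as controlled exceptions. After the refresh the alert will still be open on those two, so the step needs an explicit follow-on (dismiss #30 with the accepted-risk rationale, or link the owner-chain exception evidence), otherwise step 2 can never be checked off. `Trigger or wait for` should also say which: if the Scorecard workflow can be run on demand on `develop`, name that as the action; if not, state the schedule being waited on so the next checkpoint has a date.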