From 4a1b8ee54fc1bf9c93ab8d28cdc6fca95094519d Mon Sep 17 00:00:00 2001 From: JuliaEdom Date: Thu, 16 Jul 2026 01:44:37 +0300 Subject: [PATCH] =?UTF-8?q?docs(security):=20Gate=202=20=E2=80=94=20Depend?= =?UTF-8?q?abot=20security=20updates=20+=2015=20required=20checks?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Repo settings (already applied via GitHub API): - vulnerability alerts + automated security fixes enabled - branch protection required checks 13→15 (+sdk-ts, +lock-check) Living docs and dependabot header comment now match the API-verified state. --- .github/dependabot.yml | 14 ++++++++------ CHANGELOG.md | 11 +++++++++++ README.md | 4 ++-- docs/release-readiness.md | 10 ++++++---- 4 files changed, 27 insertions(+), 12 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 2932f73..7d05a50 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -8,15 +8,17 @@ version: 2 # # Dependabot version updates (the schedule below) are a different feature # from Dependabot SECURITY updates. Security updates are a separate -# repo-level toggle, and audit P1-3 (2026-07-11) confirmed via the GitHub -# API that it is currently DISABLED on this repo — an advisory on any -# ecosystem below waits for the next scheduled run like any other bump; it -# does not open a PR "immediately" as an earlier version of this comment -# claimed. Enabling it is a repo-settings change gated on the repo owner: +# repo-level toggle. Gate 2 (2026-07-16) enabled both vulnerability alerts +# and automated security fixes on this repo: # +# gh api --method PUT repos/brownjuly2003-code/agentflow/vulnerability-alerts # gh api --method PUT repos/brownjuly2003-code/agentflow/automated-security-fixes # -# This file cannot flip that toggle by itself. +# Advisories now open a security-update PR immediately; the weekly schedule +# below still covers ordinary version bumps. This file cannot flip the +# toggle by itself — verify with: +# +# gh api repos/brownjuly2003-code/agentflow --jq .security_and_analysis updates: # ── Python: root runtime (agentflow-runtime) ─────────────────────── diff --git a/CHANGELOG.md b/CHANGELOG.md index 8868bba..b614e5c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,17 @@ All notable changes to AgentFlow are documented in this file. ## [Unreleased] +### Supply chain — Gate 2: Dependabot security updates + required-check gap closed + +- **Dependabot security updates enabled** on the repo (vulnerability alerts + + automated security fixes). Advisories open a PR immediately; weekly + version updates in `.github/dependabot.yml` stay for ordinary bumps. +- **Branch protection required checks: 13 → 15** — added `sdk-ts` and + `lock-check` so the TypeScript SDK CI job and the `uv.lock` / + `requirements-docker.lock` gate cannot be skipped on `main`. +- Living docs (`README`, `docs/release-readiness.md`) and the dependabot + header comment updated to match the API-verified state. + ### Observability — /v1/slo reports SLIs, not rescaled aggregates (audit P2-2) - **`current` is now a real SLI**: the share of good units among valid units diff --git a/README.md b/README.md index 4875c04..3041762 100644 --- a/README.md +++ b/README.md @@ -30,7 +30,7 @@ Consumers are whoever needs the number now: humans, dashboards, downstream servi - **At scale on its own data** — 4 years of the synthetic legend's history (**51.2 M rows, 2.87 M orders, 10.66 M Chestny Znak marking codes**) generated deterministically into the real raw-vault DDL; analyst queries answer in 20–730 ms and all 17 generator-spec invariants hold, including a full-scan GS1 check-digit validation — [S13 report](docs/perf/scale-own-data-2026-07-11.md), `python scripts/benchmark_scale_own_data.py` - **Lineage as a contract** — all six metrics declare their source events, serving table, and a 2.5 s p95 staleness budget in versioned contracts, exposed through `/v1/catalog` and `/v1/contracts` and pinned by tests against the actual write path - **Published release line through `v2.0.0`** on PyPI (`agentflow-runtime`, `agentflow-client`) and npm (`@yuliaedomskikh/agentflow-client`) via OIDC Trusted Publishers with SLSA provenance on every artifact -- **Tested and gated** — 1,500+ unit tests plus a broad Windows no-Docker suite; CI enforces 13 required status checks (lint, schema, unit, integration, helm, perf, terraform, bandit, safety, npm-audit, trivy, contract, build-smoke) through branch protection +- **Tested and gated** — 1,500+ unit tests plus a broad Windows no-Docker suite; CI enforces 15 required status checks (lint, schema, unit, integration, helm, perf, terraform, bandit, safety, npm-audit, trivy, contract, build-smoke, sdk-ts, lock-check) through branch protection - **Dual SDK parity** across Python and TypeScript — retries, circuit breakers, batching, pagination, contract pinning, idempotency keys, `as_of` historical reads — over sub-second entity lookups (p50 `38–55 ms`, p99 `167 ms` on local hardware) - **Security in the hot path** — a tenant boundary that lives in each serving table's write key and is applied at a single read chokepoint ([ADR-004](docs/decisions/004-tenant-id-column-over-schema-per-tenant.md); proven against DuckDB and live ClickHouse 25.3 — see [STATUS](docs/STATUS.md#proven)), parameterized queries, `sqlglot` AST validation for NL-to-SQL, fail-closed auth, secret scrubbing, and a Bandit gate for new findings - **Production-shaped extras** — two CDC paths (hardened Debezium/Kafka Connect + a ClickHouse per-branch fan-out), on-call [runbooks](docs/runbooks/README.md), and a [narrated demo](docs/dv2-multi-branch/) of the DV2 multi-branch warehouse @@ -156,7 +156,7 @@ python scripts/bandit_diff.py .bandit-baseline.json .tmp/bandit-current.json **`v2.0.0` is the current release line** — PyPI `agentflow-runtime` / `agentflow-client` and npm `@yuliaedomskikh/agentflow-client`, all published via OIDC Trusted Publishers with SLSA provenance attestations. -CI on `main` is green across all 13 required checks. The living +CI on `main` is green across all 15 required checks. The living engineering status — what is proven, what is in progress, what is next — is tracked in [docs/STATUS.md](docs/STATUS.md). diff --git a/docs/release-readiness.md b/docs/release-readiness.md index d396c4a..2df870c 100644 --- a/docs/release-readiness.md +++ b/docs/release-readiness.md @@ -6,7 +6,7 @@ (`@yuliaedomskikh/agentflow-client`) via OIDC Trusted Publishers with SLSA provenance attestations — see [dv2-multi-branch/RELEASE_STATUS.md](dv2-multi-branch/RELEASE_STATUS.md) for -registry links and upload evidence. `main` is protected by 13 required status +registry links and upload evidence. `main` is protected by 15 required status checks and is green. ## Summary @@ -53,11 +53,13 @@ and documented in ## CI gates -`main` is protected with 13 required status checks — `lint`, `test-unit`, +`main` is protected with 15 required status checks — `lint`, `test-unit`, `test-integration`, `perf-check`, `helm-schema-live`, `schema-check`, `terraform-validate`, `bandit`, `safety`, `npm-audit`, `trivy`, `contract`, -`build-smoke`. Branch protection requires every one of them; force-pushes and -deletions are disabled. +`build-smoke`, `sdk-ts`, `lock-check`. Branch protection requires every one of +them; force-pushes and deletions are disabled. Dependabot security updates +(vulnerability alerts + automated security fixes) are enabled alongside the +weekly version-update schedule in `.github/dependabot.yml`. ## Scope