Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 8 additions & 6 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,15 +8,17 @@ version: 2
#
# Dependabot version updates (the schedule below) are a different feature
# from Dependabot SECURITY updates. Security updates are a separate
# repo-level toggle, and audit P1-3 (2026-07-11) confirmed via the GitHub
# API that it is currently DISABLED on this repo — an advisory on any
# ecosystem below waits for the next scheduled run like any other bump; it
# does not open a PR "immediately" as an earlier version of this comment
# claimed. Enabling it is a repo-settings change gated on the repo owner:
# repo-level toggle. Gate 2 (2026-07-16) enabled both vulnerability alerts
# and automated security fixes on this repo:
#
# gh api --method PUT repos/brownjuly2003-code/agentflow/vulnerability-alerts
# gh api --method PUT repos/brownjuly2003-code/agentflow/automated-security-fixes
#
# This file cannot flip that toggle by itself.
# Advisories now open a security-update PR immediately; the weekly schedule
# below still covers ordinary version bumps. This file cannot flip the
# toggle by itself — verify with:
#
# gh api repos/brownjuly2003-code/agentflow --jq .security_and_analysis

updates:
# ── Python: root runtime (agentflow-runtime) ───────────────────────
Expand Down
11 changes: 11 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,17 @@ All notable changes to AgentFlow are documented in this file.

## [Unreleased]

### Supply chain — Gate 2: Dependabot security updates + required-check gap closed

- **Dependabot security updates enabled** on the repo (vulnerability alerts +
automated security fixes). Advisories open a PR immediately; weekly
version updates in `.github/dependabot.yml` stay for ordinary bumps.
- **Branch protection required checks: 13 → 15** — added `sdk-ts` and
`lock-check` so the TypeScript SDK CI job and the `uv.lock` /
`requirements-docker.lock` gate cannot be skipped on `main`.
- Living docs (`README`, `docs/release-readiness.md`) and the dependabot
header comment updated to match the API-verified state.

### Observability — /v1/slo reports SLIs, not rescaled aggregates (audit P2-2)

- **`current` is now a real SLI**: the share of good units among valid units
Expand Down
4 changes: 2 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ Consumers are whoever needs the number now: humans, dashboards, downstream servi
- **At scale on its own data** — 4 years of the synthetic legend's history (**51.2 M rows, 2.87 M orders, 10.66 M Chestny Znak marking codes**) generated deterministically into the real raw-vault DDL; analyst queries answer in 20–730 ms and all 17 generator-spec invariants hold, including a full-scan GS1 check-digit validation — [S13 report](docs/perf/scale-own-data-2026-07-11.md), `python scripts/benchmark_scale_own_data.py`
- **Lineage as a contract** — all six metrics declare their source events, serving table, and a 2.5 s p95 staleness budget in versioned contracts, exposed through `/v1/catalog` and `/v1/contracts` and pinned by tests against the actual write path
- **Published release line through `v2.0.0`** on PyPI (`agentflow-runtime`, `agentflow-client`) and npm (`@yuliaedomskikh/agentflow-client`) via OIDC Trusted Publishers with SLSA provenance on every artifact
- **Tested and gated** — 1,500+ unit tests plus a broad Windows no-Docker suite; CI enforces 13 required status checks (lint, schema, unit, integration, helm, perf, terraform, bandit, safety, npm-audit, trivy, contract, build-smoke) through branch protection
- **Tested and gated** — 1,500+ unit tests plus a broad Windows no-Docker suite; CI enforces 15 required status checks (lint, schema, unit, integration, helm, perf, terraform, bandit, safety, npm-audit, trivy, contract, build-smoke, sdk-ts, lock-check) through branch protection
- **Dual SDK parity** across Python and TypeScript — retries, circuit breakers, batching, pagination, contract pinning, idempotency keys, `as_of` historical reads — over sub-second entity lookups (p50 `38–55 ms`, p99 `167 ms` on local hardware)
- **Security in the hot path** — a tenant boundary that lives in each serving table's write key and is applied at a single read chokepoint ([ADR-004](docs/decisions/004-tenant-id-column-over-schema-per-tenant.md); proven against DuckDB and live ClickHouse 25.3 — see [STATUS](docs/STATUS.md#proven)), parameterized queries, `sqlglot` AST validation for NL-to-SQL, fail-closed auth, secret scrubbing, and a Bandit gate for new findings
- **Production-shaped extras** — two CDC paths (hardened Debezium/Kafka Connect + a ClickHouse per-branch fan-out), on-call [runbooks](docs/runbooks/README.md), and a [narrated demo](docs/dv2-multi-branch/) of the DV2 multi-branch warehouse
Expand Down Expand Up @@ -156,7 +156,7 @@ python scripts/bandit_diff.py .bandit-baseline.json .tmp/bandit-current.json
**`v2.0.0` is the current release line** — PyPI `agentflow-runtime` /
`agentflow-client` and npm `@yuliaedomskikh/agentflow-client`, all
published via OIDC Trusted Publishers with SLSA provenance attestations.
CI on `main` is green across all 13 required checks. The living
CI on `main` is green across all 15 required checks. The living
engineering status — what is proven, what is in progress, what is next —
is tracked in [docs/STATUS.md](docs/STATUS.md).

Expand Down
10 changes: 6 additions & 4 deletions docs/release-readiness.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
(`@yuliaedomskikh/agentflow-client`) via OIDC Trusted Publishers with SLSA
provenance attestations — see
[dv2-multi-branch/RELEASE_STATUS.md](dv2-multi-branch/RELEASE_STATUS.md) for
registry links and upload evidence. `main` is protected by 13 required status
registry links and upload evidence. `main` is protected by 15 required status
checks and is green.

## Summary
Expand Down Expand Up @@ -53,11 +53,13 @@ and documented in

## CI gates

`main` is protected with 13 required status checks — `lint`, `test-unit`,
`main` is protected with 15 required status checks — `lint`, `test-unit`,
`test-integration`, `perf-check`, `helm-schema-live`, `schema-check`,
`terraform-validate`, `bandit`, `safety`, `npm-audit`, `trivy`, `contract`,
`build-smoke`. Branch protection requires every one of them; force-pushes and
deletions are disabled.
`build-smoke`, `sdk-ts`, `lock-check`. Branch protection requires every one of
them; force-pushes and deletions are disabled. Dependabot security updates
(vulnerability alerts + automated security fixes) are enabled alongside the
weekly version-update schedule in `.github/dependabot.yml`.

## Scope

Expand Down