-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy path.bestpractices.json
More file actions
233 lines (164 loc) · 13.2 KB
/
Copy path.bestpractices.json
File metadata and controls
233 lines (164 loc) · 13.2 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
{
"$schema": "https://bestpractices.coreinfrastructure.org/projects.schema.json",
"_comment": "OpenSSF Best Practices answers for the 'passing' tier. The bestpractices.dev BadgeApp reads this file from the repo root (per docs/bestpractices-json.md upstream) when the project is registered there, and uses each <criterion>_status / <criterion>_justification pair as the proposed answer. To trigger re-ingestion after edits, the maintainer opens the project's edit page on bestpractices.dev and clicks 'Save (and continue) 🤖'. Status '?' means 'unknown' and is ignored — safe placeholder. .github/workflows/bestpractices.yml lints this file on every push to main so it stays parseable and on-schema.",
"project_id": 12716,
"name": "ctm",
"description": "Codex Tmux Manager — survive SSH drops, reattach from your phone.",
"homepage_url": "https://github.com/RandomCodeSpace/ctm",
"repo_url": "https://github.com/RandomCodeSpace/ctm",
"license": "MIT",
"level": "passing",
"badge_url": "https://www.bestpractices.dev/projects/12716/badge",
"project_page_url": "https://www.bestpractices.dev/en/projects/12716",
"evidence": {
"license_file": "LICENSE",
"contributing_guide": "CONTRIBUTING.md",
"vulnerability_report_process": "SECURITY.md",
"release_notes": "CHANGELOG.md",
"build_reproducible": "Makefile + go build ./...",
"ci_workflow": ".github/workflows/ci.yml",
"release_workflow": ".github/workflows/release.yml",
"supply_chain_scorecard": ".github/workflows/scorecard.yml",
"static_analysis_sonar": "sonar-project.properties + SonarCloud quality gate",
"bestpractices_lint": ".github/workflows/bestpractices.yml",
"private_vulnerability_reporting": "GitHub repo setting (security advisories enabled)",
"secret_scanning": "GitHub repo setting (secret_scanning + push_protection enabled)"
},
"audit": {
"self_assessment_date": "2026-05-01",
"scorecard_dashboard": "https://scorecard.dev/viewer/?uri=github.com/RandomCodeSpace/ctm",
"sonarcloud_dashboard": "https://sonarcloud.io/summary/overall?id=RandomCodeSpace_ctm"
},
"description_good_status": "Met",
"description_good_justification": "README opens with: 'Codex Tmux Manager — survive SSH drops, reattach from your phone.'",
"interact_status": "Met",
"interact_justification": "GitHub Issues + Pull Requests are enabled.",
"contribution_status": "Met",
"contribution_justification": "https://github.com/RandomCodeSpace/ctm/blob/main/CONTRIBUTING.md",
"contribution_requirements_status": "Met",
"contribution_requirements_justification": "CONTRIBUTING.md documents PR requirements: branch naming, scoped PRs, tests required for new logic, conventional-commit subjects, all checks passing (go vet, go test -race, govulncheck, SonarCloud, OpenSSF Scorecard). https://github.com/RandomCodeSpace/ctm/blob/main/CONTRIBUTING.md#coding-standards",
"floss_license_status": "Met",
"floss_license_justification": "MIT License.",
"floss_license_osi_status": "Met",
"floss_license_osi_justification": "MIT is OSI-approved.",
"license_location_status": "Met",
"license_location_justification": "https://github.com/RandomCodeSpace/ctm/blob/main/LICENSE",
"documentation_interface_status": "Met",
"documentation_interface_justification": "README has a Commands section listing every external interface (yolo, yolo!, safe, attach, kill, killall, last, ls, new, pick, rename, switch, detach, forget, doctor, check, install, uninstall, version).",
"sites_https_status": "Met",
"sites_https_justification": "All project URLs are GitHub-hosted and use HTTPS.",
"discussion_status": "Met",
"discussion_justification": "GitHub Issues serve as the discussion forum.",
"english_status": "Met",
"english_justification": "All documentation and source comments are in English.",
"maintained_status": "Met",
"maintained_justification": "Active development; commits in the past week.",
"repo_public_status": "Met",
"repo_public_justification": "Repository is public on GitHub.",
"repo_track_status": "Met",
"repo_track_justification": "Source under git version control.",
"repo_interim_status": "Met",
"repo_interim_justification": "Every commit on a feature branch is pushed to origin; main is updated on every PR merge.",
"repo_distributed_status": "Met",
"repo_distributed_justification": "git is a distributed VCS.",
"version_unique_status": "Met",
"version_unique_justification": "Each release is tagged with a unique semver tag.",
"version_semver_status": "Met",
"version_semver_justification": "Tags follow vMAJOR.MINOR.PATCH.",
"version_tags_status": "Met",
"version_tags_justification": "Releases are git-tagged.",
"release_notes_status": "Met",
"release_notes_justification": "https://github.com/RandomCodeSpace/ctm/blob/main/CHANGELOG.md",
"release_notes_vulns_status": "N/A",
"release_notes_vulns_justification": "No publicly disclosed vulnerabilities to date.",
"report_process_status": "Met",
"report_process_justification": "https://github.com/RandomCodeSpace/ctm/blob/main/CONTRIBUTING.md#reporting-bugs-or-asking-questions",
"report_tracker_status": "Met",
"report_tracker_justification": "GitHub Issues.",
"report_responses_status": "Met",
"report_responses_justification": "Issues are triaged by the maintainer on a best-effort basis.",
"enhancement_responses_status": "Met",
"enhancement_responses_justification": "Feature requests via Issues receive a response (accept / defer / decline) on a best-effort basis.",
"report_archive_status": "Met",
"report_archive_justification": "https://github.com/RandomCodeSpace/ctm/issues?q=is%3Aissue",
"vulnerability_report_process_status": "Met",
"vulnerability_report_process_justification": "https://github.com/RandomCodeSpace/ctm/blob/main/SECURITY.md",
"vulnerability_report_private_status": "Met",
"vulnerability_report_private_justification": "https://github.com/RandomCodeSpace/ctm/security/advisories/new",
"vulnerability_report_response_status": "Met",
"vulnerability_report_response_justification": "Formal response targets in SECURITY.md: acknowledge within 14 days, initial assessment within 30 days, fix High/Critical within 60 days, default 90-day disclosure window.",
"build_status": "Met",
"build_justification": "Standard `go build ./...` builds the binary; `make build` is the documented entry point.",
"build_common_tools_status": "Met",
"build_common_tools_justification": "Build uses Go 1.25+ and the GNU `make` driver — both widely available, FLOSS, and free of registration.",
"build_floss_tools_status": "Met",
"build_floss_tools_justification": "Build toolchain is entirely FLOSS (Go, GNU make).",
"test_status": "Met",
"test_justification": "336 Go tests across 19 packages exercise CLI helpers, the agent registry, codex-impl spawn/discover paths, session migrations, tmux client argv builders, and the integration smoke pack.",
"test_invocation_status": "Met",
"test_invocation_justification": "CONTRIBUTING.md documents `go test ./...` and `make regression` (race + govulncheck).",
"test_most_status": "Met",
"test_most_justification": "Line coverage tracked via SonarCloud's Go quality gate; coverage data uploaded by .github/workflows/sonar.yml on every push.",
"test_continuous_integration_status": "Met",
"test_continuous_integration_justification": "GitHub Actions runs Go build/test (ci.yml), SonarCloud (sonar.yml), and Scorecard (scorecard.yml) on every push and PR.",
"test_policy_status": "Met",
"test_policy_justification": "New features must ship with tests; SonarCloud's new-code coverage gate fails PRs that drop coverage below threshold.",
"tests_are_added_status": "Met",
"tests_are_added_justification": "PRs adding functionality include unit and/or integration tests; enforced by the new-code coverage gate.",
"tests_documented_added_status": "Met",
"tests_documented_added_justification": "test_policy is enforced in PR review and by the coverage gate.",
"warnings_status": "Met",
"warnings_justification": "go vet, gopls language-server checks, and SonarCloud all run on every push.",
"warnings_fixed_status": "Met",
"warnings_fixed_justification": "Warnings surfaced by gopls or Sonar are addressed (or explicitly Accepted with a justification) before merge.",
"warnings_strict_status": "Met",
"warnings_strict_justification": "SonarCloud quality gate fails the build on new BLOCKER/CRITICAL findings; `go vet` failures are CI-fatal.",
"know_secure_design_status": "Met",
"know_secure_design_justification": "Maintainer follows OWASP Top-10 guidance. Threat-model decisions are documented in SECURITY.md; the v0.3 release explicitly removed all networked surface (HTTP daemon, auth, webhook delivery) so the remaining attack surface is the local CLI plus its on-disk state under `~/.config/ctm/` and `~/.codex/sessions/`.",
"know_common_errors_status": "Met",
"know_common_errors_justification": "Maintainer is familiar with OWASP Top-10 and CWE/SANS Top-25 patterns and applies them at PR review.",
"crypto_published_status": "N/A",
"crypto_published_justification": "ctm performs no cryptographic operations beyond UUID generation since the v0.3 removal of the auth daemon.",
"crypto_call_status": "N/A",
"crypto_call_justification": "No cryptographic primitive calls remain after the auth/session-token subsystem was removed in v0.3.",
"crypto_floss_status": "Met",
"crypto_floss_justification": "The only crypto call left in the codebase is `crypto/rand` (Go stdlib, FLOSS) for UUID generation in internal/session.",
"crypto_keylength_status": "N/A",
"crypto_keylength_justification": "No keyed cryptographic operations remain.",
"crypto_working_status": "Met",
"crypto_working_justification": "No known-broken algorithms anywhere in the codebase (no MD5/SHA1 for integrity, no DES, no RC4).",
"crypto_weaknesses_status": "Met",
"crypto_weaknesses_justification": "No use of MD5, SHA1 (for integrity), DES, RC4, or ECB mode anywhere in the codebase.",
"crypto_pfs_status": "N/A",
"crypto_pfs_justification": "ctm has no network listener since v0.3; TLS / PFS are not relevant.",
"crypto_password_storage_status": "N/A",
"crypto_password_storage_justification": "ctm stores no user passwords since the V27 single-user auth daemon was removed in v0.3.",
"crypto_random_status": "Met",
"crypto_random_justification": "Session UUIDs (the only random IDs ctm generates) come from `crypto/rand` via internal/session/uuid.go.",
"delivery_mitm_status": "Met",
"delivery_mitm_justification": "Releases delivered via HTTPS (GitHub Releases) with TLS-protected git fetch.",
"delivery_unsigned_status": "Met",
"delivery_unsigned_justification": "Release artifacts include SHA256 checksums via the release.yml workflow.",
"vulnerabilities_fixed_60_days_status": "Met",
"vulnerabilities_fixed_60_days_justification": "No publicly disclosed vulnerabilities to date; commitment is to address any future critical reports within 60 days.",
"vulnerabilities_critical_fixed_status": "Met",
"vulnerabilities_critical_fixed_justification": "Same — no critical vulnerabilities outstanding.",
"no_leaked_credentials_status": "Met",
"no_leaked_credentials_justification": "SonarCloud's secret-detection rules + GitHub's secret scanning run on every push; no credentials in commit history.",
"static_analysis_status": "Met",
"static_analysis_justification": "SonarCloud (Go) runs on every push and PR via .github/workflows/sonar.yml; `go vet` runs in CI; `govulncheck` runs as part of `make regression`.",
"static_analysis_common_vulnerabilities_status": "Met",
"static_analysis_common_vulnerabilities_justification": "SonarCloud's security profile covers CWE Top-25; `govulncheck` reports any reachable CVE in the Go module graph.",
"static_analysis_fixed_status": "Met",
"static_analysis_fixed_justification": "Findings are either fixed in code or explicitly Accepted with a documented justification.",
"static_analysis_often_status": "Met",
"static_analysis_often_justification": "Static analysis runs on every push and PR — well exceeding the 'before each release' bar.",
"dynamic_analysis_status": "Met",
"dynamic_analysis_justification": "`go test -race ./...` runs Go's runtime data-race detector on every PR and release. The race detector instruments memory accesses across goroutines and panics on a detected race; ctm uses goroutines for the post-spawn agent-session-id discovery path, so the race detector remains the realistic dynamic-analysis tool even after the daemon was removed.",
"dynamic_analysis_unsafe_status": "N/A",
"dynamic_analysis_unsafe_justification": "Go is memory-safe (no manual memory management; bounds-checked slices; nil-checked pointer dereferences). Race-detector coverage above provides the meaningful dynamic-safety check.",
"dynamic_analysis_enable_assertions_status": "Met",
"dynamic_analysis_enable_assertions_justification": "Go's runtime always enables bounds checking, nil-pointer panics, and `go test -race` adds happens-before assertions across goroutines. Test builds run with the race detector enabled; production builds inherit the language-level checks but omit the race detector.",
"dynamic_analysis_fixed_status": "Met",
"dynamic_analysis_fixed_justification": "Any race-detector finding fails CI and must be fixed before merge."
}