|
| 1 | +{ |
| 2 | + "_comment": "OpenSSF Best Practices answers for the 'passing' tier. The bestpractices.dev BadgeApp reads this file from the repo root (per docs/bestpractices-json.md upstream) when the project is registered there, and uses each <criterion>_status / <criterion>_justification pair as the proposed answer. To trigger re-ingestion after edits, the maintainer opens the project's edit page on bestpractices.dev and clicks 'Save (and continue) 🤖'. Status '?' means 'unknown' and is ignored — safe placeholder. .github/workflows/bestpractices.yml lints this file on every push to main so it stays parseable and on-schema.", |
| 3 | + |
| 4 | + "name": "ctm", |
| 5 | + "description": "Claude Tmux Manager — survive SSH drops, reattach from your phone.", |
| 6 | + "homepage_url": "https://github.com/RandomCodeSpace/ctm", |
| 7 | + "repo_url": "https://github.com/RandomCodeSpace/ctm", |
| 8 | + "license": "MIT", |
| 9 | + |
| 10 | + "description_good_status": "Met", |
| 11 | + "description_good_justification": "README opens with: 'Claude Tmux Manager — survive SSH drops, reattach from your phone.'", |
| 12 | + |
| 13 | + "interact_status": "Met", |
| 14 | + "interact_justification": "https://github.com/RandomCodeSpace/ctm/issues — GitHub Issues + Pull Requests are enabled.", |
| 15 | + |
| 16 | + "contribution_status": "Unmet", |
| 17 | + "contribution_justification": "CONTRIBUTING.md not yet authored. Tracked as follow-up; PRs are accepted via the standard GitHub flow in the meantime.", |
| 18 | + |
| 19 | + "contribution_requirements_status": "Unmet", |
| 20 | + "contribution_requirements_justification": "Will be documented in CONTRIBUTING.md once added.", |
| 21 | + |
| 22 | + "floss_license_status": "Met", |
| 23 | + "floss_license_justification": "https://github.com/RandomCodeSpace/ctm/blob/main/LICENSE — MIT License.", |
| 24 | + |
| 25 | + "floss_license_osi_status": "Met", |
| 26 | + "floss_license_osi_justification": "MIT is OSI-approved (https://opensource.org/license/mit).", |
| 27 | + |
| 28 | + "license_location_status": "Met", |
| 29 | + "license_location_justification": "https://github.com/RandomCodeSpace/ctm/blob/main/LICENSE — LICENSE file at repository root.", |
| 30 | + |
| 31 | + "documentation_basics_status": "Met", |
| 32 | + "documentation_basics_justification": "https://github.com/RandomCodeSpace/ctm/blob/main/README.md documents installation, configuration, and primary commands.", |
| 33 | + |
| 34 | + "documentation_interface_status": "Met", |
| 35 | + "documentation_interface_justification": "README has a Commands section listing every external interface (yolo, safe, attach, kill, list, ctm serve, etc.).", |
| 36 | + |
| 37 | + "sites_https_status": "Met", |
| 38 | + "sites_https_justification": "All project URLs are GitHub-hosted and use HTTPS.", |
| 39 | + |
| 40 | + "discussion_status": "Met", |
| 41 | + "discussion_justification": "https://github.com/RandomCodeSpace/ctm/issues — GitHub Issues serve as the discussion forum.", |
| 42 | + |
| 43 | + "english_status": "Met", |
| 44 | + "english_justification": "All documentation and source comments are in English.", |
| 45 | + |
| 46 | + "maintained_status": "Met", |
| 47 | + "maintained_justification": "Active development; commits in the past week.", |
| 48 | + |
| 49 | + "repo_public_status": "Met", |
| 50 | + "repo_public_justification": "Repository is public on GitHub.", |
| 51 | + |
| 52 | + "repo_track_status": "Met", |
| 53 | + "repo_track_justification": "Source under git version control.", |
| 54 | + |
| 55 | + "repo_interim_status": "Met", |
| 56 | + "repo_interim_justification": "Every commit on a feature branch is pushed to origin; main is updated on every PR merge.", |
| 57 | + |
| 58 | + "repo_distributed_status": "Met", |
| 59 | + "repo_distributed_justification": "git is a distributed VCS.", |
| 60 | + |
| 61 | + "version_unique_status": "Met", |
| 62 | + "version_unique_justification": "https://github.com/RandomCodeSpace/ctm/tags — each release is tagged with a unique semver tag.", |
| 63 | + |
| 64 | + "version_semver_status": "Met", |
| 65 | + "version_semver_justification": "Tags follow vMAJOR.MINOR.PATCH.", |
| 66 | + |
| 67 | + "version_tags_status": "Met", |
| 68 | + "version_tags_justification": "https://github.com/RandomCodeSpace/ctm/releases — releases are git-tagged.", |
| 69 | + |
| 70 | + "release_notes_status": "Met", |
| 71 | + "release_notes_justification": "Each GitHub Release includes auto-generated notes summarising changes since the previous tag.", |
| 72 | + |
| 73 | + "release_notes_vulns_status": "N/A", |
| 74 | + "release_notes_vulns_justification": "No publicly disclosed vulnerabilities to date.", |
| 75 | + |
| 76 | + "report_process_status": "Met", |
| 77 | + "report_process_justification": "Bug reports go through GitHub Issues; the README links to the Issues tab.", |
| 78 | + |
| 79 | + "report_tracker_status": "Met", |
| 80 | + "report_tracker_justification": "https://github.com/RandomCodeSpace/ctm/issues — GitHub Issues.", |
| 81 | + |
| 82 | + "report_responses_status": "Met", |
| 83 | + "report_responses_justification": "Issues are triaged by the maintainer on a best-effort basis.", |
| 84 | + |
| 85 | + "enhancement_responses_status": "Met", |
| 86 | + "enhancement_responses_justification": "Feature requests via Issues receive a response (accept / defer / decline) on a best-effort basis.", |
| 87 | + |
| 88 | + "report_archive_status": "Met", |
| 89 | + "report_archive_justification": "GitHub Issues retains a full archive of reports and responses.", |
| 90 | + |
| 91 | + "vulnerability_report_process_status": "Unmet", |
| 92 | + "vulnerability_report_process_justification": "SECURITY.md not yet authored. Tracked as follow-up; for now, security reports can be filed as a private security advisory on GitHub.", |
| 93 | + |
| 94 | + "vulnerability_report_private_status": "Met", |
| 95 | + "vulnerability_report_private_justification": "https://github.com/RandomCodeSpace/ctm/security/advisories/new — GitHub's private security advisories are enabled.", |
| 96 | + |
| 97 | + "vulnerability_report_response_status": "Met", |
| 98 | + "vulnerability_report_response_justification": "Maintainer commits to acknowledging vulnerability reports within 14 days; window will be formalised in SECURITY.md.", |
| 99 | + |
| 100 | + "build_status": "Met", |
| 101 | + "build_justification": "Standard `go build -tags sqlite_fts5` builds the binary; `pnpm build` builds the embedded UI.", |
| 102 | + |
| 103 | + "build_common_tools_status": "Met", |
| 104 | + "build_common_tools_justification": "Build uses Go 1.24+ and pnpm — both widely available, FLOSS, and free of registration.", |
| 105 | + |
| 106 | + "build_floss_tools_status": "Met", |
| 107 | + "build_floss_tools_justification": "Build toolchain is entirely FLOSS (Go, pnpm, Node.js).", |
| 108 | + |
| 109 | + "test_status": "Met", |
| 110 | + "test_justification": "918 Go tests across 27 packages, 206 UI tests across 29 files.", |
| 111 | + |
| 112 | + "test_invocation_status": "Met", |
| 113 | + "test_invocation_justification": "README documents `go test -tags sqlite_fts5 ./...` and `pnpm exec vitest run`.", |
| 114 | + |
| 115 | + "test_most_status": "Met", |
| 116 | + "test_most_justification": "https://sonarcloud.io/summary/overall?id=RandomCodeSpace_ctm — 85.2% line coverage.", |
| 117 | + |
| 118 | + "test_continuous_integration_status": "Met", |
| 119 | + "test_continuous_integration_justification": "https://github.com/RandomCodeSpace/ctm/actions — GitHub Actions runs Go build/test, UI typecheck/test, SonarCloud, CodeQL, and Scorecard on every push and PR.", |
| 120 | + |
| 121 | + "test_policy_status": "Met", |
| 122 | + "test_policy_justification": "New features must ship with tests; SonarCloud's new-code coverage gate fails PRs that drop coverage below threshold.", |
| 123 | + |
| 124 | + "tests_are_added_status": "Met", |
| 125 | + "tests_are_added_justification": "PRs adding functionality include unit and/or integration tests; enforced by the new-code coverage gate.", |
| 126 | + |
| 127 | + "tests_documented_added_status": "Met", |
| 128 | + "tests_documented_added_justification": "test_policy is enforced in PR review and by the coverage gate; recent PRs (#11–#14) demonstrate the practice.", |
| 129 | + |
| 130 | + "warnings_status": "Met", |
| 131 | + "warnings_justification": "go vet, gopls language-server checks, ESLint with strict TypeScript rules, and SonarCloud all run on every push.", |
| 132 | + |
| 133 | + "warnings_fixed_status": "Met", |
| 134 | + "warnings_fixed_justification": "Warnings surfaced by gopls / ESLint / Sonar are addressed (or explicitly Accepted with a justification) before merge.", |
| 135 | + |
| 136 | + "warnings_strict_status": "Met", |
| 137 | + "warnings_strict_justification": "TypeScript strict mode enabled in tsconfig.json; SonarCloud quality gate fails the build on new BLOCKER/CRITICAL findings.", |
| 138 | + |
| 139 | + "know_secure_design_status": "Met", |
| 140 | + "know_secure_design_justification": "Maintainer follows OWASP Top-10 guidance; the v0.3 spec set explicitly documented threat-model decisions for auth (V27 argon2id), session token storage, and the reverse-proxy origin check.", |
| 141 | + |
| 142 | + "know_common_errors_status": "Met", |
| 143 | + "know_common_errors_justification": "Maintainer is familiar with OWASP Top-10 and CWE/SANS Top-25 patterns and applies them at PR review.", |
| 144 | + |
| 145 | + "crypto_published_status": "Met", |
| 146 | + "crypto_published_justification": "Auth uses argon2id (RFC 9106) and standard library crypto/rand — both published and widely reviewed.", |
| 147 | + |
| 148 | + "crypto_call_status": "Met", |
| 149 | + "crypto_call_justification": "Password hashing routes through Go's golang.org/x/crypto/argon2 package; no hand-rolled crypto.", |
| 150 | + |
| 151 | + "crypto_floss_status": "Met", |
| 152 | + "crypto_floss_justification": "All crypto routines are from Go's stdlib or x/crypto — both FLOSS.", |
| 153 | + |
| 154 | + "crypto_keylength_status": "Met", |
| 155 | + "crypto_keylength_justification": "Argon2id parameters meet OWASP recommendations (memory >= 19 MiB, iterations >= 2, parallelism = 1). Session tokens are 256-bit random.", |
| 156 | + |
| 157 | + "crypto_working_status": "Met", |
| 158 | + "crypto_working_justification": "No known-broken algorithms (no MD5/SHA1 for integrity, no DES, no RC4).", |
| 159 | + |
| 160 | + "crypto_weaknesses_status": "Met", |
| 161 | + "crypto_weaknesses_justification": "No use of MD5, SHA1 (for integrity), DES, RC4, or ECB mode anywhere in the codebase.", |
| 162 | + |
| 163 | + "crypto_pfs_status": "N/A", |
| 164 | + "crypto_pfs_justification": "ctm binds 127.0.0.1 only; TLS termination is the operator's reverse-proxy responsibility (the README documents the dev.randomcodespace.dev fronting setup).", |
| 165 | + |
| 166 | + "crypto_password_storage_status": "Met", |
| 167 | + "crypto_password_storage_justification": "Passwords stored as argon2id hashes (V27 single-user auth); never logged or persisted in plaintext.", |
| 168 | + |
| 169 | + "crypto_random_status": "Met", |
| 170 | + "crypto_random_justification": "All session tokens generated via crypto/rand.", |
| 171 | + |
| 172 | + "delivery_mitm_status": "Met", |
| 173 | + "delivery_mitm_justification": "Releases delivered via HTTPS (GitHub Releases) with TLS-protected git fetch.", |
| 174 | + |
| 175 | + "delivery_unsigned_status": "Met", |
| 176 | + "delivery_unsigned_justification": "https://github.com/RandomCodeSpace/ctm/releases — release artifacts include SHA256 checksums via the release.yml workflow.", |
| 177 | + |
| 178 | + "vulnerabilities_fixed_60_days_status": "Met", |
| 179 | + "vulnerabilities_fixed_60_days_justification": "No publicly disclosed vulnerabilities to date; commitment is to address any future critical reports within 60 days.", |
| 180 | + |
| 181 | + "vulnerabilities_critical_fixed_status": "Met", |
| 182 | + "vulnerabilities_critical_fixed_justification": "Same — no critical vulnerabilities outstanding.", |
| 183 | + |
| 184 | + "no_leaked_credentials_status": "Met", |
| 185 | + "no_leaked_credentials_justification": "SonarCloud's secret-detection rules + GitHub's secret scanning run on every push; no credentials in commit history.", |
| 186 | + |
| 187 | + "static_analysis_status": "Met", |
| 188 | + "static_analysis_justification": "https://sonarcloud.io/summary/overall?id=RandomCodeSpace_ctm — SonarCloud (Go + TypeScript) and CodeQL (security) run on every push and PR.", |
| 189 | + |
| 190 | + "static_analysis_common_vulnerabilities_status": "Met", |
| 191 | + "static_analysis_common_vulnerabilities_justification": "CodeQL covers OWASP Top-10 vulnerability families; SonarCloud's security profile covers CWE Top-25.", |
| 192 | + |
| 193 | + "static_analysis_fixed_status": "Met", |
| 194 | + "static_analysis_fixed_justification": "Findings are either fixed in code or explicitly Accepted with a documented justification (see .github/workflows/sonar-bulk-accept.yml).", |
| 195 | + |
| 196 | + "static_analysis_often_status": "Met", |
| 197 | + "static_analysis_often_justification": "Static analysis runs on every push and PR — well exceeding the 'before each release' bar.", |
| 198 | + |
| 199 | + "dynamic_analysis_status": "N/A", |
| 200 | + "dynamic_analysis_justification": "ctm is a CLI / HTTP daemon; integration tests exercise the live HTTP surface, which is the realistic dynamic-analysis bar for this class of software.", |
| 201 | + |
| 202 | + "dynamic_analysis_unsafe_status": "N/A", |
| 203 | + "dynamic_analysis_unsafe_justification": "Go is memory-safe (no manual memory management, bounds-checked slices). The few unsafe.Pointer uses are inside the vendored sqlite3 driver.", |
| 204 | + |
| 205 | + "dynamic_analysis_enable_assertions_status": "N/A", |
| 206 | + "dynamic_analysis_enable_assertions_justification": "Go has no compile-time assertion mechanism; runtime panics are used for invariant violations.", |
| 207 | + |
| 208 | + "dynamic_analysis_fixed_status": "N/A", |
| 209 | + "dynamic_analysis_fixed_justification": "Same as dynamic_analysis." |
| 210 | +} |
0 commit comments