docs(security): embed required URLs inline in .bestpractices.json justifications#122
Merged
Conversation
…tifications bestpractices.dev has no separate URL field — for criteria where met_url_required is true, the URL must appear inside the justification text, or the badge reports "URL required, but no URL found". The file kept URLs only in vestigial _url keys (which the badge form / autofill robot does not consume) while the justifications merely said "see the URL below". Embed each URL inline in the justification for all 8 url-required criteria (contribution, contribution_requirements, license_location, release_notes, report_process, report_archive, vulnerability_report_process, vulnerability_report_private) so the file is a self-sufficient golden source. Statuses unchanged (all Met); _url keys retained. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01LDQVJrixs2nJoea67a8pEG
|
aksOps
added a commit
that referenced
this pull request
Jun 18, 2026
#123) The live OpenSSF record (https://www.bestpractices.dev/projects/12646.json) is now passing (badge_level=passing, 100%). Reconcile the repo golden source to match the authoritative live schema: - Drop 29 vestigial per-criterion <crit>_url keys. The live record has NO per-criterion URL field (only the top-level homepage_url / repo_url / badge_url / project_page_url), confirming the URL must live inline in the justification -- which it now does for all url-required criteria (PR #122). The 4 real top-level URL metadata fields are kept. - Correct _comment to document the inline-URL reality (no separate per-criterion URL field) and drop the false "<key>_url where required" clause. - Simplify report_archive link to /issues to match the live passing value. - Refresh self_assessment_date to 2026-06-18. Kept our richer project-specific justifications rather than overwriting them with bestpractices.dev's auto-generated boilerplate (and a stray OSPS tag); both validate and the badge stays passing. Claude-Session: https://claude.ai/code/session_01LDQVJrixs2nJoea67a8pEG Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
aksOps
added a commit
that referenced
this pull request
Jun 19, 2026
…abelled, searchable map (#124) * docs(security): sync .bestpractices.json to live passing state (12646) The live OpenSSF record (https://www.bestpractices.dev/projects/12646.json) is now passing (badge_level=passing, 100%). Reconcile the repo golden source to match the authoritative live schema: - Drop 29 vestigial per-criterion <crit>_url keys. The live record has NO per-criterion URL field (only the top-level homepage_url / repo_url / badge_url / project_page_url), confirming the URL must live inline in the justification -- which it now does for all url-required criteria (PR #122). The 4 real top-level URL metadata fields are kept. - Correct _comment to document the inline-URL reality (no separate per-criterion URL field) and drop the false "<key>_url where required" clause. - Simplify report_archive link to /issues to match the live passing value. - Refresh self_assessment_date to 2026-06-18. Kept our richer project-specific justifications rather than overwriting them with bestpractices.dev's auto-generated boilerplate (and a stray OSPS tag); both validate and the badge stays passing. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01LDQVJrixs2nJoea67a8pEG * perf(graphrag,mcp,storage,ui): scale topology to 100-200 services + labelled, searchable map Hardens both the SQLite (single-node) and Postgres (scaled) paths for a rolling 7-day window over 100-200 services, and makes the service map usable at that scale. Backend - graphrag: add edgesByFrom/edgesByTo/opsByService adjacency indexes to ServiceStore, maintained at UpsertCallEdge/UpsertOperation/EnsureCallEdge. CallEdgesFrom/To and the new OperationsForService become O(deg) lookups, so ServiceMap drops from O(N*E+N*ops) to O(N+E+ops) and ImpactAnalysis BFS from O(N^2) to O(N+E). ServiceMap at 200 svc / 800 edges benchmarks ~53us. - storage: replace the near-useless bare span.status index with composite (tenant_id, status, start_time); unify the trace/orphan-span purge onto the batched LIMIT loop for ALL drivers so SQLite no longer holds the single writer lock for the whole retention sweep and stalls ingest. - storage: add Postgres BRIN indexes on spans(start_time)/traces(timestamp) for the by-age retention DELETE; raise pool MaxIdleConns 10->25 and add ConnMaxIdleTime (DB_CONN_MAX_IDLE_TIME, default 10m). - config: default IngestPipelinePerTenantCap to ~30% of the resolved queue when unset (explicit =0 still disables) so one noisy tenant cannot fill the queue. MCP - emit compact JSON (Marshal vs MarshalIndent) across all tool responses. - honour the documented get_service_map "service" focus arg via depth-bounded ServiceMapAround; no focus -> full map (backward compatible). - cache trace_graph (immutable completed-trace topology; errors not cached). UI - service map dots now render a haloed, truncated, a11y label whose visibility is zoom-scaled by phyllotaxis criticality band (most-critical label first; emphasized/search-matched always label). - add a deferred client-side service search that highlights matches + neighbours and dims the rest, reusing the existing emphasis machinery, with match count, empty state, and clear. Tests: graphrag/mcp/storage/config/ingest suites green; UI builds + 339 UI tests pass; changed files lint-clean. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01EGHhZg96LhYRPQoG8x4nyP * fix(deps): bump undici 7.25.0 -> 7.28.0 (dev) to clear OSV advisories undici 7.25.0 — a transitive dev dependency via the Vite/test toolchain in ui/package-lock.json — is flagged by two newly-published advisories: GHSA-vmh5-mc38-953g (High, 7.4) and GHSA-pr7r-676h-xcf6 (Medium, 5.9), both fixed in 7.28.0. In-range bump (the parent already allows ^7.25.0), lockfile only. npm audit reports 0 vulnerabilities; tsc + vitest (339 tests) green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01LDQVJrixs2nJoea67a8pEG * style(storage): gofmt Span struct tag alignment The composite-index comment added mid-struct in this PR broke gofmt tag alignment on the Span block (golangci-lint gofmt failure). Pure formatting; no behaviour change. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01LDQVJrixs2nJoea67a8pEG * fix(ui): highlight matched services' edges on map search, not just nodes rfEdges computed the active path only from selection/impact, so a search accented matched NODES while their connections stayed at resting style — the 'searchable map' was half-done at 100-200 services where edges are the signal. Fold searchMatches into the edge active test (precedence: impact > search > selection, mirroring the node emphasis ladder) and into the memo deps. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01LDQVJrixs2nJoea67a8pEG * fix(storage): sanitize DB_DRIVER before logging (CWE-117 / go/log-injection) CodeQL flagged factory.go:170 logging the operator-set DB_DRIVER string (rule go/log-injection, medium) — the merge-blocking unresolved code-scanning thread. Strip CR/LF via a local var before logging so a malformed value can't forge log lines; the counts/duration are non-injectable. Operator config (not a remote-input path), but fix-over-suppress per the security policy, and the local-var sanitizer is a barrier CodeQL recognises, clearing the alert at the source. Drops the now-redundant #nosec G706. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01LDQVJrixs2nJoea67a8pEG --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



What
Embed the required URL inline in the justification text for all 8
met_url_requiredcriteria in.bestpractices.json:contribution,contribution_requirements,license_location,release_notes,report_process,report_archive,vulnerability_report_process,vulnerability_report_private.Why
bestpractices.dev has no separate URL field — for URL-required
criteria the validator scans the justification for an
http(s)link.The file previously kept URLs only in
_urlkeys (which the badge formand autofill robot don't consume) while justifications said "see the URL
below", so the live badge reported "URL required, but no URL found".
Moving the URL into the justification makes
.bestpractices.jsonaself-sufficient golden source: a future autofill from this file
satisfies the criteria without relying on the non-consumed
_urlkeys.Scope / safety
_justificationstrings change (8 insertions, 8 deletions).Met;_urlkeys retained (redundant but harmless).which still needs the bestpractices.dev autofill re-run by the project
owner.
🤖 Generated with Claude Code
https://claude.ai/code/session_01LDQVJrixs2nJoea67a8pEG