Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
35 changes: 3 additions & 32 deletions .bestpractices.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"$schema": "https://bestpractices.coreinfrastructure.org/projects.schema.json",
"_comment": "OpenSSF Best Practices self-assessment for RandomCodeSpace/otelcontext. Project page: https://www.bestpractices.dev/en/projects/12646. This file follows the canonical flat per-criterion schema described in coreinfrastructure/best-practices-badge:docs/bestpractices-json.md so the autofill robot can pre-fill the criteria page on board flip. Each <key>_status / <key>_justification (and <key>_url where required) mirrors the answers submitted to bestpractices.dev. Refresh whenever criteria scoring changes (RAN-58).",
"_comment": "OpenSSF Best Practices self-assessment for RandomCodeSpace/otelcontext. Project page: https://www.bestpractices.dev/en/projects/12646. This file follows the canonical flat per-criterion schema described in coreinfrastructure/best-practices-badge:docs/bestpractices-json.md so the autofill robot can pre-fill the criteria page on board flip. Each <key>_status / <key>_justification mirrors the answers submitted to bestpractices.dev; for url-required criteria the URL is embedded inline in the justification (bestpractices.dev has no separate per-criterion URL field). Refresh whenever criteria scoring changes (RAN-58).",
"project_id": 12646,
"name": "otelcontext",
"description": "Self-hosted OTLP observability platform in a single Go binary \u2014 OTLP gRPC + HTTP ingest, GraphRAG-powered root-cause analysis, multi-tenant storage, and a built-in MCP server for AI agents.",
Expand All @@ -12,101 +12,78 @@
"project_page_url": "https://www.bestpractices.dev/en/projects/12646",
"description_good_status": "Met",
"description_good_justification": "See README.md. otelcontext is a self-hosted OTLP observability platform in a single Go binary \u2014 OTLP gRPC + HTTP ingest, GraphRAG-powered root-cause analysis, multi-tenant storage, and a built-in MCP server for AI agents.",
"description_good_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/README.md",
"interact_status": "Met",
"interact_justification": "GitHub Issues for bug reports and discussion, SECURITY.md for private vulnerability disclosure (GitHub Security Advisories). Both linked from README.",
"interact_url": "https://github.com/RandomCodeSpace/otelcontext/issues",
"contribution_status": "Met",
"contribution_justification": "Contribution process documented in CONTRIBUTING.md (PR template, conventional commits, test + vet + lint requirements): https://github.com/RandomCodeSpace/otelcontext/blob/main/CONTRIBUTING.md",
"contribution_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/CONTRIBUTING.md",
"contribution_requirements_status": "Met",
"contribution_requirements_justification": "CONTRIBUTING.md documents PR requirements: `go test -race ./...` passing, `go vet ./...` clean, golangci-lint clean, Semgrep + OSV-Scanner + Trivy + Gitleaks security stack green, Conventional Commit style. See https://github.com/RandomCodeSpace/otelcontext/blob/main/CONTRIBUTING.md",
"contribution_requirements_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/CONTRIBUTING.md",
"floss_license_status": "Met",
"floss_license_justification": "MIT \u2014 https://opensource.org/licenses/MIT",
"floss_license_osi_status": "Met",
"floss_license_osi_justification": "MIT is OSI-approved.",
"license_location_status": "Met",
"license_location_justification": "LICENSE.md at repository root: https://github.com/RandomCodeSpace/otelcontext/blob/main/LICENSE.md",
"license_location_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/LICENSE.md",
"documentation_basics_status": "Met",
"documentation_basics_justification": "README.md covers what otelcontext is, how to run it, ports/protocols (OTLP gRPC :4317, HTTP :8080), database driver options, TLS bootstrap, and authentication. CLAUDE.md documents the architecture (ingestion, GraphRAG, MCP, storage, configuration).",
"documentation_basics_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/README.md",
"documentation_interface_status": "Met",
"documentation_interface_justification": "OTLP wire protocol surface (gRPC + HTTP /v1/{traces,logs,metrics}) follows the OpenTelemetry OTLP spec. MCP tool catalogue (21 tools, JSON-RPC 2.0 + SSE) documented in CLAUDE.md. REST API surface and configuration env vars documented in CLAUDE.md.",
"documentation_interface_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/CLAUDE.md",
"sites_https_status": "Met",
"sites_https_justification": "All project links (README badges, docs, release downloads) use HTTPS via github.com.",
"discussion_status": "Met",
"discussion_justification": "GitHub Issues serves as the public discussion forum for bug reports and feature proposals.",
"discussion_url": "https://github.com/RandomCodeSpace/otelcontext/issues",
"english_status": "Met",
"english_justification": "All source comments, documentation, commit messages, and issue discussions are in English.",
"maintained_status": "Met",
"maintained_justification": "Active development on `main`. Recent fixes landed in commits 89de89a (RAN-56 HIGH/CRITICAL CVE patch), f433139 (RAN-53 OpenSSF stack), 4e0a4a2 (RAN-22). Dependabot weekly + security updates enabled.",
"maintained_url": "https://github.com/RandomCodeSpace/otelcontext/commits/main",
"repo_public_status": "Met",
"repo_public_justification": "Repository is public.",
"repo_public_url": "https://github.com/RandomCodeSpace/otelcontext",
"repo_track_status": "Met",
"repo_track_justification": "Git, hosted on GitHub.",
"repo_track_url": "https://github.com/RandomCodeSpace/otelcontext",
"repo_interim_status": "Met",
"repo_interim_justification": "All commits merged to `main` are publicly visible via GitHub. No batch or secret merges; small, reviewable PRs (e.g. PR #29..#34 land per-RAN-ticket).",
"repo_distributed_status": "Met",
"repo_distributed_justification": "Git is a distributed VCS; every clone holds full history.",
"version_unique_status": "Met",
"version_unique_justification": "Each release carries a unique semver tag (e.g. v0.0.11-beta.15) and an immutable git SHA.",
"version_unique_url": "https://github.com/RandomCodeSpace/otelcontext/tags",
"version_semver_status": "Met",
"version_semver_justification": "MAJOR.MINOR.PATCH-prerelease.N (e.g. v0.0.11-beta.15) \u2014 pre-release semver per https://semver.org. Pre-1.0 development phase.",
"version_semver_url": "https://github.com/RandomCodeSpace/otelcontext/tags",
"version_tags_status": "Met",
"version_tags_justification": "Tagged releases are published on GitHub.",
"version_tags_url": "https://github.com/RandomCodeSpace/otelcontext/tags",
"release_notes_status": "Met",
"release_notes_justification": "GitHub auto-generates release notes from PR titles for each tag; releases are listed at https://github.com/RandomCodeSpace/otelcontext/releases . Pre-1.0 cadence ships beta tags from main.",
"release_notes_url": "https://github.com/RandomCodeSpace/otelcontext/releases",
"release_notes_vulns_status": "Met",
"release_notes_vulns_justification": "Security fixes are landed in tagged commits with `fix(security):` Conventional-Commit prefix and surface in the auto-generated release notes (e.g. commit 89de89a `fix(security): patch HIGH/CRITICAL vulns flagged by OSV+Trivy on PR #34 (RAN-56)`).",
"report_process_status": "Met",
"report_process_justification": "SECURITY.md documents how to report bugs (GitHub Issues) vs vulnerabilities (private GitHub Security Advisory or email fallback to ak.nitrr13@gmail.com with `[otelcontext security]` subject prefix). See https://github.com/RandomCodeSpace/otelcontext/blob/main/SECURITY.md",
"report_process_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/SECURITY.md",
"report_tracker_status": "Met",
"report_tracker_justification": "GitHub Issues is the public bug tracker.",
"report_tracker_url": "https://github.com/RandomCodeSpace/otelcontext/issues",
"report_responses_status": "Met",
"report_responses_justification": "Maintainer responds to reported issues within 14 days; SECURITY.md commits to a 5 business-day acknowledgement for security reports and a 10 business-day triage decision for High/Critical issues.",
"enhancement_responses_status": "Met",
"enhancement_responses_justification": "Enhancement requests are triaged via GitHub Issues; maintainer responds within 14 days.",
"report_archive_status": "Met",
"report_archive_justification": "GitHub Issues is the public, searchable archive of bug reports, open and closed: https://github.com/RandomCodeSpace/otelcontext/issues?q=is%3Aissue . GitHub Security Advisories archives coordinated-disclosure reports.",
"report_archive_url": "https://github.com/RandomCodeSpace/otelcontext/issues?q=is%3Aissue",
"report_archive_justification": "GitHub Issues is the public, searchable archive of bug reports, open and closed: https://github.com/RandomCodeSpace/otelcontext/issues . GitHub Security Advisories archives coordinated-disclosure reports.",
"vulnerability_report_process_status": "Met",
"vulnerability_report_process_justification": "SECURITY.md is the canonical disclosure entry point: preferred channel is a private GitHub Security Advisory, with email fallback. Acknowledgement SLA 5 business days; triage SLA 10 business days for High/Critical; default embargo 90 days or first patched release. See https://github.com/RandomCodeSpace/otelcontext/blob/main/SECURITY.md",
"vulnerability_report_process_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/SECURITY.md",
"vulnerability_report_private_status": "Met",
"vulnerability_report_private_justification": "GitHub private vulnerability reporting is the preferred channel; advisories are filed at https://github.com/RandomCodeSpace/otelcontext/security/advisories/new",
"vulnerability_report_private_url": "https://github.com/RandomCodeSpace/otelcontext/security/advisories/new",
"vulnerability_report_response_status": "Met",
"vulnerability_report_response_justification": "SECURITY.md commits to acknowledgement within 5 business days and a fix triage decision within 10 business days for High/Critical.",
"build_status": "Met",
"build_justification": "Single-command build: `go build -o otelcontext .` (or `make build`). CI builds every PR via `.github/workflows/ci.yml`.",
"build_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/.github/workflows/ci.yml",
"build_common_tools_status": "Met",
"build_common_tools_justification": "Go toolchain (go 1.25.9 per go.mod) + Node/npm 20+ for the embedded React UI. Both are widely available and standard.",
"build_floss_tools_status": "Met",
"build_floss_tools_justification": "Go (BSD-3-Clause), Node/npm (MIT/ISC), GNU Make (GPL). All FLOSS.",
"test_status": "Met",
"test_justification": "Automated test suite under internal/* runs on every push (`go test -race ./...`). Coverage spans graphrag, ingest, storage, queue, vectordb, telemetry, tls, compress, config, api.",
"test_url": "https://github.com/RandomCodeSpace/otelcontext/actions/workflows/ci.yml",
"test_invocation_status": "Met",
"test_invocation_justification": "`go test -race ./...` \u2014 documented in CONTRIBUTING.md and exercised by `.github/workflows/ci.yml`.",
"test_most_status": "Met",
"test_most_justification": "Tests cover the core packages: internal/graphrag (drain, builder, investigation, migrate, tenant), internal/ingest (otlp_grpc_limits, otlp_e2e, otlp_http_gzip), internal/storage, internal/queue (dlq), internal/vectordb, internal/tls (selfsigned, filelock), internal/api, internal/telemetry, internal/config, internal/compress.",
"test_continuous_integration_status": "Met",
"test_continuous_integration_justification": "CI runs full test suite (`go test -race -timeout 180s ./...`) on every PR and every push to main.",
"test_continuous_integration_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/.github/workflows/ci.yml",
"test_policy_status": "Met",
"test_policy_justification": "CONTRIBUTING.md requires tests for new features and regression tests for bug fixes; PR review enforces it.",
"tests_are_added_status": "Met",
Expand All @@ -115,7 +92,6 @@
"tests_documented_added_justification": "CONTRIBUTING.md documents the test-with-every-change expectation.",
"warnings_status": "Met",
"warnings_justification": "`go vet ./...` and `golangci-lint` (.golangci.yml) run on every CI build; any warning fails the build.",
"warnings_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/.golangci.yml",
"warnings_fixed_status": "Met",
"warnings_fixed_justification": "All vet/lint warnings resolved on `main`; no suppressions without justification.",
"warnings_strict_status": "Met",
Expand All @@ -124,7 +100,6 @@
"know_secure_design_justification": "Maintainer applies defense-in-depth: per-tenant context propagation across HTTP/gRPC/MCP layers (internal/api/tenant_middleware.go, internal/ingest/otlp.go), tenant-scoped reads in internal/storage and internal/graphrag, signed-commit setup for `main` (scripts/setup-git-signed.sh), strict TLS (sslmode require/verify-ca/verify-full enforced when DB_AZURE_AUTH=true in internal/storage), parameterised queries via GORM, secrets via env (no in-repo secrets enforced by gitleaks).",
"know_common_errors_status": "Met",
"know_common_errors_justification": "Familiar with OWASP Top 10 and CWE-22/78/79/89/918. Semgrep `p/owasp-top-ten` + `p/security-audit` + `p/golang` rulesets run on every PR; OSV-Scanner against go.mod + ui/package-lock.json blocks merge on High/Critical.",
"know_common_errors_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/.github/workflows/security.yml",
"crypto_published_status": "Met",
"crypto_published_justification": "Only published algorithms used: Go crypto/tls, crypto/rand, crypto/sha256. No custom crypto.",
"crypto_call_status": "Met",
Expand All @@ -149,15 +124,12 @@
"delivery_unsigned_justification": "Source is delivered exclusively via HTTPS-served git from github.com. No unsigned binary delivery channel: pre-1.0 betas are tagged commits (verifiable by SHA), and binary build is in the user's pipeline (`go build`) \u2014 there is no pre-built binary distribution in scope. Signed-commit hardening on `main` is configured via scripts/setup-git-signed.sh.",
"vulnerabilities_fixed_60_days_status": "Met",
"vulnerabilities_fixed_60_days_justification": "Most recent example: commit 89de89a (`fix(security): patch HIGH/CRITICAL vulns flagged by OSV+Trivy on PR #34 (RAN-56)`) landed within 60 days of the OSV/Trivy advisory. Dependabot + OSV-Scanner + Trivy run weekly.",
"vulnerabilities_fixed_60_days_url": "https://github.com/RandomCodeSpace/otelcontext/security/advisories",
"vulnerabilities_critical_fixed_status": "Met",
"vulnerabilities_critical_fixed_justification": "Zero High/Critical open. RAN-56 patched all OSV+Trivy HIGH/CRITICAL findings on PR #34 (commit 89de89a).",
"no_leaked_credentials_status": "Met",
"no_leaked_credentials_justification": "Gitleaks job in `.github/workflows/security.yml` scans the full git history on every PR and push; merge blocked on any finding. GitHub repo-level secret scanning + push protection enabled.",
"no_leaked_credentials_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/.github/workflows/security.yml",
"static_analysis_status": "Met",
"static_analysis_justification": "Semgrep (p/security-audit + p/owasp-top-ten + p/golang) + golangci-lint run on every PR and push. Merge blocked on `--severity ERROR`.",
"static_analysis_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/.github/workflows/security.yml",
"static_analysis_common_vulnerabilities_status": "Met",
"static_analysis_common_vulnerabilities_justification": "Semgrep `p/owasp-top-ten` and `p/security-audit` rulesets cover CWE-22/78/79/89/918 and the broader OWASP Top 10. `p/golang` adds Go-specific issue patterns.",
"static_analysis_fixed_status": "Met",
Expand All @@ -166,13 +138,12 @@
"static_analysis_often_justification": "Semgrep + golangci-lint run on every push to main and every PR; Dependabot weekly cadence catches advisory drift between commits.",
"dynamic_analysis_status": "Met",
"dynamic_analysis_justification": "`go test -race -timeout 180s ./...` runs in CI on every PR (.github/workflows/ci.yml). The race detector instruments concurrency-heavy paths (graphrag event workers, retention scheduler, DLQ replay) and fails the build on any race.",
"dynamic_analysis_url": "https://github.com/RandomCodeSpace/otelcontext/blob/main/.github/workflows/ci.yml",
"dynamic_analysis_unsafe_status": "N/A",
"dynamic_analysis_unsafe_justification": "N/A \u2014 Go is memory-safe. The codebase contains no `unsafe.Pointer` in application code; only stdlib-internal use via the standard libraries.",
"dynamic_analysis_enable_assertions_status": "Met",
"dynamic_analysis_enable_assertions_justification": "Go panics-on-invariants are used at boundary conditions (e.g. config validation in internal/config). The `-race` detector is the Go equivalent of runtime concurrency assertions and is enabled in CI.",
"dynamic_analysis_fixed_status": "Met",
"dynamic_analysis_fixed_justification": "Race-detector and `go test` failures gate every PR; no known unfixed dynamic-analysis findings on `main`.",
"self_assessment_date": "2026-04-26",
"self_assessment_date": "2026-06-18",
"self_assessment_author": "TechLead (RAN-58)"
}