|
65 | 65 | "repo_distributed_justification": "git is a fully distributed VCS (each clone contains the full history and every operation works offline). Repo at https://github.com/RandomCodeSpace/snipIT is git-native.", |
66 | 66 |
|
67 | 67 | "version_unique_status": "Met", |
68 | | - "version_unique_justification": "snipIT is a single-script project distributed via `git clone` of the main branch — the unique version identifier is the commit SHA on main, which is globally unique by git's content-addressable design and is the version recorded in any install. No tagged releases yet (single .ps1 with no compile/build step); when a tag-release flow is added, semver tags will be the user-facing identifier.", |
| 68 | + "version_unique_justification": "snipIT v0.1.0 is the first tagged release — annotated, SSH-signed git tag `v0.1.0` on main, paired with GitHub Release `v0.1.0` at https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0. The tag is globally unique by git's content-addressable design and is the user-facing version identifier. CHANGELOG.md `[v0.1.0] - 2026-04-26` captures the release contents.", |
| 69 | + "version_unique_url": "https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0", |
69 | 70 |
|
70 | 71 | "version_semver_status": "Met", |
71 | | - "version_semver_justification": "CHANGELOG.md header explicitly commits the project to Semantic Versioning 2.0.0: 'this project adheres to Semantic Versioning 2.0.0' (https://semver.org/spec/v2.0.0.html). All future tags will be `vMAJOR.MINOR.PATCH` per SemVer. snipIT has no tagged releases yet — the [Unreleased] section captures pre-tag work; on first tag cut, the heading becomes `[vX.Y.Z] - YYYY-MM-DD` and a fresh [Unreleased] opens.", |
72 | | - "version_semver_url": "https://github.com/RandomCodeSpace/snipIT/blob/main/CHANGELOG.md", |
| 72 | + "version_semver_justification": "CHANGELOG.md header explicitly commits the project to Semantic Versioning 2.0.0: 'this project adheres to Semantic Versioning 2.0.0' (https://semver.org/spec/v2.0.0.html). The first tagged release is `v0.1.0` (https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0) — `vMAJOR.MINOR.PATCH` SemVer-shaped. Future tags continue the same format; CHANGELOG.md `[v0.1.0] - 2026-04-26` is the canonical entry.", |
| 73 | + "version_semver_url": "https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0", |
73 | 74 |
|
74 | 75 | "version_tags_status": "Met", |
75 | | - "version_tags_justification": "CHANGELOG.md states 'Version numbers below correspond to git tags on main.' Each release will be cut as an annotated, GPG/SSH-signed git tag (`vX.Y.Z`). The signed-tag requirement is codified in shared/runbooks/engineering-standards.md §8 ('Commit identity and signed commits'): `tag.gpgsign=true` is set repo-locally by scripts/setup-git-signed.sh and enforced by branch protection on main. snipIT has no tagged releases yet — the [Unreleased] section captures pre-tag work.", |
76 | | - "version_tags_url": "https://github.com/RandomCodeSpace/snipIT/blob/main/CHANGELOG.md", |
| 76 | + "version_tags_justification": "CHANGELOG.md states 'Version numbers below correspond to git tags on main.' First release is the annotated, SSH-signed git tag `v0.1.0` (https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0), cut from the `release(RAN-66): cut snipIT v0.1.0` PR squash commit. The signed-tag requirement is codified in shared/runbooks/engineering-standards.md §8 ('Commit identity and signed commits'): `tag.gpgsign=true` is set repo-locally by scripts/setup-git-signed.sh; branch protection on main enforces verified signatures.", |
| 77 | + "version_tags_url": "https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0", |
77 | 78 |
|
78 | 79 | "release_notes_status": "Met", |
79 | | - "release_notes_justification": "CHANGELOG.md at repo root, Keep-a-Changelog 1.1.0 format with `[Unreleased]` collecting pre-tag work and per-version sections opened on each tag. Captures Added / Changed / Fixed / Security entries for every merge to main. Until the first tag is cut (tracked under Scorecard `Packaging` in CLAUDE.md), the `[Unreleased]` section is the release-notes surface; on tag, the heading is replaced with the version + date and a fresh `[Unreleased]` opens. SECURITY.md §Changelog separately tracks disclosure-policy version history.", |
80 | | - "release_notes_url": "https://github.com/RandomCodeSpace/snipIT/blob/main/CHANGELOG.md", |
| 80 | + "release_notes_justification": "CHANGELOG.md at repo root, Keep-a-Changelog 1.1.0 format. First tagged release `[v0.1.0] - 2026-04-26` captures the OpenSSF Best Practices `passing` baseline + supporting documentation surface under Added / Changed / Fixed / Security subsections. The corresponding GitHub Release at https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0 surfaces the same notes on the Releases page. A fresh `[Unreleased]` section sits at the top to collect post-v0.1.0 work; on each subsequent tag the `[Unreleased]` heading is replaced with the version + date and a new `[Unreleased]` opens.", |
| 81 | + "release_notes_url": "https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0", |
81 | 82 |
|
82 | 83 | "release_notes_vulns_status": "Met", |
83 | | - "release_notes_vulns_justification": "CHANGELOG.md reserves a dedicated `### Security` subsection inside every release entry (and the `[Unreleased]` working set) for non-trivial security fixes. The header text states explicitly: 'Each release MUST list any non-trivial security fixes under a dedicated Security subsection so downstream consumers can decide whether to upgrade.' Zero fixes to date — the current `[Unreleased]` Security subsection is honestly marked 'No security-relevant fixes shipped yet under this release line.' When a fix ships, the entry will reference the GHSA advisory + CVE per SECURITY.md §What you can expect.", |
| 84 | + "release_notes_vulns_justification": "CHANGELOG.md reserves a dedicated `### Security` subsection inside every release entry (and the `[Unreleased]` working set) for non-trivial security fixes. The header text states explicitly: 'Each release MUST list any non-trivial security fixes under a dedicated Security subsection so downstream consumers can decide whether to upgrade.' v0.1.0 ships with zero security-relevant fixes — its Security subsection is honestly marked: 'No security-relevant fixes shipped under v0.1.0. The OSS-CLI security stack landed in `.github/workflows/security.yml` is the gating channel for all future fixes; advisories will appear in this section under each release where they apply, alongside a GHSA link.' The GitHub Release notes at https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0 mirror this content.", |
| 85 | + "release_notes_vulns_url": "https://github.com/RandomCodeSpace/snipIT/releases/tag/v0.1.0", |
84 | 86 |
|
85 | 87 | "report_process_status": "Met", |
86 | 88 | "report_process_justification": "SECURITY.md §Reporting a vulnerability documents the private channel for security issues (GitHub private vulnerability report at /security/advisories/new, or `ak.nitrr13@gmail.com` with `[snipIT security]` subject; 72-hour ack SLA, 7-day triage, 90-day coordinated disclosure). CONTRIBUTING.md §Reporting documents the public channel for functional bugs and feature requests — GitHub Issues at https://github.com/RandomCodeSpace/snipIT/issues. Both channels are linked from README.md.", |
|
0 commit comments