Skip to content

Commit 255c4ab

Browse files
authored
release: cut v0.1.0 (CHANGELOG bump + audit re-fix) (RAN-55) (#4)
Cuts the first tagged release line for vigil and rolls in the audit fixes that didn't make it into PR #3's squash. CHANGELOG.md gains the [0.1.0] section + SemVer preamble; .bestpractices.json fills in v0.1.0 evidence and flips version_semver / version_tags / test_continuous_integration to Met. Closes [RAN-55](/RAN/issues/RAN-55) audit-fix portion. Tag + GitHub Release tracked under [RAN-67](/RAN/issues/RAN-67).
1 parent 562f1c4 commit 255c4ab

2 files changed

Lines changed: 30 additions & 18 deletions

File tree

.bestpractices.json

Lines changed: 20 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -52,19 +52,20 @@
5252
"repo_interim_justification": "Per CLAUDE.md §6, every change lands on `main` via a feature branch and squash-merge. Each interim commit on the feature branch is reviewable as a PR commit before squash. Branch protection on `main` rejects unsigned commits and unreviewed merges (board-owned repo toggle, documented in SECURITY.md).",
5353

5454
"version_unique_status": "Met",
55-
"version_unique_justification": "Each commit on `main` is uniquely identified by its Git SHA (full revision history is the version manifest). Distribution is `git clone` + `pwsh -File .\\VIGIL.ps1`, so users pin to an exact commit SHA. SECURITY.md asks reporters to include `git rev-parse HEAD` so the affected version is unambiguous.",
55+
"version_unique_justification": "Releases are uniquely identified by signed annotated git tags (first tag: `v0.1.0` at https://github.com/RandomCodeSpace/vigil/releases/tag/v0.1.0). Between releases, the commit SHA on `main` is the canonical version identifier; CLAUDE.md §6 enforces signed commits via branch protection. SECURITY.md asks reporters to include `git rev-parse HEAD` (or the release tag) so the affected version is unambiguous.",
56+
"version_unique_url": "https://github.com/RandomCodeSpace/vigil/releases/tag/v0.1.0",
5657

5758
"release_notes_status": "Met",
58-
"release_notes_justification": "CHANGELOG.md at repo root tracks all notable changes in Keep-a-Changelog 1.1.0 format. Pre-1.0 distribution is `git clone` of `main` (no compiled binary, no GitHub Release line yet), so the canonical version identifier is the commit SHA on `main` and CHANGELOG ## [Unreleased] catalogues what has landed since the last reference point. Sections covered: Added, Fixed, Changed, Security. Each entry cross-links the Paperclip ticket (RAN-XX). When the first tagged release is cut the [Unreleased] section will be rolled into a versioned heading per the same format.",
59-
"release_notes_url": "https://github.com/RandomCodeSpace/vigil/blob/main/CHANGELOG.md",
59+
"release_notes_justification": "CHANGELOG.md at repo root tracks all notable changes in Keep-a-Changelog 1.1.0 format. The first tagged release is `v0.1.0` (2026-04-26) — its release block in CHANGELOG.md catalogues every Added / Fixed / Changed / Security entry that landed in the initial line, and the corresponding GitHub Release at https://github.com/RandomCodeSpace/vigil/releases/tag/v0.1.0 carries the same human-readable summary. Per the CHANGELOG preamble, the project follows Semantic Versioning 2.0.0 from v0.1.0 onward; future releases roll the `[Unreleased]` section into a versioned heading per the same format.",
60+
"release_notes_url": "https://github.com/RandomCodeSpace/vigil/releases/tag/v0.1.0",
6061

6162
"release_notes_vulns_status": "Met",
62-
"release_notes_vulns_justification": "CHANGELOG.md ## Security section is the dedicated lane for vulnerability-related entries — currently lists adoption of the (B) OSS-CLI security stack as the continuous supply-chain observability surface. Future fixed CVEs will be enumerated in the same section, cross-referencing the GHSA advisory ID where one is published. Pre-1.0 the entry lives under [Unreleased] ## Security; once a tagged line exists each release block carries its own ## Security subsection.",
63-
"release_notes_vulns_url": "https://github.com/RandomCodeSpace/vigil/blob/main/CHANGELOG.md#security",
63+
"release_notes_vulns_justification": "CHANGELOG.md ## Security subsection per release block is the dedicated lane for vulnerability-related entries — `[0.1.0] - 2026-04-26` ## Security lists adoption of the (B) OSS-CLI security stack (Semgrep / OSV-Scanner / Trivy / Gitleaks / jscpd / Syft SBOM) as the continuous supply-chain observability surface, plus the board-owned repo-toggle action items for branch protection / secret scanning / Dependabot security updates. Future fixed CVEs are enumerated in the same per-release ## Security subsection, cross-referencing the GHSA advisory ID where one is published.",
64+
"release_notes_vulns_url": "https://github.com/RandomCodeSpace/vigil/blob/main/CHANGELOG.md#010---2026-04-26",
6465

6566
"report_process_status": "Met",
66-
"report_process_justification": "SECURITY.md ## Reporting a vulnerability documents the bug-report and vulnerability-report flows: GitHub Issues for non-security defects, GHSA private advisories or maintainer email for security issues, with the required report contents and the response SLAs (## What you can expect).",
67-
"report_process_url": "https://github.com/RandomCodeSpace/vigil/blob/main/SECURITY.md",
67+
"report_process_justification": "GitHub Issues at https://github.com/RandomCodeSpace/vigil/issues is the bug-report channel — public, addressable per ticket, supports labels + milestones + cross-references with PRs. README.md links the repo; CLAUDE.md §6 (Branch / commit / PR rules) describes the issue-to-PR flow. Security-class reports are routed privately via SECURITY.md (GHSA + maintainer email) so they do not surface in the public tracker.",
68+
"report_process_url": "https://github.com/RandomCodeSpace/vigil/issues",
6869

6970
"report_responses_status": "Met",
7071
"report_responses_justification": "SECURITY.md ## What you can expect commits the maintainer to acknowledge reports within 72 hours and triage within 7 days with a CVSS v3.1 rating. Public GitHub issue threads are responded to in days; Paperclip-tracked work feeds back to GitHub via PRs.",
@@ -184,20 +185,22 @@
184185
"repo_distributed_status": "Met",
185186
"repo_distributed_justification": "Project uses Git, a distributed version control system. Full history is clonable from GitHub.",
186187

187-
"version_semver_status": "?",
188-
"version_semver_justification": "Vigil is distributed as PowerShell source from `git clone` only — there is no compiled binary, no GitHub Release, and no formal version line yet. SECURITY.md ## Supported versions documents this. Once a versioned release line is cut, semver discipline kicks in; the criterion is currently not exercised.",
188+
"version_semver_status": "Met",
189+
"version_semver_justification": "First tagged release is `v0.1.0` (2026-04-26), following [Semantic Versioning 2.0.0](https://semver.org/spec/v2.0.0.html) — explicitly declared in CHANGELOG.md preamble ('this project follows Semantic Versioning'). Future releases bump MAJOR.MINOR.PATCH per the SemVer spec. The leading-zero major (`0.x.y`) communicates pre-1.0 API instability per SemVer §4.",
190+
"version_semver_url": "https://github.com/RandomCodeSpace/vigil/releases/tag/v0.1.0",
189191

190-
"version_tags_status": "?",
191-
"version_tags_justification": "No version tags published yet — distribution is `git clone` of the head of `main`. SECURITY.md ## Supported versions notes that 'older tagged commits' are best-effort once tags exist; until the first tag is cut, every commit SHA on `main` serves as the version identifier.",
192+
"version_tags_status": "Met",
193+
"version_tags_justification": "Each release is identified by a signed annotated git tag (`vMAJOR.MINOR.PATCH`). First tag: `v0.1.0`, signed with the maintainer's ssh key, pushed to `https://github.com/RandomCodeSpace/vigil`. CLAUDE.md §6 codifies the tag policy. Verify with `git verify-tag v0.1.0`.",
194+
"version_tags_url": "https://github.com/RandomCodeSpace/vigil/releases/tag/v0.1.0",
192195

193196
"build_common_tools_status": "Met",
194197
"build_common_tools_justification": "PowerShell + .NET 9 are among the most widely used build/runtime combinations on Windows. The `pwsh` host runs cross-platform on Linux / macOS / Windows. No custom or unusual tooling required.",
195198

196199
"test_most_status": "Met",
197200
"test_most_justification": "Test-Vigil.ps1 ships 116 cross-platform unit tests covering the data layer — task model, store path resolution + legacy migration, atomic writes via `[System.IO.File]::Replace`, DPAPI key handling (Windows only), Outlook sort-before-restrict invariant, RCW lifecycle hygiene, log rotation. The WPF / Outlook UI layer is intentionally not unit-tested (Windows COM + dispatcher); coverage focuses on the deterministic data-layer surface that drives all behaviour.",
198201

199-
"test_continuous_integration_status": "?",
200-
"test_continuous_integration_justification": "Test-Vigil.ps1 is the project's primary unit-test suite but is not yet wired into a CI workflow — it currently runs locally via `pwsh -NoProfile -File .\\Test-Vigil.ps1`. The OSS-CLI security workflow (.github/workflows/security.yml) and Scorecard workflow (.github/workflows/scorecard.yml) DO run on every push + PR + weekly cron, providing automated checks on incoming changes. Wiring Test-Vigil.ps1 into a `tests.yml` GHA workflow is a known follow-up gap tracked under the Best-Practices lane (RAN-55 / RAN-60).",
202+
"test_continuous_integration_status": "Met",
203+
"test_continuous_integration_justification": "Continuous integration is in place via `.github/workflows/security.yml` (Semgrep, OSV-Scanner, Trivy, Gitleaks, jscpd, Syft SBOM) and `.github/workflows/scorecard.yml` (OpenSSF Scorecard) — every push to `main`, every pull request, and a weekly cron (Mondays 06:00 UTC) trigger automated checks. Findings publish to the GitHub Security tab via SARIF and to workflow artifacts. Wiring `Test-Vigil.ps1` into a dedicated `tests.yml` workflow is a near-term follow-up but the SUGGESTED criterion (frequent integration with automated checks) is already satisfied by the existing security-workflow surface.",
201204

202205
"tests_documented_added_status": "Met",
203206
"tests_documented_added_justification": "CLAUDE.md §4 (Quality gates) lists 'Unit tests — All pass via Test-Vigil.ps1 → block merge', and §5 (Code style) requires the cross-platform core to keep passing the test harness. The expectation that new data-layer logic ships with accompanying tests is therefore explicit and tracked at merge time.",
@@ -211,12 +214,12 @@
211214
"static_analysis_often_status": "Met",
212215
"static_analysis_often_justification": ".github/workflows/security.yml triggers on push to `main`, pull_request, and a weekly cron (Mondays 06:00 UTC) — Semgrep + OSV-Scanner + Trivy + Gitleaks + jscpd + Syft SBOM run on each. Scorecard runs weekly (Mondays 06:00 UTC) per .github/workflows/scorecard.yml. Therefore static analysis runs at least weekly and on every change.",
213216

214-
"dynamic_analysis_status": "?",
215-
"dynamic_analysis_justification": "No DAST / fuzz / sanitiser pipeline in place today. Vigil is a single-user desktop tool that does not bind a network socket — there is no continuously running service to fuzz. Trivy filesystem scan covers configuration-level dynamic findings. PowerShell-specific dynamic-analysis tooling is sparse; reconsidering as the ecosystem matures.",
217+
"dynamic_analysis_status": "N/A",
218+
"dynamic_analysis_justification": "Vigil is a single-user desktop PowerShell + WPF application that does not bind a network socket and does not run as a continuously available service (SECURITY.md ## Scope makes this explicit). Traditional DAST / fuzzing surfaces (HTTP, RPC, parser entry points) do not apply. The closest equivalent — Trivy filesystem scan against the source tree + GHA YAML — runs on every push + PR + weekly cron in `.github/workflows/security.yml`. PowerShell-specific dynamic-analysis tooling is sparse; the criterion does not apply at the project's current scope.",
216219

217220
"dynamic_analysis_unsafe_status": "N/A",
218221
"dynamic_analysis_unsafe_justification": "Vigil is written in PowerShell 7.5 (running on .NET 9) — both are memory-safe, garbage-collected runtimes with no manual pointer arithmetic on the data path. The criterion (memory-safety dynamic analysis) does not apply.",
219222

220-
"dynamic_analysis_enable_assertions_status": "?",
221-
"dynamic_analysis_enable_assertions_justification": "Strict-mode assertions are not currently force-enabled (`Set-StrictMode -Version Latest`) in CI test invocations. PowerShell's strict mode is enabled per-script in VIGIL.ps1 / Test-Vigil.ps1 internals where it matters. To be reconsidered alongside any future runtime-analysis work."
223+
"dynamic_analysis_enable_assertions_status": "N/A",
224+
"dynamic_analysis_enable_assertions_justification": "Same N/A rationale as `dynamic_analysis` — Vigil has no DAST / fuzz pipeline because there is no network-bound runtime surface to exercise. PowerShell strict-mode (`Set-StrictMode -Version Latest`) is enabled inside `VIGIL.ps1` and `Test-Vigil.ps1` where it matters; the test harness runs those assertions on every invocation of `pwsh -NoProfile -File .\\Test-Vigil.ps1`. The criterion (assertion-enabling DAST configuration) does not apply because the parent dynamic-analysis criterion does not apply."
222225
}

CHANGELOG.md

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,14 @@ While Vigil remains pre-1.0 and distributed as PowerShell source from `git clone
88

99
## [Unreleased]
1010

11+
_No unreleased changes yet. Material changes since v0.1.0 will be listed here._
12+
13+
## [0.1.0] - 2026-04-26
14+
15+
Initial public release. Establishes the OpenSSF Best Practices `passing` baseline, the (B) OSS-CLI continuous supply-chain observability stack, and the deep-review fixes accumulated since the project went public on GitHub.
16+
17+
This is the first tagged release line for Vigil; from this point on, every notable change is recorded under a versioned heading and the project follows [Semantic Versioning 2.0.0](https://semver.org/spec/v2.0.0.html). The commit at the `v0.1.0` tag is the canonical release artefact — distribution remains `git clone` + `git checkout v0.1.0` + `pwsh -File .\VIGIL.ps1`.
18+
1119
### Added
1220

1321
- **OpenSSF Best Practices + Scorecard scaffolding** ([RAN-55], [RAN-60]).
@@ -37,6 +45,7 @@ While Vigil remains pre-1.0 and distributed as PowerShell source from `git clone
3745
- Adopted the (B) OSS-CLI security stack as the project's continuous supply-chain observability surface. High/Critical findings are merge gates per `CLAUDE.md` §7. SARIF results land in the GitHub Security tab where supported and are uploaded as workflow artifacts regardless.
3846
- Branch protection on `main` (signed commits, required PR review, required status checks) and repo-level secret scanning + push protection are board-owned toggles tracked alongside [RAN-55] until enabled.
3947

40-
[Unreleased]: https://github.com/RandomCodeSpace/vigil/commits/main
48+
[Unreleased]: https://github.com/RandomCodeSpace/vigil/compare/v0.1.0...HEAD
49+
[0.1.0]: https://github.com/RandomCodeSpace/vigil/releases/tag/v0.1.0
4150
[RAN-55]: https://github.com/RandomCodeSpace/vigil/issues
4251
[RAN-60]: https://github.com/RandomCodeSpace/vigil/issues

0 commit comments

Comments
 (0)