
feat: security-sensitive bootstrap mode (0.13.0)#151

Merged
stackbilt-admin merged 2 commits into main from codex/security-sensitive-bootstrap on May 19, 2026

Conversation

@stackbilt-admin
Member

Summary

  • Adds charter bootstrap --security-sensitive flag that seeds a SECURITY.md disclosure template, hard-fail drift deny patterns (timing equality, optional security bindings, auth TODOs, token JSON exposure), and a doctor check that warns when no security* or l4* test file is found
  • charter drift now surfaces security-deny violations as BLOCKER severity with a new securityBlockers field in JSON output; CI mode exits non-zero on any blocker regardless of drift score
  • Consolidates build command deprecation warnings (login, run, architect, scaffold) into a shared printBuildCommandDeprecationWarning helper, suppressible via CHARTER_NO_DEPRECATION_WARNING=1 or --no-deprecation-warning
  • Bumps all @stackbilt/* packages to 0.13.0 (minor — additive only, no breaking changes)

Test plan

  • charter bootstrap --security-sensitive --yes --preset worker --skip-install --skip-doctor creates SECURITY.md and .charter/patterns/security-deny.json
  • charter doctor in a security-sensitive repo warns on missing security test files, passes once one exists
  • charter drift --ci in a security-sensitive repo exits 1 when a timing-equality or other deny pattern is matched
  • Deprecation warning fires on charter login, run, architect, scaffold; suppressed with CHARTER_NO_DEPRECATION_WARNING=1
  • Existing bootstrap tests pass

🤖 Generated with Claude Code
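To make the drift behaviour described above concrete, here is an added example that is not @stackbilt's own code: it loads a deny-pattern file (reading `createdAt` from the file), scans source for the four deny categories named in the summary, reports every match as BLOCKER in a `securityBlockers` field, and has CI fail on any blocker regardless of the drift score. The file format, pattern ids, regexes, function signatures and the sample Worker are all assumptions constructed for the example, not the real `.charter/patterns/security-deny.json`.

```typescript
// Added example, not @stackbilt's own code: models the drift-scan behaviour the PR describes.
// The file format, pattern ids, regexes and signatures are assumptions, not the real security-deny.json.
interface DenyPattern { id: string; description: string; regex: string }
interface DenyFile { createdAt: string; patterns: DenyPattern[] }
interface Violation { id: string; line: number; severity: "BLOCKER"; text: string }
interface DriftReport { score: number; securityBlockers: Violation[] }

// Constructed stand-in for the seeded .charter/patterns/security-deny.json (one entry per category in the PR).
const SECURITY_DENY_JSON = JSON.stringify({
  createdAt: "2026-05-19T00:00:00Z",
  patterns: [
    { id: "timing-equality", description: "secret compared with ==/===", regex: "\\b(token|secret|signature|apikey)\\b\\s*[!=]==?" },
    { id: "optional-security-binding", description: "security binding declared optional", regex: "\\b\\w*(secret|key|token)\\b\\?:" },
    { id: "auth-todo", description: "unfinished auth logic", regex: "TODO\\b.*\\bauth" },
    { id: "token-json-exposure", description: "token written to a JSON response", regex: "json\\(\\{[^}]*\\btoken\\b" },
  ],
});

// createdAt is read from the file rather than new Date(), so repeated scans report a stable value.
function loadSecurityDenyPatterns(json: string): DenyFile {
  const file = JSON.parse(json) as DenyFile;
  return { createdAt: file.createdAt, patterns: file.patterns };
}

// Every deny match is a BLOCKER; the drift score is passed through, not recomputed here.
function scanForDrift(source: string, deny: DenyFile, score: number): DriftReport {
  const compiled = deny.patterns.map((p) => ({ id: p.id, re: new RegExp(p.regex, "i") }));
  const securityBlockers: Violation[] = [];
  source.split("\n").forEach((text, i) => {
    for (const p of compiled) {
      if (p.re.test(text)) securityBlockers.push({ id: p.id, line: i + 1, severity: "BLOCKER", text: text.trim() });
    }
  });
  return { score, securityBlockers };
}

// CI mode: any blocker fails the run even when the drift score is within budget.
function ciExitCode(report: DriftReport, maxScore = 20): number {
  if (report.securityBlockers.length > 0) return 1;
  return report.score > maxScore ? 1 : 0;
}

// Constructed Worker source that trips all four patterns.
const SAMPLE_WORKER = [
  "interface Env { AUTH_SECRET?: string }",
  "export default { async fetch(req: Request, env: Env) {",
  '  const token = req.headers.get("x-api-token"); // TODO: finish auth check',
  "  if (token === env.AUTH_SECRET) return Response.json({ ok: true, token });",
  '  return new Response("forbidden", { status: 403 }); } };',
].join("\n");
```

Running `scanForDrift(SAMPLE_WORKER, loadSecurityDenyPatterns(SECURITY_DENY_JSON), 3)` yields four blockers on lines 1, 3, 4 and 4, so `ciExitCode` returns 1 even though a score of 3 is well within budget.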

Kurt Overmier and others added 2 commits May 19, 2026 04:55
…cation warnings (0.13.0)

- `charter bootstrap --security-sensitive` seeds SECURITY.md, hard-fail drift deny patterns, and a doctor check for security test coverage
- `charter drift` surfaces security-deny violations as BLOCKER severity with a new `securityBlockers` JSON field; CI mode fails on any blocker
- Build commands (login, run, architect, scaffold) now share a single `printBuildCommandDeprecationWarning` helper; suppressed via CHARTER_NO_DEPRECATION_WARNING=1 or --no-deprecation-warning

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…gelog

- mergeReports no longer recomputes score; preserves base.score from scanForDrift
- Internal cross-dep ranges updated from ^0.12.1 to ^0.13.0 across all packages
- loadSecurityDenyPatterns reads createdAt from pattern file instead of new Date()
- CHANGELOG: add deprecation-warning refactor to Changed section; add [0.13.0] compare link

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1 participant