-
Notifications
You must be signed in to change notification settings - Fork 0
security: add a dependency audit command and CI gate #330
Copy link
Copy link
Open
Labels
blockedWork cannot proceed until a blocker is resolved.Work cannot proceed until a blocker is resolved.phase-1Phase 1 — Polish & StabilityPhase 1 — Polish & StabilitypipelineCore pipeline toolingCore pipeline toolingsecuritySecurity and secrets managementSecurity and secrets managementtech-debtTechnical debtTechnical debttestsTest coverage, smoke checks, and acceptance automationTest coverage, smoke checks, and acceptance automationtype:taskImplementation taskImplementation task
Description
Metadata
Metadata
Assignees
Labels
blockedWork cannot proceed until a blocker is resolved.Work cannot proceed until a blocker is resolved.phase-1Phase 1 — Polish & StabilityPhase 1 — Polish & StabilitypipelineCore pipeline toolingCore pipeline toolingsecuritySecurity and secrets managementSecurity and secrets managementtech-debtTechnical debtTechnical debttestsTest coverage, smoke checks, and acceptance automationTest coverage, smoke checks, and acceptance automationtype:taskImplementation taskImplementation task
Summary
Add one explicit security-verification command and CI gate for root npm, frontend npm, and locked Python dependencies.
Context
package.json,.github/workflows/ci.yml, Python audit tooling/configuration, and focused workflow testsnpm run verify:securityperforms the documented networked dependency checks and CI fails on actionable high-severity findings.Implementation Notes
npm audit fix --forceor silently suppress an advisory.npm run verifyfrom networkedverify:securityin documentation and CI.Acceptance Criteria
npm run verify:securityruns root production npm audit, frontend production npm audit, frontend full-tree audit, andpip-auditagainst the CI lock.Tests/Evals
Verification
npm run verifynpm run verify:securitypython3 -m pytest tests/agentic/test_workflows.py -qgit status --shortafter verification shows no generated or lockfile changes.Agent Instructions
codex/issue-<this-issue>-dependency-security-gate.mainis green.Human Checkpoints
Out of Scope
Linear
Not applicable. Rafiki delivery is GitHub-only; do not create or update a Linear issue.