Skip to content

security: add a dependency audit command and CI gate #330

Description

@WalksWithASwagger

Summary

Add one explicit security-verification command and CI gate for root npm, frontend npm, and locked Python dependencies.

Context

  • Blocked by build: add a reproducible hashed Python 3.11 CI lock #329.
  • Roadmap phase: Phase 1 - dependency health
  • Relevant files: root package.json, .github/workflows/ci.yml, Python audit tooling/configuration, and focused workflow tests
  • Current behavior: deterministic tests run, but dependency vulnerability checks are incomplete or split across ad hoc commands; the frontend graph is not consistently audited.
  • Desired behavior: npm run verify:security performs the documented networked dependency checks and CI fails on actionable high-severity findings.

Implementation Notes

  • Audit the root production npm graph, the frontend production graph, and the hashed Python CI lock.
  • Include frontend build dependencies in a separate visible check because Vite-related advisories can live outside the production-only tree.
  • Do not use npm audit fix --force or silently suppress an advisory.
  • Separate deterministic npm run verify from networked verify:security in documentation and CI.

Acceptance Criteria

  • npm run verify:security runs root production npm audit, frontend production npm audit, frontend full-tree audit, and pip-audit against the CI lock.
  • CI invokes the command in a clearly named dependency-security step.
  • High-severity findings fail unless a specific, scoped, documented exception is reviewed.
  • Any upstream-only deprecation is named and tracked without forcing an unrelated framework upgrade.
  • No audit command mutates lockfiles or installs globally.
  • The deterministic local verification command remains network-independent.

Tests/Evals

  • Add workflow/script tests that protect command composition and failure propagation.
  • Use registry/network access only for the audits themselves; never invoke providers.

Verification

  • npm run verify
  • npm run verify:security
  • python3 -m pytest tests/agentic/test_workflows.py -q
  • git status --short after verification shows no generated or lockfile changes.

Agent Instructions

  • Use branch codex/issue-<this-issue>-dependency-security-gate.
  • Do not start until build: add a reproducible hashed Python 3.11 CI lock #329 is merged and main is green.
  • Never use forced audit remediation or broad dependency upgrades.
  • If an advisory cannot be resolved safely, report it with exact dependency-path evidence and stop.

Human Checkpoints

  • Maintainer review is required before accepting any temporary high-severity exception.

Out of Scope

  • Major framework upgrades.
  • GitHub Action pinning, Dependabot, CodeQL, or dependency-review workflows.
  • Automated dependency merging.
  • Provider calls or credential changes.

Linear

Not applicable. Rafiki delivery is GitHub-only; do not create or update a Linear issue.

Metadata

Metadata

Assignees

No one assigned

    Labels

    blockedWork cannot proceed until a blocker is resolved.phase-1Phase 1 — Polish & StabilitypipelineCore pipeline toolingsecuritySecurity and secrets managementtech-debtTechnical debttestsTest coverage, smoke checks, and acceptance automationtype:taskImplementation task

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions