Amends release-please.yml with conditional steps that run only when
release-please cuts a release:
- checkout + pnpm install to give @cyclonedx/cyclonedx-npm the full
resolved workspace graph
- pnpm dlx @cyclonedx/cyclonedx-npm generates a CycloneDX 1.6 JSON SBOM
named sbom-<tag>.cdx.json; --ignore-npm-errors is required because
npm ls exits non-zero for dev-deps-of-dev-deps that pnpm correctly elides
- softprops/action-gh-release@<SHA> (v3.0.0, Renovate-managed) attaches
the file to the GitHub release as a downloadable asset
Adds ADR-023 §9 amendment documenting the step shape, rationale for
pnpm dlx (avoids lockfile per ADR-022), --ignore-npm-errors behaviour,
SHA pinning per ADR-023 §1, and the extended failure-mode table.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

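
The commit message above describes the step shape but does not show the workflow. The following is an added example written for this page, not the project's own release-please.yml: it reconstructs the conditional SBOM steps as described. The `@<SHA>` digests are left as placeholders exactly as the page elides them, the pnpm and Node versions and `release-type: node` are assumptions, the `permissions` block is the minimum GitHub requires for release-please to open its PR and for action-gh-release to upload an asset, and the `jq` sanity check is an addition that guards against `--ignore-npm-errors` masking a run that produced an empty or wrong-version SBOM.

```yaml
name: release-please

on:
  push:
    branches: [main]

permissions:
  contents: write        # create the release and upload the SBOM asset
  pull-requests: write   # release-please opens/updates the release PR

jobs:
  release-please:
    runs-on: ubuntu-latest
    steps:
      - id: release
        uses: googleapis/release-please-action@<SHA>  # digest elided, as on the page
        with:
          release-type: node   # assumed

      # Everything below runs only on the push that actually cuts a release;
      # on ordinary pushes release_created is unset and the steps are skipped.
      - uses: actions/checkout@<SHA>
        if: ${{ steps.release.outputs.release_created }}

      - uses: pnpm/action-setup@<SHA>
        if: ${{ steps.release.outputs.release_created }}
        with:
          version: 9   # assumed; match the packageManager field in package.json

      - uses: actions/setup-node@<SHA>
        if: ${{ steps.release.outputs.release_created }}
        with:
          node-version: 22   # assumed
          cache: pnpm

      - name: Install the resolved workspace graph
        if: ${{ steps.release.outputs.release_created }}
        run: pnpm install --frozen-lockfile

      - name: Generate CycloneDX 1.6 JSON SBOM
        if: ${{ steps.release.outputs.release_created }}
        env:
          TAG: ${{ steps.release.outputs.tag_name }}
        run: |
          pnpm dlx @cyclonedx/cyclonedx-npm \
            --spec-version 1.6 \
            --output-format JSON \
            --ignore-npm-errors \
            --output-file "sbom-${TAG}.cdx.json"
          # Added check: --ignore-npm-errors must not hide a degenerate result.
          test "$(jq -r .bomFormat "sbom-${TAG}.cdx.json")" = CycloneDX
          test "$(jq -r .specVersion "sbom-${TAG}.cdx.json")" = 1.6
          test "$(jq '.components | length' "sbom-${TAG}.cdx.json")" -gt 0

      - name: Attach SBOM to the GitHub release
        if: ${{ steps.release.outputs.release_created }}
        uses: softprops/action-gh-release@<SHA>  # v3.0.0 per the page; digest elided
        with:
          tag_name: ${{ steps.release.outputs.tag_name }}
          files: sbom-${{ steps.release.outputs.tag_name }}.cdx.json
```

`pnpm/action-setup` has to run before `setup-node` so that `cache: pnpm` can find the binary. The three `test` lines are the check a reviewer would ask for: `--ignore-npm-errors` swallows the non-zero `npm ls` exit the commit describes, but it would equally swallow a failure that left the SBOM with no components, and the step fails loudly in that case instead of publishing an empty asset.
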
Convention shift: epic folders + PRD filenames + frontmatter id
fields are now bare slugs. The created: timestamp (Phase 2) carries
the date; folder names don't repeat it. A future <task-id>-<slug>
shape (e.g. ClickUp) lands cleanly when that integration ships.
Renames (git mv preserves history):
- docs/work/2026-05-13-binder-wrap-helper/
-> docs/work/binder-wrap-helper/
- docs/work/2026-05-14-library-evaluation-policy/
-> docs/work/library-evaluation-policy/
- docs/work/2026-05-14-ci-security-and-supply-chain/
-> docs/work/ci-security-and-supply-chain/
- docs/work/prds/2026-05-13-binder-wrap-helper.prd.md
-> docs/work/prds/binder-wrap-helper.prd.md
- docs/work/prds/2026-05-13-coverage-architecture.prd.md
-> docs/work/prds/coverage-architecture.prd.md
- docs/work/prds/2026-05-14-library-evaluation-policy.prd.md
-> docs/work/prds/library-evaluation-policy.prd.md
- docs/work/prds/2026-05-14-ci-security-and-supply-chain.prd.md
-> docs/work/prds/ci-security-and-supply-chain.prd.md
Frontmatter updates inside the renamed files: epic id, epic prd,
story epic, PRD id, PRD builds-on all drop date prefixes.
System folder + state file move:
- New docs/work/_system/ holds framework-managed state.
- docs/work/_state.json -> docs/work/_system/_state.json.
- state-builder.mjs adds _system to SKIP_FOLDERS.
- cli.mjs + state-sync-guard.mjs + .husky/pre-commit point at the
new path.
template-reset-v1 epic deleted entirely (one-off cleanup epic from
the pre-date-convention era; status was already done).
Generator-template updates (so new artifacts ship in the right
shape):
- .sandcastle/decomposer.prompt.md emits bare-slug folder names +
ISO created: timestamp.
- .claude/skills/to-prd/SKILL.md template uses bare-slug filename +
bare-slug id field + ISO created: timestamp.
Doc reference updates: glossary, runbook, agent-first-workflow-
and-conformance, reviewer prompt, ADR-020, ADR-022, ADR-023 all
point at the new paths/slugs.

- ADR-023 codifies the four-pillar enforcement stack: Renovate for
bumps + Action SHA pinning via pinGitHubActionDigests, Socket.dev
as a 9th hard filter in evaluate-library (free App + self-hosted
socket-cli + reviewer-prompt enforcement), weekly trace
revalidation cron with two-tier divergence action (rolling
dashboard issue + per-dep re-evaluation issues), and the baseline
GitHub-native gates (CodeQL, pnpm audit signatures, gitleaks
pre-commit + native push protection). Failure-mode hierarchy is
the single source of truth referenced by the sandcastle reviewer.
- Section 6 amends ADR-022 in place: major-bump re-evaluation
trigger (minor/patch bumps skip), last-revalidated frontmatter
field (preserves original date for adoption provenance), and
Socket as the 9th hard filter. ADR-022 stays unedited; both ADRs
read as a composed policy.
- PRD at docs/work/prds/2026-05-14-ci-security-and-supply-chain.prd.md
seeds the implementation epic; explicit sequencing -- depends on
the in-flight library-evaluation epic's stories 01/02/04/06
landing first.
- Glossary gains "Trace revalidation" + "Major-bump re-evaluation"
entries referenced by both ADRs.
Catalyst: 2026-05-14 audit confirmed zero security tooling in the
repo + GitHub Actions pinned to major-version tags (the tj-actions/
changed-files attack class). ADR-022 closes the adoption-time gate;
ADR-023 closes the post-adoption drift gate.