feat(scripts): extend trace schema with socketRisk and lastRevalidated
Add socketRisk (9th filter result) and lastRevalidated (nullable ISO date) to the library-decision trace schema. Downstream enforcement layers (evaluate-library skill, check.mjs major-bump mode, revalidate.mjs cron) all depend on these fields being validated at the schema layer first. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -6,6 +6,7 @@ decision: approved | rejected
|
||||
date: <YYYY-MM-DD>
|
||||
deciders: [<author>, ...]
|
||||
adr: adr-NNN | null
|
||||
lastRevalidated: null
|
||||
filter-results:
|
||||
license: <SPDX id>
|
||||
types: native | "@types/<x>" | none
|
||||
@@ -15,6 +16,7 @@ filter-results:
|
||||
eu-residency: ok | n/a | self-hostable | fail
|
||||
cve-scan: clean | "<advisory-id>" | fail
|
||||
named-consumer: pass | fail
|
||||
socketRisk: clean | flagged | <arbitrary-string>
|
||||
verification-commands:
|
||||
- <literal command that produced each filter result>
|
||||
accepted-cves: []
|
||||
@@ -84,6 +86,26 @@ Answer: "Who calls this code path today, or who is blocked waiting for it?"
|
||||
Hypothetical future callers are not consumers. This filter is the direct
|
||||
response to the 2026-05-14 OpenAPI near-miss (ADR-022 §Context).
|
||||
|
||||
## Filter: socketRisk
|
||||
|
||||
<!-- Result: clean | flagged | <arbitrary-string> -->
|
||||
|
||||
Run `socket npm:report <package>` (or check socket.dev) for supply-chain
|
||||
risk signals. `clean` = no issues detected. `flagged` = one or more high- or
|
||||
critical-severity signals (requires explicit risk-acceptance note here before
|
||||
approval). An arbitrary string records the specific risk label returned by the
|
||||
Socket CLI (e.g. `"obfuscated-code"`, `"install-script"`). The `lastRevalidated`
|
||||
frontmatter field is set to the ISO date of the most recent re-run.
|
||||
|
||||
## Field: lastRevalidated
|
||||
|
||||
<!-- Value: YYYY-MM-DD | null -->
|
||||
|
||||
ISO 8601 date of the last time the Socket supply-chain scan (and any other
|
||||
time-sensitive filter) was re-run against the current installed version.
|
||||
`null` = never revalidated since initial adoption (acceptable for fresh traces).
|
||||
Updated automatically by the weekly revalidation cron (Story 05).
|
||||
|
||||
## Prompt: replaces
|
||||
|
||||
<!-- Required: answer in either direction with justification -->
|
||||
|
||||
Reference in New Issue
Block a user