The previous layout placed epic folders directly under docs/work/
alongside prds/ and _system/. Tightening: epics now live in their
own docs/work/epics/ subfolder, peer to prds/ and _system/. Same
shape as the existing prds/ bucket.
Final docs/work/ layout:
README.md
prds/<slug>.prd.md
_system/_state.json
epics/<slug>/_epic.md + <story-folder>/_story.md
Renames (git mv preserves history):
- docs/work/binder-wrap-helper/
-> docs/work/epics/binder-wrap-helper/
- docs/work/library-evaluation-policy/
-> docs/work/epics/library-evaluation-policy/
- docs/work/ci-security-and-supply-chain/
-> docs/work/epics/ci-security-and-supply-chain/
Tooling updates:
- state-builder.mjs walks workRoot/epics/ directly; SKIP_FOLDERS
obsoleted (no more sibling folders to filter out).
- dispatch.mjs's findNextTask, tickStoryBulletInEpic, and
flipEpicDoneIfAllStoriesDone all join with "epics" segment.
- prd-ship.mjs's deriveShippingCommits walks workRoot/epics/ and
git-logs docs/work/epics/<epic>/.
- decomposer.prompt.md emits epics under docs/work/epics/<epic-id>/.
- handoff + grill-with-docs glossary references updated.
- Glossary entry for Epic updated.
Reserved future shape: when a task-tracker integration (ClickUp,
Linear) ships, the epics/ subfolder hosts <task-id>-<slug>/
folders. Today it just hosts bare slugs.
31 lines
1.8 KiB
Markdown
31 lines
1.8 KiB
Markdown
---
|
|
id: ci-security-and-supply-chain
|
|
prd: docs/work/prds/ci-security-and-supply-chain.prd.md
|
|
title: CI security + supply-chain enforcement stack
|
|
type: epic
|
|
status: done
|
|
features: [scripts, tooling, docs]
|
|
created: 2026-05-14T00:00:00Z
|
|
updated: 2026-05-14T19:21:52.308Z
|
|
---
|
|
|
|
## Goal
|
|
|
|
Implement a four-pillar CI security stack — Renovate-managed bumps + Action SHA pinning, Socket-based supply-chain-behavior detection, continuous trace revalidation extending ADR-022, and baseline GitHub-native gates — composed via a single failure-mode hierarchy that the sandcastle reviewer prompt enforces machine-readably for agent-driven PRs. Codifies ADR-023.
|
|
|
|
## Why
|
|
|
|
The repo's security posture has zero security tooling. ADR-022 + the library-evaluation epic close the adoption-time gate for new dependencies but not the drift gate. Six post-adoption threats remain uncovered: CVE disclosures, supply-chain behavior compromise, maintainer-account compromise, GitHub Actions supply-chain (major-tag pinning), license drift, and EU-residency drift. This epic closes all six via the four-pillar stack.
|
|
|
|
## Stories
|
|
|
|
- [x] [01 — Trace schema extensions (socketRisk + lastRevalidated)](01-trace-schema-extensions/_story.md)
|
|
- [x] [02 — Socket integration (skill + CI)](02-socket-integration/_story.md)
|
|
- [x] [03 — Renovate adoption](03-renovate-adoption/_story.md)
|
|
- [x] [04 — Major-bump re-evaluation flow](04-major-bump-reevaluation/_story.md)
|
|
- [x] [05 — Trace revalidation workflow](05-trace-revalidation-workflow/_story.md)
|
|
- [x] [06 — CodeQL workflow + pnpm audit signatures](06-codeql-and-audit-signatures/_story.md)
|
|
- [x] [07 — Gitleaks pre-commit hook](07-gitleaks-precommit/_story.md)
|
|
- [x] [08 — Sandcastle reviewer prompt update](08-reviewer-prompt-update/_story.md)
|
|
- [x] [09 — CI security guide + CLAUDE.md](09-ci-security-guide-and-docs/_story.md)
|