
docs(infra): security audit follow-ups — design + 4 implementation plans#514

Merged
Detair merged 2 commits into
mainfrom
docs/security-audit-design
Apr 11, 2026

Conversation

@Detair (Owner) commented Apr 11, 2026

Summary

Documentation-only PR. Adds the design spec and 4 implementation plans for the remaining items from the post-#512 security audit.

Files

| File | Purpose |
| --- | --- |
| docs/superpowers/specs/2026-04-11-security-audit-followups-design.md | Spec covering all 4 topics |
| docs/superpowers/plans/2026-04-11-cleanup-guard-test-flake.md | Topic 4 implementation plan (14 tasks) |
| docs/superpowers/plans/2026-04-11-client-devtime-advisories.md | Topic 1 implementation plan (5 tasks) |
| docs/superpowers/plans/2026-04-11-osv-scanner-ci.md | Topic 2 implementation plan (2 tasks) |
| docs/superpowers/plans/2026-04-11-scap-fork-cleanup.md | Topic 3 implementation plan (3 tasks) |

Topics

  1. Devtime advisories — apply bun overrides on a regular branch (PR #513, "fix(security): audit follow-up — advisory ignores, client dep patches, cleanup", hit a worktree-specific bug)
  2. osv-scanner CI job — independent advisory source via OSV database
  3. scap fork cleanup — re-test upstream main, drop the Detair fork if it now builds
  4. CI #900/900 flake — root caused to CleanupGuard::drop blocking join with no timeout. Stopgap (bounded join) + proper fix (explicit cleanup().await migration across 16 files / ~136 sites)

Recommended implementation order

Topic 4 → Topic 1 → Topic 2 → Topic 3.

Topic 4 first because it's actively blocking CI on every PR. Topic 2 depends on Topic 1 being green (so the new osv-scan job doesn't fail day 1).

Review process

  • Spec: 3 review iterations with spec-document-reviewer
  • Each plan: 1-2 review iterations with plan-document-reviewer
  • Topic 2 plan caught a real issue: `google/osv-scanner-action@v2` doesn't exist upstream (no v2 floating tag) — pinned to `@v2.3.5`

Test plan

This is documentation only. No code changes, no test impact. The plans themselves contain the test plans for their respective implementations.

🤖 Generated with Claude Code

Detair and others added 2 commits April 11, 2026 20:03
Four independent sub-projects from the post-#512 audit:

1. Devtime advisories — retry overrides on a regular branch (was bun
   worktree bug in #513), fall back to lockstep dep updates
2. osv-scanner CI job — independent advisory source via OSV database,
   scheduled weekly + on PRs/main
3. scap fork cleanup — re-test upstream main HEAD; if Linux now builds,
   drop the Detair fork; otherwise open a narrow upstream PR
4. CI #900/900 flake — root caused to CleanupGuard's no-timeout join
   in Drop. Stopgap (bounded join) + proper fix (#[must_use] type-state
   + explicit cleanup().await migration).

Each topic gets its own implementation plan and PR.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
One plan per spec topic, all independent and shippable separately.
Recommended implementation order (per spec): Topic 4 → 1 → 2 → 3.

- 2026-04-11-cleanup-guard-test-flake.md (Topic 4, 14 tasks) — fix the
  CleanupGuard CI flake. Layer 1 stopgap (bounded join), Layer 2 explicit
  cleanup() method + ~136 test-site migration across 16 files, Layer 3
  panic activation deferred to follow-up issue.

- 2026-04-11-client-devtime-advisories.md (Topic 1, 5 tasks) — apply
  package.json overrides on a regular branch (not worktree, to avoid
  PR #513's bun bug). Plan A overrides + Plan B lockstep dep updates
  fallback + mermaid lazy-load investigation.

- 2026-04-11-osv-scanner-ci.md (Topic 2, 2 tasks) — add osv-scanner
  job to existing security.yml. Pinned to v2.3.5 (no v2 floating tag
  exists upstream). HIGH+ severity gate. SARIF upload to Security tab.

- 2026-04-11-scap-fork-cleanup.md (Topic 3, 3 tasks) — test if upstream
  CapSoftware/scap main HEAD now builds vc-client on Linux. If yes,
  drop Detair fork (Task 2). If no, open narrow upstream PR (Task 3,
  requires user authorization).

All 4 plans peer-reviewed and approved by spec-document-reviewer.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
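The Topic 4 fix sketched in the summary and in the commit messages above (a guard whose Drop joins with no timeout, a bounded-join stopgap, then an explicit `#[must_use]` cleanup) as an added illustration that is not code from this PR or the Detair repository. It assumes a hypothetical std-thread stand-in for the real async CleanupGuard, so `cleanup()` is a consuming method rather than `cleanup().await`; the layering is the same.

```rust
use std::sync::mpsc::{self, Receiver};
use std::thread::{self, JoinHandle};
use std::time::Duration;

/// Outcome reported by an explicit cleanup() call.
#[derive(Debug, PartialEq)]
pub enum Cleanup {
    Joined,    // worker signalled completion and was joined
    Abandoned, // worker hung past the bound (or died): detached, never awaited
}

/// Hypothetical stand-in for the page's CleanupGuard: owns a worker thread plus
/// a channel the worker signals once its cleanup work is done.
#[must_use = "call cleanup() so the worker's completion is awaited and checked"]
pub struct CleanupGuard {
    done: Receiver<()>,
    worker: Option<JoinHandle<()>>,
    bound: Duration,
}

impl CleanupGuard {
    /// Spawn a worker that needs `work` to finish; `bound` caps how long we wait.
    pub fn spawn(work: Duration, bound: Duration) -> Self {
        let (tx, done) = mpsc::channel();
        let worker = thread::spawn(move || {
            thread::sleep(work);
            let _ = tx.send(());
        });
        CleanupGuard { done, worker: Some(worker), bound }
    }

    /// Layer 2: explicit cleanup consumes the guard and reports the outcome,
    /// so a test sees a clear result instead of silently stalling in Drop.
    pub fn cleanup(mut self) -> Cleanup {
        self.wait_bounded()
    }

    fn wait_bounded(&mut self) -> Cleanup {
        let handle = match self.worker.take() { Some(h) => h, None => return Cleanup::Joined };
        match self.done.recv_timeout(self.bound) {
            Ok(()) => { let _ = handle.join(); Cleanup::Joined } // finished: join cannot hang
            Err(_) => Cleanup::Abandoned, // timed out or sender dropped: never block here
        }
    }
}

/// Layer 1 stopgap: Drop still waits, but only up to `bound`, so one hung
/// worker can no longer wedge the whole test run (the no-timeout join that flaked CI).
impl Drop for CleanupGuard {
    fn drop(&mut self) { let _ = self.wait_bounded(); }
}
```

A worker that never signals is abandoned after `bound` on both paths; only the explicit path tells the test that this happened, which is why the migration to `cleanup()` is the proper fix and the bounded Drop only the stopgap.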
@Detair Detair merged commit a32a5a0 into main Apr 11, 2026
14 of 15 checks passed
@Detair Detair deleted the docs/security-audit-design branch April 12, 2026 00:43