From bfa00c7f1b95ccccd407c979526424754407a3c8 Mon Sep 17 00:00:00 2001 From: Sonu Kapoor Date: Fri, 26 Jun 2026 10:45:00 +0200 Subject: [PATCH 1/2] docs: convert trust boundaries ASCII diagram to Mermaid --- website/docs/security-assurance-case.md | 42 ++++++++++++------------- 1 file changed, 20 insertions(+), 22 deletions(-) diff --git a/website/docs/security-assurance-case.md b/website/docs/security-assurance-case.md index 789b139..c237c21 100644 --- a/website/docs/security-assurance-case.md +++ b/website/docs/security-assurance-case.md @@ -55,28 +55,26 @@ The scope of these claims is the CLI itself. They do not extend to the security ## Trust boundaries -``` - ┌────────────────────────────────────────────────────────────┐ - │ Developer machine │ - │ │ - │ ┌──────────────┐ ┌─────────────┐ ┌─────────────┐ │ - │ │ Lockfile + │───>│ │<───│ Local │ │ - │ │ package.json │ │ CVE Lite │ │ advisory DB │ │ - │ └──────────────┘ │ CLI │ │ (offline) │ │ - │ │ │ └─────────────┘ │ - │ ┌──────────────┐ │ │ ┌─────────────┐ │ - │ │ CLI args │───>│ │<───│ OSV cache │ │ - │ └──────────────┘ │ │ │ (online) │ │ - │ └──────┬──────┘ └─────────────┘ │ - │ │ │ - │ ▼ │ - │ Stdout / report │ - └─────────────────────────┬────────────────────────────────-─┘ - │ (only outbound: hardcoded endpoints) - ┌──────────────┼──────────────┐ - ▼ ▼ ▼ - api.osv.dev storage.googleapis registry.npmjs.org - /osv-vulnerabilities +```mermaid +flowchart TD + subgraph dev["Developer machine"] + lockfile["Lockfile + package.json"] + args["CLI args"] + cli["CVE Lite CLI"] + localdb["Local advisory DB (offline)"] + osvcache["OSV cache (online)"] + output["Stdout / report"] + + lockfile --> cli + args --> cli + localdb --> cli + osvcache --> cli + cli --> output + end + + cli -->|"only outbound: hardcoded endpoints"| osv["api.osv.dev"] + cli --> gcs["storage.googleapis.com/osv-vulnerabilities"] + cli --> npm["registry.npmjs.org"] ``` **Boundaries and what crosses them:** 
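Review bot: the "only outbound: hardcoded endpoints" constraint is now attached to a single edge, `cli -->|"only outbound: hardcoded endpoints"| osv["api.osv.dev"]`, while the following `cli --> gcs[...]` and `cli --> npm[...]` edges are unlabeled; in the removed ASCII diagram the label sat on the one line leaving the "Developer machine" box, so it applied to all three endpoints. As written, a reader of the assurance case can take the hardcoded-endpoint claim to cover api.osv.dev only, which weakens the documented property. Either label all three edges or put the constraint on a shared container for the endpoints. Separately, the patch touches only `website/docs/security-assurance-case.md` and no site configuration; confirm the docs site actually renders ```mermaid fences, otherwise this degrades to a raw code block, which communicates less than the ASCII art it replaces.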
From 1d53b68d47d7f66fc70df357053c61c78eb18ff4 Mon Sep 17 00:00:00 2001 From: Sonu Kapoor Date: Fri, 26 Jun 2026 10:50:00 +0200 Subject: [PATCH 2/2] docs: fix trust boundaries diagram layout - separate external endpoints into own subgraph --- website/docs/security-assurance-case.md | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/website/docs/security-assurance-case.md b/website/docs/security-assurance-case.md index c237c21..5e16a49 100644 --- a/website/docs/security-assurance-case.md +++ b/website/docs/security-assurance-case.md @@ -56,13 +56,13 @@ The scope of these claims is the CLI itself. They do not extend to the security ## Trust boundaries ```mermaid -flowchart TD +flowchart TB subgraph dev["Developer machine"] lockfile["Lockfile + package.json"] args["CLI args"] - cli["CVE Lite CLI"] localdb["Local advisory DB (offline)"] osvcache["OSV cache (online)"] + cli["CVE Lite CLI"] output["Stdout / report"] lockfile --> cli @@ -72,9 +72,16 @@ flowchart TD cli --> output end - cli -->|"only outbound: hardcoded endpoints"| osv["api.osv.dev"] - cli --> gcs["storage.googleapis.com/osv-vulnerabilities"] - cli --> npm["registry.npmjs.org"] + subgraph ext["External endpoints — outbound only, hardcoded"] + direction LR + osv["api.osv.dev"] + gcs["storage.googleapis.com/osv-vulnerabilities"] + npm["registry.npmjs.org"] + end + + cli --> osv + cli --> gcs + cli --> npm ``` **Boundaries and what crosses them:**
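Review bot: `direction LR` inside `subgraph ext[...]` will have no effect here, because Mermaid documents that when any node of a subgraph is linked from outside the subgraph, the subgraph's direction is ignored and it inherits the parent's direction; `osv`, `gcs` and `npm` are all targets of `cli --> ...` edges from the `dev` subgraph, so the three endpoints will still stack top-to-bottom under `flowchart TB`. If the horizontal row is wanted, draw the boundary crossing as one edge between the subgraphs (`dev --> ext`) instead of three node-level edges, which also matches the single chokepoint the original ASCII diagram showed, or drop the `direction` line so the diagram does not promise a layout it cannot produce. The `flowchart TD` to `flowchart TB` change is a no-op (both mean top-to-bottom) and can be left out of a "fix layout" commit. Moving the constraint into the subgraph title, `ext["External endpoints — outbound only, hardcoded"]`, does correctly restore the claim to all three endpoints.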