docs: restructure README following opena2a-cli template#45
Merged
Conversation
Plain markdown left-aligned (logo inlined, not centered). First runnable command + simulated output land within the first 30 lines so a new user sees value before scrolling. Commands grouped by job (assess / encrypt / vault / operate) instead of one mixed code block plus a paragraph list, so a reader can scan to the right table directly. The replacement "Which command do I want" intent table consolidates the old "What It Does" + "Common Commands" + "Use Cases" sections. New "Verifying releases" section documents the actual trust signal shipped today: `SHA256SUMS.txt` attached to each GitHub Release. The workflows have `--provenance` + `id-token: write` scaffolding but published artifacts on npm 0.3.4 and PyPI 1.4.3 currently carry no SLSA attestations or Sigstore signatures, so the README does not claim them yet. Drops the centered slogan "Life is hard but cryptography doesn't have to be." and the hardcoded "Python SDK v1.4.3" version string. Census ecosystem count corrected to 11 + NVD (matches `cryptoserve census` help output; the previous "npm, PyPI, crates.io, Go, Maven" listed only five). 246 -> 209 lines.
|
Claude finished @thebenignhacker's task —— View job Security-Focused PR ReviewCompleted security analysis of README.md documentation changes. Tasks
Security Analysis ResultsThis PR contains documentation-only changes to README.md. I've reviewed all code examples, commands, and links against the 12-point security checklist: ✅ No Security Issues FoundChecks Performed:
Logic Bugs (Items 10-12): N/A - No scoring, gating, or filter logic in this documentation change Reviewed Code Examples:
External Links: All links point to official project domains or GitHub resources:
Notable Security Improvements in PR:
ConclusionThis is a safe documentation restructure with no security concerns. The PR actually improves security awareness by:
FINDINGS_COUNT=0 |
|
Manual review required. This PR did not meet auto-merge criteria:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
SHA256SUMS.txton each GitHub Release. Workflows have--provenance+id-token: writescaffolding but published artifacts on npm 0.3.4 and PyPI 1.4.3 carry no SLSA attestations or Sigstore signatures, so the README does not claim them yet.Python SDK v1.4.3line that would age instantly.census --helpoutput.Verification done before drafting
npm view cryptoserve dist.attestationsreturns missing on 0.3.4; PyPI 1.4.3 wheels showhas_sig: false. README claims onlySHA256SUMS.txtparity, which is verifiable.Object.keys(ALGORITHM_DB).length == 131. README says "131 algorithms".go, python, java, rust, c) covering 6 languages (JS/TS via manifest scanner, Java/Kotlin and C/C++ as combined profiles). README says "6 languages" with the explicit list.docs/cli.md,docs/security/index.md, etc.) exists in the tree.grep -cP '—' README.mdreturns 0. Style Check workflow should pass.Test plan
npx cryptoserve scan .block lands above the fold on a standard laptop viewport.Follow-ups (not in this PR)
npm view ... dist.attestationsandpython -m sigstore verify.docs/use-cases/is worth creating (OpenA2A has it; this PR omits it to avoid linking to nonexistent files).