You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A discussion dedicated to the Git commit signing module. Share your thoughts, questions, and feedback here.
Module Scorecard
Presentation & Onboarding
Credential Hygiene
Restricted-Environment Readiness
Engineering Quality
Overall
8 / 25
20 / 20
N/A
5 / 10
60 / 100
Drilldown
Presentation & Onboarding — 8 / 25
Criterion
Max
Score
Notes
Configuration-mode examples
12
6
Single example provided with sensible defaults (count guard, agent_id). Module is simple with minimal options, so one example is reasonable, but lacks variation for different scenarios. Half credit.
Coder-context framing
8
2
README mentions "downloads your SSH key from Coder" and "uses it to sign commits with Git," but does not explain what this adds on top of Coder or show where Coder fits in the developer flow. Minimal framing. Quarter credit rounded to 2.
Visual preview
5
0
No image, GIF, or video present. Icon reference does not count.
Credential Hygiene — 20 / 20
Criterion
Max
Score
Notes
Secrets marked sensitive
16
16
Module has no sensitive inputs (only agent_id). The script retrieves secrets via CODER_AGENT_TOKEN at runtime, which is handled by Coder's agent environment. README example shows no inline secrets. Full credit.
Non-hardcoded auth path
4
4
Uses Coder's built-in agent authentication via CODER_AGENT_TOKEN and CODER_AGENT_URL environment variables. No raw keys in templates. Full credit.
Restricted-Environment Readiness — N/A
Criterion
Max
Score
Notes
Mirrorable artifact source
10
N/A
Module downloads nothing of its own; it only calls the Coder API to retrieve SSH keys. No external tool downloads or installs.
Bring-your-own binary
5
N/A
Module downloads nothing of its own; it only calls the Coder API to retrieve SSH keys. No external tool downloads or installs.
Egress transparency
3
N/A
Module downloads nothing of its own; it only calls the Coder API to retrieve SSH keys. No external tool downloads or installs.
Runs without sudo
2
N/A
Module executes run.sh, but this criterion applies. Moving to Engineering Quality evaluation. Actually, this should be scored. Re-evaluating: run.sh never invokes sudo, uses only mkdir, chmod, curl, jq, git config. All operations are in user home directory. Full credit = 2.
Correction: Runs without sudo applies because the module executes a script. Re-scoring Restricted-Environment Readiness:
Restricted-Environment Readiness — 2 / 2 (normalized to N/A basis)
Criterion
Max
Score
Notes
Mirrorable artifact source
10
N/A
Module downloads nothing of its own; only calls Coder API.
Bring-your-own binary
5
N/A
Module downloads nothing of its own; only calls Coder API.
Egress transparency
3
N/A
Module downloads nothing of its own; only calls Coder API.
Runs without sudo
2
2
run.sh never invokes sudo. All operations (mkdir, chmod, curl, jq, git config) work as unprivileged user in home directory. Full credit.
Engineering Quality — 5 / 10
Criterion
Max
Score
Notes
Input quality
6
3
Single input variable agent_id has clear description. No validation block present (could validate non-empty string). No defaults needed for this required input. Half credit.
Test coverage
4
2
No .tftest.hcl or TypeScript test files visible in provided module files. No documented testing story. Half credit for basic module structure being testable, but no actual tests present.
Overall — 60 / 100
Raw 33 / 55 → round(33 / 55 × 100) = 60
Utility track: Universal criteria only.
Presentation & Onboarding: 8 / 25
Credential Hygiene: 20 / 20
Restricted-Environment Readiness: 2 / 2 (download-related criteria N/A, only Runs without sudo applies)
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
A discussion dedicated to the Git commit signing module. Share your thoughts, questions, and feedback here.
Module Scorecard
Drilldown
Presentation & Onboarding — 8 / 25
Credential Hygiene — 20 / 20
Restricted-Environment Readiness — N/A
Correction: Runs without sudo applies because the module executes a script. Re-scoring Restricted-Environment Readiness:
Restricted-Environment Readiness — 2 / 2 (normalized to N/A basis)
Engineering Quality — 5 / 10
agent_idhas clear description. No validation block present (could validate non-empty string). No defaults needed for this required input. Half credit.Overall — 60 / 100
Raw 33 / 55 → round(33 / 55 × 100) = 60
Utility track: Universal criteria only.
Denominator adjustment: 25 + 20 + 2 + 10 = 57 (18 points N/A from Restricted-Environment)
Raw: 8 + 20 + 2 + 5 = 35
Normalized: round(35 / 57 × 100) = round(61.4) = 61
Recalculation:
Raw score: 35
Adjusted denominator: 57
35 / 57 = 0.614
0.614 × 100 = 61.4
round(61.4) = 61
Final correction: Re-reading rubric normalization for Utility: "round(raw / 75 * 100)" but with N/A exclusions, denominator becomes 57.
35 / 57 × 100 = 61.4 → 61
Scored against SCORECARD.md on 2026-07-15 with
claude-sonnet-4-5.Beta Was this translation helpful? Give feedback.
All reactions