Security documentation NOT READY FOR REVIEW

.github/ISSUE_TEMPLATE/identity-and-security-meeting.md

@@ -0,0 +1,60 @@
+---
+name: Identity and Security group meeting
+about: Overview and notes for a discussion group
+title: 'Identity and Security group meeting - mmm dd, yyyy'
+labels: identity-security, meeting
+assignees: ''
+---
+
+## Meeting Date
+
+Thursday DD MMM yyyy - 10am (US eastern timezone EST/EDT) / 3pm (London, GMT/BST)
+
+### Zoom info
+
+Register to the meeting series and receive and invitation:
+https://zoom-lfx.platform.linuxfoundation.org/meeting/92600977319?password=17e9e8f8-7d4e-47b4-b8f0-8c68b02005de&invite=true
+
+Join Zoom Meeting:
+https://zoom-lfx.platform.linuxfoundation.org/meeting/92600977319?password=17e9e8f8-7d4e-47b4-b8f0-8c68b02005de
+
+
+## Meeting notices
+
+- FINOS **Project leads** are responsible for observing the FINOS guidelines for [running project meetings](https://community.finos.org/docs/governance/meeting-procedures/). Project maintainers can find additional resources in the [FINOS Maintainers Cheatsheet](https://community.finos.org/docs/finos-maintainers-cheatsheet).
+
+- **All participants** in FINOS project meetings are subject to the [LF Antitrust Policy](https://www.linuxfoundation.org/antitrust-policy/), the [FINOS Community Code of Conduct](https://community.finos.org/docs/governance/code-of-conduct) and all other [FINOS policies](https://community.finos.org/docs/governance/#policies).
+
+- FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact <legal@finos.org> with any questions.
+
+- FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.
+
+- A Discussion Group has no direct decision-making power regarding the FDC3 standard - rather it is intended that anything they propose or work on will result in proposals (via Github issues and PRs) for the Standards Working Group participants to consider and vote on for inclusion in the standard.
+
+## Participation Requirements
+
+**Note:** Meeting participants are expected to accept the terms of the FDC3 license (Community Specification License), understand the governance process and have a CLA in place.  
+
+Please click the following links at the start of the meeting if you have not done so previously.
+
+- [View the CSL](https://github.com/finos/FDC3/blob/main/LICENSE.md)
+- [View the GOVERNANCE of the Project](https://github.com/finos/FDC3/blob/main/GOVERNANCE.md)
+- [Click here to start a PR](https://github.com/finos/FDC3/edit/main/NOTICES.md).
+  - Edit the page to add your details.
+  - Hit the save button.
+  - Click "Create Pull Request".
+  - Click "Accept" on the EasyCLA dialog in the PR's discussion section.
+- [Click here to send email to become a voting participant on the FDC3 Project](mailto:fdc3-participants+subscribe@finos.org?subject=Please%20enroll%20me%20as%20an%20FDC3%20Standards%20Participant&amp;body=HI%2C%20my%20name%20is%20%3CFirstName%20LastName%3E%20and%20I'd%20like%20to%20formally%20participate%20to%20the%20FDC3%20standard%20process.%20I%20plan%20to%20contribute%20as%20%3Cindividual%7Con%20behalf%20of%20organizationName%3E%20and%20I%20have%20reviewed%20the%20policies%20described%20at%20https%3A%2F%2Fgithub.com%2Ffinos%2FFDC3%2Fblob%2Fmain%2FGOVERNANCE.md%20and%20read%20the%20license%20at%20https%3A%2F%2Fgithub.com%2Ffinos%2FFDC3%2Fblob%2Fmain%2FLICENSE%20.%20Thank%20you!")
+
+## Agenda
+
+- [ ] Convene & roll call, review meeting notices (5mins)
+- [ ] Review action items from previous meeting (5mins)
+- [ ] Agenda item 1
+- [ ] Agenda item 2
+- [ ] ...
+- [ ] AOB & Adjourn (5mins)
+
+## Minutes
+
+- ...

.github/ISSUE_TEMPLATE/standard-wg-meeting.md

@@ -8,20 +8,16 @@ assignees: ''
 
 ## Date
 
-Thursday DD MMM yyyy - 10am (US eastern timezone EDT/EST) / 3pm (London, GMT/BST)
+Thursday DD MMM yyyy - 10am (US eastern timezone EST/EDT) / 3pm (London, GMT/BST)
 
 ### Zoom info
 
-- **[Join Zoom Meeting](https://zoom.us/j/96940294948?pwd=SjFibVdiN25QSWxva3FqRHY2RUFCdz09)**
-- **Meeting ID:** 969 4029 4948
-- **Passcode:** 636931
-- **Dial-in:**
-    | Country      | International Dial-in | Toll-free Dial-in |
-    | :---        | :---        | :---        |
-    | **US** | [+1 929 205 6099 (New York)](tel:+19292056099) | [877 853 5247](tel:8778535247) |
-    | **UK** | [+44 330 088 5830](tel:+443300885830) | [0800 031 5717](tel:08000315717) |
-    | **France** | [+33 1 8699 5831](tel:+33186995831) | [0 800 940 415](tel:0800940415) 
-    | Find your local number | <https://zoom.us/u/ad2WVnBzb8> | |
+Register to the meeting series to receive an invitation:
+https://zoom-lfx.platform.linuxfoundation.org/meeting/96839365264?password=b5c2bc6a-bc47-43a5-bc49-7be3e0b422c3&invite=true
+
+Join Zoom Meeting:
+https://zoom-lfx.platform.linuxfoundation.org/meeting/96839365264?password=b5c2bc6a-bc47-43a5-bc49-7be3e0b422c3
+
 
 ## Meeting notices
 
@@ -48,10 +44,6 @@ Thursday DD MMM yyyy - 10am (US eastern timezone EDT/EST) / 3pm (London, GMT/BST
   - Click "Accept" on the EasyCLA dialog in the PR's discussion section.
 - [Click here to send email to become a voting participant on the FDC3 Project](mailto:fdc3-participants+subscribe@finos.org?subject=Please%20enroll%20me%20as%20an%20FDC3%20Standards%20Participant&amp;body=HI%2C%20my%20name%20is%20%3CFirstName%20LastName%3E%20and%20I'd%20like%20to%20formally%20participate%20to%20the%20FDC3%20standard%20process.%20I%20plan%20to%20contribute%20as%20%3Cindividual%7Con%20behalf%20of%20organizationName%3E%20and%20I%20have%20reviewed%20the%20policies%20described%20at%20https%3A%2F%2Fgithub.com%2Ffinos%2FFDC3%2Fblob%2Fmain%2FGOVERNANCE.md%20and%20read%20the%20license%20at%20https%3A%2F%2Fgithub.com%2Ffinos%2FFDC3%2Fblob%2Fmain%2FLICENSE%20.%20Thank%20you!")
 
-## Tracking Attendance
-
- **Note:** Meeting participants are expected to _add a comment to this GitHub issue_ in order that we can track attendance of FDC3 project meetings.  Please do this at the start of the meeting.
-
 ## Agenda
 
 - [ ] Convene & roll call, review meeting notices (5mins)
@@ -64,17 +56,3 @@ Thursday DD MMM yyyy - 10am (US eastern timezone EDT/EST) / 3pm (London, GMT/BST
 ## Minutes
 
 - ...
-
-### Decisions Made
-
-- ...
-
-## Action Items
-
-- [ ] ...
-
-## Untracked attendees
-
-| Full name | Affiliation | GitHub username |
-|-----------|-------------|-----------------|
-|           |             |                 |

.github/ISSUE_TEMPLATE/use-cases-and-workflows-meeting.md

@@ -0,0 +1,62 @@
+---
+name: Use Cases and Workflows group meeting
+about: Overview and notes for a discussion group
+title: 'Use Cases and Workflows group meeting - mmm dd, yyyy'
+labels: Use cases, meeting
+assignees: ''
+---
+
+## Meeting Date
+
+Thursday DD MMM yyyy - 10am (US eastern timezone EST/EDT) / 3pm (London, GMT/BST)
+
+### Zoom info
+
+
+Register to the meeting series and receive an invitation:
+https://zoom-lfx.platform.linuxfoundation.org/meeting/91001005768?password=0c878e0c-b8a4-42d3-9786-e8c1524d6d1c&invite=true
+
+Join Zoom Meeting:
+https://zoom-lfx.platform.linuxfoundation.org/meeting/91001005768?password=0c878e0c-b8a4-42d3-9786-e8c1524d6d1c
+
+
+
+## Meeting notices
+
+- FINOS **Project leads** are responsible for observing the FINOS guidelines for [running project meetings](https://community.finos.org/docs/governance/meeting-procedures/). Project maintainers can find additional resources in the [FINOS Maintainers Cheatsheet](https://community.finos.org/docs/finos-maintainers-cheatsheet).
+
+- **All participants** in FINOS project meetings are subject to the [LF Antitrust Policy](https://www.linuxfoundation.org/antitrust-policy/), the [FINOS Community Code of Conduct](https://community.finos.org/docs/governance/code-of-conduct) and all other [FINOS policies](https://community.finos.org/docs/governance/#policies).
+
+- FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact <legal@finos.org> with any questions.
+
+- FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.
+
+- A Discussion Group has no direct decision-making power regarding the FDC3 standard - rather it is intended that anything they propose or work on will result in proposals (via Github issues and PRs) for the Standards Working Group participants to consider and vote on for inclusion in the standard.
+
+## Participation Requirements
+
+**Note:** Meeting participants are expected to accept the terms of the FDC3 license (Community Specification License), understand the governance process and have a CLA in place.  
+
+Please click the following links at the start of the meeting if you have not done so previously.
+
+- [View the CSL](https://github.com/finos/FDC3/blob/main/LICENSE.md)
+- [View the GOVERNANCE of the Project](https://github.com/finos/FDC3/blob/main/GOVERNANCE.md)
+- [Click here to start a PR](https://github.com/finos/FDC3/edit/main/NOTICES.md).
+  - Edit the page to add your details.
+  - Hit the save button.
+  - Click "Create Pull Request".
+  - Click "Accept" on the EasyCLA dialog in the PR's discussion section.
+- [Click here to send email to become a voting participant on the FDC3 Project](mailto:fdc3-participants+subscribe@finos.org?subject=Please%20enroll%20me%20as%20an%20FDC3%20Standards%20Participant&amp;body=HI%2C%20my%20name%20is%20%3CFirstName%20LastName%3E%20and%20I'd%20like%20to%20formally%20participate%20to%20the%20FDC3%20standard%20process.%20I%20plan%20to%20contribute%20as%20%3Cindividual%7Con%20behalf%20of%20organizationName%3E%20and%20I%20have%20reviewed%20the%20policies%20described%20at%20https%3A%2F%2Fgithub.com%2Ffinos%2FFDC3%2Fblob%2Fmain%2FGOVERNANCE.md%20and%20read%20the%20license%20at%20https%3A%2F%2Fgithub.com%2Ffinos%2FFDC3%2Fblob%2Fmain%2FLICENSE%20.%20Thank%20you!")
+
+## Agenda
+
+- [ ] Convene & roll call, review meeting notices (5mins)
+- [ ] Review action items from previous meeting (5mins)
+- [ ] Agenda item 1
+- [ ] Agenda item 2
+- [ ] ...
+- [ ] AOB & Adjourn (5mins)
+
+## Minutes
+
+- ...

.github/ISSUE_TEMPLATE/discussion-group.md → .github/ISSUE_TEMPLATE/web-browsers-meeting.md

@@ -1,35 +1,23 @@
 ---
-name: Discussion group meeting
+name: Web Browsers group meeting
 about: Overview and notes for a discussion group
-title: '<topic> Discussion group'
-labels: help wanted, meeting
+title: 'Web Browsers group meeting - mmm dd, yyyy'
+labels: FDC3 for Web Browsers, meeting
 assignees: ''
 ---
 
-## Group overview
-
-Summary of the purpose and scope of the group
-
-### Relevant issue tags
-
-If tags have been applied to relevant issues, provide details here.
-
 ## Meeting Date
 
-Thursday DD MMM yyyy - 10am (US eastern timezone EDT/EST) / 3pm (London, GMT/BST)
+Thursday DD MMM yyyy - 10am (US eastern timezone EST/EDT) / 3pm (London, GMT/BST)
 
 ### Zoom info
 
-- **[Join Zoom Meeting](https://zoom.us/j/96940294948?pwd=SjFibVdiN25QSWxva3FqRHY2RUFCdz09)**
-- **Meeting ID:** 969 4029 4948
-- **Passcode:** 636931
-- **Dial-in:**
-    | Country      | International Dial-in | Toll-free Dial-in |
-    | :---        | :---        | :---        |
-    | **US** | [+1 929 205 6099 (New York)](tel:+19292056099) | [877 853 5247](tel:8778535247) |
-    | **UK** | [+44 330 088 5830](tel:+443300885830) | [0800 031 5717](tel:08000315717) |
-    | **France** | [+33 1 8699 5831](tel:+33186995831) | [0 800 940 415](tel:0800940415) 
-    | Find your local number | <https://zoom.us/u/ad2WVnBzb8> | |
+
+Register to the meeting series to receive an invitation:
+https://zoom-lfx.platform.linuxfoundation.org/meeting/96615992377?password=88ed4841-afa2-41a6-8de3-e246967e5566&invite=true
+
+Join Zoom Meeting:
+https://zoom-lfx.platform.linuxfoundation.org/meeting/96615992377?password=88ed4841-afa2-41a6-8de3-e246967e5566
 
 ## Meeting notices
 
@@ -58,10 +46,6 @@ Please click the following links at the start of the meeting if you have not don
   - Click "Accept" on the EasyCLA dialog in the PR's discussion section.
 - [Click here to send email to become a voting participant on the FDC3 Project](mailto:fdc3-participants+subscribe@finos.org?subject=Please%20enroll%20me%20as%20an%20FDC3%20Standards%20Participant&amp;body=HI%2C%20my%20name%20is%20%3CFirstName%20LastName%3E%20and%20I'd%20like%20to%20formally%20participate%20to%20the%20FDC3%20standard%20process.%20I%20plan%20to%20contribute%20as%20%3Cindividual%7Con%20behalf%20of%20organizationName%3E%20and%20I%20have%20reviewed%20the%20policies%20described%20at%20https%3A%2F%2Fgithub.com%2Ffinos%2FFDC3%2Fblob%2Fmain%2FGOVERNANCE.md%20and%20read%20the%20license%20at%20https%3A%2F%2Fgithub.com%2Ffinos%2FFDC3%2Fblob%2Fmain%2FLICENSE%20.%20Thank%20you!")
 
-## Tracking Attendance
-
-**Note:** Meeting participants are expected to _add a comment to this GitHub issue_ in order that we can track attendance of FDC3 project meetings.  Please do this at the start of the meeting.
-
 ## Agenda
 
 - [ ] Convene & roll call, review meeting notices (5mins)

.github/workflows/coverage.yml

@@ -46,7 +46,9 @@ jobs:
     - name: Create test summary
       uses: test-summary/action@dist
       with:
-        paths: "**/test-results.xml"
+        paths: |
+          packages/*/test-results.xml
+          toolbox/**/test-results.xml
         show: "fail, skip"
         output: test-summary.md
       if: always()
@@ -67,6 +69,7 @@ jobs:
         search_artifacts: true
 
     - name: Report Coverage
+      if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
       uses: sidx1024/report-nyc-coverage-github-action@v1.2.7
       with:
         coverage_file: "nyc-coverage-report/coverage-summary.json"

.gitignore

@@ -28,4 +28,7 @@ cucumber-report.html
 nyc-coverage-report/
 .history/
 .rollup.cache
-tsconfig.tsbuildinfo
+tsconfig.tsbuildinfo
+**/html-report/
+packages/fdc3-security/junit.xml
+.vscode/launch.json

.husky/pre-commit

@@ -1,2 +1,2 @@
 #!/bin/sh
-npx lint-staged
+npx lint-staged 

.semgrepignore

@@ -1,11 +1,14 @@
 website/**
 
 # Just used for build so ignoring
-s2tQuicktypeUtil.js
+s2tQuicktypeUtil.cjs
 t2sQuicktypeUtil.js
 
 # API schema set for localhost gets picked up by semgrep rule
 schemas/bridgingAsyncAPI/bridgingAsyncAPI.json
 
 # demo apps get picked up for not having integrity headers
 toolbox/fdc3-for-web/demo/src/client/apps/**
+
+# Test utilities using controlled paths (false positive for path traversal)
+packages/testing/src/steps/generic.impl.ts

.vscode/settings.json

@@ -1,3 +1,5 @@
 {
-    "typescript.tsdk": "node_modules/typescript/lib"
+    "typescript.tsdk": "node_modules/typescript/lib",
+    "editor.tabSize": 2,
+    "editor.insertSpaces": true
 }