Skip to content

Commit f35c5d0

Browse files
committed
Add security posture plan
1 parent 7b41ed3 commit f35c5d0

7 files changed

Lines changed: 179 additions & 5 deletions

File tree

README.md

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -60,6 +60,7 @@ Use these starter artifacts:
6060
- [Dependency license inventory](docs/DEPENDENCY_LICENSE_INVENTORY.md)
6161
- [Twelve month milestone plan](docs/TWELVE_MONTH_MILESTONE_PLAN.md)
6262
- [Spec change process](docs/SPEC_CHANGE_PROCESS.md)
63+
- [Security posture plan](docs/SECURITY_POSTURE_PLAN.md)
6364
- [AAIF proposal readiness self-audit](docs/AAIF_PROPOSAL_READINESS.md)
6465
- [AAIF portfolio recognition roadmap](docs/AAIF_PORTFOLIO_RECOGNITION_ROADMAP.md)
6566
- [Ecosystem contribution ledger](docs/ECOSYSTEM_CONTRIBUTION_LEDGER.md)
@@ -122,8 +123,8 @@ Bad use:
122123

123124
## Current Status
124125

125-
Version: `0.5.11`
126+
Version: `0.5.12`
126127

127-
Status: early OSS profile with public flagship examples, adopter guide, boundary template, scoring guide, ecosystem alignment brief, compatibility policy, adoption registry, external review guide, maintainer review kit, AAIF proposal readiness self-audit, and ecosystem contribution ledger.
128+
Status: early OSS profile with public flagship examples, adopter guide, boundary template, scoring guide, ecosystem alignment brief, compatibility policy, adoption registry, external review guide, maintainer review kit, AAIF proposal readiness self-audit, ecosystem contribution ledger, and security posture plan.
128129

129130
Next target: external technical feedback from agentic AI maintainers and AAIF/LF-style community forums.

ROADMAP.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -78,6 +78,10 @@
7878

7979
- Add twelve month milestone plan and spec change process for public proposal-readiness review.
8080

81+
## 0.5.12
82+
83+
- Add security posture plan for reporting, secret safety, supply-chain hygiene, OpenSSF-style future checks, release gates, issue hygiene, and AI-assisted contribution boundaries.
84+
8185
## 0.6.0
8286

8387
- Add first external adoption example if a maintainer opts in.

docs/AAIF_PROPOSAL_READINESS.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -69,7 +69,7 @@ The correct current route is external technical feedback, small upstream contrib
6969
| Leadership and decision process | `GOVERNANCE.md` | Partial | Add documented maintainer and reviewer acceptance path. |
7070
| Roadmap | `ROADMAP.md`, `docs/TWELVE_MONTH_MILESTONE_PLAN.md` | Ready | Keep milestone outcomes evidence-based and update after external feedback. |
7171
| Portfolio recognition path | `docs/AAIF_PORTFOLIO_RECOGNITION_ROADMAP.md` | Partial | Turn the 90-day plan into external review and adoption evidence. |
72-
| Security posture | `SECURITY.md`, no sensitive runtime | Partial | Add OpenSSF Scorecard or Best Practices plan. |
72+
| Security posture | `SECURITY.md`, `docs/SECURITY_POSTURE_PLAN.md`, no sensitive runtime, dependency inventory | Partial | Enable OpenSSF Scorecard or Best Practices evidence after external review; keep current posture documented without certification claims. |
7373
| Website or docs portal | GitHub README/docs only | Partial | Add GitHub Pages or docs site after content stabilizes. |
7474
| Communications channels | GitHub issues and discussion | Partial | Keep Discord/LinkedIn activity as pointers back to GitHub evidence. |
7575
| Trademark and account transfer | No decision | Missing | User decision required before any formal proposal. |

docs/SECURITY_POSTURE_PLAN.md

Lines changed: 167 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,167 @@
1+
# Security Posture Plan
2+
3+
## Purpose
4+
5+
This plan explains how the Agentic Enterprise Readiness Profile handles security for an independent OSS profile repository.
6+
7+
It is written for maintainers, external reviewers, and AAIF/LF-style community reviewers who need to understand the security boundary before trying the profile against a real repository.
8+
9+
This document is not a certification, audit report, AAIF endorsement, Linux Foundation endorsement, or production-readiness claim.
10+
11+
## Current Security Scope
12+
13+
The repository currently contains:
14+
15+
- Markdown documentation
16+
- JSON schema
17+
- JSON examples
18+
- boundary-model examples
19+
- issue templates
20+
- a lightweight local validation script
21+
22+
The repository does not currently operate:
23+
24+
- a hosted service
25+
- a database
26+
- an authentication system
27+
- a payment flow
28+
- a model provider integration
29+
- a queue, worker, or background runtime
30+
- a production data store
31+
32+
Security risk is therefore concentrated in contributor behavior, documentation hygiene, schema integrity, release discipline, and supply-chain hygiene.
33+
34+
## Reporting Path
35+
36+
Security reporting follows `SECURITY.md`.
37+
38+
Use GitHub issues for non-sensitive security concerns such as missing guardrails, unclear secret-safety guidance, broken validation assumptions, or overly broad claims.
39+
40+
Do not open a public issue that includes:
41+
42+
- credentials
43+
- customer data
44+
- private vulnerability details
45+
- screenshots containing tokens
46+
- proprietary internal architecture
47+
- exploit instructions that materially increase risk
48+
49+
If sensitive detail is required, contact the maintainer privately first and only publish a sanitized public follow-up after the sensitive material is removed.
50+
51+
## Secret Safety Rules
52+
53+
Contributors must not commit real secrets, private customer evidence, private policy documents, or screenshots containing tokens.
54+
55+
Examples and templates must use:
56+
57+
- placeholder values
58+
- environment-variable names
59+
- secret-reference names
60+
- redacted excerpts
61+
- synthetic data
62+
63+
The profile should describe required secret boundaries without asking contributors to expose the actual secret values used by their own systems.
64+
65+
## Supply-Chain Posture
66+
67+
The repository is intentionally small and has no runtime service dependencies.
68+
69+
Current supply-chain controls:
70+
71+
- dependency and license posture is documented in `docs/DEPENDENCY_LICENSE_INVENTORY.md`
72+
- validation runs through the repository's GitHub Actions workflow
73+
- examples are checked against `schema/agentic-readiness.schema.json`
74+
- release notes state what changed and which checks ran
75+
- no vendored third-party code is expected in docs, examples, or templates
76+
77+
Before a release, maintainers should recheck:
78+
79+
- `npm test`
80+
- `git diff --check`
81+
- package metadata parsing
82+
- changed documentation for accidental secrets
83+
- changed examples against the JSON schema
84+
85+
## OpenSSF-Style Plan
86+
87+
This project should adopt external security hygiene signals in stages instead of claiming maturity too early.
88+
89+
Planned checks:
90+
91+
| Stage | Action | Evidence target |
92+
| --- | --- | --- |
93+
| 1 | Keep `SECURITY.md`, this posture plan, dependency inventory, release checklist, and validation workflow current. | Public docs and passing validation workflow. |
94+
| 2 | Enable OpenSSF Scorecard or an equivalent public security-health workflow once the repository shape stabilizes. | Public workflow result or issue explaining blocked checks. |
95+
| 3 | Review OpenSSF Best Practices criteria and document which items apply to a documentation/profile repository. | Public gap issue or checklist. |
96+
| 4 | Consider branch protection, signed releases, and stricter workflow permissions if external contributors or adopters increase. | Repository settings evidence where public, or maintainer note where settings are private. |
97+
98+
Until these checks are actually enabled and passing, the project must describe them as planned, not complete.
99+
100+
## Release Security Gates
101+
102+
Every release should answer:
103+
104+
- Did validation pass?
105+
- Did docs or examples introduce any real secrets?
106+
- Did dependency or license posture change?
107+
- Did the release checklist run?
108+
- Did the release notes avoid endorsement or production-readiness claims?
109+
- Did any security-relevant issue remain open, and is it documented?
110+
111+
Security-sensitive releases should prefer smaller changes and clearer evidence over large bundled edits.
112+
113+
## Issue And PR Hygiene
114+
115+
Maintainers should keep public review focused on concrete artifacts.
116+
117+
Good issues and PRs:
118+
119+
- identify one repository boundary, schema field, validator behavior, or documentation gap
120+
- avoid private screenshots or internal customer names
121+
- include a local proof path
122+
- state whether the evidence is static inspection, local validation, or live runtime proof
123+
- avoid promotional language
124+
125+
Poor issues and PRs:
126+
127+
- ask maintainers to review private data in public
128+
- claim AAIF, Linux Foundation, enterprise, or production status without evidence
129+
- add paid-service defaults without OSS alternatives
130+
- add broad marketing copy without improving repository safety or usability
131+
132+
## AI-Assisted Contribution Boundary
133+
134+
AI-assisted contributions are allowed when they are reviewed by a human maintainer before merge.
135+
136+
AI tools must not be used to:
137+
138+
- paste private secrets into prompts or issues
139+
- infer unsupported production-readiness claims
140+
- auto-post outreach at scale
141+
- open noisy PRs across many repositories
142+
- replace maintainer judgment on security-sensitive changes
143+
144+
Contributors should disclose AI assistance when it materially shaped a contribution and should keep the proof path reproducible by humans.
145+
146+
## Artifact Integrity
147+
148+
Release notes should link to:
149+
150+
- the release tag
151+
- the validation workflow run
152+
- the changed public docs
153+
- the issue or PR when the release responds to external feedback
154+
155+
This keeps the project reviewable without relying on private chat logs or unpublished claims.
156+
157+
## Recognition Boundary
158+
159+
This posture supports public review and responsible OSS contribution. It does not create:
160+
161+
- AAIF affiliation
162+
- Linux Foundation affiliation
163+
- OpenSSF certification
164+
- SOC 2, ISO, or enterprise security certification
165+
- production-readiness proof
166+
167+
Those claims require separate formal processes and independent evidence.

docs/TWELVE_MONTH_MILESTONE_PLAN.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,7 @@ It is not a commitment from AAIF, the Linux Foundation, or any external maintain
1818

1919
| Window | Milestone | Evidence required | Recognition posture |
2020
| --- | --- | --- | --- |
21-
| Month 1 | External trial readiness | Adoption trial protocol, issue template, public trial issue, release checklist, dependency inventory | Independent review request only |
21+
| Month 1 | External trial readiness | Adoption trial protocol, issue template, public trial issue, release checklist, dependency inventory, security posture plan | Independent review request only |
2222
| Months 2-3 | First external feedback | At least two external comments, issues, or trial responses | Feedback received, not adoption |
2323
| Months 3-4 | Portfolio evidence expansion | Four more portfolio repositories with boundary models or readiness JSON | Testbed expansion, not production proof |
2424
| Months 4-6 | Spec stabilization pass | Spec-change process used for at least one profile or schema change | Process maturity, not standardization |
@@ -33,6 +33,7 @@ Current focus:
3333
- keep AAIF PRs reviewable and conflict-free
3434
- keep the contribution ledger current
3535
- ask for external trials through issue `#5`
36+
- keep security posture, secret-safety, and release-gate evidence current
3637
- avoid cold-tagging maintainers
3738
- convert feedback into profile changes
3839

package.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
{
22
"name": "agentic-enterprise-readiness-profile",
3-
"version": "0.5.11",
3+
"version": "0.5.12",
44
"private": false,
55
"type": "module",
66
"description": "Evidence-first readiness profile for agentic AI repositories.",

scripts/validate-readiness.mjs

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,7 @@ const requiredDocs = [
2020
"docs/DEPENDENCY_LICENSE_INVENTORY.md",
2121
"docs/TWELVE_MONTH_MILESTONE_PLAN.md",
2222
"docs/SPEC_CHANGE_PROCESS.md",
23+
"docs/SECURITY_POSTURE_PLAN.md",
2324
"docs/SCORING_GUIDE.md",
2425
".github/ISSUE_TEMPLATE/adoption_review.md",
2526
".github/ISSUE_TEMPLATE/adoption_trial.md",

0 commit comments

Comments
 (0)