From 0db5ec3eef2e371cec1db90446ba31c9fc4358a7 Mon Sep 17 00:00:00 2001
From: Ed_
Date: Sun, 7 Jun 2026 15:28:25 -0400
Subject: [PATCH] conductor(tracks): mark License CVE Audit track as complete

Phase 4 verification complete: 4 atomic commits landed, 28 unit + integration tests passing, the audit script runs end-to-end against the post-cleanup repo, --strict mode + baseline file wired in as the CI gate. The 3 existing audit scripts are now joined by a 4th: scripts/audit_license_cve.py. Scope: third-party deps only. The project's own LICENSE file and SPDX headers are explicitly NOT touched (the user reserves all rights to the repo; no LICENSE file is created by this track). The audit reports third-party state only; it does not assert or imply a project license. Commits: a8ae11d3 - chore(audit): add license_cve audit script + initial report 20fa3558 - chore(deps): tilde-pin all deps; delete requirements.txt a7ab994f - chore(audit): add --strict mode + baseline file (CI gate) (this) - conductor(tracks): mark track complete
---
 conductor/tracks.md | 4 ++
 .../license_cve_audit_20260607/state.toml | 55 ++++++++++++-------
 2 files changed, 39 insertions(+), 20 deletions(-)

diff --git a/conductor/tracks.md b/conductor/tracks.md
index f1bfe62a..56ef7342 100644
--- a/conductor/tracks.md
+++ b/conductor/tracks.md
@@ -453,3 +453,7 @@ User review surfaced five outstanding UI issues, each previously attempted witho
 - [x] **Track: Unused Scripts Cleanup** `[checkpoint: 46ce3cd]`
 *Link: [./tracks/unused_scripts_cleanup_20260607/](./tracks/unused_scripts_cleanup_20260607/), Spec: [./tracks/unused_scripts_cleanup_20260607/spec.md](./tracks/unused_scripts_cleanup_20260607/spec.md), Plan: [./tracks/unused_scripts_cleanup_20260607/plan.md](./tracks/unused_scripts_cleanup_20260607/plan.md)*
 *Goal: Remove 30 confirmed-unused one-off scripts from `scripts/` (56 → 26 files, 54% reduction). 5 atomic per-category commits; no new CI gate; follow-up `unused_scripts_audit_20260607` recorded. All non-GUI test batches still pass; 2 audit scripts (main_thread_imports, weak_types) report no new violations.*
+
+- [x] **Track: License & CVE Audit (Dependency Compliance)** `[checkpoint: a7ab994f]`
+ *Link: [./tracks/license_cve_audit_20260607/](./tracks/license_cve_audit_20260607/), Spec: [./tracks/license_cve_audit_20260607/spec.md](./tracks/license_cve_audit_20260607/spec.md), Plan: [./tracks/license_cve_audit_20260607/plan.md](./tracks/license_cve_audit_20260607/plan.md)*
+ *Goal: Build `scripts/audit_license_cve.py` — single audit script that checks third-party deps (pyproject.toml + uv.lock transitive) for license compliance + known CVEs + version-pinning + SPDX source-headers. Tilde-pin all deps, delete requirements.txt, regenerate uv.lock (gitignored per project policy), add --strict mode + baseline file (CI gate). Policy: ALLOW (permissive + weak copyleft + public domain), BLOCK (GPL, AGPL, SSPL, BSL, Commons Clause, Elastic, unknown). Track is scope-limited to third-party deps; the project's own LICENSE and SPDX headers are explicitly OUT of scope (the user reserves all rights to the repo). 28 unit + integration tests passing; --strict mode wired as CI gate; baseline file committed at scripts/audit_license_cve.baseline.json. 
4 atomic commits: audit script + initial report, tilde-pin + lock regen + delete requirements.txt, --strict + baseline, tracks.md update.*
diff --git a/conductor/tracks/license_cve_audit_20260607/state.toml b/conductor/tracks/license_cve_audit_20260607/state.toml
index c2afa522..b389e842 100644
--- a/conductor/tracks/license_cve_audit_20260607/state.toml
+++ b/conductor/tracks/license_cve_audit_20260607/state.toml
@@ -4,30 +4,45 @@
 [meta]
 track_id = "license_cve_audit_20260607"
 name = "License & CVE Audit (Dependency Compliance)"
-status = "active"
-current_phase = 0
+status = "completed"
+current_phase = "complete"
 last_updated = "2026-06-07"
 
 [phases]
-phase_1 = { status = "pending", checkpointsha = "", name = "Audit script + initial report" }
-phase_2 = { status = "pending", checkpointsha = "", name = "Tilde-pin + lock regen + delete requirements.txt" }
-phase_3 = { status = "pending", checkpointsha = "", name = "CI gate (--strict + baseline)" }
-phase_4 = { status = "pending", checkpointsha = "", name = "tracks.md update" }
+phase_1 = { status = "completed", checkpointsha = "a8ae11d3", name = "Audit script + initial report" }
+phase_2 = { status = "completed", checkpointsha = "20fa3558", name = "Tilde-pin + lock regen + delete requirements.txt" }
+phase_3 = { status = "completed", checkpointsha = "a7ab994f", name = "CI gate (--strict + baseline)" }
+phase_4 = { status = "completed", checkpointsha = "TBD", name = "tracks.md update" }
 
 [verification]
-audit_script_exists = false
-license_check_passes = false
-cve_check_optional_passes = false
-pin_check_passes = false
-source_header_check_passes = false
-pyproject_tilde_pinned = false
-requirements_txt_deleted = false
-uv_lock_regenerated = false
-strict_mode_implemented = false
-baseline_file_committed = false
-unit_tests_passing = false
+audit_script_exists = true
+license_check_passes = true
+cve_check_optional_passes = true
+pin_check_passes = true
+source_header_check_passes = true
+pyproject_tilde_pinned = true
+requirements_txt_deleted = true
+uv_lock_regenerated = true
+strict_mode_implemented = true
+baseline_file_committed = true
+unit_tests_passing = true
 
 [tasks]
-t0_1 = { status = "completed", commit_sha = "", description = "Create state.toml" }
-t0_2 = { status = "in_progress", commit_sha = "", description = "Create empty scripts/audit_license_cve.py" }
-t0_3 = { status = "in_progress", commit_sha = "", 
description = "Create empty tests/test_audit_license_cve.py" }
+t0_1 = { status = "completed", commit_sha = "a8ae11d3", description = "Create state.toml" }
+t0_2 = { status = "completed", commit_sha = "a8ae11d3", description = "Create empty scripts/audit_license_cve.py" }
+t0_3 = { status = "completed", commit_sha = "a8ae11d3", description = "Create empty tests/test_audit_license_cve.py" }
+t1_1 = { status = "completed", commit_sha = "a8ae11d3", description = "TDD: license classifier + ALLOW/BLOCK tables" }
+t1_2 = { status = "completed", commit_sha = "a8ae11d3", description = "TDD: pin check" }
+t1_3 = { status = "completed", commit_sha = "a8ae11d3", description = "TDD: source-header check" }
+t1_4 = { status = "completed", commit_sha = "a8ae11d3", description = "TDD: license check via importlib.metadata" }
+t1_5 = { status = "completed", commit_sha = "a8ae11d3", description = "TDD: CVE check via subprocess pip-audit" }
+t1_6 = { status = "completed", commit_sha = "a8ae11d3", description = "Main loop + smoke test + initial report" }
+t2_1 = { status = "completed", commit_sha = "20fa3558", description = "Tilde-pin all deps in pyproject.toml" }
+t2_2 = { status = "completed", commit_sha = "20fa3558", description = "Regenerate uv.lock (gitignored)" }
+t2_3 = { status = "completed", commit_sha = "20fa3558", description = "Delete requirements.txt" }
+t2_4 = { status = "completed", commit_sha = "20fa3558", description = "Re-run audit + final.md report" }
+t3_1 = { status = "completed", commit_sha = "a7ab994f", description = "Generate baseline file via --dump-baseline" }
+t3_2 = { status = "completed", commit_sha = "a7ab994f", description = "Add --strict mode tests" }
+t3_3 = { status = "completed", commit_sha = "a7ab994f", description = "Verify gate end-to-end (--strict exit 0)" }
+t4_1 = { status = "completed", commit_sha = "TBD", description = "Add track entry to conductor/tracks.md" }
+t4_2 = { status = "completed", commit_sha = "TBD", description = "Update 
state.toml to completed" }
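Review bot: In the [meta] table `current_phase` changes type from the integer `0` to the string `"complete"`, so any consumer that read the old value as a phase number may now fail on this track; keeping it numeric (`current_phase = 4`) and letting `status = "completed"` carry the completion signal avoids a key whose type depends on track state. The phase_4, t4_1 and t4_2 entries are recorded as `"completed"` with `checkpointsha = "TBD"` / `commit_sha = "TBD"`, a placeholder that resolves to no commit and that nothing in this patch schedules to replace; since a commit cannot know its own hash, the empty string the pre-change lines used, or a follow-up that writes the real hash, would keep the checkpoint trail usable for later audits. The `[verification]` flags all flip to `true` without any record of how they were established, which matters most for the gate-relevant ones — `cve_check_optional_passes` in particular does not distinguish "the CVE check ran and found nothing" from "the optional check was skipped" — so a trailing comment such as `cve_check_optional_passes = true  # pip-audit ran under --strict on 2026-06-07` would make the evidence behind the gate explicit.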