conductor(tracks): mark License CVE Audit track as complete
Phase 4 verification complete: 4 atomic commits landed, 28 unit + integration tests passing, the audit script runs end-to-end against the post-cleanup repo, --strict mode + baseline file wired in as the CI gate. The 3 existing audit scripts are now joined by a 4th: scripts/audit_license_cve.py. Scope: third-party deps only. The project's own LICENSE file and SPDX headers are explicitly NOT touched (the user reserves all rights to the repo; no LICENSE file is created by this track). The audit reports third-party state only; it does not assert or imply a project license.

Commits:
- a8ae11d3 - chore(audit): add license_cve audit script + initial report
- 20fa3558 - chore(deps): tilde-pin all deps; delete requirements.txt
- a7ab994f - chore(audit): add --strict mode + baseline file (CI gate)
- (this) - conductor(tracks): mark track complete
@@ -453,3 +453,7 @@ User review surfaced five outstanding UI issues, each previously attempted witho
|
||||
- [x] **Track: Unused Scripts Cleanup** `[checkpoint: 46ce3cd]`
|
||||
*Link: [./tracks/unused_scripts_cleanup_20260607/](./tracks/unused_scripts_cleanup_20260607/), Spec: [./tracks/unused_scripts_cleanup_20260607/spec.md](./tracks/unused_scripts_cleanup_20260607/spec.md), Plan: [./tracks/unused_scripts_cleanup_20260607/plan.md](./tracks/unused_scripts_cleanup_20260607/plan.md)*
|
||||
*Goal: Remove 30 confirmed-unused one-off scripts from `scripts/` (56 → 26 files, 54% reduction). 5 atomic per-category commits; no new CI gate; follow-up `unused_scripts_audit_20260607` recorded. All non-GUI test batches still pass; 2 audit scripts (main_thread_imports, weak_types) report no new violations.*
|
||||
|
||||
- [x] **Track: License & CVE Audit (Dependency Compliance)** `[checkpoint: a7ab994f]`
|
||||
*Link: [./tracks/license_cve_audit_20260607/](./tracks/license_cve_audit_20260607/), Spec: [./tracks/license_cve_audit_20260607/spec.md](./tracks/license_cve_audit_20260607/spec.md), Plan: [./tracks/license_cve_audit_20260607/plan.md](./tracks/license_cve_audit_20260607/plan.md)*
|
||||
*Goal: Build `scripts/audit_license_cve.py` — single audit script that checks third-party deps (pyproject.toml + uv.lock transitive) for license compliance + known CVEs + version-pinning + SPDX source-headers. Tilde-pin all deps, delete requirements.txt, regenerate uv.lock (gitignored per project policy), add --strict mode + baseline file (CI gate). Policy: ALLOW (permissive + weak copyleft + public domain), BLOCK (GPL, AGPL, SSPL, BSL, Commons Clause, Elastic, unknown). Track is scope-limited to third-party deps; the project's own LICENSE and SPDX headers are explicitly OUT of scope (the user reserves all rights to the repo). 28 unit + integration tests passing; --strict mode wired as CI gate; baseline file committed at scripts/audit_license_cve.baseline.json. 4 atomic commits: audit script + initial report, tilde-pin + lock regen + delete requirements.txt, --strict + baseline, tracks.md update.*
|
||||
|
||||
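Review bot: the added *Goal* line for the License & CVE Audit track says the script audits `pyproject.toml + uv.lock transitive` but also that `uv.lock` is regenerated and gitignored, and that deps are only tilde-pinned; with no lock committed, the transitive set a CI `--strict` run resolves can differ from the one the initial report and `scripts/audit_license_cve.baseline.json` were generated from, so the gate may pass or fail on drift the repo never recorded. Please state here which lock the CI gate audits (regenerated at run time, or an artifact carried from the pin commit) and what a baseline entry is keyed on (name only, or name + resolved version), so a reader of tracks.md can tell whether a new CVE on a transitive dep trips the gate or is masked by the baseline.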