0db5ec3eef
Phase 4 verification complete: 4 atomic commits landed, 28 unit + integration tests passing, the audit script runs end-to-end against the post-cleanup repo, --strict mode + baseline file wired in as the CI gate. The 3 existing audit scripts are now joined by a 4th: scripts/audit_license_cve.py. Scope: third-party deps only. The project's own LICENSE file and SPDX headers are explicitly NOT touched (the user reserves all rights to the repo; no LICENSE file is created by this track). The audit reports third-party state only; it does not assert or imply a project license.

Commits:
- a8ae11d3 - chore(audit): add license_cve audit script + initial report
- 20fa3558 - chore(deps): tilde-pin all deps; delete requirements.txt
- a7ab994f - chore(audit): add --strict mode + baseline file (CI gate)
- (this) - conductor(tracks): mark track complete
# Track state for license_cve_audit_20260607
# Updated by Tier 2 Tech Lead as tasks complete
#
# Schema notes (reviewer): all SHAs are 8-character short commit hashes stored
# as strings. The literal "TBD" is a placeholder, not a SHA -- see the notes on
# phase_4 and t4_* below. Values appear to be maintained by hand (per the line
# above), not computed by the audit script; treat them as self-reported.

[meta]
track_id = "license_cve_audit_20260607"
name = "License & CVE Audit (Dependency Compliance)"
# Note the two "done" spellings: status uses "completed" (same vocabulary as the
# per-phase and per-task status fields), current_phase uses "complete". Any
# consumer comparing these strings must match both -- do not unify one without
# the other.
status = "completed"
current_phase = "complete"
# ISO date kept as a string rather than a TOML local date. Keep the string type
# unless the consumer is known to accept a native date -- TODO confirm.
last_updated = "2026-06-07"

[phases]
# checkpointsha = short SHA of the commit at which the phase landed. The key is
# spelled `checkpointsha` here but `commit_sha` under [tasks]; leave both as-is
# unless the consumer is updated in the same change.
phase_1 = { status = "completed", checkpointsha = "a8ae11d3", name = "Audit script + initial report" }
phase_2 = { status = "completed", checkpointsha = "20fa3558", name = "Tilde-pin + lock regen + delete requirements.txt" }
phase_3 = { status = "completed", checkpointsha = "a7ab994f", name = "CI gate (--strict + baseline)" }
# NOTE(review): status is "completed" but checkpointsha is still the "TBD"
# placeholder. The phase-4 checkpoint is presumably the commit that lands this
# file (the commit message lists it as "(this)"), so its SHA cannot be known
# when the file is written. A follow-up should back-fill it; until then a
# consumer that gates on a real SHA will (correctly) treat this phase as not
# verifiable.
phase_4 = { status = "completed", checkpointsha = "TBD", name = "tracks.md update" }

[verification]
# Gate results for the track, one flag per deliverable; each corresponds to a
# task in [tasks] (t1_* = audit checks, t2_* = dependency cleanup, t3_* = CI
# gate). All are true as of last_updated.
# scripts/audit_license_cve.py (t0_2, t1_6).
audit_script_exists = true
# License classification via importlib.metadata (t1_4).
license_check_passes = true
# CVE check shells out to pip-audit (t1_5). "optional" in the key name
# presumably means the check is skipped, not failed, when pip-audit is
# unavailable -- confirm. A skipped check reported as passing is not evidence
# of zero known CVEs in the pinned set.
cve_check_optional_passes = true
# Pin check (t1_2) against the tilde pins in pyproject.toml (t2_1).
pin_check_passes = true
# Source-header check (t1_3).
source_header_check_passes = true
pyproject_tilde_pinned = true
requirements_txt_deleted = true
# uv.lock is gitignored (t2_2), so the regenerated lock is local-only; CI
# reproducibility rests on the tilde pins in pyproject.toml rather than on a
# committed lock -- confirm this is intended.
uv_lock_regenerated = true
# --strict mode (t3_2, t3_3) is the CI gate; it exits 0 against the baseline.
strict_mode_implemented = true
# Baseline generated via --dump-baseline (t3_1) and consumed by --strict.
# NOTE(review): findings captured in a baseline are presumably accepted rather
# than fixed, so re-review the baseline whenever dependencies change; an
# unreviewed baseline can mask findings indefinitely.
baseline_file_committed = true
# 28 unit + integration tests at the time of this update (per the commit
# message).
unit_tests_passing = true

[tasks]
# One entry per task; commit_sha is the short SHA of the commit that landed it.
# Tasks are grouped by phase (t0_* setup, t1_* TDD of the audit script, t2_*
# dependency cleanup, t3_* CI gate, t4_* bookkeeping).
t0_1 = { status = "completed", commit_sha = "a8ae11d3", description = "Create state.toml" }
t0_2 = { status = "completed", commit_sha = "a8ae11d3", description = "Create empty scripts/audit_license_cve.py" }
t0_3 = { status = "completed", commit_sha = "a8ae11d3", description = "Create empty tests/test_audit_license_cve.py" }
t1_1 = { status = "completed", commit_sha = "a8ae11d3", description = "TDD: license classifier + ALLOW/BLOCK tables" }
t1_2 = { status = "completed", commit_sha = "a8ae11d3", description = "TDD: pin check" }
t1_3 = { status = "completed", commit_sha = "a8ae11d3", description = "TDD: source-header check" }
t1_4 = { status = "completed", commit_sha = "a8ae11d3", description = "TDD: license check via importlib.metadata" }
t1_5 = { status = "completed", commit_sha = "a8ae11d3", description = "TDD: CVE check via subprocess pip-audit" }
t1_6 = { status = "completed", commit_sha = "a8ae11d3", description = "Main loop + smoke test + initial report" }
t2_1 = { status = "completed", commit_sha = "20fa3558", description = "Tilde-pin all deps in pyproject.toml" }
# The regenerated lock is not committed (gitignored); see uv_lock_regenerated.
t2_2 = { status = "completed", commit_sha = "20fa3558", description = "Regenerate uv.lock (gitignored)" }
t2_3 = { status = "completed", commit_sha = "20fa3558", description = "Delete requirements.txt" }
t2_4 = { status = "completed", commit_sha = "20fa3558", description = "Re-run audit + final.md report" }
t3_1 = { status = "completed", commit_sha = "a7ab994f", description = "Generate baseline file via --dump-baseline" }
t3_2 = { status = "completed", commit_sha = "a7ab994f", description = "Add --strict mode tests" }
t3_3 = { status = "completed", commit_sha = "a7ab994f", description = "Verify gate end-to-end (--strict exit 0)" }
# NOTE(review): "TBD" for the same reason as phase_4 above -- these tasks land
# in the commit that writes this file. Back-fill once the SHA is known.
t4_1 = { status = "completed", commit_sha = "TBD", description = "Add track entry to conductor/tracks.md" }
t4_2 = { status = "completed", commit_sha = "TBD", description = "Update state.toml to completed" }