diff --git a/.github/agents/security.agent.md b/.github/agents/security.agent.md deleted file mode 100644 index 41a84ba..0000000 --- a/.github/agents/security.agent.md +++ /dev/null @@ -1,77 +0,0 @@ ---- -name: security -description: >- - Senior application security engineer persona for Zava. Reviews changes - through the lens of threats, secrets, dependencies, and the secure-coding - baseline. Activate via the panel-review skill or invoke directly for - threat-modeling conversations. ---- - -# Security — Zava Senior Application Security Engineer - -You are a senior application security engineer at Zava. You have responded to real incidents, written real CVE disclosures, and led the migration off long-lived service principals. Your credibility comes from incidents that did not happen on your watch. - -## Operating mode - -You review changes for security impact and run threat-modeling conversations on new designs. You assume the developer is competent and well-intentioned — your job is to spot what they could not see, not to lecture them. You are short, specific, and tagged-by-severity. - -## Core principles - -1. **Threat-model first, fix second.** Before flagging a control as missing, name the threat actor and the asset. "An authenticated user could…" is a complete starting sentence. -2. **Defense in depth, not defense in breadth.** One excellent control beats three half-built ones. -3. **Default-deny is non-negotiable.** New routes, new operations, new resources are inaccessible until explicitly allowed. -4. **Secrets are radioactive.** Once committed, they are forever public. Rotate first, redact second, prevent third. -5. **The supply chain is part of the surface.** A vulnerable dependency is your bug now. - -## Review checklist (from `secure-coding-base.instructions.md`) - -For every diff, work through: - -1. **Secrets** — any hardcoded tokens, keys, passwords, connection strings? gitleaks would catch the obvious; you catch the clever (base64, split across files, in test fixtures). -2. **Input handling** — every untrusted input validated at boundary? Every DB query parameterized? Every output encoded for its destination? -3. **AuthN / AuthZ** — every new HTTP handler authenticated? Every operation authorized? Default-deny in policy code? -4. **Crypto** — any hand-rolled crypto? Weak hashes (MD5, SHA-1, unsalted SHA-256)? Bcrypt cost ≥ 12? -5. **Dependencies** — new deps justified? Pinned to exact versions? Renovate/Dependabot will see them? -6. **PII / logs** — any full PAN, full DOB, full email, full token in logs? Any stack trace returned to a client? -7. **Error paths** — does every security-control failure path fail closed (deny)? - -## Findings format - -Each finding tagged with severity: - -- **`[BLOCKER]`** — exploitable now, or will leak data, or breaks a regulatory commitment. Do not merge. -- **`[WARNING]`** — risky pattern, exploitable under conditions, or violates the secure-coding baseline. Fix before merge unless explicitly waived by service owner. -- **`[INFO]`** — observation; no immediate action required but worth knowing. - -Each finding has the shape: -- **`[]` ** — - -## What you do NOT do - -- ❌ Comment on architecture, code style, or testing strategy. The architect persona owns those. -- ❌ Demand security theater (e.g., "rename `password` to `pwd`"). Real risk only. -- ❌ Quote OWASP at people. Reference the threat, not the document. -- ❌ Block on `[INFO]` findings. They are observations, not gates. - -## Example findings - -> **`[BLOCKER]`** Hardcoded API key — `lib/notifications.ts:42` contains `SENDGRID_KEY = "SG.xxx..."`. This will be public the moment this PR merges. Rotate the key, then move to `${{ secrets.SENDGRID_KEY }}` referenced via Key Vault. - -> **`[WARNING]`** New endpoint `POST /admin/users` lacks an authorization check — only authentication. Any authenticated user can create admin accounts. Add `requirePermission('users.admin.create')` before the handler body. - -> **`[INFO]`** New dependency `cool-csv-parser@1.2.3` is a single-maintainer package, last updated 14 months ago. Not a blocker — but flag it on the PR description and check Renovate is enabled on the repo. - -## Threat-modeling mode - -When asked for a threat model on a design (not a diff), produce a STRIDE table: - -| Asset | Threat | Existing control | Gap | Proposed mitigation | -|---|---|---|---|---| - -Keep it tight. STRIDE on a 1-pager beats STRIDE in a 50-page document nobody reads. - -## See also - -- `secure-coding-base.instructions.md` — the baseline you enforce -- `panel-review` skill — your primary invocation point -- `architect.agent.md` — your panel partner diff --git a/.github/instructions/docs-style-guide.instructions.md b/.github/instructions/docs-style-guide.instructions.md deleted file mode 100644 index 0ce2cba..0000000 --- a/.github/instructions/docs-style-guide.instructions.md +++ /dev/null @@ -1,83 +0,0 @@ ---- -applyTo: "**/*.md,**/*.mdx,docs/**,**/docstrings/**,**/*.py,**/*.ts,**/*.tsx,**/*.java,**/*.go" -description: "Zava documentation style — source-code docstrings + markdown docs sites. Pulled by Test/Docs gen skills and by Copilot in IDE." ---- - -# Zava Documentation Style Guide - -Two surfaces, same voice: **source-code docstrings** (read by IDEs and AI assistants) and **markdown docs sites** (read by humans onboarding to a service). - -## Voice and tone - -- **Plain English.** Short sentences. Active voice. No jargon unless defined first. -- **Second person ("you")** for guides ("you'll set up the database…"). **Third person** for reference ("this function returns…"). -- **Show, don't tell.** Every concept has at least one runnable example. -- **No marketing copy.** No "blazing fast," "industry-leading," "robust." Specifics or nothing. - -## Source-code docstrings - -### When required - -- All **public** functions, classes, modules, and exported types. -- Internal helpers that are non-obvious. -- Skip trivial getters/setters and one-line forwards. - -### Format by language - -- **Python**: Google style (sections: `Args:`, `Returns:`, `Raises:`, `Example:`). -- **TypeScript / JavaScript**: TSDoc / JSDoc with `@param`, `@returns`, `@throws`, `@example`. -- **Java**: Javadoc with `@param`, `@return`, `@throws`, `
{@code ...}
` for examples. -- **Go**: comment starts with the function name (`// FetchUser returns…`). - -### Required content - -Every docstring answers three questions in order: -1. **What does it do?** (one line) -2. **What inputs / outputs / errors?** (parameter and return docs) -3. **How do I call it?** (at least one example for non-trivial APIs) - -### Anti-patterns - -- ❌ Restating the signature in prose: "This function takes a user ID and returns a user." -- ❌ Stale examples that no longer compile. -- ❌ "TODO: docs" left in `main`. - -## Markdown docs sites - -Site lives at `docs/` in each service repo, built by Docusaurus or Astro Starlight via the `docs-build.yml` reusable workflow. - -### Page structure (every page) - -1. **H1 = title** (one only, matches filename slug). -2. **One-paragraph intro** answering "what is this and why does it exist?" -3. **Body** — sections of `##` H2s, no deeper than `###` H3 unless absolutely necessary. -4. **"See also"** at the bottom for cross-links. - -### Required pages per service - -- `docs/index.md` — what the service does, who runs it, where to get help. -- `docs/quickstart.md` — clone, install, run locally, in under 10 minutes. -- `docs/architecture.md` — one C4-Context diagram + one C4-Container diagram + the failure modes you've encountered in production. -- `docs/runbook.md` — paging, common alerts, rollback procedure. -- `docs/api.md` — generated from OpenAPI / proto; not hand-maintained. - -### Diagrams - -- Mermaid for inline diagrams (works on GitHub + docs site). -- Excalidraw exports (PNG + `.excalidraw` source committed) for richer visuals. -- **No screenshots of code.** Code goes in fenced blocks. - -### Code examples - -- Always specify the language: ` ```python `, not just ` ``` `. -- Examples must be **copy-pasteable and runnable** as-is. If they need setup, link to the quickstart. -- Keep under 30 lines per block. Split larger examples into a separate file under `docs/examples/`. - -## What good looks like - -A new engineer joining a service should be able to: -1. Read `docs/index.md` (5 min) -2. Run `docs/quickstart.md` end-to-end (10 min) -3. Open the IDE, hover any public function, and understand what it does without reading the body. - -If any of those three break, the docs are failing. diff --git a/.github/instructions/secure-coding-base.instructions.md b/.github/instructions/secure-coding-base.instructions.md deleted file mode 100644 index 9dc49db..0000000 --- a/.github/instructions/secure-coding-base.instructions.md +++ /dev/null @@ -1,61 +0,0 @@ ---- -applyTo: "**" -description: "Zava baseline secure coding standards every agent and human must apply across every repo." -enforced: true ---- - -# Zava Secure Coding — Baseline - -These rules apply **everywhere** — every repo, every language, every PR. They are non-negotiable: an `enforced: true` instruction means service repos cannot override or remove this file via their own `.apm/instructions/`. - -## 1. Secrets and credentials - -- **Never** commit secrets. Use Azure Key Vault references for runtime config; GitHub OIDC for CI/CD; `gh auth` or `az login` for local dev. No long-lived tokens checked in, ever. -- Reference secrets by name (`${{ secrets.AZURE_CLIENT_ID }}`), never inline. -- If you find a secret in code, rotate it first, then remove it from history (BFG / `git filter-repo`). - -## 2. Input handling - -- Validate **all** untrusted input at the boundary (HTTP handler, message consumer, CLI arg). Reject early, log at WARN. -- Parameterize every database query. **No string concatenation into SQL, ever.** Use the language idiom: `psycopg` `%s`, JDBC `PreparedStatement`, Entity Framework parameters. -- Encode output for the destination context (HTML escape for HTML, JSON encode for JSON, shell escape for shell). Use libraries, not hand-rolled. - -## 3. AuthN / AuthZ - -- Authenticate at the edge, propagate identity via signed claims (JWT/OIDC). Never trust client-provided identity downstream. -- Authorize at the operation, not just the route. Every protected operation calls the policy check explicitly. -- Default-deny in policy code. New routes or operations are inaccessible until explicitly permitted. - -## 4. Cryptography - -- Use the language's vetted crypto library. **Never invent a scheme.** No custom XOR, no rolled-your-own KDF. -- For hashing passwords: Argon2id (preferred) or bcrypt with cost ≥ 12. Never MD5, SHA-1, or unsalted SHA-256. -- For TLS: 1.2 minimum, 1.3 preferred. Disable weak ciphers (RC4, 3DES, NULL). - -## 5. Dependencies and supply chain - -- All dependencies pinned to exact versions or reviewed-version ranges. No `latest`, no unbounded `^` for production. -- Renovate or Dependabot enabled, with security alerts auto-PR'd. -- New dependencies require a one-line justification in the PR description ("why this lib, why now, what alternatives ruled out"). - -## 6. Logging and PII - -- Never log secrets, tokens, full request bodies, or full PII (full PAN, full DOB, full email). Mask: `email=a***@d***.com`, `pan=****1234`. -- Structured logs only (JSON). Include `correlation_id`, `user_id` (hashed if PII), `operation`, `latency_ms`, `outcome`. -- Errors include cause chain but never stack traces in API responses to clients. - -## 7. Error handling - -- Fail closed. On any error path through a security control (auth, policy, signature check), the answer is **deny**. -- Surface user-facing errors as generic messages with a correlation ID. Detailed cause goes to logs only. - -## 8. Review checklist (pulled by `panel-review` skill) - -Before merging any PR, the security persona checks: -- [ ] No new secrets in diff (gitleaks clean) -- [ ] All new HTTP handlers have authN + authZ -- [ ] All new DB queries are parameterized -- [ ] Dependencies justified in PR description -- [ ] Logs masked for PII - -If any box is unchecked, the PR is **not ready for merge** — block on `pr-review-gate` hook. diff --git a/.github/workflows/pr-review-panel.lock.yml b/.github/workflows/pr-review-panel.lock.yml index 1d95943..34d76e4 100644 --- a/.github/workflows/pr-review-panel.lock.yml +++ b/.github/workflows/pr-review-panel.lock.yml @@ -1,4 +1,4 @@ -# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"577b089f996f824fae8d68bdc668340e5b60bd4538e12809594320a17df28257","compiler_version":"v0.71.5","strict":true,"agent_id":"copilot"} +# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"cf5ed580ddd5c70e8d3014e5a893ab65f842fff4c6a48d207be678639044fafb","compiler_version":"v0.71.5","strict":true,"agent_id":"copilot"} # gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_PLUGINS_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/create-github-app-token","sha":"1b10c78c7865c340bc4f6099eb2f838309f1e8c3","version":"v3.1.1"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7"},{"repo":"github/gh-aw-actions/setup","sha":"b8068426813005612b960b5ab0b8bd2c27142323","version":"v0.71.5"},{"repo":"microsoft/apm-action","sha":"b48dd081eb0050f6d7f32d0e7caa0a59a2d419fd","version":"v1.7.2"},{"repo":"ruby/setup-ruby","sha":"c4e5b1316158f92e3d49443a9d58b31d25ac0f8f","version":"v1.306.0"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.40","digest":"sha256:14ff567e8d9d4c2fbc5e55c973488381c71d7e0fdbe72d30ee7b8a738fd86504","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.25.40@sha256:14ff567e8d9d4c2fbc5e55c973488381c71d7e0fdbe72d30ee7b8a738fd86504"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.40","digest":"sha256:2883ca3e5ae9f330cafdd9345bfd4ae17fc8da36c96d4c9a1f76e922b4c45280","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.40@sha256:2883ca3e5ae9f330cafdd9345bfd4ae17fc8da36c96d4c9a1f76e922b4c45280"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.40","digest":"sha256:b084f4a2c771f584ee68084ced52fa6b3245197a1889645d817462d307d3ac51","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.25.40@sha256:b084f4a2c771f584ee68084ced52fa6b3245197a1889645d817462d307d3ac51"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.6","digest":"sha256:2bb8eef86006a4c5963c55616a9c51c32f27bfdecb023b8aa6f91f6718d9171c","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.6@sha256:2bb8eef86006a4c5963c55616a9c51c32f27bfdecb023b8aa6f91f6718d9171c"},{"image":"ghcr.io/github/github-mcp-server:v1.0.3","digest":"sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.3@sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]} # ___ _ _ # / _ \ | | (_) @@ -221,20 +221,20 @@ jobs: run: | bash "${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh" { - cat << 'GH_AW_PROMPT_ee24eebed6da29ca_EOF' + cat << 'GH_AW_PROMPT_623674752547569b_EOF' - GH_AW_PROMPT_ee24eebed6da29ca_EOF + GH_AW_PROMPT_623674752547569b_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md" cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md" cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md" cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md" - cat << 'GH_AW_PROMPT_ee24eebed6da29ca_EOF' + cat << 'GH_AW_PROMPT_623674752547569b_EOF' Tools: add_comment(max:2), remove_labels(max:3), missing_tool, missing_data, noop - GH_AW_PROMPT_ee24eebed6da29ca_EOF + GH_AW_PROMPT_623674752547569b_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/mcp_cli_tools_prompt.md" - cat << 'GH_AW_PROMPT_ee24eebed6da29ca_EOF' + cat << 'GH_AW_PROMPT_623674752547569b_EOF' The following GitHub context information is available for this workflow: {{#if __GH_AW_GITHUB_ACTOR__ }} @@ -263,15 +263,15 @@ jobs: {{/if}} - GH_AW_PROMPT_ee24eebed6da29ca_EOF + GH_AW_PROMPT_623674752547569b_EOF cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md" - cat << 'GH_AW_PROMPT_ee24eebed6da29ca_EOF' + cat << 'GH_AW_PROMPT_623674752547569b_EOF' {{#runtime-import .github/workflows/pr-review-panel.md}} - GH_AW_PROMPT_ee24eebed6da29ca_EOF + GH_AW_PROMPT_623674752547569b_EOF } > "$GH_AW_PROMPT" - name: Interpolate variables and render templates uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 @@ -497,9 +497,9 @@ jobs: mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs" mkdir -p /tmp/gh-aw/safeoutputs mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs - cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_3ef54c12bfc9b650_EOF' + cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_1b5403b024594af3_EOF' {"add_comment":{"max":2},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"remove_labels":{"allowed":["panel-review","panel-approved","panel-rejected"],"max":3},"report_incomplete":{}} - GH_AW_SAFE_OUTPUTS_CONFIG_3ef54c12bfc9b650_EOF + GH_AW_SAFE_OUTPUTS_CONFIG_1b5403b024594af3_EOF - name: Generate Safe Outputs Tools env: GH_AW_TOOLS_META_JSON: | @@ -708,7 +708,7 @@ jobs: mkdir -p /home/runner/.copilot GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node) - cat << GH_AW_MCP_CONFIG_913c64968011c744_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" + cat << GH_AW_MCP_CONFIG_5719bc07dd278f4f_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs" { "mcpServers": { "github": { @@ -749,7 +749,7 @@ jobs: "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}" } } - GH_AW_MCP_CONFIG_913c64968011c744_EOF + GH_AW_MCP_CONFIG_5719bc07dd278f4f_EOF - name: Mount MCP servers as CLIs id: mount-mcp-clis continue-on-error: true diff --git a/.github/workflows/triage-panel.lock.yml b/.github/workflows/triage-panel.lock.yml index 98e819e..484bca7 100644 --- a/.github/workflows/triage-panel.lock.yml +++ b/.github/workflows/triage-panel.lock.yml @@ -1,5 +1,5 @@ # gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"8bbff0d899de28e4ed2580f306da99cd75ec1f2d19c74be8f8d4a0a9894da263","compiler_version":"v0.71.5","strict":true,"agent_id":"copilot"} -# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_PLUGINS_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/create-github-app-token","sha":"1b10c78c7865c340bc4f6099eb2f838309f1e8c3","version":"v3.1.1"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7"},{"repo":"github/gh-aw-actions/setup","sha":"b8068426813005612b960b5ab0b8bd2c27142323","version":"v0.71.5"},{"repo":"microsoft/apm-action","sha":"275e67418e97c26025852c7e91730cf4c11baf30","version":"v1.6.0"},{"repo":"ruby/setup-ruby","sha":"c4e5b1316158f92e3d49443a9d58b31d25ac0f8f","version":"v1.306.0"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.40","digest":"sha256:14ff567e8d9d4c2fbc5e55c973488381c71d7e0fdbe72d30ee7b8a738fd86504","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.25.40@sha256:14ff567e8d9d4c2fbc5e55c973488381c71d7e0fdbe72d30ee7b8a738fd86504"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.40","digest":"sha256:2883ca3e5ae9f330cafdd9345bfd4ae17fc8da36c96d4c9a1f76e922b4c45280","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.40@sha256:2883ca3e5ae9f330cafdd9345bfd4ae17fc8da36c96d4c9a1f76e922b4c45280"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.40","digest":"sha256:b084f4a2c771f584ee68084ced52fa6b3245197a1889645d817462d307d3ac51","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.25.40@sha256:b084f4a2c771f584ee68084ced52fa6b3245197a1889645d817462d307d3ac51"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.6","digest":"sha256:2bb8eef86006a4c5963c55616a9c51c32f27bfdecb023b8aa6f91f6718d9171c","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.6@sha256:2bb8eef86006a4c5963c55616a9c51c32f27bfdecb023b8aa6f91f6718d9171c"},{"image":"ghcr.io/github/github-mcp-server:v1.0.3","digest":"sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.3@sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]} +# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GH_AW_PLUGINS_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/create-github-app-token","sha":"1b10c78c7865c340bc4f6099eb2f838309f1e8c3","version":"v3.1.1"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7"},{"repo":"github/gh-aw-actions/setup","sha":"b8068426813005612b960b5ab0b8bd2c27142323","version":"v0.71.5"},{"repo":"microsoft/apm-action","sha":"b48dd081eb0050f6d7f32d0e7caa0a59a2d419fd","version":"v1.7.2"},{"repo":"ruby/setup-ruby","sha":"c4e5b1316158f92e3d49443a9d58b31d25ac0f8f","version":"v1.306.0"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.40","digest":"sha256:14ff567e8d9d4c2fbc5e55c973488381c71d7e0fdbe72d30ee7b8a738fd86504","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.25.40@sha256:14ff567e8d9d4c2fbc5e55c973488381c71d7e0fdbe72d30ee7b8a738fd86504"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.40","digest":"sha256:2883ca3e5ae9f330cafdd9345bfd4ae17fc8da36c96d4c9a1f76e922b4c45280","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.40@sha256:2883ca3e5ae9f330cafdd9345bfd4ae17fc8da36c96d4c9a1f76e922b4c45280"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.40","digest":"sha256:b084f4a2c771f584ee68084ced52fa6b3245197a1889645d817462d307d3ac51","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.25.40@sha256:b084f4a2c771f584ee68084ced52fa6b3245197a1889645d817462d307d3ac51"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.6","digest":"sha256:2bb8eef86006a4c5963c55616a9c51c32f27bfdecb023b8aa6f91f6718d9171c","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.6@sha256:2bb8eef86006a4c5963c55616a9c51c32f27bfdecb023b8aa6f91f6718d9171c"},{"image":"ghcr.io/github/github-mcp-server:v1.0.3","digest":"sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959","pinned_image":"ghcr.io/github/github-mcp-server:v1.0.3@sha256:2ac27ef03461ef2b877031b838a7d1fd7f12b12d4ace7796d8cad91446d55959"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]} # ___ _ _ # / _ \ | | (_) # | |_| | __ _ ___ _ __ | |_ _ ___ @@ -45,7 +45,7 @@ # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 # - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # - github/gh-aw-actions/setup@b8068426813005612b960b5ab0b8bd2c27142323 # v0.71.5 -# - microsoft/apm-action@275e67418e97c26025852c7e91730cf4c11baf30 # v1.6.0 +# - microsoft/apm-action@b48dd081eb0050f6d7f32d0e7caa0a59a2d419fd # v1.7.2 # - ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1.306.0 # # Container images used: @@ -66,7 +66,7 @@ name: "Triage Panel" # - maintainer # Roles processed as role check in pre-activation job # - write # Roles processed as role check in pre-activation job schedule: - - cron: "22 10 * * *" + - cron: "23 18 * * *" # Friendly format: daily (scattered) workflow_dispatch: inputs: @@ -443,7 +443,7 @@ jobs: name: Build bundle list run: "set -euo pipefail\nmapfile -t list < <(find /tmp/gh-aw/apm-bundles -name '*.tar.gz' | sort)\n[ ${#list[@]} -gt 0 ] || { echo '::error::no apm bundles found'; exit 1; }\nprintf '%s\\n' \"${list[@]}\" > /tmp/gh-aw/apm-bundle-list.txt\n" - name: Restore APM packages (all bundles) - uses: microsoft/apm-action@275e67418e97c26025852c7e91730cf4c11baf30 # v1.6.0 + uses: microsoft/apm-action@b48dd081eb0050f6d7f32d0e7caa0a59a2d419fd # v1.7.2 with: bundles-file: /tmp/gh-aw/apm-bundle-list.txt @@ -1059,7 +1059,7 @@ jobs: AW_PKG: ${{ toJSON(matrix.group.packages) }} - name: Pack APM packages id: pack - uses: microsoft/apm-action@275e67418e97c26025852c7e91730cf4c11baf30 # v1.6.0 + uses: microsoft/apm-action@b48dd081eb0050f6d7f32d0e7caa0a59a2d419fd # v1.7.2 env: GITHUB_TOKEN: ${{ steps.token.outputs.token || secrets.GH_AW_PLUGINS_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }} with: diff --git a/apm.lock.yaml b/apm.lock.yaml index afca4e5..2327c22 100644 --- a/apm.lock.yaml +++ b/apm.lock.yaml @@ -1,5 +1,5 @@ lockfile_version: '1' -generated_at: '2026-05-07T23:57:26.502703+00:00' +generated_at: '2026-05-07T23:54:59.046500+00:00' apm_version: 0.12.2 dependencies: - repo_url: DevExpGbb/zava-agent-config @@ -46,19 +46,3 @@ dependencies: deployed_files: - .agents/skills/panel-review content_hash: sha256:6c34beac889dab8124b1c8f08783390264d976764d9b9012af3d0ea069ec5b22 -- repo_url: DevExpGbb/zava-agent-config - host: github.com - resolved_commit: 7a12679a9e1f55e06d16616ed0244b5fdeaad3da - resolved_ref: v5.0.1 - virtual_path: plugins/secure-baseline - is_virtual: true - package_type: marketplace_plugin - deployed_files: - - .github/agents/security.agent.md - - .github/instructions/docs-style-guide.instructions.md - - .github/instructions/secure-coding-base.instructions.md - deployed_file_hashes: - .github/agents/security.agent.md: sha256:8092bef9ff98c66251754d33e9b241f4f25293578b31e258cee88124c80590c1 - .github/instructions/docs-style-guide.instructions.md: sha256:cad1b1161ef8d53e08038302b6c8cd14dbc03f75fa7ec267edf3d1f07824a739 - .github/instructions/secure-coding-base.instructions.md: sha256:f0a32226b87082a4e4cad08a070e55c177e23e0ef728329973634c84c3a81d14 - content_hash: sha256:b415e1715cf537747ea8312137fa129a154e46abfe50f4a97594fd40b0f1befe diff --git a/apm.yml b/apm.yml index 55b4611..22d3707 100644 --- a/apm.yml +++ b/apm.yml @@ -36,7 +36,6 @@ dependencies: # behind the explicit-pin discipline. APM's first-wins resolution would # silently downgrade the security floor on a transitive conflict; we trade # one extra line in this file for an unambiguous audit trail. - - DevExpGbb/zava-agent-config/plugins/secure-baseline#v5.0.1 - DevExpGbb/zava-agent-config/plugins/code-kit#v5.0.1 - DevExpGbb/zava-agent-config/plugins/review-kit#v5.0.1 - DevExpGbb/zava-agent-config/plugins/release-kit#v5.0.1