From dc4eed645d389ee239a8c3dabe835216bf8a4343 Mon Sep 17 00:00:00 2001
From: Musiker15
Date: Mon, 25 May 2026 17:42:54 +0200
Subject: [PATCH] docs: fix stale repo URLs + refresh README for post-beta state
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two motivations bundled because both touch the same set of files:

1. The project moved from the `musiker15/*` personal namespace to the
   `MSK-Scripts` organisation. README badges, install snippets,
   security-reporting links, CONTRIBUTING clone command, CHANGELOG
   compare links, and the systemd unit's Documentation= URL all still
   pointed at the old `github.com/musiker15/mskanban` and
   `ghcr.io/musiker15/mskanban` — confirmed 404 / wrong owner
   (`release.yml` actually pushes to
   `ghcr.io/${{ github.repository_owner }}` which resolves to
   MSK-Scripts). Same fix in docs/public-launch.md and
   docs/deployment/mskanban.service.

   CODE_OF_CONDUCT.md was the odd one out, using `conduct@musiker15.de`
   while SECURITY.md uses `security@msk-scripts.de`. Aligned both on the
   brand domain.

   Note: I deliberately kept `github.com/musiker15` (the maintainer
   handle, not the project) and `cloud.musiker15.de` (personal
   Nextcloud) — those are personal, not stale.

2. README's feature highlights, view count, and status table were
   pre-v0.1.0-beta:
   - "Four views per board" → "Five views" (Timeline / Gantt landed
     post-beta in #49, see CHANGELOG [Unreleased])
   - "TOTP today, WebAuthn / Passkeys planned" → both shipped
   - Added: Milestones, Burn-Down chart, Timeline (Gantt), board-level
     presence (Yjs awareness), Automation engine v1 with ADR 0010
   - Status table: phase 10 ✅ (v0.1.0-beta released 2026-05-24); added
     a "post-beta" row listing the unreleased features
   - Replaced the broken `docs/crypto/` link with a pointer to ADR 0003
     + threat-model
   - Added a one-line pointer to the user-facing docs site at
     docu.msk-scripts.de/ecosystem/mskanban

Co-Authored-By: Claude Opus 4.7 (1M context)
Signed-off-by: Musiker15 --- CHANGELOG.md | 10 +++--- CLAUDE.md | 2 +- CODE_OF_CONDUCT.md | 4 +-- CONTRIBUTING.md | 10 +++--- README.md | 52 ++++++++++++++++++++++---------- SECURITY.md | 12 ++++---- docs/deployment/mskanban.service | 6 ++-- docs/public-launch.md | 6 ++-- 8 files changed, 61 insertions(+), 41 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 831e6b0..6d6582e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -193,9 +193,9 @@ and this project adheres to [Semantic Versioning 2.0](https://semver.org/spec/v2 ## [0.1.0-beta] — 2026-05-25 First public beta. Docker image published at -`ghcr.io/musiker15/mskanban:v0.1.0-beta`, signed via cosign keyless +`ghcr.io/msk-scripts/mskanban:v0.1.0-beta`, signed via cosign keyless (GitHub OIDC), with CycloneDX + SPDX SBOMs attached to the -[GitHub Release](https://github.com/musiker15/mskanban/releases/tag/v0.1.0-beta). +[GitHub Release](https://github.com/MSK-Scripts/mskanban/releases/tag/v0.1.0-beta). All ten roadmap phases (0 – 10) complete; 56 routes; 94/94 tests green; `pnpm audit --prod` clean. @@ -1351,6 +1351,6 @@ Verified locally - Project bootstrap. Repository initialised, documentation skeleton in place. -[Unreleased]: https://github.com/musiker15/mskanban/compare/v0.1.0-beta...HEAD -[0.1.0-beta]: https://github.com/musiker15/mskanban/compare/v0.0.0...v0.1.0-beta -[0.0.0]: https://github.com/musiker15/mskanban/releases/tag/v0.0.0 +[Unreleased]: https://github.com/MSK-Scripts/mskanban/compare/v0.1.0-beta...HEAD +[0.1.0-beta]: https://github.com/MSK-Scripts/mskanban/compare/v0.0.0...v0.1.0-beta +[0.0.0]: https://github.com/MSK-Scripts/mskanban/releases/tag/v0.0.0 diff --git a/CLAUDE.md b/CLAUDE.md index 37feb81..604c867 100644 --- a/CLAUDE.md +++ b/CLAUDE.md 
@@ -966,7 +966,7 @@ volumes: ```bash # Einmalig: -git clone https://github.com/musiker15/mskanban.git +git clone https://github.com/MSK-Scripts/mskanban.git cd mskanban cp .env.development.example .env.local # Werte sind passend zur Dev-Compose-Datei pnpm install diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index 32c2d6c..1ce5a85 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md @@ -16,9 +16,9 @@ This Code of Conduct applies within all community spaces of the MSKanban project Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the project maintainers responsible for enforcement at: -**conduct@musiker15.de** +**conduct@msk-scripts.de** -This inbox is separate from `security@musiker15.de` and is monitored only by the maintainers. All complaints will be reviewed and investigated promptly and fairly. All community leaders are obligated to respect the privacy and security of the reporter of any incident. +This inbox is separate from `security@msk-scripts.de` and is monitored only by the maintainers. All complaints will be reviewed and investigated promptly and fairly. All community leaders are obligated to respect the privacy and security of the reporter of any incident. ## Enforcement Guidelines diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 5af0473..ce32d41 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -15,13 +15,13 @@ reset…) deliberately don't exist. ## 🧭 Where to start - **First contribution?** Look for issues tagged - [`good first issue`](https://github.com/musiker15/mskanban/issues?q=label%3A%22good+first+issue%22). -- **Bug?** Open a [bug report](https://github.com/musiker15/mskanban/issues/new?template=bug.yml). + [`good first issue`](https://github.com/MSK-Scripts/mskanban/issues?q=label%3A%22good+first+issue%22). +- **Bug?** Open a [bug report](https://github.com/MSK-Scripts/mskanban/issues/new?template=bug.yml). Include reproduction steps, expected vs. actual, version (image tag or git SHA), and whether you can reproduce against `docker/docker-compose.dev.yml`. - **Feature idea?** Open a - [feature request](https://github.com/musiker15/mskanban/issues/new?template=feature.yml) + [feature request](https://github.com/MSK-Scripts/mskanban/issues/new?template=feature.yml) and tag it `discussion` if you want feedback before writing code. - **Security issue?** **Do not open a public issue.** See [`SECURITY.md`](SECURITY.md) for private reporting. @@ -36,7 +36,7 @@ reset…) deliberately don't exist. # - pnpm 9 (corepack enable && corepack prepare pnpm@latest --activate) # - Docker + Compose v2 -git clone https://github.com/musiker15/mskanban.git +git clone https://github.com/MSK-Scripts/mskanban.git cd mskanban pnpm install @@ -178,7 +178,7 @@ private branch and disclose coordinated. Details in UI strings live in `src/messages/.json`. The two seed locales are `en` and `de`; adding a new locale is welcome. -Open a [translation issue](https://github.com/musiker15/mskanban/issues/new?template=translation.yml) +Open a [translation issue](https://github.com/MSK-Scripts/mskanban/issues/new?template=translation.yml) first so we can coordinate. Or just submit a PR with the new `src/messages/.json` and we'll merge it. diff --git a/README.md b/README.md index 044f71c..52a09b2 100644 --- a/README.md +++ b/README.md 
@@ -4,10 +4,10 @@ **Zero-knowledge, self-hostable, real-time Kanban — open source under AGPL-3.0.** -[![CI](https://github.com/musiker15/mskanban/actions/workflows/ci.yml/badge.svg)](https://github.com/musiker15/mskanban/actions/workflows/ci.yml) -[![CodeQL](https://github.com/musiker15/mskanban/actions/workflows/codeql.yml/badge.svg)](https://github.com/musiker15/mskanban/actions/workflows/codeql.yml) +[![CI](https://github.com/MSK-Scripts/mskanban/actions/workflows/ci.yml/badge.svg)](https://github.com/MSK-Scripts/mskanban/actions/workflows/ci.yml) +[![CodeQL](https://github.com/MSK-Scripts/mskanban/actions/workflows/codeql.yml/badge.svg)](https://github.com/MSK-Scripts/mskanban/actions/workflows/codeql.yml) [![License: AGPL-3.0-or-later](https://img.shields.io/badge/License-AGPL%203.0-blue.svg)](LICENSE) -[![Container](https://img.shields.io/badge/container-ghcr.io%2Fmusiker15%2Fmskanban-blue)](https://github.com/musiker15/mskanban/pkgs/container/mskanban) +[![Container](https://img.shields.io/badge/container-ghcr.io%2Fmsk--scripts%2Fmskanban-blue)](https://github.com/MSK-Scripts/mskanban/pkgs/container/mskanban) @@ -41,8 +41,13 @@ opaque ciphertext and the metadata it strictly needs to route requests The differentiator is **zero-knowledge**: a Trello-style UX with the "server can't read your data" guarantee of Bitwarden / Standard Notes. -Read the [crypto whitepaper](docs/crypto/) and the -[threat model](docs/threat-model.md) for the details. +Read the [zero-knowledge ADR](docs/architecture/0003-zero-knowledge-e2ee.md) +and the [threat model](docs/threat-model.md) for the details. + +**Full user-facing documentation** lives at +[**docu.msk-scripts.de/ecosystem/mskanban**](https://docu.msk-scripts.de/ecosystem/mskanban) +— overview, installation, feature tour, REST API reference, privacy +deep-dive, FAQ. --- 
@@ -71,7 +76,7 @@ docker run -d --name mskanban \ -e WEBAUTHN_RP_ID='kanban.example.com' \ -e WEBAUTHN_RP_NAME='MSKanban' \ -e WEBAUTHN_RP_ORIGIN='https://kanban.example.com' \ - ghcr.io/musiker15/mskanban:latest + ghcr.io/msk-scripts/mskanban:latest ``` You bring your own MariaDB (10.11+) and Redis (7+); the @@ -81,9 +86,9 @@ together behind Apache. **Verify** the image before you run it (you should, every time): ```bash -cosign verify ghcr.io/musiker15/mskanban:latest \ +cosign verify ghcr.io/msk-scripts/mskanban:latest \ --certificate-identity-regexp \ - 'https://github.com/musiker15/mskanban/\.github/workflows/release\.yml@refs/tags/.*' \ + 'https://github.com/MSK-Scripts/mskanban/\.github/workflows/release\.yml@refs/tags/.*' \ --certificate-oidc-issuer https://token.actions.githubusercontent.com ``` 
@@ -142,13 +147,22 @@ ADRs 0003, 0004, 0007, 0009) and [`docs/threat-model.md`](docs/threat-model.md). ## 🧰 Feature highlights - **Boards, columns, cards** with drag-and-drop (keyboard-equivalent - per WCAG 2.1.1), labels, assignees, checklists, custom fields, - card templates. -- **Four views per board**: Kanban / Calendar / Table / Analytics - (cycle time, lead time, CFD, aging WIP, throughput) — all computed - client-side on decrypted data. + per WCAG 2.1.1), labels, assignees, **start + due dates**, checklists, + custom fields, card templates. +- **Milestones** group cards into deliverables with an optional date + window — drives the burn-down chart and timeline grouping. +- **Five views per board**: Kanban / Calendar / **Timeline (Gantt)** / + Table / Analytics. Analytics ships cycle time, lead time, CFD, aging + WIP, throughput, **burn-down per milestone** — all computed client- + side on decrypted data. - **Real-time collaboration** via Yjs CRDTs. Card descriptions sync - between users; the relay server only sees ciphertext bytes. + between users; **board-level presence** (Yjs awareness) shows who else + is online with an avatar stack + per-card "is viewing" dots. The + relay server only sees ciphertext bytes — even presence payloads. +- **Automation engine** ([ADR 0010](docs/architecture/0010-automation-engine.md)) + — declarative `{when, do}` rules per board, fully E2EE. Server sees + only the plaintext trigger envelope (`trigger_type` + `trigger_meta`) + whitelisted on every write; rule bodies live in `enc_rule`. - **Offline-first PWA** with IndexedDB snapshot cache and a live online/offline indicator. - **Activity feed + notifications** (server-visible metadata only). 
@@ -156,7 +170,7 @@ ADRs 0003, 0004, 0007, 0009) and [`docs/threat-model.md`](docs/threat-model.md). delivery queue with exponential backoff + DLQ surfaced in the UI. - **Import** from MSKanban JSON, Trello JSON, generic CSV. **Export** to JSON and Markdown. -- **2FA**: TOTP today, WebAuthn / Passkeys planned. +- **2FA**: TOTP **and** WebAuthn / Passkeys (both shipped). - **GDPR**: account-level export + crypto-shred deletion baked in. --- @@ -187,6 +201,11 @@ ADR 0006 for the reasoning. ## 📍 Status +`v0.1.0-beta` — released 2026-05-24, signed via cosign keyless OIDC. +All ten original roadmap phases shipped; post-beta features (milestones, +timeline, presence, automation) ship under `[Unreleased]` in +[`CHANGELOG.md`](CHANGELOG.md) and become `v0.2.0` when batched. + | Phase | What | Status | |---|---|---| | 0–3 | Setup + foundation + auth + core Kanban (plaintext MVP) | ✅ | @@ -196,7 +215,8 @@ ADR 0006 for the reasoning. | 7 | Analytics | ✅ | | 8 | Integrations & I/O (export, import, webhooks) | ✅ | | 9 | Hardening (CSP nonces, webhook DLQ, SBOM, Cosign) | ✅ | -| **10** | **Public Beta** (this release) | 🟡 | +| 10 | Public Beta (`v0.1.0-beta`) | ✅ | +| **post-beta** | Milestones, Burn-Down, Timeline, Presence, Automation v1 | ✅ shipped, not yet tagged | Tracker, roadmap and the running design log live in [`CLAUDE.md`](CLAUDE.md) (German — the rest of the docs and code are diff --git a/SECURITY.md b/SECURITY.md index ead1b3b..4ff9752 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -12,7 +12,7 @@ Please **do not** open a public GitHub issue for security problems. Report privately, in this order of preference: 1. **GitHub Private Vulnerability Reporting** — - [github.com/musiker15/mskanban → Security → Report a vulnerability](https://github.com/musiker15/mskanban/security/advisories/new). + [github.com/MSK-Scripts/mskanban → Security → Report a vulnerability](https://github.com/MSK-Scripts/mskanban/security/advisories/new). 2. **E-mail** — `security@msk-scripts.de`. Please encrypt sensitive details with our PGP key (fingerprint in `.well-known/security.txt`; the same key is published at @@ -70,9 +70,9 @@ We sign every pushed image with `cosign sign --yes` under GitHub's OIDC issuer — there is no long-lived signing key to compromise. To verify: ```bash -cosign verify ghcr.io/musiker15/mskanban: \ +cosign verify ghcr.io/msk-scripts/mskanban: \ --certificate-identity-regexp \ - 'https://github.com/musiker15/mskanban/\.github/workflows/release\.yml@refs/tags/.*' \ + 'https://github.com/MSK-Scripts/mskanban/\.github/workflows/release\.yml@refs/tags/.*' \ --certificate-oidc-issuer https://token.actions.githubusercontent.com ``` @@ -85,8 +85,8 @@ Generated automatically via `actions/attest-build-provenance`. View on the release page's Sigstore tab, or: ```bash -gh attestation verify oci://ghcr.io/musiker15/mskanban: \ - --owner musiker15 +gh attestation verify oci://ghcr.io/msk-scripts/mskanban: \ + --owner MSK-Scripts ``` ### 3. Software Bill of Materials (CycloneDX + SPDX) @@ -131,7 +131,7 @@ two maintainers look at it. ## 📜 Past Advisories See the -[Security tab](https://github.com/musiker15/mskanban/security/advisories) +[Security tab](https://github.com/MSK-Scripts/mskanban/security/advisories) for the chronological list of patched issues. — Maintainer: Moritz Kohm (`@musiker15`). diff --git a/docs/deployment/mskanban.service b/docs/deployment/mskanban.service index 57f6030..a0abba8 100644 --- a/docs/deployment/mskanban.service 
+++ b/docs/deployment/mskanban.service @@ -14,15 +14,15 @@ [Unit] Description=MSKanban (Next.js production server) -Documentation=https://github.com/musiker15/mskanban +Documentation=https://github.com/msk-scripts/mskanban After=network-online.target mariadb.service redis-server.service Wants=network-online.target Requires=mariadb.service [Service] Type=simple -User=musiker15 -Group=musiker15 +User=mskanban +Group=mskanban WorkingDirectory=/opt/mskanban # `next start` (not standalone) – matches msk-shop convention diff --git a/docs/public-launch.md b/docs/public-launch.md index f5f0006..3608e37 100644 --- a/docs/public-launch.md +++ b/docs/public-launch.md @@ -21,12 +21,12 @@ announcement. Anything unchecked is a release blocker. ## 📦 Release pipeline - [ ] Tagging `vX.Y.Z` triggers the `release.yml` workflow -- [ ] Container pushed to `ghcr.io/musiker15/mskanban` with semver + +- [ ] Container pushed to `ghcr.io/msk-scripts/mskanban` with semver + `latest` tags -- [ ] `cosign verify ghcr.io/musiker15/mskanban:vX.Y.Z` passes +- [ ] `cosign verify ghcr.io/msk-scripts/mskanban:vX.Y.Z` passes (keyless OIDC, this repo's release.yml as the trusted identity) - [ ] SLSA build-provenance attestation attached - (`gh attestation verify oci://… --owner musiker15`) + (`gh attestation verify oci://… --owner MSK-Scripts`) - [ ] `sbom.cdx.json` + `sbom.spdx.json` uploaded as release assets - [ ] `grype sbom:./sbom.cdx.json` shows no high/critical CVE
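
Review bot: In README.md hunk `@@ -81,9 +86,9 @@`, the rewritten `--certificate-identity-regexp` value has no `^`/`$` anchors and leaves the dots in `github.com` unescaped, so the pattern is looser than the single workflow it is meant to pin. Since the line is being touched anyway, suggest `'^https://github\.com/MSK-Scripts/mskanban/\.github/workflows/release\.yml@refs/tags/.*$'`, with the same change in the SECURITY.md copy of the command. The example also verifies `:latest`, a mutable tag; verifying and then running the same `@sha256:` digest would tie the check to the image that actually starts.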
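
Review bot: The new status paragraph in README.md hunk `@@ -187,6 +201,11 @@` gives the release date as 2026-05-24, while the CHANGELOG.md heading for `[0.1.0-beta]`, shown as unchanged context in this same patch, is dated 2026-05-25. Pick one date and use it in both files so the release record is unambiguous.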
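
Review bot: In SECURITY.md hunk `@@ -85,8 +85,8 @@`, `--owner MSK-Scripts` scopes the provenance check to the whole organisation rather than to this repository, which is a wider trust boundary than the old personal namespace if the organisation holds other projects. Suggest `--repo MSK-Scripts/mskanban` here and in the matching docs/public-launch.md checklist line so the attestation is tied to this repository.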
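
Review bot: The `User=`/`Group=` switch from `musiker15` to `mskanban` in docs/deployment/mskanban.service hunk `@@ -14,15 +14,15 @@` is a behaviour change that the commit message does not mention; it lists only the `Documentation=` URL for this file. A dedicated service account is the better default, but the unit will not start unless that account exists and can read `WorkingDirectory=/opt/mskanban`, so either move this to its own commit or add the account-creation step to the deployment notes. The `Documentation=` URL also uses lowercase `msk-scripts` where every other GitHub link in the patch uses `MSK-Scripts`.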