
Socket score: declare SPDX license, add author, add SECURITY.md #85

@derek-palmer


This was generated by AI during triage.

Context

From a /triage + grill-with-docs on improving the package's Socket.dev profile. Driver is README badge cosmetics + general supply-chain hygiene — not an enterprise consumer gating on Socket. The package is already near-ceiling for a source-available, zero-dependency installer (zero npm deps, no install scripts, provenance enabled in #48). This issue harvests the cheap, real wins. The License subscore and the capability alerts are structural and accepted — see docs/adr/0002-source-available-license-over-socket-score.md. Do not relicense, rewrite installer capabilities, add a CI gate, or add socket.yml.

What to build

  1. Declare the license machine-readably. In package.json, change the license field from the opaque "SEE LICENSE IN LICENSE.md" to the SPDX expression for the existing custom license: LicenseRef-Codeforerunner-SAL-0.1 (already present under LICENSES/). This is a correctness/consistency win with the repo's REUSE-style layout; it does not raise Socket's License subscore (source-available is non-OSI by design) and that is expected.
  2. Add author. Add "author": "Derek Palmer" to package.json, matching pyproject.toml's declared author. Do not add a funding field (no real funding URL).
  3. Add SECURITY.md at repo root with two sections:
    • Package capabilities — explain why the npm installer legitimately needs network access (fetches skill content + probes the npm registry), filesystem access (writes skills under the user's home dir), and process access (detects/launches agent CLIs). Frame as expected behavior for an installer so a human reviewer sees intent.
    • Reporting a vulnerability — point to GitHub private vulnerability reporting (Security advisories) on this repo; no email inbox.

Acceptance criteria

  • package.json license is LicenseRef-Codeforerunner-SAL-0.1; npm pack / publish emits no license warning (LicenseRef- is valid SPDX expression syntax — verify locally).
  • package.json has "author": "Derek Palmer"; no funding field added.
  • SECURITY.md exists at repo root with the capabilities rationale and the GitHub private-vuln-reporting pointer.
  • A test asserts the package.json license and author fields (guard against regression). The existing socket-badge release surface already covers the badge version — do not duplicate that.
  • No installer capability code changed; no relicense; no socket.yml; no CI gate.
  • Full test suite green (node --test + pytest as applicable).
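A regression check for the package.json fields named in the fourth criterion, written here as an added example rather than the repository's own test file; the two manifests it inspects are constructed inline, and the LicenseRef pattern follows the SPDX idstring rule (letters, digits, "-" and "."):

```javascript
// Added example: regression check for package.json metadata (not the project's
// own test). Wrap the functions in node --test cases to run them in CI.
const EXPECTED_LICENSE = 'LicenseRef-Codeforerunner-SAL-0.1';
const EXPECTED_AUTHOR = 'Derek Palmer';

// SPDX LicenseRef syntax: "LicenseRef-" followed by letters, digits, "-" or ".".
// An opaque string such as "SEE LICENSE IN LICENSE.md" fails this test.
const LICENSE_REF_RE = /^LicenseRef-[A-Za-z0-9.-]+$/;

// Returns a list of problems; an empty list means the manifest matches the criteria.
function checkPackageMetadata(pkg) {
  const problems = [];
  if (typeof pkg.license !== 'string' || !LICENSE_REF_RE.test(pkg.license)) {
    problems.push(`license is not a valid SPDX LicenseRef expression: ${JSON.stringify(pkg.license)}`);
  } else if (pkg.license !== EXPECTED_LICENSE) {
    problems.push(`license is ${pkg.license}, expected ${EXPECTED_LICENSE}`);
  }
  if (pkg.author !== EXPECTED_AUTHOR) {
    problems.push(`author is ${JSON.stringify(pkg.author)}, expected ${JSON.stringify(EXPECTED_AUTHOR)}`);
  }
  if ('funding' in pkg) {
    problems.push('funding field must not be present (no real funding URL)');
  }
  return problems;
}

// Parses the raw file contents first so a malformed manifest is reported, not thrown.
function checkPackageJson(text) {
  let pkg;
  try {
    pkg = JSON.parse(text);
  } catch (e) {
    return [`package.json is not valid JSON: ${e.message}`];
  }
  return checkPackageMetadata(pkg);
}

// Constructed "before" manifest: opaque license string, no author field.
const BEFORE = JSON.stringify({ name: 'example-pkg', version: '0.0.0', license: 'SEE LICENSE IN LICENSE.md' });
// Constructed "after" manifest that satisfies the acceptance criteria.
const AFTER = JSON.stringify({ name: 'example-pkg', version: '0.0.0', license: EXPECTED_LICENSE, author: EXPECTED_AUTHOR });

for (const [label, text] of [['before', BEFORE], ['after', AFTER]]) {
  console.log(label, checkPackageJson(text));
}
```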

Verification

  • npm pack --dry-run (or npm pack) shows the new license/author with no warnings; SECURITY.md is not in the published tarball unless intentionally added to files (it does not need to be — it's a repo-level policy doc).
  • Run the new field test; run the full suite.

Out of scope (decided in triage — see ADR-0002)

  • Relicensing to OSI/permissive or to PolyForm-Shield (parked, legal review).
  • Rewriting bin/install.js to reduce network/shell/fs/env capabilities (buys nothing on Socket).
  • CI gate / socket.yml / Socket GitHub App (no consumer gates on Socket).
  • funding field.
