Skip to content

Commit d32a43f

Browse files
bloveclaude
andauthored
docs: OpenSSF Best Practices passing-readiness (contribution + test policy + answer sheet) (#714)
Close the two passing-level gaps in CONTRIBUTING.md (contribution process + testing policy) and add a fill-in-ready answer sheet mapping every passing criterion to repo evidence, so the bestpractices.dev badge submission passes first try. Adds the last clean OSSF Scorecard point (CII-Best-Practices). Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 472bd49 commit d32a43f

2 files changed

Lines changed: 109 additions & 0 deletions

File tree

CONTRIBUTING.md

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,27 @@
11
# Contributing
22

3+
Threadplane is MIT-licensed and developed in the open. Contributions are welcome.
4+
5+
## How to contribute
6+
7+
1. **Found a bug or have a feature idea?** Open an issue at
8+
<https://github.com/cacheplane/angular-agent-framework/issues> describing the
9+
problem or proposal. Please search existing issues first.
10+
2. **Code changes:** fork the repository (or create a topic branch if you have
11+
access), make your change on a branch, and open a pull request against `main`.
12+
Keep pull requests focused on a single concern.
13+
3. Every pull request runs CI (lint, test, build) and receives an automated code
14+
review; the maintainer reviews and merges.
15+
4. **Security issues:** do not open a public issue — see [SECURITY.md](SECURITY.md)
16+
for the private vulnerability-reporting process.
17+
18+
## Testing
19+
20+
New functionality and bug fixes must include automated tests. Run a project's
21+
suite with `npx nx test <project>` (for example, `npx nx test chat`). CI runs
22+
`lint`, `test`, and `build` across the publishable libraries on every pull
23+
request, so changes that break or skip tests are caught before merge.
24+
325
## Signed commits
426

527
`main` requires signed commits. Configure SSH commit signing once:
Lines changed: 87 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,87 @@
1+
# OpenSSF Best Practices Badge — Passing-level answer sheet
2+
3+
**Project:** Threadplane (`cacheplane/angular-agent-framework`)
4+
**Purpose:** fill-in sheet for the bestpractices.dev "passing" questionnaire. Each criterion → answer + evidence. Status as of 2026-06-20.
5+
6+
**How to submit (owner action):**
7+
1. Sign in at <https://www.bestpractices.dev> with GitHub.
8+
2. "Add a new project" → repo URL `https://github.com/cacheplane/angular-agent-framework`. Many fields auto-detect.
9+
3. For each criterion below, set the answer (Met / N/A) and paste the justification/URL.
10+
4. Once all MUST criteria are **Met/N/A**, the badge shows **passing**. Add the badge to `README.md`:
11+
`[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/<ID>/badge)](https://www.bestpractices.dev/projects/<ID>)`
12+
5. OSSF Scorecard's `CII-Best-Practices` check reads it on the next scan.
13+
14+
Project description for the form: *"An open-source, Angular-native framework for building AI agent UIs — streaming chat, durable threads, interrupts, subagents, planning, memory, and generative UI for LangGraph, AG-UI, A2UI, and custom backends."*
15+
16+
---
17+
18+
## Basics
19+
| Criterion | Answer | Evidence |
20+
|---|---|---|
21+
| description_good | Met | README.md + <https://threadplane.ai> describe the purpose plainly |
22+
| interact | Met | README (install/use), `CONTRIBUTING.md` (How to contribute), docs site |
23+
| contribution | Met | `CONTRIBUTING.md` → "How to contribute" (issues → branch → PR) |
24+
| floss_license | Met | MIT (OSI-approved) — `LICENSE` |
25+
| license_location | Met | `LICENSE` at repo root; `license` in each `package.json` |
26+
| documentation_basics | Met | README + docs at <https://threadplane.ai>; `SECURITY.md` |
27+
| documentation_interface | Met | API reference docs (generated) on the docs site |
28+
| sites_https | Met | threadplane.ai serves HTTPS/TLS (HTTP 200) |
29+
| discussion | Met | GitHub Issues — searchable, URL-addressable: <https://github.com/cacheplane/angular-agent-framework/issues> |
30+
| maintained | Met | Actively maintained — daily commits/releases |
31+
32+
## Change Control
33+
| Criterion | Answer | Evidence |
34+
|---|---|---|
35+
| repo_public | Met | Public GitHub repo |
36+
| repo_track | Met | Git (authors + timestamps) |
37+
| repo_interim | Met | Work lands via PRs/commits, not only tagged releases |
38+
| version_unique | Met | Synchronized SemVer tags `vX.Y.Z` (e.g. v0.0.52) |
39+
| release_notes | Met | Each GitHub Release has auto-generated notes (`gh release create --generate-notes`) |
40+
| release_notes_vulns | N/A | No CVE fixes shipped to date; will note CVEs in release notes if/when applicable |
41+
42+
## Reporting
43+
| Criterion | Answer | Evidence |
44+
|---|---|---|
45+
| report_process | Met | `CONTRIBUTING.md` directs bug reports to GitHub Issues |
46+
| report_responses | Met | Maintainer responds to issues (self-asserted) |
47+
| report_archive | Met | GitHub Issues = public, searchable archive |
48+
| vulnerability_report_process | Met | `SECURITY.md` + GitHub private vulnerability reporting (enabled) |
49+
50+
## Quality
51+
| Criterion | Answer | Evidence |
52+
|---|---|---|
53+
| build | Met | Nx build (`npx nx run-many -t build`); CI builds on every PR |
54+
| test | Met | Automated suites via Nx/Vitest (`npx nx test <project>`) |
55+
| test_policy | Met | `CONTRIBUTING.md` → "Testing": new functionality + fixes must add tests |
56+
| tests_are_added | Met | Recent PRs add `*.spec.ts` / type-spec tests alongside changes |
57+
| warnings | Met | ESLint enabled across projects; CI runs `lint` |
58+
| warnings_fixed | Met | Lint runs in CI/publish path; warnings addressed (e.g. langgraph empty-generator fix) |
59+
60+
## Security
61+
| Criterion | Answer | Evidence |
62+
|---|---|---|
63+
| know_secure_design | Met | Maintainer understands secure design (self-asserted) |
64+
| know_common_errors | Met | Self-asserted; supply-chain hardening (OSSF Scorecard, provenance, signing) demonstrates it |
65+
| crypto_published | Met¹ | `@threadplane/licensing` verifies Ed25519 signatures — a published algorithm |
66+
| crypto_keylength | Met¹ | Ed25519 meets NIST minimums |
67+
| crypto_working | Met¹ | Ed25519 is not a broken algorithm |
68+
| crypto_random | Met/N/A¹ | Libraries **verify** signatures (public-key); key generation is out of scope of the published libs |
69+
| delivery_mitm | Met | npm over HTTPS + SLSA provenance; git over HTTPS/SSH |
70+
| vulnerabilities_fixed_60_days | Met | Published `@threadplane/*` are dependency-free (chat pulls 2 `@cacheplane/*`); no known unpatched vulns in shipped code |
71+
72+
¹ **Owner: confirm the crypto answers.** The published libs only *verify* Ed25519 license signatures (no key generation). If you'd rather, the badge allows answering the crypto group "N/A — project does not implement its own cryptography" with that justification.
73+
74+
## Analysis
75+
| Criterion | Answer | Evidence |
76+
|---|---|---|
77+
| static_analysis | Met | CodeQL (`.github/workflows/codeql.yml`) on every push/PR + weekly |
78+
| static_analysis_fixed | Met | CodeQL findings triaged via GitHub code scanning |
79+
80+
---
81+
82+
## Pre-submit gaps closed (2026-06-20)
83+
- `contribution` + `report_process`: added "How to contribute" to `CONTRIBUTING.md`.
84+
- `test_policy`: added "Testing" policy to `CONTRIBUTING.md`.
85+
86+
## The only owner judgment call
87+
The **crypto** criteria (¹). Everything else is Met with the evidence above — this should pass on first submission.

0 commit comments

Comments
 (0)