| 1 | +# OpenSSF Best Practices Badge — Passing-level answer sheet |
| 2 | + |
| 3 | +**Project:** Threadplane (`cacheplane/angular-agent-framework`) |
| 4 | +**Purpose:** fill-in sheet for the bestpractices.dev "passing" questionnaire. Each criterion → answer + evidence. Status as of 2026-06-20. |
| 5 | + |
| 6 | +**How to submit (owner action):** |
| 7 | +1. Sign in at <https://www.bestpractices.dev> with GitHub. |
| 8 | +2. "Add a new project" → repo URL `https://github.com/cacheplane/angular-agent-framework`. Many fields auto-detect. |
| 9 | +3. For each criterion below, set the answer (Met / N/A) and paste the justification/URL. |
| 10 | +4. Once all MUST criteria are **Met/N/A**, the badge shows **passing**. Add the badge to `README.md`: |
| 11 | + `[](https://www.bestpractices.dev/projects/<ID>)` |
| 12 | +5. OSSF Scorecard's `CII-Best-Practices` check reads it on the next scan. |
| 13 | + |
| 14 | +Project description for the form: *"An open-source, Angular-native framework for building AI agent UIs — streaming chat, durable threads, interrupts, subagents, planning, memory, and generative UI for LangGraph, AG-UI, A2UI, and custom backends."* |
| 15 | + |
| 16 | +--- |
| 17 | + |
| 18 | +## Basics |
| 19 | +| Criterion | Answer | Evidence | |
| 20 | +|---|---|---| |
| 21 | +| description_good | Met | README.md + <https://threadplane.ai> describe the purpose plainly | |
| 22 | +| interact | Met | README (install/use), `CONTRIBUTING.md` (How to contribute), docs site | |
| 23 | +| contribution | Met | `CONTRIBUTING.md` → "How to contribute" (issues → branch → PR) | |
| 24 | +| floss_license | Met | MIT (OSI-approved) — `LICENSE` | |
| 25 | +| license_location | Met | `LICENSE` at repo root; `license` in each `package.json` | |
| 26 | +| documentation_basics | Met | README + docs at <https://threadplane.ai>; `SECURITY.md` | |
| 27 | +| documentation_interface | Met | API reference docs (generated) on the docs site | |
| 28 | +| sites_https | Met | threadplane.ai serves HTTPS/TLS (HTTP 200) | |
| 29 | +| discussion | Met | GitHub Issues — searchable, URL-addressable: <https://github.com/cacheplane/angular-agent-framework/issues> | |
| 30 | +| maintained | Met | Actively maintained — daily commits/releases | |
| 31 | + |
| 32 | +## Change Control |
| 33 | +| Criterion | Answer | Evidence | |
| 34 | +|---|---|---| |
| 35 | +| repo_public | Met | Public GitHub repo | |
| 36 | +| repo_track | Met | Git (authors + timestamps) | |
| 37 | +| repo_interim | Met | Work lands via PRs/commits, not only tagged releases | |
| 38 | +| version_unique | Met | Synchronized SemVer tags `vX.Y.Z` (e.g. v0.0.52) | |
| 39 | +| release_notes | Met | Each GitHub Release has auto-generated notes (`gh release create --generate-notes`) | |
| 40 | +| release_notes_vulns | N/A | No CVE fixes shipped to date; will note CVEs in release notes if/when applicable | |
| 41 | + |
| 42 | +## Reporting |
| 43 | +| Criterion | Answer | Evidence | |
| 44 | +|---|---|---| |
| 45 | +| report_process | Met | `CONTRIBUTING.md` directs bug reports to GitHub Issues | |
| 46 | +| report_responses | Met | Maintainer responds to issues (self-asserted) | |
| 47 | +| report_archive | Met | GitHub Issues = public, searchable archive | |
| 48 | +| vulnerability_report_process | Met | `SECURITY.md` + GitHub private vulnerability reporting (enabled) | |
| 49 | + |
| 50 | +## Quality |
| 51 | +| Criterion | Answer | Evidence | |
| 52 | +|---|---|---| |
| 53 | +| build | Met | Nx build (`npx nx run-many -t build`); CI builds on every PR | |
| 54 | +| test | Met | Automated suites via Nx/Vitest (`npx nx test <project>`) | |
| 55 | +| test_policy | Met | `CONTRIBUTING.md` → "Testing": new functionality + fixes must add tests | |
| 56 | +| tests_are_added | Met | Recent PRs add `*.spec.ts` / type-spec tests alongside changes | |
| 57 | +| warnings | Met | ESLint enabled across projects; CI runs `lint` | |
| 58 | +| warnings_fixed | Met | Lint runs in CI/publish path; warnings addressed (e.g. langgraph empty-generator fix) | |
| 59 | + |
| 60 | +## Security |
| 61 | +| Criterion | Answer | Evidence | |
| 62 | +|---|---|---| |
| 63 | +| know_secure_design | Met | Maintainer understands secure design (self-asserted) | |
| 64 | +| know_common_errors | Met | Self-asserted; supply-chain hardening (OSSF Scorecard, provenance, signing) demonstrates it | |
| 65 | +| crypto_published | Met¹ | `@threadplane/licensing` verifies Ed25519 signatures — a published algorithm | |
| 66 | +| crypto_keylength | Met¹ | Ed25519 meets NIST minimums | |
| 67 | +| crypto_working | Met¹ | Ed25519 is not a broken algorithm | |
| 68 | +| crypto_random | Met/N/A¹ | Libraries **verify** signatures (public-key); key generation is out of scope of the published libs | |
| 69 | +| delivery_mitm | Met | npm over HTTPS + SLSA provenance; git over HTTPS/SSH | |
| 70 | +| vulnerabilities_fixed_60_days | Met | Published `@threadplane/*` are dependency-free (chat pulls 2 `@cacheplane/*`); no known unpatched vulns in shipped code | |
| 71 | + |
| 72 | +¹ **Owner: confirm the crypto answers.** The published libs only *verify* Ed25519 license signatures (no key generation). If you'd rather, the badge allows answering the crypto group "N/A — project does not implement its own cryptography" with that justification. |
| 73 | + |
| 74 | +## Analysis |
| 75 | +| Criterion | Answer | Evidence | |
| 76 | +|---|---|---| |
| 77 | +| static_analysis | Met | CodeQL (`.github/workflows/codeql.yml`) on every push/PR + weekly | |
| 78 | +| static_analysis_fixed | Met | CodeQL findings triaged via GitHub code scanning | |
| 79 | + |
| 80 | +--- |
| 81 | + |
| 82 | +## Pre-submit gaps closed (2026-06-20) |
| 83 | +- `contribution` + `report_process`: added "How to contribute" to `CONTRIBUTING.md`. |
| 84 | +- `test_policy`: added "Testing" policy to `CONTRIBUTING.md`. |
| 85 | + |
| 86 | +## The only owner judgment call |
| 87 | +The **crypto** criteria (¹). Everything else is Met with the evidence above — this should pass on first submission. |
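Review bot: the `crypto_random` row is answered "Met/N/A¹", which the questionnaire cannot accept; each criterion takes exactly one answer, so either keep Met with the justification that the published libraries only verify Ed25519 signatures and never generate keys, or take the footnote's alternative and answer the whole crypto group N/A consistently, in which case `crypto_published`, `crypto_keylength` and `crypto_working` must change from Met as well rather than leaving the group split between the two stories. The README snippet under step 4, `[](https://www.bestpractices.dev/projects/<ID>)`, is an empty link as written and renders nothing; the link text needs the badge image (bestpractices.dev serves it at `https://www.bestpractices.dev/projects/<ID>/badge` and shows the full markdown on the project page once it is created). The `vulnerabilities_fixed_60_days` evidence also contradicts itself ("dependency-free" followed by "chat pulls 2 `@cacheplane/*`"); wording it as "no third-party runtime dependencies apart from two `@cacheplane/*` packages" avoids a reviewer on the badge site flagging the inconsistency.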