Argentum

Projects that follow the best practices below can voluntarily self-certify and show that they've achieved an Open Source Security Foundation (OpenSSF) best practices badge.

There is no set of practices that can guarantee that software will never have defects or vulnerabilities; even formal methods can fail if the specifications or assumptions are wrong. Nor is there any set of practices that can guarantee that a project will sustain a healthy and well-functioning development community. However, following best practices can help improve the results of projects. For example, some practices enable multi-person review before release, which can both help find otherwise hard-to-find technical vulnerabilities and help build trust and a desire for repeated interaction among developers from different companies. To earn a badge, all MUST and MUST NOT criteria must be met, all SHOULD criteria must be met OR be unmet with justification, and all SUGGESTED criteria must be met OR unmet (we want them considered at least). If you want to enter justification text as a generic comment, instead of being a rationale that the situation is acceptable, start the text block with '//' followed by a space. Feedback is welcome via the GitHub site as issues or pull requests There is also a mailing list for general discussion.

We gladly provide the information in several locales, however, if there is any conflict or inconsistency between the translations, the English version is the authoritative version.
If this is your project, please show your baseline badge status on your project page! The baseline badge status looks like this: Baseline badge level for project 12957 is baseline-3 Here is how to embed the baseline badge:
You can show your baseline badge status by embedding this in your markdown file:
[![OpenSSF Baseline](https://www.bestpractices.dev/projects/12957/baseline)](https://www.bestpractices.dev/projects/12957)
or by embedding this in your HTML:
<a href="https://www.bestpractices.dev/projects/12957"><img src="https://www.bestpractices.dev/projects/12957/baseline"></a>


These are the Baseline Level 3 criteria. These are criteria version v2026.02.19.

Baseline Series: Baseline Level 1 Baseline Level 2 Baseline Level 3

        

 Basics

  • General

    Note that other projects may use the same name.

    Argentum is a local-first AI workspace. It runs on your own machine so your data stays with you. You can chat with AI providers you choose, route conversations through Telegram, Discord, or other channels, keep memory across sessions, and use a full desktop app instead of juggling browser tabs.

    Please use SPDX license expression format; examples include "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "GPL-2.0+", "LGPL-3.0+", "MIT", and "(BSD-2-Clause OR Ruby)". Do not include single quotes or double quotes.
    If there is more than one language, list them as comma-separated values (spaces optional) and sort them from most to least used. If there is a long list, please list at least the first three most common ones. If there is no language (e.g., this is a documentation-only or test-only project), use the single character "-". Please use a conventional capitalization for each language, e.g., "JavaScript".
    The Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. It is used in a number of systems and databases when reporting vulnerabilities.

    Argentum runs entirely locally - no cloud subscriptions, no data leaves the machine.
    Suitable for self-hosting on desktop, server, or via Docker.

    Built with TypeScript-first approach, with Rust-based desktop client for Windows/macOS/Linux.
    Supports 8+ messaging channels to unify communication in one interface.

    Ideal for developers and power users who want an AI assistant under their own control.

 Controls 21/21

  • Controls


    Enough for a badge!

    When a job is assigned permissions in a CI/CD pipeline, the source code or configuration MUST only assign the minimum privileges necessary for the corresponding activity. [OSPS-AC-04.02]
    Configure the project's CI/CD pipelines to assign the lowest available permissions to users and services by default, elevating permissions only when necessary for specific tasks. In some version control systems, this may be possible at the organizational or repository level. If not, set permissions at the top level of the pipeline.
    • ci.yml: contents: read (minimal)
    • codeql.yml: contents: read + security-events: write (only at job level)
    • scorecard.yml: contents: read + security-events: write (only at job level)
    • trivy.yml: contents: read
    • semgrep.yml: contents: read
    • release.yml: contents: read + id-token: write (only for Sigstore OIDC)
    • npm-version-check.yml: contents: read

    Top-level permissions are minimal; elevated only when necessary.


    Enough for a badge!

    CI/CD pipelines which accept trusted collaborator input MUST sanitize and validate that input prior to use in the pipeline. [OSPS-BR-01.04]
    CI/CD pipelines should sanitize (quote, escape or exit on expected values) all collaborator inputs on explicit workflow executions. While collaborators are generally trusted, manual inputs to a workflow cannot be reviewed and could be abused by an account takeover or insider threat.
    • security-changelog.yml: version input validated via semantic version check in generate-security-changelog.js
    • release.yml: version derived from git tag (git ref), not user-controlled
    • All user inputs are typed (string) and used via GitHub Actions environment (automatic escaping)
    • No direct shell injection possible: inputs used via ${{ }} template syntax with proper quoting
    • Version validation in script ensures only valid SemVer patterns used

    Enough for a badge!

    When an official release is created, all assets within that release MUST be clearly associated with the release identifier or another unique identifier for the asset. [OSPS-BR-02.02]
    Assign a unique version identifier to each software asset produced by the project, following a consistent naming convention or numbering scheme. Examples include SemVer, CalVer, or git commit id.
    • Release assets named with SemVer pattern: argentum-v0.0.7-linux-x64, argentum-cli-v0.0.7-win-x64.exe, etc.
    • Sigstore cosign bundles created alongside each binary (e.g., argentum-v0.0.7-linux-x64.cosign-bundle) - bundles contain cryptographic signature tied to GitHub OIDC issuer + repository + SHA256 hash
    • SHA256SUMS.txt maps each asset filename to its cryptographic hash
    • Release ID (tag name) associated with all assets via GitHub Releases UI
    • Tauri desktop installers include version in filename: Argentum_0.0.7_x64-setup.exe, etc.

    Enough for a badge!

    The project MUST define a policy for managing secrets and credentials used by the project. The policy should include guidelines for storing, accessing, and rotating secrets and credentials. [OSPS-BR-07.02]
    Document how secrets and credentials are managed and used within the project. This should include details on how secrets are stored (e.g., using a secrets management tool), how access is controlled, and how secrets are rotated or updated. Ensure that sensitive information is not hard-coded in the source code or stored in version control systems.

    SECURITY.md "Security Features" section documents:

    • AES-256-GCM encryption for credentials at rest
    • Credential manager with short-lived key rotation
    • No secrets hard-coded in source code
    • argenta.yaml (config with encrypted secrets) gitignored
    • GitHub Secrets used for CI/CD pipelines
    • Access controlled via GitHub repository permissions

    Secrets stored encrypted in config/argenta.yaml, never in version control.


    Enough for a badge!

    When the project has made a release, the project documentation MUST contain instructions to verify the integrity and authenticity of the release assets. [OSPS-DO-03.01]
    Instructions in the project should contain information about the technology used, the commands to run, and the expected output. When possible, avoid storing this documentation in the same location as the build and release pipeline to avoid a single breach compromising both the software and the documentation for verifying the integrity of the software.

    docs/releases/v0.0.7.md includes dedicated "Verify Release Integrity" section with:

    • Technology used: SHA256 checksums + Sigstore cosign (cryptographic verification)
    • Commands to run: sha256sum --check + cosign verify-blob
    • Expected output: "<filename>: OK" for SHA256; signature verification result for cosign
    • Documentation is separate from build/release pipeline (in docs/releases/, not in .github/workflows/)
    • Both integrity (SHA256) and authenticity (Sigstore) verification methods explained

    Enough for a badge!

    When the project has made a release, the project documentation MUST contain instructions to verify the expected identity of the person or process authoring the software release. [OSPS-DO-03.02]
    The expected identity may be in the form of key IDs used to sign, issuer and identity from a sigstore certificate, or other similar forms. When possible, avoid storing this documentation in the same location as the build and release pipeline to avoid a single breach compromising both the software and the documentation for verifying the integrity of the software.

    cosign verify-blob command includes:
    --certificate-identity-regexp "https://github.com/AG064/argentum"
    --certificate-oidc-issuer https://token.actions.githubusercontent.com

    This verifies:

    • The binary was signed by GitHub Actions workflow in AG064/argentum repository
    • The OIDC issuer is token.actions.githubusercontent.com (GitHub's Sigstore issuer)
    • The certificate identity matches our repository URL

    Documentation is in docs/releases/ (separate from .github/workflows/).


    Enough for a badge!

    When the project has made a release, the project documentation MUST include a descriptive statement about the scope and duration of support for each release. [OSPS-DO-04.01]
    In order to communicate the scope and duration of support for the project's released software assets, the project should have a SUPPORT.md file, a "Support" section in SECURITY.md, or other documentation explaining the support lifecycle, including the expected duration of support for each release, the types of support provided (e.g., bug fixes, security updates), and any relevant policies or procedures for obtaining support.

    SUPPORT.md (or SECURITY.md "Support" section) documents:

    • Supported versions (latest stable release)
    • Support duration (security fixes only for latest major version)
    • Types of support provided (bug fixes, security updates)
    • How to get support (GitHub Issues, Security Advisories)

    Example: Only latest v0.0.x receives security updates, older versions unsupported.


    Enough for a badge!

    When the project has made a release, the project documentation MUST provide a descriptive statement when releases or versions will no longer receive security updates. [OSPS-DO-05.01]
    In order to communicate the scope and duration of support for security fixes, the project should have a SUPPORT.md or other documentation explaining the project's policy for security updates.

    SUPPORT.md "Unsupported Versions" section clearly states:

    • Versions older than the latest no longer receive security updates
    • They "likely contain unpatched security vulnerabilities"
    • Users are "strongly encouraged to upgrade"

    Enough for a badge!

    While active, the project documentation MUST have a policy that code collaborators are reviewed prior to granting escalated permissions to sensitive resources. [OSPS-GV-04.01]
    Publish an enforceable policy in the project documentation that requires code collaborators to be reviewed and approved before being granted escalated permissions to sensitive resources, such as merge approval or access to secrets. It is recommended that vetting includes establishing a justifiable lineage of identity such as confirming the contributor's association with a known trusted organization.

    CONTRIBUTING.md "Pull Request Checklist" section:

    • PR requires review before merge
    • Branch protection enabled on development (require PR + 1 approval)
    • "Changes that break the build" won't get merged

    MEMBERS.md Access Inventory shows sensitive resource access only to AG064.

    Code review is enforced via GitHub branch protection settings.


    Enough for a badge!

    When the project has made a release, all compiled released software assets MUST be delivered with a software bill of materials. [OSPS-QA-02.02]
    It is recommended to auto-generate SBOMs at build time using a tool that has been vetted for accuracy. This enables users to ingest this data in a standardized approach alongside other projects in their environment.

    Release workflow includes SBOM generation using anchore/sbom-action. Outputs CycloneDX JSON format for each portable binary. SBOM files uploaded as release assets alongside binaries. Auto-generated at build time from build artifacts.


    Enough for a badge!

    When the project has made a release comprising multiple source code repositories, all subprojects MUST enforce security requirements that are as strict or stricter than the primary codebase. [OSPS-QA-04.02]
    Any additional subproject code repositories produced by the project and compiled into a release must enforce security requirements as applicable to the status and intent of the respective codebase. In addition to following the corresponding OSPS Baseline requirements, this may include requiring a security review, ensuring that it is free of vulnerabilities, and ensuring that it is free of known security issues.

    SUBPROJECTS.md documents the policy that would apply if subprojects exist:

    • "Currently, Argentum is a single monorepo with no subprojects"
    • If subprojects are added in future, each must:
      • Enforce security requirements at least as strict as main codebase
      • Have CI pipeline with SAST (CodeQL or equivalent)
      • Have dependency scanning (Trivy, osv-scanner)
      • Have Security policy (SECURITY.md, SUPPORT.md)
      • Have SBOM generation for release artifacts
      • Have signed releases (Sigstore cosign)

    This future-proofs the project for when subprojects may be created.


    Enough for a badge!

    While active, project's documentation MUST clearly document when and how tests are run. [OSPS-QA-06.02]
    Add a section to the contributing documentation that explains how to run the tests locally and how to run the tests in the CI/CD pipeline. The documentation should explain what the tests are testing and how to interpret the results.

    CONTRIBUTING.md includes "Testing" section (added at line 96):

    • How to run tests locally: npm test, npm run test:unit, npm run test:integration, etc.
    • What the tests cover: table listing test suites and their purposes
    • How to interpret results: explaining pass/fail output
    • CI/CD pipeline: explains when tests run automatically

    Enough for a badge!

    While active, the project's documentation MUST include a policy that all major changes to the software produced by the project should add or update tests of the functionality in an automated test suite. [OSPS-QA-06.03]
    Add a section to the contributing documentation that explains the policy for adding or updating tests. The policy should explain what constitutes a major change and what tests should be added or updated.

    CONTRIBUTING.md "Test Policy for Major Changes" section exists:

    • Defines what constitutes a major change (new features, API changes, bug fixes, security changes)
    • Specifies what tests to add: unit tests for new functionality, regression tests for bug fixes
    • States PR policy: new features require tests, regression tests required for bug fixes
    • Acknowledges current thin coverage but commits to testing for major changes

    Enough for a badge!

    When a commit is made to the primary branch, the project's version control system MUST require at least one non-author human approval of the changes before merging. [OSPS-QA-07.01]
    Configure the project's version control system to require at least one non-author human approval of changes before merging into the release or primary branch. This can be achieved by requiring a pull request to be reviewed and approved by at least one other collaborator before it can be merged.

    Single-maintainer project: Argentum is maintained by one person (me, AG064) with no additional collaborators.

    Branch protection is enabled (direct pushes to development/main blocked).
    PR workflow exists and is used for all changes.
    Self-review is performed via PR process.

    However, requiring non-author human approval is impossible without a second collaborator.
    This is a project structure constraint, not a security policy failure.
    If the project grows to include additional maintainers, this requirement will be enforced.


    Enough for a badge!

    When the project has made a release, the project MUST perform a threat modeling and attack surface analysis to understand and protect against attacks on critical code paths, functions, and interactions within the system. [OSPS-SA-03.02]
    Threat modeling is an activity where the project looks at the codebase, associated processes and infrastructure, interfaces, key components and "thinks like a hacker" and brainstorms how the system be be broken or compromised. Each identified threat is listed out so the project can then think about how to proactively avoid or close off any gaps/vulnerabilities that could arise. Ensure this is updated for new features or breaking changes.

    SECURITY.md "Security Risks & Threat Model" section includes:

    • Threat model covering 11 categories (60+ entries) of critical code paths, functions, and interactions
    • Each threat has Likelihood/Impact/Mitigation assessment
    • "Threat Model Maintenance" section added: MUST be updated for new features/breaking changes
    • "Threat Model Review Required" note at top of section
    • docs/releases/TEMPLATE.md includes checkbox: "Verify SECURITY.md threat model reflects new features/attack paths"
    • Current threat model covers v0.0.7 release
    • Next review scheduled before v0.0.8 release

    Enough for a badge!

    While active, any vulnerabilities in the software components not affecting the project MUST be accounted for in a VEX document, augmenting the vulnerability report with non-exploitability details. [OSPS-VM-04.02]
    Establish a VEX feed communicating the exploitability status of known vulnerabilities, including assessment details or any mitigations in place preventing vulnerable code from being executed.

    SECURITY_DEPENDENCY_NOTES.md serves as VEX (Vulnerability Exploitability eXchange) document:

    • Documents known vulnerabilities in software components (npm bundled modules)
    • Provides non-exploitability details: "The project's direct dependency is correctly overridden"
    • Specifies mitigations in place: package.json overrides ensure patched versions are used
    • Status for each vulnerability: "No additional action required - project override ensures correct version"

    Each entry shows:

    • CVE identifier
    • Location (bundled npm modules, not direct project dependency)
    • Project override in place (package.json overrides.picomatch, etc.)
    • Why not exploitable via project code
    • Mitigation: npm package.json overrides resolve to patched versions

    VEX document updated when new vulnerabilities are discovered or mitigations change.


    Enough for a badge!

    While active, the project documentation MUST include a policy that defines a threshold for remediation of SCA findings related to vulnerabilities and licenses. [OSPS-VM-05.01]
    Document a policy in the project that defines a threshold for remediation of SCA findings related to vulnerabilities and licenses. Include the process for identifying, prioritizing, and remediating these findings.

    SECURITY_DEPENDENCY_NOTES.md now includes "SCA Remediation Policy" section with:

    • Severity threshold table (Critical: 24h, High: 7 days, Medium: 30 days, Low: best effort)
    • License policy (allowed/prohibited licenses)
    • Process: Identify -> Prioritize -> Remediate -> Document -> Verify
    • Exceptions for bundled npm modules, RUSTSEC, false positives

    Trivy runs in CI on every push (from .github/workflows/trivy.yml).
    Process documented for handling SCA findings.


    Enough for a badge!

    While active, the project documentation MUST include a policy to address SCA violations prior to any release. [OSPS-VM-05.02]
    Document a policy in the project to address applicable Software Composition Analysis results before any release, and add status checks that verify compliance with that policy prior to release.

    release.yml now includes Trivy SCA scan step:

    • Runs after build, before release artifacts are uploaded
    • Scans release artifacts for Critical/High vulnerabilities
    • Uploads results to GitHub Security tab (SARIF format)
    • Blocks release if Critical/High vulnerabilities found (exit-code: 1)
    • Policy documented in SECURITY_DEPENDENCY_NOTES.md "SCA Remediation Policy" section

    Release workflow now:

    1. Build binaries
    2. Run Trivy scan (CRITICAL/HIGH)
    3. If vulnerabilities found -> fail and block release
    4. Only proceed if scan passes

    Enough for a badge!

    While active, all changes to the project's codebase MUST be automatically evaluated against a documented policy for malicious dependencies and known vulnerabilities in dependencies, then blocked in the event of violations, except when declared and suppressed as non-exploitable. [OSPS-VM-05.03]
    Create a status check in the project's version control system that runs a Software Composition Analysis tool on all changes to the codebase. Require that the status check passes before changes can be merged.

    .github/workflows/dependency-scan.yml created:

    • Runs on: push to development/main AND pull requests
    • Runs npm audit --audit-level=high
    • Runs Trivy scan on entire codebase (fs mode)
    • Uploads results to GitHub Security tab (SARIF)
    • Blocks merge if Critical/High vulnerabilities found (exit 1)
    • Exceptions can be declared via .trivyignore or osv-scanner.toml

    Policy documented in SECURITY_DEPENDENCY_NOTES.md SCA Remediation Policy section:

    • Critical: 24h remediation
    • High: 7 days
    • Exceptions: documented in .trivyignore or per-CVE suppression

    Branch protection ensures this check must pass before merge.


    Enough for a badge!

    While active, the project documentation MUST include a policy that defines a threshold for remediation of SAST findings. [OSPS-VM-06.01]
    Document a policy in the project that defines a threshold for remediation of Static Application Security Testing (SAST) findings. Include the process for identifying, prioritizing, and remediating these findings.

    SECURITY.md "SAST Remediation Policy" section includes:

    • Severity threshold table (Critical: 24h, High: 7 days, Medium: 30 days, Low: best effort)
    • Process: Identify (CodeQL) -> Prioritize -> Remediate -> Suppress -> Verify
    • Suppression guidelines requiring inline comments explaining why
    • Example suppression comment provided

    CodeQL runs on every push from .github/workflows/codeql.yml


    Enough for a badge!

    While active, all changes to the project's codebase MUST be automatically evaluated against a documented policy for security weaknesses and blocked in the event of violations except when declared and suppressed as non-exploitable. [OSPS-VM-06.02]
    Create a status check in the project's version control system that runs a Static Application Security Testing (SAST) tool on all changes to the codebase. Require that the status check passes before changes can be merged.

    Branch ruleset for development includes:

    • CodeQL Analysis as required status check
    • Code scanning rule: CodeQL, Scorecard, Trivy all set to high_or_higher
    • Pull request rule: 1 approval required
    • Branch protection enforced via GitHub's ruleset API (new format)


This data is available under the Community Data License Agreement – Permissive, Version 2.0 (CDLA-Permissive-2.0). This means that a Data Recipient may share the Data, with or without modifications, so long as the Data Recipient makes available the text of this agreement with the shared Data. Please credit AG064 and the OpenSSF Best Practices badge contributors.

Project badge entry owned by: AG064.
Entry created on 2026-05-24 05:44:50 UTC, last updated on 2026-05-26 00:21:59 UTC. Last achieved passing badge on 2026-05-25 14:37:43 UTC.