Argentum

GitHub Actions defaults to read-only permissions (contents:read, metadata:read) for all workflows without explicit permissions. This is GitHub's built-in behavior. All project workflows explicitly declare required permissions for clarity.

Git tags following SemVer pattern: v0.0.7, v0.0.8, etc.
Each release tagged in git with unique version identifier.
Releases published at https://github.com/AG064/argentum/releases

Changelog is present in release notes.

• npm (package.json + package-lock.json) for Node.js/TypeScript dependencies
• Cargo (Cargo.toml + Cargo.lock) for Rust/Tauri desktop dependencies
• Dockerfile: RUN npm install pulls from package.json lockfile
• Standard lockfile tracking ensures reproducible builds

Sigstore cosign signing pipeline added to release.yml. Pipeline uses GitHub OIDC for keyless signing (no manual key management). All release artifacts from next release (v0.0.8+) will include cryptographic signatures.

• package.json + package-lock.json for Node.js dependencies (npm install)
• Cargo.toml + Cargo.lock for Rust/Tauri dependencies
• docs/releases/v*.md describe security-relevant dependency updates in changelog
• Dockerfile pins npm to 11.15.0 explicitly
• osv-scanner.toml for vulnerability tracking
• npm audit in CI pipeline
• Security advisories tracked via GitHub Security Advisories (https://github.com/AG064/argentum/security/advisories)

CONTRIBUTING.md now includes accurate build instructions:

• npm install for dependencies
• npm run build for production build
• npm run dev for watch mode
• npm run docker:build for Docker image
• npm run rebuild for clean rebuild
• Desktop app optional section with prepare:llama-server, desktop:dev, desktop:build
• All required libraries, SDKs, and dependencies documented

Created MEMBERS.md listing AG064 as lead maintainer with access to all sensitive resources.

MEMBERS.md now includes Roles & Responsibilities table + Access Inventory listing all sensitive resources.

CONTRIBUTING.md includes:

• PR Checklist: typecheck, lint, tests, clean commits
• Coding standards via ESLint
• Conventional Commits format
• Testing requirements (test suite exists)
• "Things That Won't Get Merged" clearly states requirements

• GitHub Terms of Service cover contribution rights when submitting via GitHub UI
• CONTRIBUTING.md includes: "By contributing, you agree your work will be licensed under MIT"
• This serves as the contribution assertion

• Branch protection enabled on development (require PR + 1 approval)
• CI workflow runs on push/PR: typecheck + lint + tests must pass
• CodeQL, Scorecard, Trivy workflows run on push to development/main
• All status checks configured as required, not optional

• ci.yml: runs npm run typecheck && npm run lint && npm run test:ci on every push/PR
• npm run test:ci uses Jest with coverage (text-summary, lcov)
• Contributors can run locally: npm test, npm run test:unit, npm run test:integration
• Test results visible in GitHub Actions UI for all contributors
• Consistent environment: GitHub Actions ubuntu-latest

docs/architecture.md describes system design with actions and actors

• Subsystems: Agent Core, Memory, Channels (Telegram, Discord, WhatsApp)
• Security layer: Policy engine, credential manager
• Feature system: pluggable features in src/features/
• Data flow diagrams and component interactions documented
• Updated with each major release

docs/API.md documents all external software interfaces:

• Agent API, Memory API, Channel API, Config API, Security API
• REST endpoints for integration
• WebSocket events
• CLI commands
• Data formats and schemas
• Updated for each release

SECURITY.md now includes comprehensive Security Risks & Threat Model section with:

• 11 risk categories covering credential, authentication, injection, data, network, supply chain, DoS, channel-specific, desktop app, and operational risks
• 60+ risk entries with Likelihood/Impact/Mitigation assessments
• Threat actor categories (external attacker, malicious contributor, insider, bots)
• Specific to v0.0.7 release: llama.cpp local server, Telegram integration, streaming reasoning attack surfaces
• Updated with each release

SECURITY.md "Reporting Security Issues" section includes:

• GitHub Security Advisories для private reporting
• Maintainer contact: AG064 (GitHub)
• Expected response: acknowledgment within 24-48 hours, fix timeline based on severity
• Clear method for reporting vulnerabilities
• Coordinated disclosure process documented

SECURITY.md "Reporting Security Issues" section:

• GitHub Security Advisories: https://github.com/AG064/argentum/security/advisories/new
  (private, VCS-native reporting mechanism)
• Direct maintainer contact via GitHub
• 24-48 hour acknowledgment timeframe
• No public disclosure required for private reports

• GitHub Security Advisories: public at https://github.com/AG064/argentum/security/advisories
  (shows all reported CVEs with affected versions, severity, remediation)
• Release notes in docs/releases/v*.md include security-relevant fixes under ## Changelog
• SECURITY_DEPENDENCY_NOTES.md documents known dependency vulnerabilities