{"id":12646,"user_id":49640,"name":"otelcontext","description":"Self-hosted OTLP observability in a single Go binary. Traces, logs, metrics, GraphRAG root-cause, MCP for AI agents.","homepage_url":"","repo_url":"https://github.com/RandomCodeSpace/otelcontext","license":"MIT","homepage_url_status":"?","homepage_url_justification":null,"sites_https_status":"Met","sites_https_justification":"Given only https: URLs.","description_good_status":"Met","description_good_justification":"See README.md. otelcontext is a self-hosted OTLP observability platform in a single Go binary — OTLP gRPC + HTTP ingest, GraphRAG-powered root-cause analysis, multi-tenant storage, and a built-in MCP server for AI agents.","interact_status":"Met","interact_justification":"GitHub Issues for bug reports and discussion, SECURITY.md for private vulnerability disclosure (GitHub Security Advisories). Both linked from README.","contribution_status":"Met","contribution_justification":"Projects on GitHub by default use issues and pull requests, as encouraged by documentation such as \u003chttps://guides.github.com/activities/contributing-to-open-source/\u003e.","contribution_requirements_status":"Met","contribution_requirements_justification":"CONTRIBUTING.md documents PR requirements: `go test -race ./...` passing, `go vet ./...` clean, golangci-lint clean, Semgrep + OSV-Scanner + Trivy + Gitleaks security stack green, Conventional Commit style.\r\nhttps://github.com/RandomCodeSpace/otelcontext/blob/main/CONTRIBUTING.md","license_location_status":"Met","license_location_justification":"Non-trivial license location file in repository: \u003chttps://github.com/RandomCodeSpace/otelcontext/blob/main/LICENSE.md\u003e.","floss_license_status":"Met","floss_license_justification":"The MIT license is approved by the Open Source Initiative (OSI).","floss_license_osi_status":"Met","floss_license_osi_justification":"The MIT license is approved by the Open Source Initiative (OSI).","documentation_basics_status":"Met","documentation_basics_justification":"Some documentation basics file contents found.","documentation_interface_status":"Met","documentation_interface_justification":"OTLP wire protocol surface (gRPC + HTTP /v1/{traces,logs,metrics}) follows the OpenTelemetry OTLP spec. MCP tool catalogue (21 tools, JSON-RPC 2.0 + SSE) documented in CLAUDE.md. REST API surface and configuration env vars documented in CLAUDE.md.","repo_public_status":"Met","repo_public_justification":"Repository on GitHub, which provides public git repositories with URLs.","repo_track_status":"Met","repo_track_justification":"Repository on GitHub, which uses git. git can track the changes, who made them, and when they were made.","repo_interim_status":"Met","repo_interim_justification":"All commits merged to `main` are publicly visible via GitHub. No batch or secret merges; small, reviewable PRs (e.g. PR #29..#34 land per-RAN-ticket).","repo_distributed_status":"Met","repo_distributed_justification":"Repository on GitHub, which uses git. git is distributed.","version_unique_status":"Met","version_unique_justification":"Each release carries a unique semver tag (e.g. v0.0.11-beta.15) and an immutable git SHA.","version_semver_status":"Met","version_semver_justification":"MAJOR.MINOR.PATCH-prerelease.N (e.g. v0.0.11-beta.15) — pre-release semver per https://semver.org. Pre-1.0 development phase.","version_tags_status":"Met","version_tags_justification":"Tagged releases are published on GitHub.","release_notes_status":"Met","release_notes_justification":"No release notes file found.GitHub auto-generates release notes from PR titles for each tag; releases are listed at https://github.com/RandomCodeSpace/otelcontext/releases . Pre-1.0 cadence ships beta tags from main.","release_notes_vulns_status":"Met","release_notes_vulns_justification":"Security fixes are landed in tagged commits with `fix(security):` Conventional-Commit prefix and surface in the auto-generated release notes (e.g. commit 89de89a `fix(security): patch HIGH/CRITICAL vulns flagged by OSV+Trivy on PR #34 (RAN-56)`).","report_url_status":"?","report_url_justification":null,"report_tracker_status":"Met","report_tracker_justification":"GitHub Issues is the public bug tracker.","report_process_status":"Met","report_process_justification":"SECURITY.md documents how to report bugs (GitHub Issues) vs vulnerabilities (private GitHub Security Advisory or email fallback to ak.nitrr13@gmail.com with `[otelcontext security]` subject prefix). See https://github.com/RandomCodeSpace/otelcontext/blob/main/SECURITY.md","report_responses_status":"Met","report_responses_justification":"Maintainer responds to reported issues within 14 days; SECURITY.md commits to a 5 business-day acknowledgement for security reports and a 10 business-day triage decision for High/Critical issues.","enhancement_responses_status":"Met","enhancement_responses_justification":"Enhancement requests are triaged via GitHub Issues; maintainer responds within 14 days.","report_archive_status":"Met","report_archive_justification":"GitHub Issues is the public, searchable archive of bug reports, open and closed: https://github.com/RandomCodeSpace/otelcontext/issues . GitHub Security Advisories archives coordinated-disclosure reports.","vulnerability_report_process_status":"Met","vulnerability_report_process_justification":"SECURITY.md is the canonical disclosure entry point: preferred channel is a private GitHub Security Advisory, with email fallback. Acknowledgement SLA 5 business days; triage SLA 10 business days for High/Critical; default embargo 90 days or first patched release. See https://github.com/RandomCodeSpace/otelcontext/blob/main/SECURITY.md","vulnerability_report_private_status":"Met","vulnerability_report_private_justification":"GitHub private vulnerability reporting is the preferred channel; advisories are filed at https://github.com/RandomCodeSpace/otelcontext/security/advisories/new","vulnerability_report_response_status":"Met","vulnerability_report_response_justification":"SECURITY.md commits to acknowledgement within 5 business days and a fix triage decision within 10 business days for High/Critical.","build_status":"Met","build_justification":"Non-trivial build file in repository: \u003chttps://github.com/RandomCodeSpace/otelcontext/blob/main/Makefile\u003e.","build_common_tools_status":"Met","build_common_tools_justification":"Non-trivial build file in repository: \u003chttps://github.com/RandomCodeSpace/otelcontext/blob/main/Makefile\u003e.","build_floss_tools_status":"Met","build_floss_tools_justification":"Go (BSD-3-Clause), Node/npm (MIT/ISC), GNU Make (GPL). All FLOSS.","test_status":"Met","test_justification":"Automated test suite under internal/* runs on every push (`go test -race ./...`). Coverage spans graphrag, ingest, storage, queue, vectordb, telemetry, tls, compress, config, api.","test_invocation_status":"Met","test_invocation_justification":"`go test -race ./...` — documented in CONTRIBUTING.md and exercised by `.github/workflows/ci.yml`.","test_most_status":"Met","test_most_justification":"Tests cover the core packages: internal/graphrag (drain, builder, investigation, migrate, tenant), internal/ingest (otlp_grpc_limits, otlp_e2e, otlp_http_gzip), internal/storage, internal/queue (dlq), internal/vectordb, internal/tls (selfsigned, filelock), internal/api, internal/telemetry, internal/config, internal/compress.","test_policy_status":"Met","test_policy_justification":"CONTRIBUTING.md requires tests for new features and regression tests for bug fixes; PR review enforces it.","tests_are_added_status":"Met","tests_are_added_justification":"Recent PRs (#27, #29, #30, #31, #32, #33) each added tests alongside code changes (e.g. tenant_isolation_test.go added with PR #27 / #30).","tests_documented_added_status":"Met","tests_documented_added_justification":"CONTRIBUTING.md documents the test-with-every-change expectation.","warnings_status":"Met","warnings_justification":"`go vet ./...` and `golangci-lint` (.golangci.yml) run on every CI build; any warning fails the build.","warnings_fixed_status":"Met","warnings_fixed_justification":"All vet/lint warnings resolved on `main`; no suppressions without justification.","warnings_strict_status":"Met","warnings_strict_justification":"CI fails on any vet or golangci-lint warning — effectively -Werror.","know_secure_design_status":"Met","know_secure_design_justification":"Maintainer applies defense-in-depth: per-tenant context propagation across HTTP/gRPC/MCP layers (internal/api/tenant_middleware.go, internal/ingest/otlp.go), tenant-scoped reads in internal/storage and internal/graphrag, signed-commit setup for `main` (scripts/setup-git-signed.sh), strict TLS (sslmode require/verify-ca/verify-full enforced when DB_AZURE_AUTH=true in internal/storage), parameterised queries via GORM, secrets via env (no in-repo secrets enforced by gitleaks).","know_common_errors_status":"Met","know_common_errors_justification":"Familiar with OWASP Top 10 and CWE-22/78/79/89/918. Semgrep `p/owasp-top-ten` + `p/security-audit` + `p/golang` rulesets run on every PR; OSV-Scanner against go.mod + ui/package-lock.json blocks merge on High/Critical.","crypto_published_status":"Met","crypto_published_justification":"Only published algorithms used: Go crypto/tls, crypto/rand, crypto/sha256. No custom crypto.","crypto_call_status":"Met","crypto_call_justification":"All outbound HTTPS via Go stdlib crypto/tls; system trust store; TLS 1.2+. Strict TLS (`sslmode=require`/`verify-ca`/`verify-full`) is enforced for Postgres when DB_AZURE_AUTH=true.","crypto_floss_status":"Met","crypto_floss_justification":"Go standard library crypto (BSD-3-Clause). Azure SDK crypto (MIT).","crypto_keylength_status":"Met","crypto_keylength_justification":"Go stdlib defaults: RSA ≥ 2048-bit / P-256 ECDSA / SHA-256. Self-signed bootstrap (internal/tls/selfsigned.go) generates ECDSA P-256 certificates.","crypto_working_status":"Met","crypto_working_justification":"No MD5/SHA-1 for integrity. No DES/RC4. Only AEAD ciphers via stdlib defaults.","crypto_pfs_status":"Met","crypto_pfs_justification":"Go stdlib default TLS ciphersuites are AEAD + ECDHE — forward secrecy by default.","crypto_password_storage_status":"N/A","crypto_password_storage_justification":"N/A — otelcontext does not store user passwords. The platform authenticates clients via a shared bearer token (`API_KEY` env var) or via Azure Entra ID for the Postgres backend (DefaultAzureCredential token flow). No password hashing surface exists.","crypto_random_status":"Met","crypto_random_justification":"All randomness via crypto/rand (CSPRNG). No math/rand for security-sensitive values (verified via Semgrep + manual review).","delivery_mitm_status":"Met","delivery_mitm_justification":"Distribution channels use HTTPS exclusively. [osps_br_03_02]","delivery_unsigned_status":"Met","delivery_unsigned_justification":"Source is delivered exclusively via HTTPS-served git from github.com. No unsigned binary delivery channel: pre-1.0 betas are tagged commits (verifiable by SHA), and binary build is in the user's pipeline (`go build`) — there is no pre-built binary distribution in scope. Signed-commit hardening on `main` is configured via scripts/setup-git-signed.sh.","vulnerabilities_fixed_60_days_status":"Met","vulnerabilities_fixed_60_days_justification":"Most recent example: commit 89de89a (`fix(security): patch HIGH/CRITICAL vulns flagged by OSV+Trivy on PR #34 (RAN-56)`) landed within 60 days of the OSV/Trivy advisory. Dependabot + OSV-Scanner + Trivy run weekly.","vulnerabilities_critical_fixed_status":"Met","vulnerabilities_critical_fixed_justification":"Zero High/Critical open. RAN-56 patched all OSV+Trivy HIGH/CRITICAL findings on PR #34 (commit 89de89a).","static_analysis_status":"Met","static_analysis_justification":"Semgrep (p/security-audit + p/owasp-top-ten + p/golang) + golangci-lint run on every PR and push. Merge blocked on `--severity ERROR`.","static_analysis_common_vulnerabilities_status":"Met","static_analysis_common_vulnerabilities_justification":"Semgrep `p/owasp-top-ten` and `p/security-audit` rulesets cover CWE-22/78/79/89/918 and the broader OWASP Top 10. `p/golang` adds Go-specific issue patterns.","static_analysis_fixed_status":"Met","static_analysis_fixed_justification":"All Semgrep / golangci-lint findings resolved or explicitly justified on `main`. Zero open ERROR-severity Semgrep findings. RAN-56 closed all SCA HIGH/CRITICAL.","static_analysis_often_status":"Met","static_analysis_often_justification":"Semgrep + golangci-lint run on every push to main and every PR; Dependabot weekly cadence catches advisory drift between commits.","dynamic_analysis_status":"Met","dynamic_analysis_justification":"`go test -race -timeout 180s ./...` runs in CI on every PR (.github/workflows/ci.yml). The race detector instruments concurrency-heavy paths (graphrag event workers, retention scheduler, DLQ replay) and fails the build on any race.","dynamic_analysis_unsafe_status":"N/A","dynamic_analysis_unsafe_justification":"N/A — Go is memory-safe. The codebase contains no `unsafe.Pointer` in application code; only stdlib-internal use via the standard libraries.","dynamic_analysis_enable_assertions_status":"Met","dynamic_analysis_enable_assertions_justification":"Go panics-on-invariants are used at boundary conditions (e.g. config validation in internal/config). The `-race` detector is the Go equivalent of runtime concurrency assertions and is enabled in CI.","dynamic_analysis_fixed_status":"Met","dynamic_analysis_fixed_justification":"Race-detector and `go test` failures gate every PR; no known unfixed dynamic-analysis findings on `main`.","general_comments":"","created_at":"2026-04-25T11:05:17.603Z","updated_at":"2026-06-18T13:19:51.335Z","crypto_weaknesses_status":"Met","crypto_weaknesses_justification":"Go TLS defaults exclude weak primitives. Self-signed bootstrap uses ECDSA-P256 + SHA-256.","test_continuous_integration_status":"Met","test_continuous_integration_justification":"CI runs full test suite (`go test -race -timeout 180s ./...`) on every PR and every push to main.","cpe":"","discussion_status":"Met","discussion_justification":"GitHub supports discussions on issues and pull requests.","no_leaked_credentials_status":"Met","no_leaked_credentials_justification":"Gitleaks job in `.github/workflows/security.yml` scans the full git history on every PR and push; merge blocked on any finding. GitHub repo-level secret scanning + push protection enabled.","english_status":"Met","english_justification":"All source comments, documentation, commit messages, and issue discussions are in English.","hardening_status":"?","crypto_used_network_status":"?","crypto_tls12_status":"?","crypto_certificate_verification_status":"?","crypto_verification_private_status":"?","hardened_site_status":"?","installation_common_status":"?","build_reproducible_status":"?","badge_percentage_0":100,"achieved_passing_at":"2026-06-18T13:19:51.333Z","lost_passing_at":null,"last_reminder_at":null,"disabled_reminders":false,"implementation_languages":"Go, TypeScript, PowerShell, Makefile, Shell","lock_version":5,"badge_percentage_1":15,"dco_status":"?","governance_status":"?","code_of_conduct_status":"?","roles_responsibilities_status":"?","access_continuity_status":"?","bus_factor_status":"?","documentation_roadmap_status":"?","documentation_architecture_status":"?","documentation_security_status":"?","documentation_quick_start_status":"?","documentation_current_status":"?","documentation_achievements_status":"?","accessibility_best_practices_status":"?","internationalization_status":"?","sites_password_security_status":"?","maintenance_or_update_status":"?","vulnerability_report_credit_status":"?","vulnerability_response_process_status":"?","coding_standards_status":"?","coding_standards_enforced_status":"?","build_standard_variables_status":"?","build_preserve_debug_status":"?","build_non_recursive_status":"?","build_repeatable_status":"?","installation_standard_variables_status":"?","installation_development_quick_status":"?","external_dependencies_status":"?","dependency_monitoring_status":"?","updateable_reused_components_status":"?","interfaces_current_status":"?","automated_integration_testing_status":"?","regression_tests_added50_status":"?","test_statement_coverage80_status":"?","test_policy_mandated_status":"?","implement_secure_design_status":"?","input_validation_status":"?","crypto_algorithm_agility_status":"?","crypto_credential_agility_status":"?","signed_releases_status":"?","version_tags_signed_status":"?","badge_percentage_2":13,"contributors_unassociated_status":"?","copyright_per_file_status":"?","license_per_file_status":"?","small_tasks_status":"?","require_2FA_status":"?","secure_2FA_status":"?","code_review_standards_status":"?","two_person_review_status":"?","test_statement_coverage90_status":"?","test_branch_coverage80_status":"?","security_review_status":"?","assurance_case_status":"?","achieve_passing_status":"Met","achieve_silver_status":"Unmet","tiered_percentage":115,"repo_url_updated_at":null,"achieved_silver_at":null,"lost_silver_at":null,"achieved_gold_at":null,"lost_gold_at":null,"first_achieved_passing_at":"2026-06-18T13:19:51.333Z","first_achieved_silver_at":null,"first_achieved_gold_at":null,"maintained_status":"Met","maintained_justification":"Active development on `main`. Recent fixes landed in commits 89de89a (RAN-56 HIGH/CRITICAL CVE patch), f433139 (RAN-53 OpenSSF stack), 4e0a4a2 (RAN-22). Dependabot weekly + security updates enabled.","OSPS-AC-01.01_status":"?","OSPS-AC-02.01_status":"?","OSPS-AC-03.01_status":"?","OSPS-AC-03.02_status":"?","OSPS-BR-01.01_status":"?","OSPS-BR-01.02_status":0,"OSPS-BR-01.02_justification":null,"OSPS-BR-03.01_status":"?","OSPS-BR-03.02_status":"?","OSPS-BR-07.01_status":"?","OSPS-DO-01.01_status":"?","OSPS-DO-02.01_status":"?","OSPS-GV-02.01_status":"?","OSPS-GV-03.01_status":"?","OSPS-LE-02.01_status":"?","OSPS-LE-02.02_status":"?","OSPS-LE-03.01_status":"?","OSPS-LE-03.02_status":"?","OSPS-QA-01.01_status":"?","OSPS-QA-01.02_status":"?","OSPS-QA-02.01_status":"?","OSPS-QA-04.01_status":"?","OSPS-QA-05.01_status":"?","OSPS-QA-05.02_status":"?","OSPS-VM-02.01_status":"?","OSPS-AC-04.01_status":"?","OSPS-BR-02.01_status":"?","OSPS-BR-04.01_status":"?","OSPS-BR-05.01_status":"?","OSPS-BR-06.01_status":"?","OSPS-DO-06.01_status":"?","OSPS-GV-01.01_status":"?","OSPS-GV-01.02_status":"?","OSPS-GV-03.02_status":"?","OSPS-LE-01.01_status":"?","OSPS-QA-03.01_status":"?","OSPS-QA-06.01_status":"?","OSPS-SA-01.01_status":"?","OSPS-SA-02.01_status":"?","OSPS-SA-03.01_status":"?","OSPS-VM-01.01_status":"?","OSPS-VM-03.01_status":"?","OSPS-VM-04.01_status":"?","OSPS-AC-04.02_status":"?","OSPS-BR-02.02_status":"?","OSPS-BR-07.02_status":"?","OSPS-DO-03.01_status":"?","OSPS-DO-03.02_status":"?","OSPS-DO-04.01_status":"?","OSPS-DO-05.01_status":"?","OSPS-GV-04.01_status":"?","OSPS-QA-02.02_status":"?","OSPS-QA-04.02_status":"?","OSPS-QA-06.02_status":"?","OSPS-QA-06.03_status":"?","OSPS-QA-07.01_status":"?","OSPS-SA-03.02_status":"?","OSPS-VM-04.02_status":"?","OSPS-VM-05.01_status":"?","OSPS-VM-05.02_status":"?","OSPS-VM-05.03_status":"?","OSPS-VM-06.01_status":"?","OSPS-VM-06.02_status":"?","badge_percentage_baseline_1":0,"badge_percentage_baseline_2":0,"badge_percentage_baseline_3":0,"achieved_baseline_1_at":null,"achieved_baseline_2_at":null,"achieved_baseline_3_at":null,"lost_baseline_1_at":null,"lost_baseline_2_at":null,"lost_baseline_3_at":null,"first_achieved_baseline_1_at":null,"first_achieved_baseline_2_at":null,"first_achieved_baseline_3_at":null,"baseline_tiered_percentage":0,"entry_locale":"en","passing_saved":true,"silver_saved":false,"gold_saved":false,"baseline_1_saved":false,"baseline_2_saved":false,"baseline_3_saved":false,"OSPS-BR-01.03_status":"?","OSPS-DO-07.01_status":"?","OSPS-BR-01.04_status":"?","unreported_badge_loss":0,"unreported_baseline_badge_loss":0,"last_loss_sent_at":null,"unreported_badge_warning":0,"unreported_baseline_badge_warning":0,"last_warning_sent_at":null,"badge_warning_effective_date":null,"badge_level":"passing","additional_rights":[],"project_entry_attribution":"Please credit Amit Kumar and the CII Best Practices badge contributors.","project_entry_license":"CC-BY-3.0+"}