
[docs] SECURITY: promote Advisory link, drop non-delivering mailbox#61

Merged
trilamsr merged 1 commit into main from worktree-security-advisory-primary, May 19, 2026

Conversation

@trilamsr

Contributor

Summary

security@tracecore.ai is not a provisioned mailbox (confirmed by maintainer) and security-followup@tracecore.ai shares its fate. A reporter following SECURITY.md today reaches a black hole. The GitHub Security Advisory form built into every public repo is the only verified-working disclosure channel.

This PR promotes the Advisory URL to primary across the three files that named the dead address, and rephrases the M21 rubric that depended on an email canary to use a falsifiable Advisory-inbox check instead.

What this PR changes

  • SECURITY.md — full rewrite.
  • CONTRIBUTING.md § "Security issues" — replaced the email line with a direct Advisory link + pointer back to SECURITY.md.
  • MILESTONES.md M21 — replaced the "canary email" rubric with: gh api /repos/tracecoreai/tracecore/private-vulnerability-reporting returns {"enabled":true} AND at least one @TraceCoreAI/core member is configured to receive advisory notifications. Release blocks if either check fails. Anchor citations updated to H2 names (line numbers no longer reliable after the SECURITY.md rewrite).

Why

The Advisory channel has a real ACL (visible only to the reporter and @TraceCoreAI/core) and a real notification path (creation pings every team member). It's also discoverable in GitHub's native "Security" tab — most reporters land there first regardless of what SECURITY.md says. Promoting it to primary aligns the doc with the channel that actually works today; no mailbox setup is blocked on this PR.

Tracked governance gap closed: docs/FOLLOWUPS.md § "Governance gaps" entry on the non-delivering mailbox (added in #56) can retire once this merges.

Test plan

  • bash scripts/doc-check.sh exits 0
  • grep -r 'security@tracecore.ai\|security-followup@tracecore.ai' returns no markdown hits outside .claude/worktrees/
  • SECURITY.md renders correctly on GitHub
  • CI green

Note on ordering

Independent of PR #56 (which only flags the gap in docs/maintainership.md). If this merges first, the FOLLOWUPS entry in #56 becomes stale and #56 should be rebased to drop it. If #56 merges first, this PR's commit message still applies as-is.

🤖 Generated with Claude Code

The security@tracecore.ai mailbox is not provisioned (user
confirmed) and the security-followup@tracecore.ai escalation
address shares its fate; a reporter following SECURITY.md today
reaches a black hole. The only verified-working disclosure channel
is the GitHub Security Advisory link (a feature of every public
repo).

Concrete changes:

- SECURITY.md: replaced the two email paragraphs with the Advisory
  URL as the primary disclosure channel; reframed the escalation
  step ("comment on your own advisory thread to ping the
  maintainers" instead of CC'ing a non-existent inbox);
  updated the proprietary-synthesis-engine carve-out to use the
  same Advisory URL with a tagged title instead of a fake email.
- CONTRIBUTING.md § "Security issues": replaced the email line
  with a direct link to the Advisory form + a pointer to SECURITY.md
  for the full procedure.
- MILESTONES.md M21 rubric: replaced the "canary email" check with
  a falsifiable Advisory-inbox check —
  `gh api /repos/tracecoreai/tracecore/private-vulnerability-reporting`
  returns `{"enabled":true}` and at least one @TraceCoreAI/core
  member is configured to receive advisory notifications. Release
  is blocked if either check fails. Anchor citations updated from
  L20/L21 (which no longer exist after the SECURITY.md rewrite)
  to the corresponding H2 anchors.

The GitHub Security Advisory has a real ACL — visible only to the
reporter and @TraceCoreAI/core — and a real notification path
(advisory creation pings every team member). No mailbox setup is
required for this PR to make the disclosure procedure work.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
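The M21 rubric above is stated as two falsifiable conditions, and the test plan adds a third (no markdown file outside `.claude/worktrees/` still names the dead mailboxes). The following POSIX-sh release gate is an added example written for this page; it is not the project's `scripts/doc-check.sh` nor any script from the PR. It assumes an authenticated `gh` for the live call, and, because the page ties the "at least one @TraceCoreAI/core member receives advisory notifications" clause to no API, it reads that fact from an assumed roster file (`docs/advisory-roster.txt`, one login per line) that the repository would have to maintain. The file name, the `m21_gate` function names and the `M21_GATE_RUN` / `ROSTER` variables are this example's own.

```shell
#!/usr/bin/env sh
# Added example (not the project's own scripts/doc-check.sh): a POSIX-sh
# release gate for the M21 rubric described in the PR, plus the dead-address
# scan from its test plan. Assumptions are marked below.

REPO="${REPO:-tracecoreai/tracecore}"

# Constructed sample of the body the rubric expects from the API.
SAMPLE_PVR_JSON='{"enabled":true}'

# Check 1a: parse the API body. Succeeds only if the JSON carries
# "enabled": true (whitespace-insensitive, so jq is not required).
pvr_enabled() {
  printf '%s' "$1" | tr -d ' \t\n' | grep -q '"enabled":true'
}

# Live fetch of the status the rubric names (needs an authenticated gh).
fetch_pvr_status() {
  gh api "/repos/$REPO/private-vulnerability-reporting"
}

# Check 1b: the rubric's second clause ("at least one core member receives
# advisory notifications") is a per-user setting that the page ties to no
# API call, so this gate reads it from an ASSUMED roster file: one GitHub
# login per line, '#' comments and blank lines ignored. Prints the count.
notified_members_count() {
  awk '!/^[ \t]*#/ && NF { n++ } END { print n + 0 }' "$1"
}

# Check 2: the PR's test-plan grep. Prints the number of markdown files
# under $1 that still mention either dead address, ignoring the
# .claude/worktrees/ scratch tree exactly as the test plan does.
dead_address_hits() {
  grep -rl --include='*.md' \
      -e 'security@tracecore.ai' -e 'security-followup@tracecore.ai' "$1" 2>/dev/null \
    | grep -v '/\.claude/worktrees/' \
    | awk 'END { print NR }'
}

# The gate: $1 = API JSON body, $2 = roster file, $3 = repo root.
# Returns non-zero (release blocked) if any check fails; every failing
# check is reported, not just the first.
m21_gate() {
  status=0
  if ! pvr_enabled "$1"; then
    echo "FAIL: private vulnerability reporting is not enabled on $REPO" >&2
    status=1
  fi
  if [ "$(notified_members_count "$2")" -lt 1 ]; then
    echo "FAIL: no @TraceCoreAI/core member recorded as receiving advisory notifications ($2)" >&2
    status=1
  fi
  hits=$(dead_address_hits "$3")
  if [ "$hits" -gt 0 ]; then
    echo "FAIL: $hits markdown file(s) still cite a non-delivering mailbox" >&2
    status=1
  fi
  [ "$status" -eq 0 ] && echo "PASS: Advisory channel verified; release may proceed"
  return "$status"
}

# Stand-alone run against the live repo, guarded so that sourcing the file
# never calls the API:  M21_GATE_RUN=1 ROSTER=docs/advisory-roster.txt sh m21-gate.sh
if [ "${M21_GATE_RUN:-0}" = 1 ]; then
  m21_gate "$(fetch_pvr_status)" "${ROSTER:-docs/advisory-roster.txt}" .
fi
```

Run it from the repository root with `M21_GATE_RUN=1`; a non-zero exit is the "release blocks if either check fails" rule from the rubric, and the roster file is the one piece of evidence the API cannot supply, so it is what a reviewer should ask to see updated whenever core membership changes.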
@trilamsr trilamsr enabled auto-merge (squash) May 19, 2026 02:00
@trilamsr trilamsr merged commit a956c2f into main May 19, 2026
5 checks passed
@trilamsr trilamsr deleted the worktree-security-advisory-primary branch May 19, 2026 02:03
trilamsr added a commit that referenced this pull request May 19, 2026
Phase 2 of 5-phase rigorous review. Dispatched 8 reviewer subagents
in parallel: Performance, SRE/Infra, Maintainer, Contributor, Operator,
Adopter, Security, Researcher. Applied validation cycle to every
finding; rejected one in contradict; applied five doc improvements.

## Per-lens verdicts

- Performance:    APPROVED (gate runtime <2ms; pattern correct)
- SRE/Infra:      BLOCKER → demoted (disclosure exists at chart README troubleshooting)
- Maintainer:     CONCERNS → applied forward-compat statement to Commitments
- Contributor:    BLOCKER → applied RFC index entry
- Operator:       APPROVED → applied helm rollback runbook line
- Adopter:        BLOCKER → demoted (already disclosed in chart README:212-217); applied cross-ref to Upgrade posture
- Security:       BLOCKER → REJECTED in contradict (depguard pkg: is prefix-by-default; same config's `math/rand$` is the proof)
- Researcher:     APPROVED (orthogonal)

## Pushback table

| ID    | Lens                | Beneficiary       | Severity         | Finding                                                                 | Proof                                                              | Contradict                                                              | TDD record | Rubric+? | Action  |
|-------|---------------------|-------------------|------------------|-------------------------------------------------------------------------|--------------------------------------------------------------------|-------------------------------------------------------------------------|------------|----------|---------|
| P2.1  | sre, adopter        | operator          | CONCERN          | Chart default points at unpublished registry; first-touch failure       | values.yaml: image.repository=ghcr.io/...; release.yml has no docker push | Chart README:212-217 already discloses under Troubleshooting; cross-ref needs surfacing under Upgrade   | n/a (doc) | no       | applied — surfaced from Upgrade posture |
| P2.2  | operator            | operator          | CONCERN          | Chart README "Upgrade posture" doesn't name helm rollback for incidents | grep "helm rollback" chart README → 0 hits before this edit       | Operator may know helm syntax already; chart-specific guidance still valued | n/a (doc) | no       | applied — helm rollback line + /healthz pointer |
| P2.3  | contributor         | customer-contrib  | BLOCKER          | RFC-0008 missing from docs/rfcs/README.md index table                   | grep 0008 docs/rfcs/README.md → 0 hits before                     | The RFC file exists; an RFC accepted but not indexed contradicts the index's purpose | n/a (doc) | no       | applied — index row added |
| P2.4  | maintainer          | repo-long-term    | CONCERN          | Forward-compat ("Operator-pattern RFC may expose but not relax") buried in Open Questions, should be a Commitment | RFC L84 contains the binding statement; Commitments has 3 bullets, none on CRD-knob path | Open Questions is a valid home for "adjacent" statements          | n/a (doc) | no       | applied — fourth Commitment added |
| P2.5  | security            | repo-long-term    | BLOCKER          | depguard pkg: may not block subpackage imports                          | Reviewer cited unverified golangci-lint semantics                  | `math/rand$` in same config proves pkg: is prefix-by-default — `$` anchor would be redundant otherwise | n/a       | no       | REJECTED in contradict cycle |
| P2.6  | operator            | repo-long-term    | NIT              | MILESTONES.md M21 rubric still references "canary email"                | grep "canary email" MILESTONES.md → found                          | Pre-existing on main; PR #61 (SECURITY rewrite) fixes upstream         | n/a       | no       | explicitly-skipped (feedback_narrow_pr_scope — PR #61 fixes) |
| P2.7  | maintainer          | repo-long-term    | NIT              | pkg/ exclusion not mentioned in RFC body                                | RFC § Enforcement doesn't name scope boundary; FOLLOWUPS does      | The FOLLOWUPS entry is sufficient disclosure for a follow-up gap        | n/a       | no       | deferred (already in FOLLOWUPS via P1.3) |
| P2.8  | contributor         | customer-contrib  | CONCERN          | RFC-0008 missing from "When to read which" in docs/rfcs/README.md       | grep 0008 docs/rfcs/README.md → 0 hits in onboarding paths        | Onboarding section may legitimately omit RFCs without contributor-touchable surface | n/a (doc) | no       | applied — "Adding a dependency" bullet added |

## Validation-cycle stats this phase
- Findings raised:                          8
- Rejected during contradict:               1 (P2.5)
- Demoted severity after re-validate:       2 (P2.1, adopter BLOCKER→CONCERN; SRE BLOCKER→CONCERN — same finding, same evidence)
- Applied:                                  5 (P2.1, P2.2, P2.3, P2.4, P2.8)
- Deferred to FOLLOWUPS:                    1 (P2.7 — already covered by P1.3 entry)
- Explicitly-skipped:                       1 (P2.6 — out of scope; downstream PR #61 fixes)

## Rubric additions proposed this phase

The following were proposed by reviewers:

- (SRE) "Upgrade story verifiability: prove the artifact appears in the published registry pre-RFC-ratification." — TASTE-CALL; reasonable but would have blocked legitimate RFC ratification of policy decisions ahead of operational artifacts; the FOLLOWUPS pattern handles this trade-off. Skipped.
- (Maintainer) "RFC forward-compatibility: any RFC that defers to a future RFC must state what the deferred RFC may/may not do." — LOAD-BEARING but generalizable beyond M23; defer to docs/STYLE-docs.md amendment. Captured by applying P2.4 to RFC-0008 itself; not promoted to MILESTONES rubric.
- (Contributor) "RFC index completeness gate: every accepted RFC must have a Status index row." — LOAD-BEARING and measurable. Could become a doc-check assertion. Captured by applying P2.3; lint-level gate deferred to FOLLOWUPS.
- (Operator) "RFC body does not document incomplete follow-up work as if it is already shipped." — TASTE-CALL; RFC clearly cites FOLLOWUPS for the image-publish gap. Skipped.
- (Adopter) "Chart defaults must be realizable without external work." — TASTE-CALL; the chart README troubleshooting already addresses this and the kind-load workaround is documented. Skipped.
- (Security) "Depguard subpackage coverage audit." — REJECTED with P2.5.
- (Security) "Supersession-bar clarity." — TASTE-CALL; current bar ("written use case from production operator that can't be served by operator-side automation") is concrete enough. Skipped.
- (Security) "Chart + binary supply-chain alignment." — LOAD-BEARING but duplicates the chart-appversion CI gate. Captured by existing gate.

No rubric additions promoted to .claude/ralph-loop.local.md this phase. Decision recorded for audit.

Signed-off-by: Tri Lam <trilamsr@gmail.com>
trilamsr added a commit that referenced this pull request May 19, 2026
…als (#65)

## Summary

Two hygiene fixes to the deferred-work tracker, surfaced by an audit of
what was deferred during PR #54's 5-phase rigorous review:

1. **Retire resolved `security@tracecore.ai` entry from § "Governance
gaps".** PR #61 chose resolution option (b) — rewrote SECURITY.md to
promote the GitHub Security Advisory URL as the primary disclosure
channel — but did not retire the FOLLOWUPS entry. Per the doc's own
preamble ("If a row in this file stays uncrossed for two milestones, ...
it should be deleted, not silently carried"), resolved items are
deleted; git history is the audit trail.
2. **New § "M23 follow-ups (post-rigorous-review)".** Four A+ criteria
from PR #54 phase 4 were marked `deferred` rather than `skipped` in the
`[review-pass-4-aplus]` commit body, but never surfaced in
`docs/FOLLOWUPS.md`. Promoting them now so future readers find them at
the canonical location:
- **Stable / parseable grep-gate output format** — triggers when first
automation consumer of `no-autoupdate-check` output appears
- **Operator CVE response time SLA (≤30 min patch-to-production)** —
triggers at M21 release-tag prep or first adopter ask
- **Explicit false-positive override path** — triggers on first
false-positive incident
- **Audit trail for depguard rule additions** — promotes to MEMORY.md
rule on second deny-list bump

## Why

The deferred A+ criteria were searchable via `git log --grep
"review-pass-4-aplus"` but invisible to anyone reading
`docs/FOLLOWUPS.md`. Trigger-based items belong in the tracker so they
fire when conditions appear. The stale governance-gap entry was an
out-of-date reference to a falsehood we already corrected.

## Test plan

- [x] `bash scripts/doc-check.sh` exits 0 (link-integrity +
banned-phrase lint + section assertions all green)
- [ ] `docs/FOLLOWUPS.md` renders correctly on GitHub; new "M23
follow-ups" section sits among the other milestone-tagged sections

```release-notes
NONE
```

Signed-off-by: Tri Lam <trilamsr@gmail.com>
trilamsr added a commit that referenced this pull request May 19, 2026
…self-falsifying) (#67)

## Summary

Captures two load-bearing lessons surfaced during this conversation's PR
cycles, via the `learn-from-mistakes` skill's full capture flow
(format-check + banned-vocab + diff approval + DCO commit).

1. **Verify named identifiers exist before echoing them as fact in repo
docs.** PR #56 + PR #61 caught two inherited falsehoods: `CODEOWNERS`
routed to a non-existent `@TraceCoreAI/maintainers` team (GitHub
silently ignores), and `SECURITY.md` cited an unprovisioned
`security@tracecore.ai` mailbox. A 30-second `gh api` / `dig MX` / `[ -f
path ]` check before landing the reference is the cure.

2. **RFC commitments must be self-falsifying.** PR #54's first RFC-0008
draft asserted `depguard` rules that didn't exist yet, and a
`chart-appversion` drift gate that only checks non-empty (not drift).
Rule: every "X gate enforces Y" line in an RFC body must be verifiable
in the current tree, or labeled deferred with the trigger condition.

## What this PR changes

- `AGENTS.md`: 2 new bullets under § "Load-bearing lessons" (entries 5
and 6 of the 6 universal rules). 113 → 128 lines, still under the
documented 150-line cap.

## Test plan

- [x] `wc -l AGENTS.md` = 128 (under 150 cap)
- [x] `bash scripts/doc-check.sh` exits 0
- [x] No banned vocabulary, no first-person AI phrasing, no
AI-attribution trailers in the lesson bodies (verified per the
`learn-from-mistakes` capture flow)
- [ ] Renders correctly on GitHub

```release-notes
NONE
```

---------

Signed-off-by: Tri Lam <trilamsr@gmail.com>