
docs(release): SBOM + Cosign signing, CHANGELOG.md, mermaid diagrams#74

Merged
mopanc merged 1 commit into main from feat/supply-chain-hardening-changelog-mermaid on May 11, 2026

Conversation

@mopanc
Owner

@mopanc mopanc commented May 11, 2026

Summary

Three coupled changes to align release artifacts with what the docs claim, plus the README diagrams you asked for.

Supply-chain hardening

SECURITY.md (introduced in #72) claimed "Releases are signed Cosign-keyless and ship with a CycloneDX SBOM" — but the goreleaser config produced neither. This PR makes the claim true from the next tagged release forward:

  • .goreleaser.yaml — adds sboms: (one CycloneDX JSON per archive via syft) and signs: (Cosign keyless on checksums.txt, plus the Fulcio certificate alongside the signature). Verification recipe documented inline.
  • .github/workflows/release.yml — adds id-token: write permission (required for OIDC keyless), plus anchore/sbom-action/download-syft@v0 and sigstore/cosign-installer@v3 steps before goreleaser runs.
  • SECURITY.md — until the next tag lands with the artifacts, the claim was an overclaim. Rewritten to "on the immediate roadmap"; the original wording returns automatically from the next release forward.

CHANGELOG.md (Keep-a-Changelog)

Maintained in-tree alongside the auto-generated goreleaser release notes. Sections for [Unreleased], v1.0.0-rc.1, v1.0.0-beta.3, v1.0.0-beta.2, v1.0.0-beta.1 reconstructed from git log + PR titles.

Mermaid diagrams in the README

  • Sequence diagram in "Why Saga" → the literal call path of one prompt: You → Claude Code → saga hook → SQLite + markdown → AI → topic_write → next session. Annotated with the source files so readers can follow it in code.
  • Flowchart in "Architecture" → storage / runtime / agent surfaces with the transports labelled (MCP stdio, UserPromptSubmit, FTS5 + BM25 + relations). Reinforces "markdown is the source of truth; SQLite is a regenerable cache".

GitHub renders mermaid natively — no build step, no images to maintain.

Re-tag plan after merge

v1.0.0-rc.1 already shipped without the SBOM / signature artifacts. After merge, a follow-up v1.0.0-rc.2 tag re-fires goreleaser with the new config so the SECURITY.md claim is true on a downloadable release.

Test plan

  • `go build ./...` clean (no Go changes, defensive)
  • `go test ./...` clean
  • `golangci-lint run --timeout=2m` — 0 issues
  • Goreleaser config syntax — couldn't validate locally (`goreleaser` not on PATH); CI on the rc.2 tag is the real verification
  • Confirm mermaid diagrams render correctly on GitHub once PR is open (visual check)

Three coupled changes to align release artifacts with what the docs claim:

**Supply-chain hardening (matches the SECURITY.md claim).**
- `.goreleaser.yaml`: adds `sboms:` (CycloneDX per archive via syft) and
  `signs:` (Cosign keyless via the runner's ambient OIDC identity, signs
  `checksums.txt`). The next tagged release ships `*.sbom.cdx.json` plus
  `checksums.txt.sig` + `checksums.txt.pem`.
- `.github/workflows/release.yml`: adds `id-token: write` permission and
  installs syft + cosign before goreleaser runs.
- `SECURITY.md`: until the next tagged release lands with these artifacts,
  the "Releases are signed Cosign-keyless and ship with a CycloneDX SBOM"
  line was an overclaim. Replaced with an honest "on the immediate
  roadmap" wording; the previous text returns automatically from the
  next release forward.

**CHANGELOG.md (Keep-a-Changelog).**
Maintained in-tree, complementing the goreleaser-generated commit-level
release notes. Initial sections reconstructed for v1.0.0-beta.1 →
v1.0.0-rc.1 from git log + PR titles. `[Unreleased]` carries the SBOM +
Cosign + diagram entries from this PR.

**Mermaid diagrams in the README.**
- `Why Saga` → sequence diagram of the prompt lifecycle (You → Claude Code
  → hook → SQLite/markdown → AI → topic_write → next session).
  Annotated with the exact source files so readers can follow the call
  path in code.
- `Architecture` → flowchart of the storage / runtime / agent surfaces
  with the transports labelled (MCP stdio, UserPromptSubmit, FTS5 +
  BM25 + relations). Reinforces "markdown is the source of truth,
  SQLite is regenerable cache".

GitHub renders mermaid natively — no extra build step.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
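Consumer-side check of the artifacts that the supply-chain section above (and the commit message) says the next tagged release will ship: the Cosign keyless signature and Fulcio certificate on checksums.txt, the SHA-256 list, and one CycloneDX SBOM per archive. This is an added example, not the PR's inline verification recipe or the project's own code; it assumes the release assets were downloaded into one directory, `cosign` v2 and GNU `sha256sum` on PATH, and uses an OWNER/REPO placeholder for the repository in the certificate identity.

```shell
# Added example (not the project's code): verify a release built with the
# goreleaser config described in this PR. All assets are assumed to sit in
# one directory: checksums.txt, .sig, .pem, archives, <archive>.sbom.cdx.json.
set -eu

OIDC_ISSUER="https://token.actions.githubusercontent.com"
# Placeholder: OWNER/REPO stands for the repository that runs release.yml.
# Pinning issuer and workflow identity is what makes keyless verification
# meaningful; without them any certificate Fulcio ever issued would pass.
IDENTITY_REGEXP='^https://github\.com/OWNER/REPO/\.github/workflows/release\.yml@refs/tags/v.*$'

# Step 1: check the keyless signature on checksums.txt against the bundled
# Fulcio certificate (cosign also consults the Rekor transparency log).
verify_checksums_signature() {
  cosign verify-blob \
    --certificate "$1/checksums.txt.pem" \
    --signature "$1/checksums.txt.sig" \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    --certificate-identity-regexp "$IDENTITY_REGEXP" \
    "$1/checksums.txt"
}

# Step 2: every file listed in checksums.txt must match its SHA-256; a
# missing or altered file fails the check. Works offline.
verify_checksums() {
  (cd "$1" && sha256sum --check --strict checksums.txt)
}

# Step 3: each archive must ship a CycloneDX SBOM next to it. checksums.txt
# also lists the SBOM files themselves, so only *.tar.gz/*.zip entries count.
verify_sboms_present() {
  local dir="$1" sum name sbom
  while read -r sum name; do
    case "$name" in *.tar.gz|*.zip) ;; *) continue ;; esac
    sbom="$dir/$name.sbom.cdx.json"
    [ -s "$sbom" ] || { echo "missing SBOM for $name" >&2; return 1; }
    grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$sbom" ||
      { echo "$sbom is not CycloneDX JSON" >&2; return 1; }
  done < "$dir/checksums.txt"
}

verify_release() {
  verify_checksums_signature "$1"
  verify_checksums "$1"
  verify_sboms_present "$1"
  echo "release in $1 verified"
}

# Only run when given a download directory, so the offline checks can be
# exercised without cosign on PATH.
[ $# -eq 0 ] || verify_release "$1"
```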
@mopanc mopanc merged commit 99499fb into main May 11, 2026
6 checks passed
@mopanc mopanc deleted the feat/supply-chain-hardening-changelog-mermaid branch May 11, 2026 19:54
