[security-audit] FAIL on 2026-06-21

[github-actions]

Audit failed at 2026-06-21T06:10Z. Run

Security Audit Report

Audited against SECURITY.md on 2026-06-21.

---

FAIL IF results

Dependency Supply Chain

Check 1 — FAIL node website/scripts/generate-deps.js changes dependency files when run from a clean checkout.

website/src/data/dependencies-cargo.json was modified. Three Cargo crates that became direct dependencies were missing from the committed file: objc2 v0.6.4, objc2-app-kit v0.3.2, and objc2-foundation v0.3.2 each gained a declaredName field and moved to the direct-dependency section. git diff --stat reports 45 lines changed (24 insertions, 21 deletions). The npm and runtime files were unchanged.

Check 2 — PASS package.json has devEngines.runtime.version: "22.22.3" (MAJOR.MINOR.PATCH).

Check 3 — PASS standalone/src-tauri/build.rs calls read_pinned_node_version() and verify_node_version() at lines 37–38, failing the build if the bundled binary's version string does not match.

Check 4 — PASS release.yml build-standalone job reads devEngines.runtime.version via jq -r '.devEngines.runtime.version' package.json, validates the MAJOR.MINOR.PATCH pattern with a regex, and passes the result to actions/setup-node (node-version: ${{ steps.node-pin.outputs.version }}).

Check 5 — PASS pnpm-workspace.yaml contains minimumReleaseAge: 1440 at the top level.

Check 6 — PASS .github/renovate.json enabledManagers is ["github-actions", "npm", "cargo"].

Check 7 — PASS .github/renovate.json has three minimumReleaseAge package rules matching ["npm", "cargo"]: "1 day" for patch, "3 days" for minor, "14 days" for major.

GitHub Actions Policies

Check 8 — PASS pull_request_target appears only in tend-review.yaml, which is an agent-managed (tend-*.yaml) workflow. No other workflow file contains the trigger.

Check 9 — PASS Non-agent-managed workflows (ci.yml, chromatic.yml, release.yml) grant only permitted write permissions:

• ci.yml: contents: read only.
• chromatic.yml: contents: read only.
• release.yml build-standalone / build-vscode: id-token: write, attestations: write (both explicitly allowed). security-audit job: actions: write (explicitly allowed by the "Release audit dispatch" exception). publish-vscode: inherits top-level contents: read.

Automated Maintainer (tend)

Check 10 — PASS Ruleset "Merge access" (ID 16757376): target=branch, conditions.ref_name.include=["~DEFAULT_BRANCH"], rules=[{"type":"update"}], bypass_actors=[{"actor_id":5,"actor_type":"RepositoryRole","bypass_mode":"exempt"}]. Sole bypass is admin.

Check 11 — PASS Ruleset "Tag operations" (ID 16757382): target=tag, conditions.ref_name.include=["~ALL"], rules=[{"type":"creation"},{"type":"update"}], bypass_actors=[{"actor_id":5,"actor_type":"RepositoryRole","bypass_mode":"exempt"}]. Blocks both creation and update; sole bypass is admin.

Check 12 — PASS dormouse-bot collaborator permission API response: "permission":"write", "role_name":"write". Not above push level.

Check 13 — PASS Repo-level secrets (via GH_TOKEN=$AUDIT_PAT gh api): ["CHROMATIC_PROJECT_TOKEN","CLAUDE_CODE_OAUTH_TOKEN","TEND_BOT_TOKEN"]. Neither OVSX_PAT nor VSCE_PAT is present.

Check 14 — PASS Environment deployment branch policies:

• vscode-extension-publish: one policy, {"name":"v*","type":"tag"} — admin-gated via "Tag operations" ruleset.
• security-audit: two policies, {"name":"main","type":"branch"} (admin-gated via "Merge access") and {"name":"v*","type":"tag"} (admin-gated via "Tag operations").
  No non-admin-gated ref is admitted by either environment.

Check 15 — PASS security-audit environment secrets: ["AUDIT_PAT"]. AUDIT_PAT does not appear in the repo-level secret list.

Check 16 — PASS .config/tend.yaml contains secrets: allowed: - CHROMATIC_PROJECT_TOKEN.

Check 17 — PASS workflow-audit.yaml exists and is not disabled. Most recent successful run API response: {"conclusion":"success","created_at":"2026-06-20T08:19:39Z","head_branch":"main","status":"completed"} — within the 48-hour window (current date: 2026-06-21).

Check 18 — PASS All tend-*.yaml workflows use only tag-pinned references: actions/checkout@v6 and max-sixty/tend@0.1.6. No @main or unversioned refs appear in any tend workflow.

Check 19 — PASS Agent-managed workflows declare only these permissions (all within the allowed set):

• tend-ci-fix.yaml: contents: write, pull-requests: write, id-token: write, actions: read
• tend-review.yaml: contents: write, pull-requests: write, issues: write, id-token: write, actions: read
• tend-review-runs.yaml, tend-triage.yaml, tend-nightly.yaml, tend-weekly.yaml, tend-notifications.yaml, tend-mention.yaml (handle job): same as tend-review.yaml
• workflow-audit.yaml: contents: read, issues: write, actions: read
• security-audit.yaml: contents: read, actions: read, issues: write, id-token: write

VS Code Extension Releases

Check 20 — PASS release.yml publish-vscode job declares environment: name: vscode-extension-publish.

Check 21 — PASS VSCE_PAT and OVSX_PAT are referenced only inside the publish-vscode job, which is gated by the vscode-extension-publish environment. No other job or workflow file references these secrets.

Check 22 — PASS release.yml does not reference any production desktop signing secret (APPLE_SIGN_PASS, EV_SIGN_PIN, TAURI_SIGNING_PRIVATE_KEY). CI artifacts are built with an ephemeral key only.

Check 23 — PASS release.yml build-standalone job contains the "Generate ephemeral Tauri updater key" step (tauri signer generate --ci), setting TAURI_SIGNING_PRIVATE_KEY in GITHUB_ENV.

Desktop Releases

Check 24 — PASS scripts/sign-and-deploy.sh verify_downloaded_artifact() function (lines 390–399) calls gh attestation verify with --cert-identity, --cert-oidc-issuer, --source-ref, and --source-digest flags, failing hard if verification fails.

Check 25 — PASS scripts/sign-and-deploy.sh verify_downloaded_artifact() calls check_sha256_manifest() (lines 359–370), which runs sha256sum -c or shasum -a 256 -c against the manifest, failing hard if any hash mismatches.

Check 26 — PASS scripts/sign-and-deploy.sh sign_windows() function (lines 694–702) calls jsign --storetype PIV --storepass "$EV_SIGN_PIN" for both the executable and the installer.

CI Validation Contract

Check 27 — PASS security-audit.yaml exists and is not disabled. release.yml security-audit job dispatches security-audit.yaml and watches it; publish-vscode job declares needs: [build-standalone, build-vscode, security-audit].

Check 28 — PASS security-audit.yaml retains all required guards:

• Prompt (line 84) includes "flag any other security hole you find" (qualitative pass required).
• "Verify AUDIT_PAT is provisioned" step (line 49) exits 1 and writes FAIL if the secret is absent.
• "Surface result, file or close issue" step (lines 125–174) opens/updates a security-audit-failure issue and calls exit 1 when status is not PASS.
• No FAIL IF can be suppressed by the prompt or environment.

---

Qualitative findings

WARNING — pnpm install without --frozen-lockfile in ci.yml

ci.yml build-and-test job (line 28) and standalone-smoketest job (line 81, working-directory: standalone) run pnpm install without --frozen-lockfile. On a fresh checkout, if the lockfile has drifted from package.json declarations, pnpm will silently update the lockfile rather than failing. This means CI tests could exercise dependency resolutions that have never been reviewed. The release builds in release.yml correctly use --frozen-lockfile so production artifacts are not affected, but CI test coverage may silently shift under unreviewed versions.

Recommendation: add --frozen-lockfile to both pnpm install calls in ci.yml (or rely on the pnpm.installFrozen workspace setting).

INFO — ANTHROPIC_API_KEY referenced in tend-*.yaml but not acknowledged in SECURITY.md

All eight tend-*.yaml workflows pass anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} to the tend action. The repo-level secrets list (confirmed via GH_TOKEN=$AUDIT_PAT gh api) does not currently include ANTHROPIC_API_KEY (["CHROMATIC_PROJECT_TOKEN","CLAUDE_CODE_OAUTH_TOKEN","TEND_BOT_TOKEN"]), so the secret is not currently reachable. However, SECURITY.md's "Reachable repo-level secrets" section lists only three secrets and does not mention ANTHROPIC_API_KEY. If this secret is provisioned in the future, it would become a fourth reachable secret without a corresponding acknowledgment in the spec. The spec should be updated to either document that ANTHROPIC_API_KEY is intentionally absent, or acknowledge it as a reachable secret if it is ever provisioned.

INFO — TAURI_SIGNING_PRIVATE_KEY passed as both env var and CLI argument in sign-and-deploy.sh

scripts/sign-and-deploy.sh sign_updates() function (line 763) sets TAURI_SIGNING_PRIVATE_KEY as an environment variable and simultaneously passes --private-key "$TAURI_SIGNING_PRIVATE_KEY" as a CLI argument (line 766). On Linux and macOS, process argument lists are visible in /proc/PID/cmdline and ps aux output for the brief duration of the tauri signer sign invocation, exposing the private key in the process table. Since the Tauri CLI already reads TAURI_SIGNING_PRIVATE_KEY from the environment, the --private-key CLI flag is redundant and can be removed to eliminate this momentary exposure.

---

Summary

Overall status: FAIL

The audit found one violated FAIL IF check (Check 1): node website/scripts/generate-deps.js modifies website/src/data/dependencies-cargo.json when run from a clean checkout. Three Cargo crates — objc2 v0.6.4, objc2-app-kit v0.3.2, and objc2-foundation v0.3.2 — recently became direct dependencies (gained declaredName entries and moved to the direct-dependency section) but the committed supply-chain page snapshot was not regenerated. This breaks the invariant that the published dependency list at dormouse.sh/supply-chain provably reflects what ships. All other 27 FAIL IF checks pass, and no qualitative finding rises to BLOCKER severity. The two non-FAIL IF findings are a WARNING (non-frozen lockfile in CI) and two INFO items (undocumented secret reference, redundant CLI secret argument in the local signing script).

[github-actions]

Audit failed at 2026-06-22T06:16Z. Run

Security Audit Report

FAIL IF results

Dependency Supply Chain

#	Check	Result	Evidence
1	generate-deps.js must not change dependency files	FAIL	Running node website/scripts/generate-deps.js changed website/src/data/dependencies-cargo.json: objc2 v0.6.4, objc2-app-kit v0.3.2, and objc2-foundation v0.3.2 moved from transitive-only entries to direct-dependency entries (gained declaredName fields). The supply-chain snapshot in the repo does not match the current lockfile.
2	package.json has devEngines.runtime.version as exact MAJOR.MINOR.PATCH	PASS	package.json line 9: "version": "22.22.3"
3	build.rs verifies bundled Node.js matches pin	PASS	standalone/src-tauri/build.rs lines 37–38 call read_pinned_node_version() and verify_node_version(), failing the build on mismatch
4	build-standalone job reads devEngines.runtime.version and passes it to actions/setup-node	PASS	release.yml lines 38–51: jq -r '.devEngines.runtime.version' package.json → actions/setup-node
5	pnpm-workspace.yaml has minimumReleaseAge: 1440	PASS	pnpm-workspace.yaml line 19
6	renovate.json includes npm and cargo in enabledManagers	PASS	.github/renovate.json line 3: ["github-actions", "npm", "cargo"]
7	renovate.json has minimumReleaseAge rules for npm/cargo	PASS	.github/renovate.json lines 40–52: patch → 1 day, minor → 3 days, major → 14 days for both managers

GitHub Actions Policies

#	Check	Result	Evidence
8	pull_request_target appears only in tend-*.yaml	PASS	grep -rn pull_request_target .github/workflows/: only tend-review.yaml line 11
9	Non-agent-managed workflows grant only allowed write permissions	PASS	release.yml: id-token: write, attestations: write on build jobs; actions: write only on the security-audit job. ci.yml and chromatic.yml: contents: read only

Automated Maintainer (tend)

#	Check	Result	Evidence
10	Merge access ruleset: present, targets ~DEFAULT_BRANCH, blocks only update, admin-only bypass	PASS	Ruleset ID 16757376: target=branch, conditions.ref_name.include=["~DEFAULT_BRANCH"], rules=["update"], bypass_actors=[{actor_id:5, actor_type:RepositoryRole, bypass_mode:exempt}]
11	Tag operations ruleset: present, targets ~ALL, blocks creation and update, admin-only bypass	PASS	Ruleset ID 16757382: target=tag, conditions.ref_name.include=["~ALL"], rules=["creation","update"], bypass_actors=[{actor_id:5, actor_type:RepositoryRole, bypass_mode:exempt}]
12	dormouse-bot holds no more than push permission	PASS	gh api repos/$REPO/collaborators: dormouse-bot → role_name: "write" (push)
13	OVSX_PAT and VSCE_PAT absent from repo-level secrets	PASS	Repo-level secrets: CHROMATIC_PROJECT_TOKEN, CLAUDE_CODE_OAUTH_TOKEN, TEND_BOT_TOKEN only
14	All environment deployment-branch-policies admit only admin-gated refs	PASS	vscode-extension-publish: v* tag only (admin-gated by Tag operations). security-audit: main branch + v* tag (both admin-gated by their respective rulesets)
15	AUDIT_PAT present in security-audit environment and not at repo level	PASS	security-audit env secrets: ["AUDIT_PAT"]; not in repo-level secrets list
16	CHROMATIC_PROJECT_TOKEN in secrets.allowed in .config/tend.yaml	PASS	.config/tend.yaml lines 4–6: secrets.allowed: [CHROMATIC_PROJECT_TOKEN]
17	workflow-audit.yaml present, enabled, successful run within 48 hours	PASS	File present; last successful run: 2026-06-21T08:41:10Z (21 hours before audit)
18	No tend-*.yaml uses an unpinned action reference (@main or no version)	PASS	All tend-*.yaml use tag pins: actions/checkout@v6, max-sixty/tend@0.1.6 — tag pins are explicitly accepted inside tend-*.yaml per SECURITY.md
19	Agent-managed workflows grant no permission beyond allowed set	PASS	All tend-*.yaml: contents:write, pull-requests:write, id-token:write, actions:read, issues:write. workflow-audit.yaml: contents:read, issues:write, actions:read. security-audit.yaml: contents:read, actions:read, issues:write, id-token:write. All within allowed set

VS Code Extension Releases

#	Check	Result	Evidence
20	release.yml publish job has vscode-extension-publish environment	PASS	release.yml line 305: environment: name: vscode-extension-publish on publish-vscode job
21	VSCE_PAT and OVSX_PAT used only within vscode-extension-publish environment	PASS	Both secrets referenced only inside the publish-vscode job (which carries the environment). Not in repo-level secrets
22	release.yml does not use production desktop signing secrets	PASS	No APPLE_SIGN_PASS, EV_SIGN_PIN, or production TAURI_SIGNING_PRIVATE_KEY secret in any release.yml step
23	release.yml generates ephemeral Tauri updater key for unsigned CI artifacts	PASS	release.yml lines 75–86: pnpm tauri signer generate --ci --write-keys "$RUNNER_TEMP/tauri-ci-updater.key"

Desktop Releases

#	Check	Result	Evidence
24	sign-and-deploy.sh verifies GitHub artifact attestations	PASS	scripts/sign-and-deploy.sh lines 388–399: gh attestation verify with --cert-identity, --cert-oidc-issuer, --source-ref, --source-digest
25	sign-and-deploy.sh verifies artifact SHA-256 manifests	PASS	scripts/sign-and-deploy.sh lines 359–369: check_sha256_manifest using sha256sum -c or shasum -a 256 -c
26	sign-and-deploy.sh uses PIV-backed Windows signing	PASS	scripts/sign-and-deploy.sh lines 692–701: jsign --storetype PIV --storepass "$EV_SIGN_PIN"

CI Validation Contract

#	Check	Result	Evidence
27	security-audit.yaml present, enabled, invoked from release.yml publish path	PASS	File present; schedule + workflow_dispatch triggers; release.yml lines 236–295 dispatch and gate on it; publish-vscode has needs: [security-audit] at line 302
28	Audit has not been weakened	PASS	Prompt includes full qualitative pass and all FAIL IF checks; AUDIT_PAT pre-check at lines 49–57; failure-reporting step (open/update issue, exit 1) at lines 125–174

---

Qualitative findings

INFO: ANTHROPIC_API_KEY used in all tend-*.yaml workflows but not enumerated in SECURITY.md's reachable-secrets threat model.
All 8 tend-*.yaml workflows pass anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} to max-sixty/tend. The repo-level secrets list contains only CHROMATIC_PROJECT_TOKEN, CLAUDE_CODE_OAUTH_TOKEN, and TEND_BOT_TOKEN. ANTHROPIC_API_KEY is either an org-level secret (org secret enumeration returned 403, unverifiable with current PAT) or unset. If it is a live org-level secret reachable from these workflows, its risk profile (bounded Anthropic API credit abuse) is similar to CLAUDE_CODE_OAUTH_TOKEN, and it should be named in SECURITY.md's §3 threat model. No structural breach — just a documentation gap if the secret is live.

INFO: sign-and-deploy.sh passes Tauri private key as both env var and --private-key CLI argument.
scripts/sign-and-deploy.sh lines 763–766 set TAURI_SIGNING_PRIVATE_KEY as an env var for the tauri signer sign invocation and also pass it via --private-key "$TAURI_SIGNING_PRIVATE_KEY". CLI arguments are readable by any process on the local machine with access to /proc/<pid>/cmdline or ps. The env-var path alone is sufficient. This is a local-only signing script on the operator's machine, limiting blast radius, but removing the redundant --private-key flag would eliminate the exposure.

---

Summary

FAIL.

One FAIL IF violation was found: running node website/scripts/generate-deps.js from a clean checkout modifies website/src/data/dependencies-cargo.json. Three direct Cargo dependencies — objc2 v0.6.4, objc2-app-kit v0.3.2, and objc2-foundation v0.3.2 — are recorded only as transitive dependencies in the committed snapshot, but the current lockfile promotes them to direct dependencies (they gain declaredName fields in the regenerated output). The supply-chain page therefore under-reports the direct dependency surface. All 27 other FAIL IF checks pass. Both qualitative findings are INFO severity; neither is a BLOCKER. The single FAIL IF violation requires regenerating and committing the dependency snapshot (node website/scripts/generate-deps.js) before the next release.

[github-actions]

Audit failed at 2026-06-23T05:51Z. Run

Security Audit Report

Audit date: 2026-06-23
Branch: main
Commit: 60e82ec

---

FAIL IF results

Dependency Supply Chain

[FAIL] node website/scripts/generate-deps.js changes website/src/data/dependencies-cargo.json when run from a clean checkout.
Evidence: git diff --stat website/src/data/ after running the script shows website/src/data/dependencies-cargo.json | 45 +++++++++++++++++--------------- (1 file changed, 24 insertions, 21 deletions). Three direct Cargo dependencies (objc2 v0.6.4, objc2-app-kit v0.3.2, objc2-foundation v0.3.2) were moved from a later position in the JSON to an earlier position and gained a "declaredName" field not present in the committed version. The supply-chain page would disclose different dependency metadata than what is committed.

[PASS] package.json has devEngines.runtime.version set to an exact version.
Evidence: package.json line 8: "version": "22.22.3" — matches ^MAJOR.MINOR.PATCH$.

[PASS] standalone/src-tauri/build.rs verifies the bundled Node.js binary matches devEngines.runtime.version.
Evidence: build.rs lines 37–38 call read_pinned_node_version() (reads from package.json) and verify_node_version() (runs node --version and compares), and the build fails if they don't match.

[PASS] build-standalone job in release.yml installs the pinned runtime by reading devEngines.runtime.version from package.json and passing it to actions/setup-node.
Evidence: release.yml lines 40–51: a Read pinned Node.js version step extracts the value with jq, validates MAJOR.MINOR.PATCH format, and passes node-version: ${{ steps.node-pin.outputs.version }} to actions/setup-node.

[PASS] pnpm-workspace.yaml has minimumReleaseAge: 1440.
Evidence: pnpm-workspace.yaml line 19: minimumReleaseAge: 1440.

[PASS] .github/renovate.json has npm and cargo in enabledManagers.
Evidence: renovate.json line 3: "enabledManagers": ["github-actions", "npm", "cargo"].

[PASS] .github/renovate.json has minimumReleaseAge package rules for npm/cargo updates.
Evidence: renovate.json lines 38–53: three rules for matchManagers: ["npm", "cargo"] with minimumReleaseAge: "1 day" (patch), "3 days" (minor), "14 days" (major).

GitHub Actions Policies

[PASS] pull_request_target does not appear in any non-agent-managed workflow.
Evidence: grep -l "pull_request_target" .github/workflows/*.{yml,yaml} returns only tend-review.yaml, which is an agent-managed workflow and is explicitly exempt.

[PASS] No non-agent-managed workflow grants write permissions beyond the allowed set.
Evidence:

• release.yml: root contents: read; build-standalone adds id-token: write, attestations: write; build-vscode adds id-token: write, attestations: write; security-audit job adds actions: write; publish-vscode inherits root-level contents: read. All within the allowed set.
• chromatic.yml: contents: read only.
• ci.yml: contents: read only.

Automated Maintainer (tend)

[PASS] Repository ruleset Merge access exists, targets ~DEFAULT_BRANCH, blocks only update, and has admin (RepositoryRole actor 5) as its sole bypass actor.
Evidence: GH_TOKEN=$AUDIT_PAT gh api repos/.../rulesets/16757376 → {"name":"Merge access","target":"branch","conditions":{"ref_name":{"include":["~DEFAULT_BRANCH"]}},"rules":[{"type":"update"}],"bypass_actors":[{"actor_id":5,"actor_type":"RepositoryRole","bypass_mode":"exempt"}]}.

[PASS] Repository ruleset Tag operations exists, targets ~ALL tags, blocks both creation and update, and has admin-only bypass.
Evidence: GH_TOKEN=$AUDIT_PAT gh api repos/.../rulesets/16757382 → {"name":"Tag operations","target":"tag","conditions":{"ref_name":{"include":["~ALL"]}},"rules":[{"type":"creation"},{"type":"update"}],"bypass_actors":[{"actor_id":5,"actor_type":"RepositoryRole","bypass_mode":"exempt"}]}.

[PASS] dormouse-bot holds no higher than push permission on this repository.
Evidence: GH_TOKEN=$AUDIT_PAT gh api repos/.../collaborators/dormouse-bot/permission → {"permission":"write","role_name":"write","user":{"permissions":{"admin":false,"maintain":false,"push":true,...}}}.

[PASS] OVSX_PAT and VSCE_PAT do not appear as repo-level secrets.
Evidence: GH_TOKEN=$AUDIT_PAT gh api repos/.../actions/secrets → ["CHROMATIC_PROJECT_TOKEN","CLAUDE_CODE_OAUTH_TOKEN","TEND_BOT_TOKEN"]. Neither OVSX_PAT nor VSCE_PAT is present.

[PASS] All GitHub environment deployment-branch-policies admit only admin-gated refs.
Evidence:

• vscode-extension-publish: admits only v* tags → admin-gated via Tag operations ruleset.
• security-audit: admits main branch (admin-gated via Merge access) and v* tags (admin-gated via Tag operations).
  Both verified via GH_TOKEN=$AUDIT_PAT gh api repos/.../environments/{name}/deployment-branch-policies.

[PASS] AUDIT_PAT is in the security-audit environment and not at repo level.
Evidence: GH_TOKEN=$AUDIT_PAT gh api repos/.../environments/security-audit/secrets → ["AUDIT_PAT"]. Not in repo-level secrets list.

[PASS] CHROMATIC_PROJECT_TOKEN is in secrets.allowed in .config/tend.yaml.
Evidence: .config/tend.yaml lines 3–5: secrets:\n allowed:\n - CHROMATIC_PROJECT_TOKEN.

[PASS] workflow-audit.yaml is present, not disabled, and has a successful run within the last 48 hours.
Evidence: File exists at .github/workflows/workflow-audit.yaml. gh run list --workflow workflow-audit.yaml --status success --limit 1 → last success at 2026-06-22T09:17:33Z (~24 hours ago).

[PASS] No tend-*.yaml workflow uses an unpinned action reference (@main or no version).
Evidence: All tend-.yaml workflows use tag-pinned references: actions/checkout@v6 and max-sixty/tend@0.1.6. Tag pins are explicitly accepted for tend-.yaml per SECURITY.md ("Tag pins are accepted inside tend-*.yaml because the file is owned by the upstream generator").

[PASS] No agent-managed workflow grants permissions beyond the allowed set.
Evidence: All tend-*.yaml workflows declare contents: write, pull-requests: write, id-token: write, actions: read, issues: write — all within the allowed set. workflow-audit.yaml uses contents: read, issues: write, actions: read. security-audit.yaml uses contents: read, actions: read, issues: write, id-token: write.

VS Code Extension Releases

[PASS] release.yml has vscode-extension-publish environment on the VS Code publish job.
Evidence: release.yml lines 303–305: publish-vscode job has environment:\n name: vscode-extension-publish.

[PASS] VSCE_PAT and OVSX_PAT are used only within the vscode-extension-publish environment.
Evidence: grep -rn "VSCE_PAT\|OVSX_PAT" .github/workflows/ → both appear only in release.yml lines 336 and 348, within the publish-vscode job that uses vscode-extension-publish environment. GH_TOKEN=$AUDIT_PAT gh api repos/.../environments/vscode-extension-publish/secrets → ["OVSX_PAT","VSCE_PAT"].

[PASS] release.yml does not use production desktop signing secrets in CI.
Evidence: No reference to APPLE_SIGN_PASS, EV_SIGN_PIN, or production TAURI_SIGNING_PRIVATE_KEY secrets in release.yml. The ephemeral key is generated on-the-fly with tauri signer generate --ci.

[PASS] release.yml generates an ephemeral Tauri updater key for unsigned CI artifacts.
Evidence: release.yml lines 75–87: "Generate ephemeral Tauri updater key" step runs tauri signer generate --ci --write-keys "$key_path" --force and sets TAURI_SIGNING_PRIVATE_KEY to the file path.

Desktop Releases

[PASS] scripts/sign-and-deploy.sh verifies GitHub artifact attestations.
Evidence: sign-and-deploy.sh lines 393–398: verify_downloaded_artifact() calls gh attestation verify "$manifest" --repo ... --cert-identity ... --cert-oidc-issuer ... --source-ref ... --source-digest.

[PASS] scripts/sign-and-deploy.sh verifies artifact SHA-256 manifests.
Evidence: sign-and-deploy.sh lines 362–369: check_sha256_manifest() calls sha256sum -c (or shasum -a 256 -c) on the manifest. Called from verify_downloaded_artifact() at line 403.

[PASS] scripts/sign-and-deploy.sh uses PIV-backed Windows signing.
Evidence: sign-and-deploy.sh lines 696–701 and 709–714: jsign --storetype PIV --storepass "$EV_SIGN_PIN" --alias "$JSIGN_ALIAS" is called for both the .exe and the NSIS installer.

CI Validation Contract

[PASS] security-audit.yaml is present, not disabled, and is invoked from release.yml's publish path.
Evidence: File exists at .github/workflows/security-audit.yaml with schedule and workflow_dispatch triggers. release.yml lines 236–295: security-audit job dispatches security-audit.yaml and watches its result. publish-vscode job declares needs: [build-standalone, build-vscode, security-audit].

[PASS] The audit has not been weakened.
Evidence: security-audit.yaml lines 49–57: AUDIT_PAT pre-check is present and exits non-zero if missing. Lines 59–124: claude-code-action step with full prompt including qualitative pass requirement. Lines 126–174: failure-reporting step opens/updates a security-audit-failure issue and exits non-zero on failure.

---

Qualitative findings

WARNING — Stale supply-chain disclosure (substantive)

The dependencies-cargo.json stale finding above (FAIL IF #1) also has a qualitative dimension: the three affected entries (objc2, objc2-app-kit, objc2-foundation) are missing the "declaredName" field in the committed file but have it after regeneration. The declaredName field appears to distinguish entries generated as direct vs. transitive dependencies. If the supply-chain page renders this field, the disclosure for these three crates would be incomplete or incorrect in the current committed state.

Severity: WARNING (covered by the FAIL above; noting separately for clarity).

WARNING — ANTHROPIC_API_KEY not documented in the SECURITY.md threat model

All tend-*.yaml workflows pass anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} to the max-sixty/tend action. This secret is not listed in repo-level secrets (suggesting it is org-scoped), and it is not mentioned in the SECURITY.md "Reachable repo-level secrets" section. Since it is accessible to any tend-authored workflow, the threat model should document it alongside CLAUDE_CODE_OAUTH_TOKEN (which it supplements or replaces depending on tend's runtime behaviour). Blast radius: Anthropic API credit abuse, identical to CLAUDE_CODE_OAUTH_TOKEN.

Severity: WARNING — no FAIL IF violation, but the security posture is incompletely documented.

INFO — tend-mention.yaml verify job lacks an explicit permissions block

Every other tend-*.yaml workflow declares job-level permissions explicitly. The verify job in tend-mention.yaml has no permissions key and relies on the repository default (likely contents: read). The subsequent handle job does declare the correct minimal permissions. This is not a policy violation, but explicit permission declarations in verify would improve defense-in-depth consistency.

Severity: INFO

INFO — CHROMATIC_PROJECT_TOKEN reachable via bot-authored workflows (accepted risk)

CHROMATIC_PROJECT_TOKEN is a repo-level secret accessible to any workflow the bot can author, because chromatic.yml triggers on pull_request without environment scoping. SECURITY.md explicitly accepts this risk ("rotation as the mitigation"). The token is present in secrets.allowed in .config/tend.yaml, constituting an explicit acknowledgment. No action required; noting for completeness.

Severity: INFO

INFO — Cross-compilation skips Node.js version verification in build.rs

build.rs lines 196–204: when host != target, the Node.js version check is skipped with a cargo:warning. In practice, all CI builds in release.yml are native (macOS runner for aarch64-apple-darwin, Linux for Linux, Windows for Windows), so this code path is not exercised in normal CI. A hypothetical developer cross-compiling locally could bundle an unverified Node.js binary. The SECURITY.md design acknowledges the CI path is authoritative; a comment warning local developers might help.

Severity: INFO

---

Summary

FAIL

One FAIL IF condition is violated: website/src/data/dependencies-cargo.json is stale. Running node website/scripts/generate-deps.js from a clean checkout modifies this file — three direct Cargo dependencies (objc2 v0.6.4, objc2-app-kit v0.3.2, objc2-foundation v0.3.2) appear at a different position in the JSON and gain a "declaredName" field absent in the committed version. All other 27 FAIL IF conditions pass, including both rulesets, all environment deployment policies, secrets placement, bot permissions, workflow permissions, the AUDIT_PAT pre-check, the ephemeral Tauri key, PIV-backed Windows signing, and artifact attestation verification. The two WARNING-severity qualitative findings (ANTHROPIC_API_KEY not in threat model, stale-file consequences) do not themselves constitute independent BLOCKERs beyond the dependency staleness already recorded as a FAIL. No BLOCKER-severity qualitative findings were identified.