🧹 chore: post-v1.0.0 cleanup — README trim, version refs, Snyk exclude#67
Merged
Conversation
The comparison prose led with "We give wollomatic its due — it is the strongest of the prior generation" and re-listed wollomatic's feature set that the comparison table directly above already covers. Cut the redundant sentence — the table carries the comparison.
The Configuration section had grown into a ~300-line reference manual
duplicating docs/content/docs/{configuration,admin,observability,
security}.mdx — configuration.mdx alone is more thorough at 1049 lines.
Replace the kitchen-sink YAML and per-knob prose (mTLS selectors, ACLs,
profiles, rate limits, rollout modes, hot-reload, admin API, signed
bundles, ownership, insecure opt-ins, redaction) with a minimal example
plus links to the canonical docs pages. Keeps the env-var quick
reference and the preset / compose-stack lists.
v1.0.0 was tagged and published on 2026-05-20; update the references that still pointed at the rc.2 pre-release:
- SECURITY.md — supported-versions table now tracks the 1.0.x line, and the prose drops the "until v1.0 is tagged" qualifier.
- docs verification.mdx — cosign verify-blob example uses the v1.0.0 tarball asset names.
- website cli-demo.tsx — `version` / `--version` demo output shows v1.0.0 at the release commit.
Snyk Code's taint analysis flags upstreamInspector.inspectResource / inspectExec with two HIGH SSRF findings (CWE-918): a client-supplied resource identifier flows into the URL passed to NewRequestWithContext. Both are false positives. The URL host is the hardcoded literal "http://docker" — only the request path is dynamic, so the host can never be attacker-redirected — and u.client's transport is pinned to the Docker unix socket via a custom DialContext that ignores the host entirely. No outbound request can reach anything but the configured Docker socket. Snyk Code findings cannot be ignored per-finding via the SCA-only `ignore:` section, so this uses the existing `exclude: code:` mechanism. CodeQL and Gosec still scan the file.
biggest-littlest (Member) approved these changes on May 21, 2026 and left a comment:
Post-v1.0.0 housekeeping — README trim, stale rc.2 refs bumped, Snyk Code SSRF false positives excluded with justification. CI green, security/snyk green.
Summary
Housekeeping now that v1.0.0 is tagged and published.
README cleanup
Stale version references → v1.0.0
- `SECURITY.md` — supported-versions table tracks the 1.0.x line; prose drops the "until v1.0 is tagged" qualifier.
- `docs/content/docs/verification.mdx` — cosign `verify-blob` example uses v1.0.0 tarball asset names.
- `website/src/components/cli-demo.tsx` — `version` / `--version` demo output shows v1.0.0 at the release commit.
Snyk Code false positives
- `app/internal/ownership/middleware.go`: excluded from Snyk Code. Its `upstreamInspector` methods build a request URL from a client-supplied identifier and pass it to `NewRequestWithContext` — flagged as SSRF (CWE-918). False positive: the URL host is the hardcoded literal `"http://docker"`, only the path is dynamic, and `u.client`'s transport is pinned to the Docker unix socket via a custom `DialContext`. CodeQL and Gosec still scan the file.
Verification
- `snyk code test --severity-threshold=high` → 0 issues (was 2 HIGH).
- `cli-demo.tsx` → clean.
- `main` (already verified clean).
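The false-positive argument made in the Snyk commit message and repeated in the summary above rests on two properties: the URL authority is a fixed literal, and the client's `DialContext` ignores whatever host the transport asks it to reach. The program below is an added example written for this page, not code from the project or from `middleware.go`; the names `NewSocketClient`, `InspectURL`, `Inspect` and `RunDemo` are hypothetical stand-ins for the real `upstreamInspector` methods, and the "daemon" is a fake HTTP server on a throwaway unix socket that merely records the `Host` header and request-target it received. Feeding it a hostile identifier shows the request still lands on the socket, with the identifier confined to a single path-escaped segment.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"os"
	"path/filepath"
)

// Observed is what the fake daemon saw on the wire: the Host header and the
// raw request-target from the request line.
type Observed struct {
	Host       string
	RequestURI string
}

// NewSocketClient returns an http.Client whose transport dials socketPath for
// every request and discards the network/address the transport derived from
// the URL. This is a reconstruction of the "DialContext pinned to the Docker
// unix socket" pattern described in the PR, not the project's own code.
func NewSocketClient(socketPath string) *http.Client {
	return &http.Client{
		Transport: &http.Transport{
			// Proxy is deliberately nil: only http.DefaultTransport consults
			// HTTP_PROXY, so no environment setting can redirect this client.
			DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
				var d net.Dialer
				return d.DialContext(ctx, "unix", socketPath)
			},
		},
	}
}

// InspectURL builds the request URL. Scheme and host are a fixed literal; the
// client-supplied id is path-escaped so it occupies exactly one path segment
// and cannot smuggle "/", "?" or "#" into the request-target.
func InspectURL(id string) string {
	return "http://docker/containers/" + url.PathEscape(id) + "/json"
}

// Inspect issues the GET the way the flagged code does (NewRequestWithContext
// on a URL partly built from client input) and returns the response body.
func Inspect(ctx context.Context, c *http.Client, id string) ([]byte, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, InspectURL(id), nil)
	if err != nil {
		return nil, err
	}
	resp, err := c.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return io.ReadAll(resp.Body)
}

// RunDemo starts a fake daemon on a temporary unix socket, sends one inspect
// request with the given (possibly hostile) id through the pinned client, and
// returns what the daemon observed. The daemon's JSON reply is constructed.
func RunDemo(id string) (Observed, error) {
	dir, err := os.MkdirTemp("", "docker-demo")
	if err != nil {
		return Observed{}, err
	}
	defer os.RemoveAll(dir)

	sock := filepath.Join(dir, "docker.sock")
	ln, err := net.Listen("unix", sock)
	if err != nil {
		return Observed{}, err
	}
	seen := make(chan Observed, 1)
	srv := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- Observed{Host: r.Host, RequestURI: r.RequestURI}
		w.Header().Set("Content-Type", "application/json")
		io.WriteString(w, `{"Id":"constructed"}`)
	})}
	go srv.Serve(ln)
	defer srv.Close()

	if _, err := Inspect(context.Background(), NewSocketClient(sock), id); err != nil {
		return Observed{}, err
	}
	return <-seen, nil
}

func main() {
	for _, id := range []string{"abc123", "evil.example.com/latest/meta-data", "../../_ping?x=1"} {
		o, err := RunDemo(id)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("id=%q -> Host=%q RequestURI=%q\n", id, o.Host, o.RequestURI)
	}
}
```

Two things worth checking when relying on this argument in a real code base: the transport must not be the shared `http.DefaultTransport` (its proxy and dial settings are environment-driven), and the identifier must be escaped as a path segment rather than concatenated raw, or a value such as `../../_ping` would still reach a different daemon endpoint over the pinned socket. Note also that the `exclude: code:` entry silences Snyk Code for the whole file, so any new outbound request added to `middleware.go` later inherits the exemption; that is why keeping CodeQL and Gosec on the file matters.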