RandomCodeSpace · aksOps · Apr 26, 2026 · Apr 26, 2026 · Apr 26, 2026
diff --git a/.bestpractices.json b/.bestpractices.json
@@ -0,0 +1,39 @@
+{
+  "$schema": "https://bestpractices.coreinfrastructure.org/projects.schema.json",
+  "_comment": "OpenSSF Best Practices self-assessment for RandomCodeSpace/otelcontext (RAN-53). Project page: https://www.bestpractices.dev/en/projects/12646. The badge level transition from in_progress -> passing requires a board admin to log into bestpractices.dev with the OSS-Random identity and confirm the evidence pointers against the questionnaire. The self-assessment below is the evidence map for that review.",
+  "project_id": 12646,
+  "name": "otelcontext",
+  "description": "Self-hosted OTLP observability platform in a single Go binary — OTLP gRPC + HTTP ingest, GraphRAG-powered root-cause analysis, multi-tenant storage, and a built-in MCP server for AI agents.",
+  "homepage_url": "https://github.com/RandomCodeSpace/otelcontext",
+  "repo_url": "https://github.com/RandomCodeSpace/otelcontext",
+  "license": "MIT",
+  "level": "passing",
+  "status": {
+    "basics": "self-assessed-passing",
+    "change_control": "self-assessed-passing",
+    "reporting": "self-assessed-passing",
+    "quality": "self-assessed-passing",
+    "security": "self-assessed-passing",
+    "analysis": "self-assessed-passing"
+  },
+  "evidence": {
+    "vulnerability_report_process": "SECURITY.md",
+    "engineering_standards": "CLAUDE.md",
+    "license_file": "LICENSE.md",
+    "build_reproducible": "go build -o otelcontext .",
+    "ci_workflow": ".github/workflows/ci.yml",
+    "supply_chain_scorecard": ".github/workflows/scorecard.yml",
+    "dependency_updates": ".github/dependabot.yml",
+    "signed_commits": "scripts/setup-git-signed.sh",
+    "secret_scanning": ".github/workflows/security.yml (gitleaks job, full git history) + GitHub repo setting (secret_scanning + push_protection enabled — escalated to board)",
+    "static_analysis": "golangci-lint (.golangci.yml) + Semgrep (.github/workflows/security.yml, p/security-audit + p/owasp-top-ten + p/golang)",
+    "vulnerability_scanning": "OSV-Scanner (go.mod + ui/package-lock.json) + Trivy (filesystem) + Dependabot (.github/dependabot.yml)",
+    "sbom": ".github/workflows/security.yml (anchore/sbom-action — SPDX + CycloneDX, 90-day artifact retention)",
+    "duplication": ".github/workflows/security.yml (jscpd, threshold 3%, scoped to internal/ + ui/src/)"
+  },
+  "audit": {
+    "self_assessment_date": "2026-04-26",
+    "self_assessment_author": "TechLead (RAN-53)",
+    "registration_blocker": "Badge promotion in_progress -> passing requires board admin OAuth at https://www.bestpractices.dev/. Tracked under RAN-53 acceptance item #1."
+  }
+}
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,123 @@
+# Dependabot configuration for otelcontext.
+# Docs: https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+#
+# Strategy:
+#   * weekly cadence — keeps the noise floor low while still catching CVEs early
+#   * grouped updates per ecosystem so PR fan-out stays manageable
+#   * security updates fire whenever needed regardless of the weekly slot
+#
+# RAN-53 AC #5 reactive channel. Also enable repo-level "Dependabot security
+# updates" via gh api (the version-updates below cover routine bumps; security
+# updates are the reactive channel).
+
+version: 2
+updates:
+  # ----- Go modules (the otelcontext binary) -----
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "08:00"
+      timezone: "Etc/UTC"
+    open-pull-requests-limit: 10
+    labels:
+      - "type:dependencies"
+      - "area:backend"
+    commit-message:
+      prefix: "chore(deps)"
+      include: "scope"
+    groups:
+      otel:
+        patterns:
+          - "go.opentelemetry.io/*"
+      grpc-protobuf:
+        patterns:
+          - "google.golang.org/grpc"
+          - "google.golang.org/protobuf"
+          - "google.golang.org/genproto*"
+      gorm:
+        patterns:
+          - "gorm.io/*"
+      azure:
+        patterns:
+          - "github.com/Azure/*"
+          - "github.com/AzureAD/*"
+      prometheus:
+        patterns:
+          - "github.com/prometheus/*"
+      test-libs:
+        patterns:
+          - "github.com/stretchr/testify"
+          - "github.com/google/go-cmp"
+
+  # ----- GitHub Actions (CI / release / security) -----
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "08:00"
+      timezone: "Etc/UTC"
+    open-pull-requests-limit: 5
+    labels:
+      - "type:dependencies"
+      - "area:ci"
+    commit-message:
+      prefix: "chore(actions)"
+      include: "scope"
+    groups:
+      actions:
+        patterns:
+          - "*"
+
+  # ----- Frontend (npm under ui/) -----
+  - package-ecosystem: "npm"
+    directory: "/ui"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "08:00"
+      timezone: "Etc/UTC"
+    open-pull-requests-limit: 5
+    labels:
+      - "type:dependencies"
+      - "area:frontend"
+    commit-message:
+      prefix: "chore(frontend)"
+      include: "scope"
+    groups:
+      react:
+        patterns:
+          - "react"
+          - "react-dom"
+          - "react-window"
+          - "@types/react*"
+          - "@types/react-window"
+      mantine:
+        patterns:
+          - "@mantine/*"
+      vite:
+        patterns:
+          - "vite"
+          - "@vitejs/*"
+      vitest-testing:
+        patterns:
+          - "vitest"
+          - "@testing-library/*"
+          - "jsdom"
+      echarts:
+        patterns:
+          - "echarts"
+          - "echarts-for-react"
+      eslint:
+        patterns:
+          - "eslint"
+          - "@eslint/*"
+          - "eslint-plugin-*"
+          - "typescript-eslint"
+          - "globals"
+      typescript:
+        patterns:
+          - "typescript"
+          - "@types/*"
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -0,0 +1,67 @@
+# OpenSSF Scorecard supply-chain analysis.
+# RAN-53 AC #4. Best-effort target — no hard numeric floor; Scorecard does not gate merge.
+# Stretch target: >= 8.0/10. See CLAUDE.md "Security & Supply Chain" for baseline tracking.
+# Docs: https://github.com/ossf/scorecard-action
+
+name: Scorecard supply-chain security
+
+on:
+  push:
+    branches: [main]
+  schedule:
+    # Mondays 06:00 UTC
+    - cron: "0 6 * * 1"
+  workflow_dispatch:
+
+# Restrict the default GITHUB_TOKEN to read-only; the steps below request the
+# narrow scopes they actually need.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Required for upload to the code-scanning Security tab.
+      security-events: write
+      # Required to read OIDC token for publish_results.
+      id-token: write
+      # Default scopes for actions/checkout.
+      contents: read
+      actions: read
+
+    steps:
+      - name: Harden runner egress
+        # step-security/harden-runner v2.19.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
+        with:
+          egress-policy: audit
+
+      - name: Checkout code
+        # actions/checkout v6.0.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
+
+      - name: Run Scorecard analysis
+        # ossf/scorecard-action v2.4.3
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # Publish the results so they appear on the public Scorecard dashboard.
+          publish_results: true
+
+      - name: Upload Scorecard SARIF (artifact)
+        # actions/upload-artifact v7.0.1
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
+        with:
+          name: scorecard-sarif
+          path: results.sarif
+          retention-days: 5
+
+      - name: Upload SARIF to GitHub code-scanning
+        # github/codeql-action/upload-sarif v3.35.2
+        uses: github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a
+        with:
+          sarif_file: results.sarif