From 696f5d5528930f07c54e91b6ace26dbc02687c38 Mon Sep 17 00:00:00 2001 From: Muzaffar Hossain Date: Wed, 15 Apr 2026 09:15:24 +0530 Subject: [PATCH] docs: open-source community scaffolding MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Structural polish for the repo now that it has public traction. Adds the community files drive-by contributors expect and tidies the root. Content is sourced from existing canonical docs — no duplicated rules. Structural reorg ---------------- - Move DEPLOYMENT.md, VIBE_CODING.md, CONVERSATIONS.md into docs/. - Fix the 3 inbound links in README.md to their new paths. - Update the README project-structure tree block to reflect the move. Community files (thin pointers) ------------------------------- - CONTRIBUTING.md — points at ENGINEERING_PRINCIPLES.md and CLAUDE.md's "Required tests on every PR" section. Zero duplicated rules. - SECURITY.md — contact@transilience.ai, 48 h / 7 d / 30 d SLAs. - CODE_OF_CONDUCT.md — Contributor Covenant v2.1 by reference. .github/ scaffolding -------------------- - ISSUE_TEMPLATE/bug_report.yml (YAML form) - ISSUE_TEMPLATE/feature_request.yml (YAML form) - ISSUE_TEMPLATE/new_check_proposal.yml (encodes Principles 3/4/6/7 at intake) - ISSUE_TEMPLATE/config.yml (blank_issues_enabled: false, mailto for security) - pull_request_template.md (requires Closes #N + principles checklist) README hero overhaul -------------------- Centered hero block with CI / license / Python / stars / Claude badges, pipe-separated nav row to Quick Start / Skills / Architecture / TRUST / Principles / Contributing. contrib.rocks contributors block at the bottom. Also fixes a pre-existing drift: the tree-block claim "515+ tests" is stale — actual collected is 514 — updated to "500+". pyproject.toml metadata ----------------------- authors, license, readme, keywords, classifiers, and [project.urls] for PyPI and GitHub sidebar discoverability. No runtime dep changes. No ruff / lint config changes. Not in scope ------------ - No Python source edits (src/, tests/). - No CI workflow edits. - No docs/INCIDENT_RESPONSE.md — an SLA-backed incident runbook is the wrong shape for a small-team OSS scanner with no on-call. - Pre-existing issues acknowledged but deliberately untouched: the integrity workflow has been red on main since 2026-04-09 (broken pyproject force-include + pycairo install + pre-existing ruff state). Those are separate fixes that should ride their own PRs with a post-mortem on why the build has been red unnoticed for days. --- .github/ISSUE_TEMPLATE/bug_report.yml | 109 ++++++++++++++++++ .github/ISSUE_TEMPLATE/config.yml | 11 ++ .github/ISSUE_TEMPLATE/feature_request.yml | 66 +++++++++++ .github/ISSUE_TEMPLATE/new_check_proposal.yml | 107 +++++++++++++++++ .github/pull_request_template.md | 74 ++++++++++++ CODE_OF_CONDUCT.md | 30 +++++ CONTRIBUTING.md | 70 +++++++++++ README.md | 52 +++++++-- SECURITY.md | 42 +++++++ CONVERSATIONS.md => docs/CONVERSATIONS.md | 0 DEPLOYMENT.md => docs/DEPLOYMENT.md | 0 VIBE_CODING.md => docs/VIBE_CODING.md | 0 pyproject.toml | 36 ++++++ 13 files changed, 589 insertions(+), 8 deletions(-) create mode 100644 .github/ISSUE_TEMPLATE/bug_report.yml create mode 100644 .github/ISSUE_TEMPLATE/config.yml create mode 100644 .github/ISSUE_TEMPLATE/feature_request.yml create mode 100644 .github/ISSUE_TEMPLATE/new_check_proposal.yml create mode 100644 .github/pull_request_template.md create mode 100644 CODE_OF_CONDUCT.md create mode 100644 CONTRIBUTING.md create mode 100644 SECURITY.md rename CONVERSATIONS.md => docs/CONVERSATIONS.md (100%) rename DEPLOYMENT.md => docs/DEPLOYMENT.md (100%) rename VIBE_CODING.md => docs/VIBE_CODING.md (100%) diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml new file mode 100644 index 0000000..a4aefa9 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.yml @@ -0,0 +1,109 @@ +name: Bug report +description: Report a bug in Shasta or Whitney +title: "[Bug]: " +labels: ["bug", "triage"] +body: + - type: markdown + attributes: + value: | + Thanks for taking the time to file a bug report. Please fill out the + sections below so we can reproduce and fix the issue quickly. + + For **security vulnerabilities**, do not use this form — email + `contact@transilience.ai` per [`SECURITY.md`](../blob/main/SECURITY.md). + + - type: dropdown + id: component + attributes: + label: Component + description: Which part of Shasta is affected? + options: + - AWS check module (src/shasta/aws/**) + - Azure check module (src/shasta/azure/**) + - Whitney code scanner (src/whitney/code/**) + - Whitney cloud scanner (src/whitney/cloud/**) + - Compliance framework / scoring + - Remediation templates + - Policy generator + - Dashboard + - Claude Code skill (.claude/skills/**) + - Docs + - CI / build + - Other + validations: + required: true + + - type: input + id: affected_module + attributes: + label: Affected module or file + description: If you know it, paste the file path (e.g. `src/shasta/aws/iam.py`). + placeholder: src/shasta/aws/iam.py + + - type: textarea + id: description + attributes: + label: Bug description + description: What happened? What did you expect to happen instead? + validations: + required: true + + - type: textarea + id: repro + attributes: + label: Steps to reproduce + description: Minimal steps a maintainer can follow. + value: | + 1. + 2. + 3. + validations: + required: true + + - type: textarea + id: expected + attributes: + label: Expected behavior + validations: + required: true + + - type: textarea + id: actual + attributes: + label: Actual behavior + validations: + required: true + + - type: dropdown + id: bug_type + attributes: + label: Bug type + options: + - False positive (check flagged something that is compliant) + - False negative (check missed something that is non-compliant) + - Crash / unhandled exception + - Incorrect output / wrong framework mapping + - Performance regression + - Other + validations: + required: true + + - type: textarea + id: environment + attributes: + label: Environment + description: OS, Python version, Shasta version, cloud region / subscription if relevant. + value: | + - OS: + - Python version: + - Shasta version (`pip show shasta | grep Version`): + - AWS region / Azure subscription: + validations: + required: true + + - type: textarea + id: logs + attributes: + label: Relevant logs or traceback + description: Paste any error output here. Redact secrets before submitting. + render: shell diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 0000000..8353f70 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,11 @@ +blank_issues_enabled: false +contact_links: + - name: Questions and usage help + url: https://github.com/transilienceai/shasta/discussions + about: Please ask usage and setup questions in GitHub Discussions. + - name: Feature ideas discussion + url: https://github.com/transilienceai/shasta/discussions/categories/ideas + about: Discuss ideas before filing a formal feature request. + - name: Security vulnerability + url: mailto:contact@transilience.ai + about: Report security vulnerabilities by email, not in public issues. diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml new file mode 100644 index 0000000..d8ccb1c --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.yml @@ -0,0 +1,66 @@ +name: Feature request +description: Propose a new feature, framework mapping, or improvement +title: "[Feature]: " +labels: ["enhancement"] +body: + - type: markdown + attributes: + value: | + Thanks for proposing an improvement. For a **new compliance check + module** specifically, please use the "New check proposal" template + instead — it encodes the engineering principles at intake. + + - type: dropdown + id: category + attributes: + label: Category + options: + - New compliance check (use the "New check proposal" template instead) + - New framework mapping (e.g. mapping existing checks to a new control) + - New Terraform remediation template + - New Claude Code skill + - Dashboard / reporting improvement + - Docs improvement + - Developer experience / tooling + - Other + validations: + required: true + + - type: textarea + id: problem + attributes: + label: Problem or motivation + description: What is the user problem you are trying to solve? Who benefits? + validations: + required: true + + - type: textarea + id: solution + attributes: + label: Proposed solution + description: How would you like this to work? + validations: + required: true + + - type: textarea + id: alternatives + attributes: + label: Alternatives considered + description: What other approaches did you think about and why did you reject them? + + - type: dropdown + id: contribution + attributes: + label: Contribution willingness + description: Are you interested in submitting a PR for this? + options: + - Yes, I plan to open a PR + - Yes, but I would like guidance first + - No, I am just suggesting + validations: + required: true + + - type: textarea + id: context + attributes: + label: Additional context diff --git a/.github/ISSUE_TEMPLATE/new_check_proposal.yml b/.github/ISSUE_TEMPLATE/new_check_proposal.yml new file mode 100644 index 0000000..8f36b01 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/new_check_proposal.yml @@ -0,0 +1,107 @@ +name: New check proposal +description: Propose a new compliance check module (AWS or Azure) +title: "[Check]: " +labels: ["enhancement", "new-check"] +body: + - type: markdown + attributes: + value: | + This template encodes the rules in + [`ENGINEERING_PRINCIPLES.md`](../blob/main/ENGINEERING_PRINCIPLES.md) + at the intake stage. Please fill in every field — the form is + deliberately opinionated so the PR that implements this check has + a clear green path through the integrity tests. + + - type: dropdown + id: cloud + attributes: + label: Cloud + options: + - AWS + - Azure + - Both (single check, multi-cloud module) + validations: + required: true + + - type: input + id: service + attributes: + label: Service or resource + description: Which service does this check apply to? + placeholder: S3 / Azure Key Vault / RDS / Cosmos DB ... + validations: + required: true + + - type: textarea + id: framework_mapping + attributes: + label: Framework mapping + description: | + Which compliance controls does this check satisfy? List ALL that apply. + This enforces Principle 4 (frameworks belong on the `Finding` model). + value: | + - SOC 2 control ID: + - CIS AWS / CIS Azure control: + - ISO 27001 control: + - HIPAA safeguard (if applicable): + - MCSB control (Azure only, if applicable): + validations: + required: true + + - type: dropdown + id: detection_approach + attributes: + label: Detection approach + description: How will the check determine compliance? + options: + - SDK listing (list_* / describe_*) + - Resource config lookup (get_*) + - Multi-region walker (AWS) + - Multi-subscription walker (Azure) + - Cross-service walker (see src/shasta/azure/private_endpoints.py for the pattern) + - Other + validations: + required: true + + - type: dropdown + id: walker_eligible + attributes: + label: Walker-eligible? + description: | + Would this check duplicate logic across 3+ services? If yes, consider + writing a walker instead of a per-service function (Principle 7). + options: + - "No, this is a single-service check" + - "Yes, it would be redundant per-service — use a walker" + - "Unsure" + validations: + required: true + + - type: textarea + id: multi_region + attributes: + label: Multi-region / multi-subscription behavior + description: | + How will this check iterate regions (AWS) or subscriptions (Azure)? + Enforces Principle 3 — single-region / single-subscription is never + the default. + validations: + required: true + + - type: textarea + id: false_clean_risk + attributes: + label: False-clean risk + description: | + What happens on API error, missing permission, or empty results? + Enforces Principle 6 — `NOT_ASSESSED` on error, `NOT_APPLICABLE` on + legitimately empty, `FAIL` only on actual non-compliance. Describe + how each case will be handled. + validations: + required: true + + - type: textarea + id: references + attributes: + label: References + description: CIS benchmark PDF, vendor docs, CVE, or existing similar check in this repo. diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 0000000..b3b9ea4 --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,74 @@ + + +## Summary + + + +## Related issue + + + +Closes # + +## Changes + + + +- +- +- + +## Type of change + +- [ ] Bug fix (non-breaking change which fixes an issue) +- [ ] New compliance check +- [ ] New framework mapping (existing check → new control) +- [ ] New Terraform remediation template +- [ ] New Claude Code skill +- [ ] Refactor (no behavior change) +- [ ] Docs only +- [ ] Tests only +- [ ] CI / build + +## Engineering principles checklist + +These mirror the 8 load-bearing rules in +[`CLAUDE.md`](../blob/main/CLAUDE.md). Tick each one that applies to this PR. + +- [ ] **Doc-vs-code drift considered.** Any numeric claim I added or + changed in `README.md` / `TRUST.md` has a matching test in + `tests/test_integrity/test_doc_claims.py`. (Principle 1) +- [ ] **No stub functions introduced.** Every new `check_* / run_* / + generate_*` function has a real body. (Principle 2) +- [ ] **Multi-region / multi-subscription by default.** New AWS checks + iterate `client.get_enabled_regions()`; new Azure checks iterate + subscriptions via `AzureClient.for_subscription`. (Principle 3) +- [ ] **Framework controls populated on `Finding`.** I did not embed + control IDs in description strings. (Principle 4) +- [ ] **Zero LLM calls in the detection path.** The default scan / scoring + / mapping path is deterministic. (Principle 5) +- [ ] **`NOT_ASSESSED` vs `NOT_APPLICABLE` vs `FAIL` used correctly.** + Empty results are not conflated with errors. (Principle 6) +- [ ] **Walker pattern considered.** If this PR touches ≥3 similar checks + across services, I evaluated whether a walker would be cleaner. + (Principle 7) +- [ ] **`/audit` slash command run.** Claude Code audit passed on the + staged diff. (pre-commit discipline) + +## Tests run locally + +- [ ] `pytest tests/test_integrity/` (doc-vs-code drift) +- [ ] `pytest tests/test_aws/test_aws_sweep_smoke.py` (AWS structural) +- [ ] `pytest tests/test_azure/test_smoke.py` (Azure structural) +- [ ] `pytest` (full suite) +- [ ] `ruff check src/ tests/` and `ruff format --check src/ tests/` + +## Additional notes + + diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..2e26a66 --- /dev/null +++ b/CODE_OF_CONDUCT.md @@ -0,0 +1,30 @@ +# Code of Conduct + +This project adopts the **Contributor Covenant, version 2.1**, as its code +of conduct. The full text is maintained by its authors at: + + + +## Scope + +The Contributor Covenant applies within all project spaces — GitHub issues, +pull requests, discussions, and any communication channels associated with +the Shasta project — and also when an individual is officially representing +the project in public spaces. + +## Enforcement + +Reports of abusive, harassing, or otherwise unacceptable behavior may be +sent to **`contact@transilience.ai`**. Reports will be reviewed and handled +in accordance with the Contributor Covenant's enforcement guidelines: + + + +All project maintainers are required to respect the privacy and security of +the reporter of any incident. + +## Attribution + +This Code of Conduct is adopted from the Contributor Covenant, version 2.1, +available at +. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..6d6890b --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,70 @@ +# Contributing to Shasta + +Thanks for your interest in contributing. Shasta is a multi-cloud compliance +and AI governance toolkit — keeping it correct is more important than keeping +it big, so the bar on PRs is "does this stay honest under the integrity +tests." This page tells you how to stay green. + +## Read this first + +Shasta's engineering rules live in [`ENGINEERING_PRINCIPLES.md`](./ENGINEERING_PRINCIPLES.md). +Read it once before your first PR. The 8 most load-bearing rules are inlined +at the top of [`CLAUDE.md`](./CLAUDE.md) so they're in context at every +Claude Code session. + +Short version: numbers in docs are tests; no stub functions; multi-region by +default; framework controls on `Finding`, not in description strings; zero +LLM calls in the detection path; `NOT_ASSESSED` vs `NOT_APPLICABLE` vs +`FAIL` used correctly; walkers beat N near-duplicate checks. + +## Workflow + +1. **Open an issue first** using one of the templates in + [`.github/ISSUE_TEMPLATE/`](./.github/ISSUE_TEMPLATE/) — + `bug_report`, `feature_request`, or `new_check_proposal` for new + check modules. The `new_check_proposal` form encodes the engineering + principles at intake so your proposal can't accidentally skip them. +2. **Branch** with a prefix: `feature/`, `fix/`, `docs/`, or `check/` + (for new check modules). +3. **Commit** using [Conventional Commits](https://www.conventionalcommits.org/): + `type(scope): description`. Example: `feat(aws/iam): add root-key age check`. +4. **Open a PR** — the template in + [`.github/pull_request_template.md`](./.github/pull_request_template.md) + includes a principles checklist that mirrors `CLAUDE.md`. Every PR must + link its issue with `Closes #N`. + +## Required tests (must pass locally before PR) + +See the **Required tests on every PR** section in +[`CLAUDE.md`](./CLAUDE.md#required-tests-on-every-pr): + +- `pytest tests/test_integrity/` — doc-vs-code drift tests +- `pytest tests/test_aws/test_aws_sweep_smoke.py` — AWS module smoke tests +- `pytest tests/test_azure/test_smoke.py` — Azure module smoke tests + +These are mechanically enforced by +[`.github/workflows/integrity.yml`](./.github/workflows/integrity.yml). +A drift in any numeric claim in `README.md` or `TRUST.md` fails the build +until either the code is restored or the doc is updated. + +## Pre-commit + +Run the `/audit` Claude Code skill on staged changes before every non-trivial +commit. It walks the engineering-principles checklist and reports pass/fail +per principle, catching doc drift and framework-mapping regressions before +CI does. + +## Reporting vulnerabilities + +Vulnerability reports go to `contact@transilience.ai`, not public issues — +see [`SECURITY.md`](./SECURITY.md). + +## Code of Conduct + +This project follows the [Contributor Covenant](./CODE_OF_CONDUCT.md). +Enforcement contact: `contact@transilience.ai`. + +## License + +By contributing, you agree that your contributions are licensed under the +MIT License — see [`LICENSE`](./LICENSE). diff --git a/README.md b/README.md index 27d1870..da3d984 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,24 @@ -# Shasta + Whitney — Multi-Cloud Compliance & AI Governance Platform +
+ +# Shasta + Whitney + +**Multi-Cloud Compliance & AI Governance, Claude-Native** + +AI-native compliance toolkit — SOC 2, ISO 27001, HIPAA, ISO 42001 and EU AI Act +across AWS and Azure. Through conversation, not dashboards. From the team at [Transilience.ai](https://www.transilience.ai). [![Built by Transilience](https://img.shields.io/badge/Built%20by-Transilience.ai-4A90D9)](https://www.transilience.ai) -[![MIT License](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE) -[![GitHub stars](https://img.shields.io/github/stars/transilienceai/shasta)](https://github.com/transilienceai/shasta/stargazers) +[![CI](https://github.com/transilienceai/shasta/actions/workflows/integrity.yml/badge.svg)](https://github.com/transilienceai/shasta/actions/workflows/integrity.yml) +[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](./LICENSE) +[![Python 3.11+](https://img.shields.io/badge/python-3.11+-blue.svg)](https://www.python.org/downloads/) +[![GitHub stars](https://img.shields.io/github/stars/transilienceai/shasta?style=social)](https://github.com/transilienceai/shasta/stargazers) +[![Powered by Claude](https://img.shields.io/badge/Powered%20by-Claude-8A2BE2)](https://claude.com/claude-code) + +[Quick Start](#quick-start) · [Skills Reference](#skills-reference) · [Architecture](#architecture) · [TRUST](./TRUST.md) · [Principles](./ENGINEERING_PRINCIPLES.md) · [Contributing](./CONTRIBUTING.md) -**An AI-native compliance toolkit that enables startup founders to achieve and maintain SOC 2, ISO 27001, HIPAA, ISO 42001, and EU AI Act compliance across AWS and Azure — through conversation, not dashboards. From the team at [Transilience.ai](https://www.transilience.ai).** +
+ +--- Shasta scans your cloud infrastructure for SOC 2, ISO 27001, HIPAA, ISO 42001, EU AI Act, OWASP LLM Top 10 and more. The standalone Whitney static scanner ([github.com/transilienceai/whitney](https://github.com/transilienceai/whitney)) handles application source-code prompt-injection detection. Together, they cover 13 compliance frameworks, 221 automated checks, and 199 security questionnaire answers — with a web dashboard, 112 Terraform remediation templates, and auditor-grade evidence. Built for founders running <50 employee companies who need compliance without the $30K/year Vanta bill. @@ -278,9 +292,9 @@ az account show # Note your subscription_id and tenant_id /policy-gen # Generate 8 SOC 2 policy documents ``` -See [DEPLOYMENT.md](DEPLOYMENT.md) for the complete setup guide including exact IAM permissions. +See [docs/DEPLOYMENT.md](./docs/DEPLOYMENT.md) for the complete setup guide including exact IAM permissions. -> **You don't need to memorize slash commands.** Shasta and Whitney are AI-native — just describe what you need in plain English inside Claude Code. Say *"Connect to my AWS and run a full SOC 2 gap analysis with remediation Terraform"* and Claude orchestrates everything. See **[CONVERSATIONS.md](CONVERSATIONS.md)** for 15 real conversation examples. +> **You don't need to memorize slash commands.** Shasta and Whitney are AI-native — just describe what you need in plain English inside Claude Code. Say *"Connect to my AWS and run a full SOC 2 gap analysis with remediation Terraform"* and Claude orchestrates everything. See **[docs/CONVERSATIONS.md](./docs/CONVERSATIONS.md)** for 15 real conversation examples. --- @@ -689,10 +703,21 @@ At ~860K tokens on Claude Opus across both sessions, the API cost for this entir ``` shasta/ ├── CLAUDE.md # Claude Code project instructions -├── DEPLOYMENT.md # Complete deployment guide ├── README.md # This file +├── TRUST.md # How to verify the claims +├── ENGINEERING_PRINCIPLES.md # Load-bearing contributor rules +├── CONTRIBUTING.md # Contribution workflow +├── SECURITY.md # Vulnerability reporting +├── CODE_OF_CONDUCT.md # Contributor Covenant +├── CHANGELOG.md # Keep-a-Changelog ├── pyproject.toml # Python project configuration │ +├── docs/ # Secondary docs +│ ├── DEPLOYMENT.md # Complete deployment guide +│ ├── VIBE_CODING.md # Build-process essay +│ ├── CONVERSATIONS.md # Real conversation examples +│ └── TRIAGE.md # Whitney LLM-as-judge triage guide +│ ├── .claude/skills/ # Claude Code skills (auto-discovered) │ ├── connect-aws/SKILL.md # AWS connection and validation │ ├── connect-azure/SKILL.md # Azure connection and validation @@ -769,7 +794,7 @@ shasta/ │ └── azure-test-env/ # Azure test environment │ └── main.tf # Azure test resources (compliant + non-compliant) │ -├── tests/ # pytest test suite (515+ tests) +├── tests/ # pytest test suite (500+ tests) │ ├── conftest.py │ ├── test_aws/ │ │ ├── test_client.py # AWS client tests (moto) @@ -860,6 +885,17 @@ shasta/ --- +## Contributors + +Thanks to everyone who has contributed checks, framework mappings, +remediation templates, skills, or docs to Shasta + Whitney. + +[![Contributors](https://contrib.rocks/image?repo=transilienceai/shasta)](https://github.com/transilienceai/shasta/graphs/contributors) + +See [`CONTRIBUTING.md`](./CONTRIBUTING.md) to get started. + +--- + ## License MIT License. See `LICENSE`. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..1a82ef9 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,42 @@ +# Security Policy + +## Reporting a vulnerability + +Email **`contact@transilience.ai`** with a description, reproduction steps, +and the affected Shasta or Whitney version. Please do **not** open a public +GitHub issue for security vulnerabilities. + +## SLA + +| Stage | Target | +|---|---| +| Acknowledgement | within 48 hours | +| Status update | within 7 days | +| Fix or mitigation | within 30 days | + +## Scope + +**In scope** + +- Vulnerabilities in Shasta or Whitney source code. +- Supply-chain or CI/CD issues in this repository (e.g. compromised + workflows in `.github/workflows/`). +- Vulnerabilities in published artifacts (PyPI packages, release tarballs). +- Data-exposure issues in the optional dashboard (`shasta[dashboard]`) or + trust-center generator. + +**Out of scope** + +- Compliance findings Shasta reports against your own cloud account — + those are the intended product output, not Shasta vulnerabilities. Open + a normal issue. +- Vulnerabilities in third-party cloud services Shasta scans (AWS, Azure). + Report those to the respective provider. +- Vulnerabilities in dependencies that do not affect Shasta's actual use + of them. (Still appreciated, just lower priority.) + +## Disclosure + +We credit reporters in the fix commit and in `CHANGELOG.md` unless the +reporter requests anonymity. For high-severity issues we also publish a +GitHub advisory (`gh advisory create`). diff --git a/CONVERSATIONS.md b/docs/CONVERSATIONS.md similarity index 100% rename from CONVERSATIONS.md rename to docs/CONVERSATIONS.md diff --git a/DEPLOYMENT.md b/docs/DEPLOYMENT.md similarity index 100% rename from DEPLOYMENT.md rename to docs/DEPLOYMENT.md diff --git a/VIBE_CODING.md b/docs/VIBE_CODING.md similarity index 100% rename from VIBE_CODING.md rename to docs/VIBE_CODING.md diff --git a/pyproject.toml b/pyproject.toml index 7390900..9d3572e 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -2,7 +2,37 @@ name = "shasta" version = "1.8.0" description = "Multi-cloud compliance and AI governance platform — SOC 2, ISO 27001, HIPAA, ISO 42001, and EU AI Act" +readme = "README.md" requires-python = ">=3.11" +license = { text = "MIT" } +authors = [{ name = "Transilience AI" }] +keywords = [ + "compliance", + "soc2", + "iso27001", + "hipaa", + "iso42001", + "eu-ai-act", + "aws", + "azure", + "security", + "cloud-security", + "ai-governance", + "claude-code", + "cspm", +] +classifiers = [ + "Development Status :: 4 - Beta", + "Intended Audience :: Developers", + "Intended Audience :: System Administrators", + "License :: OSI Approved :: MIT License", + "Operating System :: OS Independent", + "Programming Language :: Python :: 3", + "Programming Language :: Python :: 3.11", + "Programming Language :: Python :: 3.12", + "Topic :: Security", + "Topic :: System :: Systems Administration", +] dependencies = [ "boto3>=1.35.0", "rich>=13.9.0", @@ -11,6 +41,12 @@ dependencies = [ "pydantic>=2.9.0", ] +[project.urls] +Homepage = "https://github.com/transilienceai/shasta" +Repository = "https://github.com/transilienceai/shasta" +Issues = "https://github.com/transilienceai/shasta/issues" +Changelog = "https://github.com/transilienceai/shasta/blob/main/CHANGELOG.md" + [project.optional-dependencies] azure = [ "azure-identity>=1.17.0",