SECURITY.md still says there are no published releases, but the repo has a published release #430

Closed
opened 2026-07-01 21:32:50 +00:00 by coilyco-ops · 5 comments
Member

Why

A cold reader checking the public release/security story hits a factual mismatch: SECURITY.md says, "No published releases yet to backport to," but the repo already has a published v0.242.0 release on Forgejo. That makes the support policy sound older than the repo state and leaves a newcomer unsure whether the published artifacts are actually covered.

Deliverable

Update SECURITY.md so the supported-version section matches the current release reality. If the intended policy is "only main is supported," say that directly without claiming there are no published releases.

Done condition

A reader can verify the policy against the repo state without contradiction: the support matrix and surrounding prose accurately describe whether published releases are supported or not, and there is no stale statement about there being no releases.


Severity: major-friction · persona: security-skeptic · angle: security-posture
Filed by Codex during a cold-read release pressure test (run 3).

## Why A cold reader checking the public release/security story hits a factual mismatch: `SECURITY.md` says, "No published releases yet to backport to," but the repo already has a published `v0.242.0` release on Forgejo. That makes the support policy sound older than the repo state and leaves a newcomer unsure whether the published artifacts are actually covered. ## Deliverable Update `SECURITY.md` so the supported-version section matches the current release reality. If the intended policy is "only main is supported," say that directly without claiming there are no published releases. ## Done condition A reader can verify the policy against the repo state without contradiction: the support matrix and surrounding prose accurately describe whether published releases are supported or not, and there is no stale statement about there being no releases. --- **Severity: major-friction** · persona: security-skeptic · angle: security-posture Filed by Codex during a cold-read release pressure test (run 3).
Author
Member

+1 — independently hit via security-skeptic/security-posture, run 4. The policy still says "No published releases yet to backport to" even though the repo has published releases.

+1 — independently hit via security-skeptic/security-posture, run 4. The policy still says "No published releases yet to backport to" even though the repo has published releases.
Author
Member

+1 — independently hit via drive-by-critic/release-story, run 7.

+1 — independently hit via drive-by-critic/release-story, run 7.
Author
Member

+1 — independently hit via security-skeptic/front-page, run 34: SECURITY.md still says 'No published releases yet to backport to' while the repo shows 242 releases (v0.242.0 today).

+1 — independently hit via security-skeptic/front-page, run 34: SECURITY.md still says 'No published releases yet to backport to' while the repo shows 242 releases (v0.242.0 today).
coilyco-ops added this to the ward launch milestone 2026-07-01 23:29:43 +00:00
Author
Member

🔒 Reserved by ward agent --driver claude — container engineer-claude-ward-430 on host kais-macbook-pro-2.local is carrying this issue (reserved 2026-07-02T02:58:30Z). Concurrent ward agent runs are blocked until it finishes or the reservation goes stale (2h0m0s TTL); --force overrides.

— Claude (she/her), via ward agent

<!-- ward-agent-reservation --> 🔒 Reserved by `ward agent --driver claude` — container `engineer-claude-ward-430` on host `kais-macbook-pro-2.local` is carrying this issue (reserved 2026-07-02T02:58:30Z). Concurrent `ward agent` runs are blocked until it finishes or the reservation goes stale (2h0m0s TTL); `--force` overrides. <!-- ward-agent-signature --> — Claude (she/her), via `ward agent`
Owner

WARD-OUTCOME: done - SECURITY.md now states main-only support with published releases explicitly not backported; the stale "no releases" claim is gone.

Small doc fix, but it fought back on one axis I did not expect: the file was already sitting at exactly 4000 chars, the hard catalog-doc-size cap, so I had zero budget to add prose. My first few passes (extra table row, a releases-page link, longer explanation) all blew past the cap. The clean landing was a net-neutral edit: swap the false sentence for a shorter true one and relabel the matrix row "any pinned commit" to "release or commit" so the support table itself names releases without growing. Also had to catch myself using a semicolon, which the house voice rules ban in prose.

Confident in the result: prose and matrix now agree, no contradiction against repo state (v0.256.0 shipped), pre-commit green, merged and pushed to main. One rough edge worth a possible follow-up: SECURITY.md living permanently pinned at the 4000-char cap means the next edit hits the same wall. If more security surface needs documenting, it should split into a docs/*.md rather than keep shaving the policy prose.

WARD-OUTCOME: done - SECURITY.md now states main-only support with published releases explicitly not backported; the stale "no releases" claim is gone. Small doc fix, but it fought back on one axis I did not expect: the file was already sitting at exactly 4000 chars, the hard `catalog-doc-size` cap, so I had zero budget to add prose. My first few passes (extra table row, a releases-page link, longer explanation) all blew past the cap. The clean landing was a net-neutral edit: swap the false sentence for a shorter true one and relabel the matrix row "any pinned commit" to "release or commit" so the support table itself names releases without growing. Also had to catch myself using a semicolon, which the house voice rules ban in prose. Confident in the result: prose and matrix now agree, no contradiction against repo state (v0.256.0 shipped), pre-commit green, merged and pushed to main. One rough edge worth a possible follow-up: SECURITY.md living permanently pinned at the 4000-char cap means the next edit hits the same wall. If more security surface needs documenting, it should split into a docs/*.md rather than keep shaving the policy prose.
Sign in to join this conversation.
No milestone
No project
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
coilyco-flight-deck/ward#430
No description provided.