6 Commits

Author	SHA1	Message	Date
ezl-keygraph	147bc3f5f4	fix: harden supply chain security (#255) ... * fix: patch smol-toml and tsdown vulnerabilities Update smol-toml 1.6.0→1.6.1 (DoS via recursive comment parsing) and tsdown 0.21.2→0.21.5 (picomatch ReDoS + method injection). * fix: pin all unpinned dependency versions in Dockerfile Pins subfinder v2.13.0, WhatWeb v0.6.3 (switched from git clone to release tarball), schemathesis 4.13.0, addressable 2.8.9, claude-code 2.1.84, and playwright-cli 0.1.1 for reproducible builds. * fix: pin GitHub Actions to commit SHAs for supply chain security * fix: pin GitHub Actions to commit SHAs in beta and rollback workflows	2026-03-27 01:55:09 +05:30
ezl-keygraph	167f3c3ccd	feat: add beta release and rollback workflows with cosign signing	2026-03-18 22:07:58 +05:30
ezl-keygraph	a513aad161	fix: remove environment gates and add NPM_TOKEN to publish step	2026-03-18 16:09:40 +05:30
ezl-keygraph	955eae5d65	fix: remove duplicate environment gate from merge-docker job ... Move DOCKERHUB_USERNAME from vars to secrets so merge-docker can access credentials without its own environment scope. This eliminates the redundant double approval since build-docker already gates on release-publish.	2026-03-18 15:58:45 +05:30
ezl-keygraph	96732306a8	feat: mark GitHub release as latest during rollback	2026-03-18 15:58:45 +05:30
ezl-keygraph	9b1abd9ec0	feat: integrate npx CLI, CI/CD, and ephemeral worker architecture ... Bring in changes from shannon-npx: npx-distributable CLI package (cli/), semantic-release CI/CD workflows, ephemeral per-scan worker containers, TOML config support, setup wizard, and workspace management. Preserves all shannon-only changes: security hardening (localhost-bound ports, MCP env allowlist, path traversal guard), updated benchmarks (XBEN 19/31/35/44), README assets, and prompt injection disclaimer. Applies security hardening to cli/infra/compose.yml as well.	2026-03-18 15:57:57 +05:30