Revise security policy with reporting and disclosure info #608
bradygaster merged 1 commit into bradygaster:dev from
Updated the security policy to include reporting guidelines and disclosure expectations.
🔍 Squad Team Review
Reviewed by: CONTROL (TypeScript Engineer) — Pass 3 of consensus ceremony
Review Summary
Standalone SECURITY.md update. No code changes, no conflicts with any other PR. Can merge at any position in the Phase 1 sequence or independently.
Dependencies
None — fully independent.
✅ Verdict: APPROVED for merge
bradygaster left a comment
FIDO Quality Review — PR #608: Security policy
Verdict: ✅ MERGE (with minor fixes suggested)
Findings
✅ Appropriate content: SECURITY.md at repo root is standard practice. Content covers reporting via GitHub Private Vulnerability Reporting, required info, disclosure expectations, and prohibited channels.
✅ Professional tone: Concise, clear, no hype. Follows the project's tone ceiling decision.
✅ Target branch: dev — correct.
- Typo: 'timely manor' should be 'timely manner' (line 22)
- Trailing dash: Last line has a stray '-' that appears to be an artifact
- No trailing newline: File should end with a newline
Not a Tamir PR: This is from eric-vanartsdalen. No changeset needed for a docs-only file outside of packages.
Clean contribution — these minor issues can be fixed in a follow-up commit.
…r#608)

* feat: version bump to 0.8.6-preview, auto-link detection, docs updates
- Bump all packages from 0.8.5.1 to 0.8.6-preview
- Add checkAutoLink() to cli-entry.ts for local dev detection
- Update CONTRIBUTING.md with local dev versioning and npm link docs
- Update Kobayashi charter with release versioning sequence
- Add scrollback and auto-link decisions to inbox
- File 13 REPL UX issues (bradygaster#595-bradygaster#607) from screenshot review
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* test: add REPL UX E2E tests — verify what users actually see
Spawn the real CLI binary via child_process and assert against actual terminal output. 22 tests across 6 categories:
- First Run (no team): welcome banner once, init prompt visible, no coordinator label, no ExperimentalWarning, no Resumed session
- Clean Output: no warnings on --help, --version, first-run; stderr clean on --version
- Banner Renders Once: version banner and welcome each appear exactly once, no duplicate taglines
- Message Labels: Squad branding (not coordinator) in help, welcome, and error messages
- Markdown Rendering: no raw **bold** asterisks leak to terminal
- Work Gating: status/doctor work in empty dirs without crashing
All tests use child_process.spawn with ANSI stripping, NO_COLOR=1, TERM=dumb, temp directories for isolation, and text-pattern assertions (no sleep-based timing).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: REPL UX fixes — init guard, scrollback, banner, labels, markdown, tests
P0 fixes:
- bradygaster#596: squad init now scaffolds all required files (team.md, routing.md, decisions.md, agents/, ceremonies.md)
- bradygaster#597: Coordinator refuses work when no team.md exists, redirects to init
- bradygaster#595: Completed messages render via Ink Static for full scrollback history
- bradygaster#601: Ghost text eliminated by Static/dynamic message split
P1 fixes:
- bradygaster#598: Banner renders once (sync init instead of lazy useEffect)
- bradygaster#599: Coordinator label changed from 'coordinator:' to 'Squad:'
- bradygaster#600: Inline markdown rendering (**bold**, *italic*, code)
- bradygaster#602: SQLite ExperimentalWarning suppressed at CLI entry
- bradygaster#603: Shell gates work requests when no team exists
- bradygaster#604: Session resume skipped on first run (no team.md)
Tests:
- 30 new unit tests in test/repl-ux-fixes.test.ts covering all fixes
- 22 new E2E tests in test/repl-ux-e2e.test.ts emulating terminal output
- Updated existing tests for new coordinator prompt text
Closes bradygaster#595, bradygaster#596, bradygaster#597, bradygaster#598, bradygaster#599, bradygaster#600, bradygaster#601, bradygaster#602, bradygaster#603, bradygaster#604
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

)

* chore(squad): crash recovery complete — 10 PRs merged, 3 dupes closed
Round 1 (Audit & Baseline):
- Flight audited PR/issue state after CLI crash
- FIDO verified baseline: 5,038 tests passing, dev green
- Scribe merged stale decision inbox
Round 2 (Execution):
- Flight closed duplicate PRs #605, #604, #602
- Procedures rebased & merged PR #619 (model catalog)
- FIDO reviewed 9 community PRs: approved 3, change-requested 6
Round 3 (Community Merges):
- Coordinator merged 3 approved community PRs (#625, #603, #608)
Outcomes:
- 10 PRs merged total (6 merge-plan, 3 community, 1 legacy)
- 3 PRs closed as duplicates
- 6 PRs awaiting author changes
- Dev green: 5,038 tests passing
- All 6 original merge-plan PRs complete
- Decision inbox merged & deleted
Artifacts:
- Orchestration logs for Flight, Procedures, FIDO
- Session log: 2026-03-26T06:41:00Z-crash-recovery.md
- Team history updated (Flight, FIDO, Procedures)
- Decisions merged to decisions.md
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore: remove leaked test fixture, gitignore .test-setup-* and .test-init-scaffold-*
consult.test.ts creates .test-setup-{hash}/ dirs in cwd and init-scaffolding.test.ts creates .test-init-scaffold-{hash}/ dirs. If tests crash before afterEach cleanup, these get left behind. One .test-setup-* dir was accidentally committed and tracked.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore: repo root cleanup — remove one-off publish scripts, export artifact, consolidate .gitignore
Removed:
- publish-0.8.21.ps1, publish-0.8.22.ps1 (version-pinned one-off release helpers)
- PUBLISH-README.md (companion to publish scripts)
- squad-export.json (generated export snapshot, not needed in repo)
.gitignore: Consolidated 3 specific .test-* patterns into single .test-* glob to cover all 15+ test artifact naming patterns that create temp dirs in cwd.
Also pruned 3 dead git worktrees (squad-337, squad-348, squad-356).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat(cli): add squad config model command for model pinning (#618)
Add a new 'squad config' CLI command with 'model' subcommand that lets users manage model configuration:
- squad config model — show current model config
- squad config model <name> — set default model for all agents
- squad config model <name> --agent <a> — pin model to specific agent
- squad config model --clear — clear default model override
- squad config model --clear --agent <a> — clear agent override
Validates model names against MODEL_CATALOG and agent names against the .squad/agents/ directory. Uses existing SDK functions for all config read/write operations.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: add @latest to npm install commands in cli.js and package README (#597)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Note: we can't create potential security issues without a policy.