
Document package hardening from PR #390 in README and DOCS.md #393

Merged
nicobistolfi merged 1 commit into main from vigilante/issue-392-document-package-hardening-from-pr-390-in-readme-and-docs-md on Apr 3, 2026

Conversation

@nicobistolfi (Collaborator)

Summary

  • Adds a concise package hardening section to README.md with user-visible behavior and a scope caveat that the feature currently applies only to supported JS/TS/Node.js repositories.
  • Adds detailed operational documentation to DOCS.md covering trigger conditions, checks performed, PR comment/label behavior (vigilante:flagged-security-review), checkbox-driven remediation flow (implement fixes), and the package_hardening_enabled config toggle.
  • Updates the "More Docs" index in the README to reference the new package hardening docs section.

Test plan

  • Verified documentation accuracy against the implementation in PR #390 (Add deterministic JS/TS package hardening and PR-triggered security remediation): internal/hardening/, internal/app/app.go, internal/state/state.go
  • Confirmed the README caveat is prominently placed before the Key Commands section
  • Confirmed DOCS.md covers all acceptance criteria: trigger conditions, checks, PR comment/label behavior, remediation flow, config toggle, and scope limitation
  • Verified docs do not claim support for unsupported ecosystems
  • Verified consistent use of package_hardening_enabled, vigilante:flagged-security-review, and implement fixes terminology

Closes #392

Add a concise package hardening section to README.md covering user-visible
behavior with a caveat that the feature currently applies only to supported
JS/TS/Node.js repositories and will expand over time.

Add detailed operational documentation to DOCS.md covering trigger conditions,
checks performed (lockfile presence, npm audit, non-exact ranges, CI
deterministic install, CI audit step), PR comment and label behavior
(vigilante:flagged-security-review), checkbox-driven remediation flow, and
the package_hardening_enabled config toggle.

Closes #392
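The commit message above lists the deterministic checks the documentation describes (lockfile presence, non-exact dependency ranges, deterministic CI install, CI audit step). The following is an added example, not Vigilante's own code from internal/hardening/, showing how those four checks can be expressed as plain functions over a constructed package.json, a constructed root file listing and a constructed CI workflow. The set of recognised lockfiles and install commands is an assumption; the live npm audit run needs network access and is left out so the example runs offline.

```javascript
// Added example (not the project's implementation): offline versions of the
// package hardening checks, run against constructed sample inputs.

// A dependency counts as exactly pinned only when it is a bare version
// (1.2.3, optionally with a prerelease/build suffix). Any ^, ~, range,
// tag, URL or protocol form is reported as non-exact.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;

// Lockfiles recognised for npm, yarn and pnpm (assumption, not the tool's list).
const LOCKFILES = ["package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "pnpm-lock.yaml"];

// Install commands that refuse to resolve anything not already in the lockfile.
const DETERMINISTIC_INSTALL =
  /\bnpm ci\b|\byarn install --(?:frozen-lockfile|immutable)\b|\bpnpm install --frozen-lockfile\b/;
const AUDIT_STEP = /\bnpm audit\b|\byarn npm audit\b|\bpnpm audit\b/;

// Check 1: every declared dependency must be an exact version.
function findNonExactRanges(pkg) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(String(range))) findings.push({ field, name, range });
    }
  }
  return findings;
}

// Check 2: a lockfile must be committed at the repository root.
function hasLockfile(rootFiles) {
  return rootFiles.some((f) => LOCKFILES.includes(f));
}

// Check 3: CI must install from the lockfile rather than re-resolving ranges.
function ciUsesDeterministicInstall(workflowText) {
  return DETERMINISTIC_INSTALL.test(workflowText);
}

// Check 4: CI must run an audit step.
function ciRunsAudit(workflowText) {
  return AUDIT_STEP.test(workflowText);
}

// Run all checks and return a flat list of findings; an empty list passes.
function runHardeningChecks({ pkg, rootFiles, workflowText }) {
  const findings = findNonExactRanges(pkg).map(
    (f) => `${f.field}: ${f.name} uses non-exact range "${f.range}"`,
  );
  if (!hasLockfile(rootFiles)) findings.push("no lockfile committed");
  if (!ciUsesDeterministicInstall(workflowText)) {
    findings.push("CI install is not deterministic (no npm ci / frozen lockfile)");
  }
  if (!ciRunsAudit(workflowText)) findings.push("CI has no audit step");
  return { ok: findings.length === 0, findings };
}

// Constructed sample repository that fails every check.
const SAMPLE_REPO = {
  pkg: {
    name: "sample-app",
    dependencies: { express: "^4.18.2", lodash: "4.17.21" },
    devDependencies: { jest: "~29.7.0" },
  },
  rootFiles: ["package.json", "src", ".github"],
  workflowText: ["jobs:", "  build:", "    steps:", "      - run: npm install", "      - run: npm test"].join("\n"),
};

// The same repository after remediation: exact pins, lockfile, npm ci and an audit step.
const HARDENED_REPO = {
  pkg: {
    name: "sample-app",
    dependencies: { express: "4.18.2", lodash: "4.17.21" },
    devDependencies: { jest: "29.7.0" },
  },
  rootFiles: ["package.json", "package-lock.json", "src", ".github"],
  workflowText: ["      - run: npm ci", "      - run: npm audit --audit-level=high", "      - run: npm test"].join("\n"),
};

console.log(runHardeningChecks(SAMPLE_REPO));   // ok: false, five findings
console.log(runHardeningChecks(HARDENED_REPO)); // ok: true, no findings
```

The exact-version test is deliberately strict: git URLs, `file:` and `workspace:` specifiers are flagged as non-exact as well, because a string-level check cannot tell whether they resolve deterministically; the real tool's rules for those forms are not stated on this page.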
nicobistolfi merged commit 328286e into main on Apr 3, 2026
1 of 2 checks passed
nicobistolfi deleted the vigilante/issue-392-document-package-hardening-from-pr-390-in-readme-and-docs-md branch on April 3, 2026 20:53