Step
ID: OPS-8.a
Source refinement task: OPS-8 Replace dependabot with a documented supply-chain audit cadence
Directory: docs/operations.md or new docs/security.md, optionally .github/dependabot.yml
Execution tier: human
Why this matters for prod
d6904ba also deleted .github/dependabot.yml. Bookie ships pdf-lib, jszip, sqlx, keyring, aws-sdk-s3, tauri-plugin-sql, and now zip 8 — any CVE in this set lands in user binaries that GoBD wants retained for ten years. Dependabot is free even when CI is disabled (it just files PRs that a human reviews), but the user removed the file alongside CI, which suggests the intent was to stop noise rather than to stop monitoring. Without either bot-driven advisories or a documented manual cadence, the next sha2 0.10→0.11-style bump won't surface until something breaks.
What to do
The maintainer decides between (A) restore .github/dependabot.yml with cargo + npm ecosystems, monthly schedule, open-pull-requests-limit: 3 — accepting that with CI disabled Dependabot's PRs arrive with no automated build or test, so each one is reviewed and built locally before merge; or (B) commit a docs/security.md documenting a quarterly cadence in which the maintainer runs bun audit --audit-level=high and cargo audit --deny warnings on the first of each quarter (--deny warnings makes unmaintained, yanked and unsound advisories exit non-zero as well, so they cannot be skimmed past) and files an issue per advisory. Decision recorded as a one-line comment on this step issue.
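Worked example, added here and not part of Bookie's tooling: one POSIX shell script that covers both options above, so the recorded decision only changes which function is called. restore_dependabot writes the option (A) manifest with exactly the settings the step names; quarterly_audit is the option (B) cadence, running both audits even if the first one fails, recording each exit status in a per-quarter file, and returning 3 (a code cargo-audit and bun do not use for findings) when a tool is absent, so a machine without cargo-audit or bun can never be recorded as a clean quarter. Assumptions not taken from the step: Cargo.toml and package.json sit at the repo root, audit records live under docs/audits/, the script is saved as supply-chain-audit.sh, and the date is passed in as YYYY-MM-DD. Filing one issue per advisory remains the manual step the cadence describes.

```shell
#!/bin/sh
# Added example, not Bookie's own tooling. Implements both OPS-8.a options in
# one script so the maintainer's decision only changes which function is called.
# Assumptions (not from the step text): Cargo.toml and package.json live at the
# repo root, and audit records go under docs/audits/.
set -u

# Option A: restore .github/dependabot.yml with exactly the settings the step
# names: cargo + npm ecosystems, monthly schedule, at most 3 open PRs each.
restore_dependabot() {
  repo=$1
  mkdir -p "$repo/.github"
  cat > "$repo/.github/dependabot.yml" <<'EOF'
version: 2
updates:
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 3
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 3
EOF
}

# Option B helpers. Dates are passed in as YYYY-MM-DD so the logic is testable
# and does not depend on GNU vs BSD `date` flags.
quarter_of() {
  y=${1%%-*}
  rest=${1#*-}
  m=${rest%%-*}
  m=${m#0}
  echo "${y}Q$(( (m - 1) / 3 + 1 ))"
}

# Exit 0 only on the first day of a quarter, so a daily cron entry acts on
# exactly the cadence the step documents.
is_quarter_start() {
  case $1 in
    *-01-01|*-04-01|*-07-01|*-10-01) return 0 ;;
    *) return 1 ;;
  esac
}

# Run an audit command only after its tool answers a probe. A missing tool
# returns 3 (distinct from the tool's own 0 = clean / nonzero = findings), so a
# machine without cargo-audit or bun can never be recorded as a clean quarter.
run_audit() {
  probe=$1
  shift
  sh -c "$probe" >/dev/null 2>&1 || { echo "audit tool missing: $probe" >&2; return 3; }
  "$@"
}

# One quarterly run: both audits always execute (no early exit), each result is
# appended to a per-quarter record, and the worst status is returned.
# Filing one issue per advisory stays a manual step, as the cadence says.
quarterly_audit() {
  repo=$1
  today=$2
  label=$(quarter_of "$today")
  record="$repo/docs/audits/$label.txt"
  mkdir -p "$repo/docs/audits"
  worst=0
  for spec in \
    "cargo audit --version|cargo audit --deny warnings" \
    "bun --version|bun audit --audit-level=high"
  do
    probe=${spec%%|*}
    cmd=${spec#*|}
    (cd "$repo" && run_audit "$probe" $cmd)
    rc=$?
    echo "$today $label rc=$rc $cmd" >> "$record"
    if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
  done
  return "$worst"
}

# Entry point for cron (assumed name and invocation):
#   sh supply-chain-audit.sh --quarterly /path/to/bookie 2026-07-01
if [ "${1:-}" = "--quarterly" ]; then
  is_quarter_start "$3" || { echo "$3 is not a quarter start; nothing to do"; exit 0; }
  quarterly_audit "$2" "$3"
fi
```

Scheduling it daily from cron and letting is_quarter_start decide is deliberate: a "first of the quarter" entry that is missed because the machine was off never runs, whereas a daily entry only needs the date check. The record file under docs/audits/ is what the option (B) docs/security.md would point at as evidence that the cadence was kept.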
Verification
Maintainer comments restore or manual_cadence on the step issue; agent removes human_input label and proceeds to OPS-8.b.
Dependencies
Depends on: none.
Audit
- Step ID: OPS-8.a
- Source task: OPS-8 (see REFINEMENT.md)
- Generated from: refinement.decomposition.json on 2026-05-14
- Created by: Sandcastle (production-refinement skill)