49922dff5a
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Risk Bundle CI / risk-bundle-build (push) Has been cancelled
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Risk Bundle CI / risk-bundle-offline-kit (push) Has been cancelled
Risk Bundle CI / publish-checksums (push) Has been cancelled
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
devportal-offline / build-offline (push) Has been cancelled
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Scanner Design Dossiers
This directory contains deep technical designs for current and upcoming analyzers and surface components.
Language analyzers
ruby-analyzer.md— lockfile, runtime graph, capability signals for Ruby.deno-runtime-signals.md— runtime trace + policy signal contract for Deno analyzer.deno-runtime-shim.md— loader/trace shim plan for runtime NDJSON capture in Deno analyzer.
Surface & platform contracts
surface-fs.mdsurface-env.mdsurface-validation.mdsurface-secrets.md
OS ecosystem designs
macos-analyzer.md— Homebrew, pkgutil,.appbundle plan.windows-analyzer.md— MSI, WinSxS, Chocolatey, registry collectors.cdx17-cbom-contract.md— deterministic CycloneDX 1.7 + CBOM export profile (ordering, hashes, downgrade rules).slsa-source-track.md— deterministic SLSA Source Track capture (repo/ref/commit, tree hash, invocation hash, provenance DSSE, CAS paths).
Demand & dashboards
../../benchmarks/scanner/windows-macos-demand.md— demand tracker.../../benchmarks/scanner/windows-macos-interview-template.md— interview template.../../api/scanner/windows-coverage.md— coverage summary dashboard.../../api/scanner/windows-macos-summary.md— metric snapshot.
Utility & reference
../operations/field-engagement.md— SE workflow guidance.../operations/analyzers.md— operational runbook.../operations/rustfs-migration.md— storage migration notes.
Maintenance tips
- Keep demand tracker (
../../benchmarks/scanner/windows-macos-demand.md) and API dashboards in sync when updating macOS/Windows designs. - Cross-reference policy readiness briefs for associated predicates and waiver models.
Policy readiness
../policy/secret-leak-detection-readiness.md— secret leak pipeline decisions.../policy/windows-package-readiness.md— Windows analyzer policy decisions.