Browse Source

docs: Condense v2.9.0 supply-chain-defense Recent Updates entry (#9)

The supply-chain-defense bullet was a ~180-word wall. Trim to ~95 words
(~7 lines) keeping the load-bearing detail; drop cost figure, per-IOC
version list, and the scan-extensions/GuardDog aside. Add the
settings.local.json secret-safety bullet so the v2.9.0 block reflects
everything shipping in the release.

Co-authored-by: 0xDarkMatter <0xDarkMatter@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
0xDarkMatter 1 month ago
parent
commit
a48594bc5f
1 changed files with 2 additions and 1 deletions
  1. 2 1
      README.md

+ 2 - 1
README.md

@@ -23,7 +23,8 @@ From Python async patterns to Rust ownership models, from AWS Fargate deployment
 ## Recent Updates
 
 **v2.9.0** (May 2026)
-- 🛡️ **`supply-chain-defense` skill** - Behavioural-first defense against the 2026 npm/PyPI/Composer worm campaign (Shai-Hulud / Mini Shai-Hulud) that `npm audit` misses in the publish-to-advisory window — the proactive sibling to `security-ops`. Free-first Socket.dev integration (open-source CLI, $0 tier, zero-auth `depscore` MCP for Claude Code) plus two advisory hooks covering both ways a dependency enters: install commands and the agent editing a manifest. `exposure-check.py` answers "are we running a named-bad version?" by matching installed lockfiles across npm/pnpm/yarn/bun, PyPI, Composer, Cargo, Go, RubyGems + editor extensions against a cited-IOC catalog (axios 1.14.1, Laravel-Lang tag-rewrite, Nx Console 18.95.0, durabletask 1.4.1–1.4.3); `integrity-audit.sh` hunts worm persistence in Claude/editor configs, shell rc files, and `.npmrc`; `scan-extensions.sh` adds inventory + recency + opt-in GuardDog triage; `preinstall-check.sh` enforces a 7-day release-age cooldown. A global `rules/supply-chain.md` carries the doctrine to every project, and four references map the free-OSS complements (GuardDog, OSV-Scanner, zizmor, Harden-Runner). 42-assertion offline test suite; IOC-catalog format borrowed from Perplexity's [Bumblebee](https://github.com/perplexityai/bumblebee).
+- 🛡️ **`supply-chain-defense` skill** - Behavioural-first defense against the 2026 npm/PyPI/Composer worm campaign (Shai-Hulud) that `npm audit` misses in the publish-to-advisory window — the proactive sibling to `security-ops`. Free-first Socket.dev integration (open-source CLI, zero-auth `depscore` MCP) plus advisory hooks on both install commands and manifest edits. `exposure-check.py` matches installed lockfiles (npm/pnpm/yarn/bun, PyPI, Composer, Cargo, Go, RubyGems + editor extensions) against a cited-IOC catalog; `integrity-audit.sh` hunts worm persistence in configs, shell rc, and `.npmrc`; `preinstall-check.sh` enforces a 7-day release-age cooldown. A global `rules/supply-chain.md` carries the doctrine everywhere; 42-assertion offline test suite, IOC format from Perplexity's [Bumblebee](https://github.com/perplexityai/bumblebee).
+- 🔒 **`settings.local.json` secret-safety** - `.claude/settings.local.json` accumulates API keys inside permission rules, so it's now gitignored and untracked repo-wide. Three layers keep it off any remote: the `.gitignore` rule, `setperms` self-healing that rule on every permissions write, and the `git-ops` push-safety gate refusing any push that adds the file.
 
 **v2.8.0** (May 2026)
 - 🩺 **`mac-ops` skill** - Comprehensive macOS workstation diagnostics, peer to `windows-ops`. 23 scripts + 11 reference docs along an 8-rung ladder: `health-audit` orchestrates and `quickrun` gives a one-shot "what's wrong with my Mac?" verdict. Mac-unique probes cover TCC privacy permissions (the "can't screen-share" cause), wake reasons, Spotlight, and APFS storage pressure (the "disk full but `du` disagrees" mystery).