@mseep/open-computer-use 1.0.0

package/.github/workflows/security.yml

@@ -0,0 +1,332 @@
+# SPDX-License-Identifier: FSL-1.1-Apache-2.0
+# Copyright (c) 2025 Open Computer Use Contributors
+#
+# Security gates — the three a bank auditor opens first, per CLAUDE.md
+# "Testing & QA discipline (next/v1)":
+#
+#   1. Secrets scan blocks merge (gitleaks + trufflehog).
+#   2. SAST/SCA CRITICAL blocks merge (Semgrep + Trivy).
+#   3. IaC scan (Checkov) — CRITICAL on Helm blocks merge (HIGH currently
+#      soft-fail during bootstrap; tightened once the baseline cleanup PR
+#      lands and Dockerfile/Compose/K8s scopes are added back in).
+#
+# Signed SBOM + Cosign attestations for release artifacts live in
+# supply-chain.yml; this file covers the commit-time / PR-time gates.
+#
+# Per-rule "HIGH exception" file: .github/security-exceptions.yml.
+#
+# Pinning policy (mandatory for every `uses:` and container `image:`):
+#   - Third-party actions pinned to a 40-char commit SHA, never to a
+#     movable tag (zizmor `unpinned-uses` would block merge on its own).
+#   - Container images pinned to `name:tag@sha256:<digest>`.
+#   - Every actions/checkout call sets `persist-credentials: false`
+#     (zizmor `artipacked`).
+
+name: security
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - next/v1
+  schedule:
+    # Full-repo nightly re-scan (PRs are diff-only — re-confirm baseline).
+    - cron: "27 3 * * *"
+
+permissions:
+  contents: read
+  security-events: write
+  pull-requests: read
+
+concurrency:
+  group: security-${{ github.ref }}
+  # Do NOT cancel in-progress runs. On 5 quick commits to a PR, cancellation
+  # leaves intermediate commits unscanned by semgrep/trivy/checkov (they
+  # only see the working tree). gitleaks with fetch-depth: 0 catches
+  # history regardless. Letting runs queue is the safer default for
+  # merge-blocking gates.
+  cancel-in-progress: false
+
+jobs:
+  secrets-gitleaks:
+    name: secrets — gitleaks
+    runs-on: ubuntu-latest
+    steps:
+      # Fork-PR-safe two-source pattern. The PR HEAD provides the source
+      # files to scan, but the gitleaks CONFIG comes from the BASE ref —
+      # never from the PR head. Without this split, a fork PR could ship
+      # a permissive allowlist (`paths = ['''.*''']`) and the gate would
+      # pass green for any secret introduced in that PR. Canonical CI
+      # supply-chain attack against allowlist-based scanners.
+      #
+      # We fetch the base-ref config directly via `gh api` rather than
+      # checking out the base branch. sparse-checkout has long-standing
+      # quirks with non-cone single-file patterns in actions/checkout@v4
+      # and silently produces an empty working tree, which would re-open
+      # the fork-bypass hole.
+      - name: Checkout PR head (source)
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+          path: pr-head
+      - name: Fetch base-ref .gitleaks.toml via GitHub API
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BASE_REF: ${{ github.base_ref || github.ref_name }}
+          REPO: ${{ github.repository }}
+        # Always produce config/.gitleaks.toml. Two paths:
+        #
+        # 1. Base ref has a real .gitleaks.toml — fetch and use it.
+        # 2. Base ref has no .gitleaks.toml (bootstrap PRs, or any feature
+        #    branch off a base that hasn't merged the file yet) — write a
+        #    tiny stub that says "use the upstream default ruleset".
+        #
+        # Without this stub, the docker step would have to omit `--config`,
+        # and gitleaks falls back to autoload `/repo/.gitleaks.toml` per
+        # its documented config precedence (step 4 in `gitleaks detect
+        # --help`). `/repo` is the PR head, so a fork PR shipping a
+        # permissive allowlist (`paths = ['''.*''']`) would silently
+        # bypass the gate — the canonical attack the two-source pattern
+        # is supposed to close. Writing the stub keeps `--config` always
+        # on the command line and pins precedence to step 1.
+        #
+        # An explicit `gh api` `--jq` type check guards against the case
+        # where the URL resolves to a directory listing rather than a
+        # file — in that scenario `.content` is null and would produce a
+        # zero-byte file that gitleaks would silently accept.
+        run: |
+          mkdir -p config
+          # On a 404 (no config on the base ref) gh prints the error JSON
+          # to stdout and exits non-zero; reset content to empty so the
+          # stub branch below handles it instead of base64-decoding JSON.
+          content="$(gh api "repos/${REPO}/contents/.gitleaks.toml?ref=${BASE_REF}" \
+            --jq '.content // empty' 2>/dev/null)" || content=""
+          if [ -n "$content" ]; then
+            # The contents API base64-encodes with embedded newlines;
+            # strip them or `base64 -d` rejects the input on Linux.
+            printf '%s' "$content" | tr -d '\n' | base64 -d > config/.gitleaks.toml
+            echo "Fetched $(wc -c < config/.gitleaks.toml) bytes of base-ref gitleaks config."
+          elif [ -f pr-head/.gitleaks.toml ]; then
+            # Bootstrap: the base ref has no config yet (it is being
+            # introduced by this very change). The base-ref-wins rule
+            # protects an EXISTING config from being weakened by a PR;
+            # with none to protect, the tree's own config applies.
+            cp pr-head/.gitleaks.toml config/.gitleaks.toml
+            echo "No config on base ref ${BASE_REF}; using the tree's own (bootstrap)."
+          else
+            printf '[extend]\nuseDefault = true\n' > config/.gitleaks.toml
+            echo "No .gitleaks.toml on base ref ${BASE_REF} — wrote useDefault stub."
+          fi
+      - name: Run gitleaks (Docker)
+        # The official gitleaks-action requires a paid license for GitHub
+        # Organizations. Use the upstream Docker image directly — same
+        # detect engine, no license server. Pinned by digest so a future
+        # `:latest` push cannot silently change scan behaviour on a
+        # merge-blocking gate.
+        #
+        # Two separate mounts: /repo for source (PR head), /config for
+        # the gitleaks config (always populated by the previous step —
+        # either the real base-ref file or a useDefault stub). `--config`
+        # is always passed so gitleaks cannot autoload
+        # `/repo/.gitleaks.toml`.
+        #
+        # :ro mounts + non-root user + --read-only container fs are
+        # defence-in-depth against a compromised gitleaks image (digest
+        # pin above is the first layer).
+        run: |
+          docker run --rm \
+            --read-only \
+            --user "$(id -u):$(id -g)" \
+            -v "${{ github.workspace }}/pr-head:/repo:ro" \
+            -v "${{ github.workspace }}/config:/config:ro" \
+            zricethezav/gitleaks:v8.30.1@sha256:c00b6bd0aeb3071cbcb79009cb16a60dd9e0a7c60e2be9ab65d25e6bc8abbb7f \
+            detect --source=/repo --no-banner --redact --exit-code 1 \
+            --config=/config/.gitleaks.toml
+
+  secrets-trufflehog:
+    name: secrets — trufflehog
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - name: Run trufflehog
+        uses: trufflesecurity/trufflehog@0ec3634f6cf66a61912a923fee9d20cc45633a67  # main as of 2026-05-24
+        with:
+          path: ./
+          # `--fail` is appended by the action's entrypoint — passing it
+          # here a second time triggers "flag 'fail' cannot be repeated".
+          #
+          # `--no-verification` removes the egress data-exfiltration path:
+          # default `--results=verified` dials AWS/GitHub/Slack/… from the
+          # runner to validate detected patterns. For a bank-targeting CI
+          # we accept the higher false-positive rate over outbound calls.
+          extra_args: --no-verification
+
+  sast-semgrep:
+    name: SAST — semgrep
+    runs-on: ubuntu-latest
+    container:
+      # Org renamed from `returntocorp/semgrep` to `semgrep/semgrep`. Same
+      # image; the old name is mirrored but won't be updated forever.
+      image: semgrep/semgrep:1.163.0@sha256:7cad2bc2d1e44f87f0bf4be6d1fa23aa90fb72015bebc89fb91385d813987a03
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+        with:
+          # Diff-aware semgrep needs history back to the merge-base.
+          fetch-depth: 0
+          persist-credentials: false
+      - name: Semgrep CI (community rules)
+        env:
+          # Required for diff-aware scanning + PR commenting. Without it,
+          # `semgrep ci` falls back to a full-repo scan. Token is
+          # workflow-scoped and short-lived.
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # `semgrep ci` exits non-zero on findings by default. The
+          # `--suppress-errors` flag has the inverse meaning — DON'T set
+          # it. We pin it to false explicitly so a future runner-level
+          # env override can't silently downgrade the gate.
+          SEMGREP_SUPPRESS_ERRORS: "false"
+        run: |
+          # Verified registry packs as of 2026-05-24: p/bash and p/yaml
+          # do not exist on semgrep.dev (HTTP 404) — do not add them
+          # without first probing /c/p/<name>. Bash-in-YAML coverage
+          # comes from p/security-audit + p/github-actions; Docker
+          # socket misuse from p/dockerfile.
+          semgrep ci \
+            --config "p/security-audit" \
+            --config "p/owasp-top-ten" \
+            --config "p/python" \
+            --config "p/javascript" \
+            --config "p/dockerfile" \
+            --config "p/github-actions"
+
+  sca-trivy-fs:
+    name: SCA — trivy (filesystem)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+        with:
+          persist-credentials: false
+      - name: Trivy filesystem scan
+        uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8  # v0.36.0
+        with:
+          scan-type: fs
+          scan-ref: .
+          # Block merge on CRITICAL. HIGH gets a 14-day grace via the
+          # exceptions file; everything else is informational.
+          severity: CRITICAL
+          exit-code: "1"
+          # `ignore-unfixed: false` — a CRITICAL CVE without an upstream
+          # fix is exactly the class a bank auditor asks about first.
+          # Force an explicit dated entry in `security-exceptions.yml`
+          # before merge, rather than silently green-lighting it.
+          ignore-unfixed: false
+          skip-dirs: "node_modules,.venv,.planning,docs/future-architecture"
+          format: sarif
+          output: trivy-fs.sarif
+          # Without this, trivy-action drops `severity: CRITICAL` whenever
+          # `format: sarif` is set (entrypoint.sh unsets TRIVY_SEVERITY), so
+          # trivy scans for HIGH/MEDIUM/LOW too and exits 1 on the first
+          # finding — even though SARIF upload filters back to CRITICAL on
+          # the GitHub side. The "Building SARIF report with all severities"
+          # log line is the smoking gun. Issue:
+          # https://github.com/aquasecurity/trivy-action/issues/309
+          limit-severities-for-sarif: true
+      - name: Upload SARIF (CRITICAL)
+        if: always()
+        uses: github/codeql-action/upload-sarif@fee9466b8957867761f2d78f922ab084e3e2dd17  # v3
+        with:
+          sarif_file: trivy-fs.sarif
+          category: trivy-fs
+      # Second pass — HIGH severity, NON-blocking (exit-code 0). Without
+      # this the security-exceptions.yml schema and the CLAUDE.md
+      # "HIGH allowed for 14 days with a tracked exception file" rule
+      # both refer to a stream of findings that nothing in this workflow
+      # produces. Uploading HIGH as informational SARIF makes the
+      # exception ledger meaningful and gives a regulator something to
+      # audit against.
+      - name: Trivy filesystem scan (HIGH, informational)
+        uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8  # v0.36.0
+        with:
+          scan-type: fs
+          scan-ref: .
+          severity: HIGH
+          exit-code: "0"
+          ignore-unfixed: true
+          skip-dirs: "node_modules,.venv,.planning,docs/future-architecture"
+          format: sarif
+          output: trivy-fs-high.sarif
+          limit-severities-for-sarif: true
+      - name: Upload SARIF (HIGH)
+        if: always()
+        uses: github/codeql-action/upload-sarif@fee9466b8957867761f2d78f922ab084e3e2dd17  # v3
+        with:
+          sarif_file: trivy-fs-high.sarif
+          category: trivy-fs-high
+
+  iac-checkov:
+    name: IaC — checkov
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+        with:
+          persist-credentials: false
+      - name: Set up Python
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
+        with:
+          python-version: "3.12"
+      - name: Install checkov
+        run: pip install checkov==3.2.314
+      - name: Run checkov
+        # Scope: only Helm (the next/v1 deployment substrate). The legacy
+        # Dockerfile + older workflows have pre-existing findings that
+        # belong in a separate cleanup PR — they are not the subject of
+        # this gate.
+        #
+        # `--soft-fail-on LOW,MEDIUM,HIGH` means only CRITICAL Helm findings
+        # block merge for the bootstrap phase. We tighten to HIGH+ in a
+        # follow-up once the baseline cleanup PR lands, and we extend the
+        # framework list to dockerfile/compose/k8s at the same time.
+        run: |
+          checkov \
+            -d helm/ \
+            --quiet \
+            --compact \
+            --framework helm \
+            --soft-fail-on LOW,MEDIUM,HIGH
+
+  conventional-commits:
+    name: commits — conventional-commits
+    runs-on: ubuntu-latest
+    # Accept both events. If we ever switch to `pull_request_target` as
+    # mitigation for fork-PR config-injection (see secrets-gitleaks
+    # header), this gate keeps firing instead of silently disabling.
+    if: github.event_name == 'pull_request' || github.event_name == 'pull_request_target'
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - name: Validate PR title
+        uses: amannn/action-semantic-pull-request@e32d7e603df1aa1ba07e981f2a23455dee596825  # v5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          # Match the Conventional Commits spec we use everywhere else.
+          types: |
+            feat
+            fix
+            chore
+            docs
+            refactor
+            test
+            ci
+            build
+            perf
+            style
+            revert
+          requireScope: false

package/.github/workflows/stale.yml

@@ -0,0 +1,31 @@
+name: Close stale issues and PRs
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+
+permissions:
+  issues: write
+  pull-requests: write
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@v10
+        with:
+          stale-issue-message: >
+            This issue has been automatically marked as stale because it has not had
+            recent activity. It will be closed in 14 days if no further activity occurs.
+          close-issue-message: >
+            This issue was closed because it has been inactive for 60 days.
+            Feel free to reopen if it's still relevant.
+          stale-pr-message: >
+            This PR has been automatically marked as stale because it has not had
+            recent activity. It will be closed in 14 days if no further activity occurs.
+          days-before-stale: 45
+          days-before-close: 14
+          stale-issue-label: stale
+          stale-pr-label: stale
+          exempt-issue-labels: pinned,security,bug
+          exempt-pr-labels: pinned

package/.github/workflows/supply-chain.yml

@@ -0,0 +1,242 @@
+# SPDX-License-Identifier: FSL-1.1-Apache-2.0
+# Copyright (c) 2025 Open Computer Use Contributors
+#
+# Supply-chain integrity: SBOM + Cosign keyless signature + in-toto SBOM
+# attestation for every container image we publish.
+#
+# Per CLAUDE.md "Testing & QA discipline (next/v1)" top-3 gate #3:
+# "Signed SBOM + SLSA L3 provenance required for every release artifact.
+#  Syft → SPDX, Cosign-signed; CI fails if missing."
+#
+# Scope of this file: the SBOM + sign + attest half of that gate.
+#
+# SLSA-3 provenance is deferred to a follow-up release workflow that
+# colocates build/push and provenance generation so the real image digest
+# is available to slsa-github-generator's `digest:` input. Hard-coding
+# `digest: ""` violates the generator's contract and is worse than not
+# running it at all. Tracking: `manifesto/05-licensing-posture.md` BoM
+# row #9 (Sigstore/Cosign+Syft+Trivy+SLSA+in-toto) — keep its `status` as
+# `partial` until the release workflow lands.
+#
+# Pinning policy: every `uses:` and container `image:` is pinned to a
+# 40-char commit SHA / `@sha256:<digest>` — zizmor `unpinned-uses` would
+# block merge otherwise. Every actions/checkout sets
+# `persist-credentials: false` (zizmor `artipacked`).
+
+name: supply-chain
+
+on:
+  push:
+    tags: ["v*"]
+  workflow_dispatch:
+    inputs:
+      image_ref:
+        description: "Image ref (registry/name:tag) to sign and attest"
+        required: true
+
+permissions:
+  contents: read
+
+concurrency:
+  group: supply-chain-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  sbom-attest-sign:
+    name: SBOM + sign + attest (${{ matrix.image }})
+    runs-on: ubuntu-latest
+    # `environment: production` enforces required-reviewer approval before
+    # this job runs. Without it, any maintainer with workflow_dispatch
+    # access can sign an arbitrary image as the project's Sigstore
+    # identity ("identity laundering"). The Sigstore certificate that
+    # cosign emits carries the workflow ref + repo as the identity, and
+    # that signature lives in Rekor forever — burning the project's
+    # reputation if it was used to attest an attacker-controlled image.
+    environment: production
+    # Least-privilege: only this job needs id-token / packages /
+    # attestations write — keep them off the workflow-level scope.
+    permissions:
+      contents: read
+      id-token: write       # Required for Cosign keyless / Sigstore OIDC.
+      packages: write       # Required to push signatures + SBOM to GHCR.
+      attestations: write   # Required for GitHub-native attestation API.
+    strategy:
+      fail-fast: false
+      matrix:
+        image:
+          # The 4 images we publish, mirroring release.yml release-body block.
+          - open-computer-use
+          - open-computer-use-server
+          - open-computer-use-cleanup
+          - open-computer-use-webui
+
+    # All `${{ }}` interpolation of context data happens in env-vars; the
+    # `run:` steps only reference `"$VAR"` to defuse shell-injection (CWE-78)
+    # — semgrep rule yaml.github-actions.security.run-shell-injection.
+    env:
+      IMAGE_NAME: ${{ matrix.image }}
+      OWNER: ${{ github.repository_owner }}
+      REPO: ${{ github.repository }}
+      REF_NAME: ${{ github.ref_name }}
+      EVENT_NAME: ${{ github.event_name }}
+      DISPATCH_REF: ${{ inputs.image_ref }}
+
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+        with:
+          persist-credentials: false
+
+      - name: Resolve image ref
+        id: ref
+        # Two gates on the ref before it flows into syft/cosign:
+        #   1. Character whitelist defangs shell metacharacters that could
+        #      survive workflow_dispatch input.
+        #   2. Prefix anchor to `ghcr.io/${OWNER}/` makes it impossible to
+        #      sign an arbitrary registry/image as the project's Sigstore
+        #      identity. Any dispatch trying to sign
+        #      `registry.example.com/attacker/malware:latest` fails here.
+        run: |
+          owner_lower="$(echo "$OWNER" | tr '[:upper:]' '[:lower:]')"
+          # build.yml uses `type=match,pattern=v(.*),group=1` to strip the
+          # leading `v` from release tags before pushing to GHCR (so tag
+          # v0.9.5.1 lands as image …:0.9.5.1). Mirror that here, otherwise
+          # the first real tag push signs an image that does not exist.
+          tag="${REF_NAME#v}"
+          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
+            ref="$DISPATCH_REF"
+          else
+            ref="ghcr.io/${owner_lower}/${IMAGE_NAME}:${tag}"
+          fi
+          # Whitelist-only: allowed chars are exactly what a valid OCI ref
+          # needs. Reject anything else outright instead of trying to
+          # escape it.
+          case "$ref" in
+            *[!A-Za-z0-9._/:@-]*)
+              echo "::error::image ref contains disallowed characters: $ref" >&2
+              exit 1
+              ;;
+          esac
+          # Defence-in-depth against `..` segment traversal smuggled past
+          # the whitelist (the whitelist permits the literal `..`).
+          case "$ref" in
+            *..*)
+              echo "::error::image ref contains '..': $ref" >&2
+              exit 1
+              ;;
+          esac
+          # Prefix anchor — see header comment above.
+          case "$ref" in
+            ghcr.io/${owner_lower}/*) ;;
+            *)
+              echo "::error::image_ref must start with ghcr.io/${owner_lower}/, got: $ref" >&2
+              exit 1
+              ;;
+          esac
+          # GITHUB_OUTPUT is the canonical write channel — github docs require
+          # using >> "$GITHUB_OUTPUT", not echo into a heredoc.
+          echo "ref=$ref" >> "$GITHUB_OUTPUT"
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@1aa8e0f2454b781fbf0fbf306a4c9533a0c57409  # v3.7.0
+
+      - name: Install Syft
+        uses: anchore/sbom-action/download-syft@fc46e51fd3cb168ffb36c6d1915723c47db58abb  # v0.17.7
+
+      - name: Generate SBOM (SPDX JSON + CycloneDX JSON)
+        env:
+          IMAGE_REF: ${{ steps.ref.outputs.ref }}
+        run: |
+          syft "$IMAGE_REF" \
+            -o spdx-json=sbom.spdx.json \
+            -o cyclonedx-json=sbom.cdx.json
+
+      - name: Sign image (keyless via Sigstore)
+        env:
+          IMAGE_REF: ${{ steps.ref.outputs.ref }}
+        # COSIGN_EXPERIMENTAL is no longer needed since cosign v2 — keyless
+        # signing via Fulcio is the default. See cosign CHANGELOG.
+        run: |
+          cosign sign --yes "$IMAGE_REF"
+
+      - name: Attest SBOM (in-toto, SPDX predicate)
+        env:
+          IMAGE_REF: ${{ steps.ref.outputs.ref }}
+        run: |
+          cosign attest --yes \
+            --predicate sbom.spdx.json \
+            --type spdxjson \
+            "$IMAGE_REF"
+
+      - name: Attest CycloneDX SBOM
+        env:
+          IMAGE_REF: ${{ steps.ref.outputs.ref }}
+        run: |
+          cosign attest --yes \
+            --predicate sbom.cdx.json \
+            --type cyclonedx \
+            "$IMAGE_REF"
+
+      - name: Verify signature + SBOM attestation
+        env:
+          IMAGE_REF: ${{ steps.ref.outputs.ref }}
+          REPO_FOR_VERIFY: ${{ github.repository }}
+          REF_NAME: ${{ github.ref_name }}
+          EVENT_NAME: ${{ github.event_name }}
+        # Anchored regex on certificate-identity. The unanchored variant
+        # `https://github.com/${REPO_FOR_VERIFY}` matched typosquats
+        # (`-EVIL` suffix) and signatures emitted by any other workflow in
+        # the same repo. We anchor on:
+        #   - protocol + `^`
+        #   - exact repo
+        #   - exact workflow path (`/.github/workflows/supply-chain.yml`)
+        #   - tag-shape ref (`@refs/tags/v…` on tag push; we accept any
+        #     ref on workflow_dispatch via a separate identity).
+        run: |
+          # Escape regex metacharacters in REF_NAME — tag `v0.9.5.1`
+          # contains `.` which would otherwise match any char and let
+          # a same-shape tag (e.g. `v0a9b5c1`) pass verification.
+          ref_re="$(printf '%s' "$REF_NAME" | sed -E 's/[][\\.*^$()+?{|]/\\&/g')"
+          repo_re="$(printf '%s' "$REPO_FOR_VERIFY" | sed -E 's/[][\\.*^$()+?{|]/\\&/g')"
+          if [ "$EVENT_NAME" = "push" ]; then
+            cert_id="^https://github\\.com/${repo_re}/\\.github/workflows/supply-chain\\.yml@refs/tags/${ref_re}$"
+          else
+            # workflow_dispatch — restrict the accepted refs to tags or
+            # the long-lived release branches. Without this an approver
+            # on the `production` environment could launder a signature
+            # for an image against an arbitrary throwaway branch.
+            cert_id="^https://github\\.com/${repo_re}/\\.github/workflows/supply-chain\\.yml@(refs/tags/v[0-9.]+|refs/heads/(main|next/v1))$"
+          fi
+
+          cosign verify \
+            --certificate-identity-regexp "$cert_id" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+            "$IMAGE_REF"
+
+          cosign verify-attestation \
+            --type spdxjson \
+            --certificate-identity-regexp "$cert_id" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+            "$IMAGE_REF"
+
+          # Mirror verification for the CycloneDX attestation. The
+          # gate's stated purpose is "fail if any artefact is missing"
+          # — verifying only spdxjson would let a corrupted CycloneDX
+          # attestation pass CI green.
+          cosign verify-attestation \
+            --type cyclonedx \
+            --certificate-identity-regexp "$cert_id" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+            "$IMAGE_REF"
+
+      - name: Upload SBOMs as workflow artifacts
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4
+        with:
+          name: sbom-${{ matrix.image }}
+          path: |
+            sbom.spdx.json
+            sbom.cdx.json
+          # Default retention is 90 days — too long for SBOMs, which leak
+          # internal package versions to anyone with repo read access.
+          # The canonical signed copies live in Rekor + the registry via
+          # `cosign attest` above; the workflow artifact is a debug aid.
+          retention-days: 7

package/.gitleaks.toml

@@ -0,0 +1,53 @@
+# SPDX-License-Identifier: FSL-1.1-Apache-2.0
+# Copyright (c) 2025 Open Computer Use Contributors
+#
+# gitleaks configuration — extends the default ruleset with project-specific
+# allowlists for known false-positives.
+#
+# Reference: https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml
+
+# Pull in the upstream default rules — we only add allowlists, never weaken
+# detection.
+[extend]
+useDefault = true
+
+[allowlist]
+description = "Project allowlists for documented placeholders and minified libs"
+
+# Documentation placeholders for `sk-yambr-...` — these are example tokens
+# in README.md and docs/CLOUD.md illustrating the curl/auth syntax. The
+# real shape is `sk-yambr-<actual-base64>`; the docs use the literal three
+# dots to mark them as placeholders.
+regexes = [
+  '''sk-yambr-\.\.\.''',
+  '''sk-yambr-<.*>''',
+]
+
+# Minified JavaScript bundles routinely contain substrings that resemble
+# entropy-based secret patterns (variable assignments like `t.X=void`).
+# We don't audit minified upstream code via gitleaks — that's a supply-chain
+# concern, not a secrets-in-history concern.
+paths = [
+  '''.*\.min\.js$''',
+  '''computer-use-server/static/xterm.min.js''',
+  # No Helm chart `values.example.yaml` allowlist today — the only
+  # chart is helm/computer-use-server/ and it has no example values
+  # file. If one ever lands, add a tight per-chart entry here so a
+  # future renaming or new chart cannot accidentally activate this
+  # allowlist.
+  # Legacy buffer — addressed in Layer 13 migration, not by this gate.
+  '''docs/future-architecture/.*''',
+  # Node modules / venv / planning cache.
+  '''node_modules/.*''',
+  '''\.venv.*''',
+  '''\.planning/.*''',
+]
+
+# Stop-words for entropy-based rules — DELIBERATELY EMPTY.
+#
+# Stopwords silence the generic-api-key rule for ANY string containing the
+# stopword as a substring, repo-wide. That is too blunt a tool: a real
+# secret like `password-construct-12345` would be hidden by the stopword
+# `construct`. If a specific file produces noise, allowlist that file's
+# path under `paths` above instead of the substring globally.
+stopwords = []