OSS Inventory Version Truth

Scope

jhf-keystore is the owner and producer of the repo-local OSS inventory and upgrade-readiness truth for the build and runtime components required for delivery readiness.

Canonical machine-readable truth:

  • contracts/oss-version-inventory-readiness.json
  • contracts/oss_inventory.json
  • contracts/oss_version_truth.json
  • contracts/oss_upgrade_governance.json
  • contracts/oss_upgrade_evidence_posture.json

Canonical upstream Fabric source-of-truth consumed read-only:

  • contracts/platform/platform_version_truth.json
  • contracts/platform/platform_projection_catalog.json
  • contracts/platform/platform_oss_upgrade_governance_v1.json
  • contracts/platform/platform_oss_upgrade_compatibility_matrix_v1.json
  • contracts/platform/platform_oss_upgrade_evidence_contract_v1.json
  • contracts/platform/helpifyr_stack_module_identity_v1.json
  • contracts/platform/stack_tool_oss_inventory_directory.json
  • docs/contracts/HELPIFYR_PLATFORM_OSS_UPGRADE_GOVERNANCE.md
  • docs/contracts/HELPIFYR_STACK_MODULE_IDENTITY.md
  • docs/contracts/HELPIFYR_STACK_TOOL_OSS_INVENTORY_DIRECTORY.md

Required Verify Lane

  • Local:
    • python3 scripts/validate-oss-version-inventory.py --json
    • bash scripts/verify-oss-version-inventory.sh
  • CI:
    • .gitea/workflows/ci.yml runs bash scripts/verify-oss-version-inventory.sh

The verifier is fail-closed on missing component coverage, missing external-owner classification, or drift from the source truth. It is also fail-closed when a required Fabric upstream surface is missing from the consumer contract binding or from the repo-local consumer docs listed above. It is owner-fail-closed when a component lacks any of the required version, evidence, or rollback fields listed below.

Required Owner Fields Per Component

Each relevant component in contracts/oss_version_truth.json must define:

  • current_version
  • target_version or explicit target_posture
  • allowed_version_range
  • pinning_posture
  • compatibility_window_ref
  • preflight_assertion_refs
  • postdeploy_assertion_refs
  • rollback_contract_ref
  • evidence_contract_ref

Pinning Posture

  • vaultwarden/server:1.35.7 is pinned in maintained compose files.
  • Components are either pinned (pinned-exact, pinned-tag, or pinned-range) or classified as external with an owner issue reference.
  • Floating latest tags are not accepted in repo-owned runtime truth unless explicitly owner-justified and documented.
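The two sections above (required owner fields, pinning posture) describe what a fail-closed verifier has to check. The following is an added example written for this page, not the project's scripts/validate-oss-version-inventory.py: it validates a constructed version-truth document, reporting uncovered components, missing owner fields, external components without an owner issue, and images whose actual tag is looser than the declared posture. The document layout (a top-level "components" list whose entries carry "name", "image" and the owner fields), the owner_issue_ref and owner_justification field names, and the sample components are assumptions; the required field names and the pinning postures are the ones listed on this page.

```python
"""Fail-closed check of a version-truth contract (added example, not the
project's validator). Document layout, extra field names and sample data
are assumptions; required fields and postures follow the page."""
import json
import re
import sys

# Owner fields every component must carry; target_version and target_posture
# are alternatives, so they are checked separately.
REQUIRED_FIELDS = (
    "current_version", "allowed_version_range", "pinning_posture",
    "compatibility_window_ref", "preflight_assertion_refs",
    "postdeploy_assertion_refs", "rollback_contract_ref", "evidence_contract_ref",
)
TARGET_ALTERNATIVES = ("target_version", "target_posture")
KNOWN_POSTURES = {"pinned-exact", "pinned-tag", "pinned-range", "external"}
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
EXACT_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+$")


def classify_image_ref(ref):
    """Classify what pinning an OCI image reference really provides.

    Returns (posture, detail): "pinned-exact" for a digest or a full x.y.z
    tag, "pinned-tag" for any other fixed tag, "floating" for a missing or
    "latest" tag, "invalid" for unparsable input. Registry ports are
    handled by taking the tag from the last path segment only.
    """
    if not ref or any(ch.isspace() for ch in ref):
        return "invalid", ref
    rest, _, digest = ref.partition("@")
    if digest:
        return ("pinned-exact", digest) if DIGEST_RE.match(digest) else ("invalid", ref)
    _, _, tag = rest.rsplit("/", 1)[-1].partition(":")
    if tag in ("", "latest"):
        return "floating", "latest"
    if EXACT_TAG_RE.match(tag):
        return "pinned-exact", tag
    return "pinned-tag", tag


def check_component(comp):
    """Return the findings for one component; an empty list means it passes."""
    name = comp.get("name", "<unnamed>")
    # Empty lists and empty strings count as missing (fail closed).
    findings = [f"{name}: missing required field {f}" for f in REQUIRED_FIELDS if not comp.get(f)]
    if not any(comp.get(f) for f in TARGET_ALTERNATIVES):
        findings.append(f"{name}: missing target_version or target_posture")
    posture = comp.get("pinning_posture")
    if posture not in KNOWN_POSTURES:
        if posture is not None:
            findings.append(f"{name}: unknown pinning_posture {posture!r}")
        return findings
    if posture == "external":
        # External-classified components need a tracking issue on the owner side.
        if not comp.get("owner_issue_ref"):
            findings.append(f"{name}: external classification without owner_issue_ref")
        return findings
    observed, detail = classify_image_ref(comp.get("image", ""))
    if observed == "invalid":
        findings.append(f"{name}: unparsable image reference {detail!r}")
    elif observed == "floating" and not comp.get("owner_justification"):
        findings.append(f"{name}: floating tag {detail!r} without owner_justification")
    elif posture == "pinned-exact" and observed != "pinned-exact":
        findings.append(f"{name}: declared pinned-exact but image is {observed} ({detail})")
    return findings


def validate_truth(truth, required_components):
    """Fail closed: every required component must be covered and every covered
    component must pass check_component. Returns all findings; empty = pass."""
    components = truth.get("components", [])
    covered = {c.get("name") for c in components}
    findings = [f"{n}: no coverage in version truth"
                for n in sorted(set(required_components) - covered)]
    for comp in components:
        findings.extend(check_component(comp))
    return findings


# Constructed sample; not the contents of contracts/oss_version_truth.json.
SAMPLE_TRUTH = {"components": [
    {"name": "vaultwarden", "image": "vaultwarden/server:1.35.7",
     "current_version": "1.35.7", "target_version": "1.35.7",
     "allowed_version_range": ">=1.35.0,<1.36.0", "pinning_posture": "pinned-exact",
     "compatibility_window_ref": "compat/vaultwarden", "preflight_assertion_refs": ["pre/vw-health"],
     "postdeploy_assertion_refs": ["post/vw-login"], "rollback_contract_ref": "rollback/vw",
     "evidence_contract_ref": "evidence/vw"},
    {"name": "postgres", "image": "postgres:latest",  # floating tag, no justification
     "current_version": "16.4", "target_posture": "track-16.x",
     "allowed_version_range": ">=16,<17", "pinning_posture": "pinned-range",
     "compatibility_window_ref": "compat/pg", "preflight_assertion_refs": [],  # empty = missing
     "postdeploy_assertion_refs": ["post/pg-query"], "rollback_contract_ref": "rollback/pg",
     "evidence_contract_ref": "evidence/pg"},
    {"name": "traefik", "pinning_posture": "external",  # external but no owner_issue_ref
     "current_version": "3.1", "target_posture": "env-owned",
     "allowed_version_range": ">=3,<4", "compatibility_window_ref": "compat/traefik",
     "preflight_assertion_refs": ["pre/tr"], "postdeploy_assertion_refs": ["post/tr"],
     "rollback_contract_ref": "rollback/tr", "evidence_contract_ref": "evidence/tr"},
]}
REQUIRED_COMPONENTS = ("vaultwarden", "postgres", "traefik", "redis")  # redis is uncovered


def main(argv):
    truth = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_TRUTH
    findings = validate_truth(truth, REQUIRED_COMPONENTS)
    print(json.dumps({"ok": not findings, "findings": findings}, indent=2))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments to check the embedded sample (exit status 1, four findings: redis uncovered, postgres missing preflight assertions and on a floating tag, traefik external without an owner issue), or pass a path to a JSON file in the assumed layout. The non-zero exit status is the fail-closed behaviour a CI lane keys on; a verifier that only warns would let an uncovered or floating component through.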

Dependency Ownership

  • JaddaHelpifyr/helpifyr-fabric#289: stackwide Fabric contract/version catalog ownership (consumed read-only).
  • JaddaHelpifyr/jhf-openclaw-env#209: environment-owned runtime materialization and host-level pinning policy.
  • JaddaHelpifyr/jhf-deployment#270: deployment-owned coordinated upgrade rollout catalog.

AGPLv3. See LICENSE.

Learn more at helpifyr.com.