
OSS Inventory Version Truth


OSS Inventory / Version Truth / Upgrade Readiness

This document defines the canonical repo-owned truth for OSS components used by jhf-spindle.

Canonical Sources

  • Inventory: maintenance/oss-inventory.json
  • Version truth: maintenance/oss-version-truth.json
  • Upgrade policy: maintenance/oss-upgrade-policy.json
  • Verifier: maintenance/verify_oss_inventory_version_truth.py

The machine-readable truth is fail-closed: verification fails unless every relevant runtime family carries all of the following upgrade-governance fields:

  • current_version
  • target_version
  • allowed_version_range
  • pinning_posture
  • compatibility_window_ref
  • preflight_assertion_refs
  • postdeploy_assertion_refs
  • rollback_contract_ref
  • evidence_contract_ref

Scope Boundary

jhf-spindle owns the OSS version truth for the ERP- and identity-adjacent components used by this repository.

Allowed:

  • repo-owned, machine-readable inventory and version truth
  • fail-closed drift checks in local verify and CI
  • explicit classification of external-owner surfaces

Forbidden:

  • local workaround for foreign-owner runtime drift
  • shadow truth outside the canonical JSON files listed above
  • storing secrets/tokens in docs, evidence, or contracts

Verify Path

Local:

python maintenance/verify_oss_inventory_version_truth.py --output test-results/oss-version-truth.verify.json

Optional bounded live check:

python maintenance/verify_oss_inventory_version_truth.py --check-live --ssh-target <internal-runtime-redacted> --output artifacts/evidence/oss-version-truth.live.json

CI:

  • python maintenance/verify_oss_inventory_version_truth.py --output test-results/oss-version-truth.verify.ci.json
  • smoke test lane also executes:
    • apps/jhf_spindle_core/tests/test_verify_oss_inventory_version_truth_script.py

Guardrail On Floating Versions

  • latest and floating refs must fail verification unless owner policy declares an explicit external-owner exception.
  • missing upgrade-governance fields must fail verification.
  • Runtime image refs should be digest-pinned (@sha256:...) or explicit stable tags per policy.
  • CI action refs must be pinned to approved stable refs per version truth.
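The following is an added example of how the field and floating-ref guardrails above can be enforced fail-closed; it is not maintenance/verify_oss_inventory_version_truth.py and does not claim to match its output format. The nine field names come from this page. Everything else is assumed for illustration: the JSON shape (a `runtime_families` map plus a `ci_actions` list), the `image_ref` field, the `external_owner_exceptions` policy key, the set of tags treated as floating, and the sample inventory data, which is constructed.

```python
"""Fail-closed checker for OSS version truth (added example, not the repo's verifier)."""
import json
import re
import sys

# Upgrade-governance fields required per runtime family (names from the page).
REQUIRED_FIELDS = (
    "current_version", "target_version", "allowed_version_range",
    "pinning_posture", "compatibility_window_ref", "preflight_assertion_refs",
    "postdeploy_assertion_refs", "rollback_contract_ref", "evidence_contract_ref",
)
# Tags that resolve to different content over time (assumed list).
FLOATING_TAGS = {"latest", "stable", "edge", "nightly", "main", "master"}
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def is_floating(ref):
    """True for a moving tag, a wildcard, or a range operator used as a pin; a digest never floats."""
    if DIGEST_RE.search(ref):
        return False
    tag = ref.rsplit(":", 1)[-1] if ":" in ref else ref
    return tag in FLOATING_TAGS or "*" in tag or tag.startswith(("^", "~", "<", ">"))


def check_family(name, fam, policy):
    """Findings for one runtime family: missing fields, floating refs, posture/digest mismatch."""
    findings = []
    missing = [f for f in REQUIRED_FIELDS if f not in fam]
    if missing:
        findings.append(f"{name}: missing upgrade-governance fields {missing}")
    # Assumed policy shape: exceptions keyed by family name; the value documents the owner.
    exempt = name in policy.get("external_owner_exceptions", {})
    for field in ("current_version", "target_version", "image_ref"):
        value = fam.get(field)
        if isinstance(value, str) and is_floating(value) and not exempt:
            findings.append(f"{name}: {field}={value!r} is a floating ref and no external-owner exception is declared")
    image = fam.get("image_ref")
    if fam.get("pinning_posture") == "digest" and isinstance(image, str) and not DIGEST_RE.search(image):
        findings.append(f"{name}: pinning_posture is 'digest' but image_ref {image!r} carries no @sha256 digest")
    return findings


def check_ci_actions(actions):
    """Every CI action ref must be one of the approved stable refs recorded in the truth."""
    findings = []
    for action in actions:
        ref, approved = action.get("ref", ""), action.get("approved_refs", [])
        if ref not in approved:
            findings.append(f"ci action {action.get('name')}: ref {ref!r} is not an approved stable ref {approved}")
    return findings


def verify(truth, policy):
    """Fail closed: malformed input or any finding yields status 'fail'."""
    families = truth.get("runtime_families") if isinstance(truth, dict) else None
    if not isinstance(families, dict) or not families:
        return {"status": "fail", "findings": ["runtime_families missing or empty"]}
    findings = []
    for name, fam in families.items():
        findings += check_family(name, fam if isinstance(fam, dict) else {}, policy)
    findings += check_ci_actions(truth.get("ci_actions", []))
    return {"status": "fail" if findings else "pass", "findings": findings}


# Constructed sample data (placeholder digests, not real images or contracts).
GOOD_DIGEST = "sha256:" + "a" * 64
POSTGRES = {
    "current_version": "16.3", "target_version": "16.4", "allowed_version_range": ">=16.3,<17",
    "pinning_posture": "digest", "compatibility_window_ref": "contracts/postgres-compat.json",
    "preflight_assertion_refs": ["assertions/pg-preflight.json"],
    "postdeploy_assertion_refs": ["assertions/pg-postdeploy.json"],
    "rollback_contract_ref": "contracts/pg-rollback.json",
    "evidence_contract_ref": "contracts/pg-evidence.json",
    "image_ref": "docker.io/library/postgres@" + GOOD_DIGEST,
}
REDIS = {k: v for k, v in POSTGRES.items() if k != "rollback_contract_ref"}  # drifted family
REDIS.update(current_version="latest", image_ref="docker.io/library/redis:latest")
KEYCLOAK = {**POSTGRES, "current_version": "latest", "pinning_posture": "external-owner",
            "image_ref": "quay.io/keycloak/keycloak:latest"}  # foreign-owner runtime
CHECKOUT = {"name": "actions/checkout", "ref": "actions/checkout@" + "b" * 40,
            "approved_refs": ["actions/checkout@" + "b" * 40]}
SETUP_PY = {"name": "actions/setup-python", "ref": "actions/setup-python@main",
            "approved_refs": ["actions/setup-python@" + "c" * 40]}
SAMPLE_TRUTH = {"runtime_families": {"postgres": POSTGRES, "redis": REDIS, "keycloak": KEYCLOAK},
                "ci_actions": [CHECKOUT, SETUP_PY]}
CLEAN_TRUTH = {"runtime_families": {"postgres": POSTGRES}, "ci_actions": [CHECKOUT]}
SAMPLE_POLICY = {"external_owner_exceptions": {"keycloak": "owner: identity team (ref redacted)"}}

if __name__ == "__main__":
    report = verify(SAMPLE_TRUTH, SAMPLE_POLICY)
    print(json.dumps(report, indent=2))
    sys.exit(0 if report["status"] == "pass" else 1)  # non-zero exit keeps CI fail-closed
```

Run as-is, the sample fails with five findings: four against redis (missing rollback contract, floating current_version, floating image_ref, and a digest posture with no digest) and one against the setup-python action ref; keycloak's floating refs pass only because the policy declares the exception, and dropping that policy surfaces them. The exit code, not the printed report, is what a CI lane should key on.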

License notice: AGPLv3 (GNU Affero General Public License v3.0)
Website: https://helpifyr.com