OSS Inventory

jhf-tenter is the owner-repo for its repo-local OSS inventory and upgrade truth. That owner truth is still governed by Fabric contracts. We do not invent a second central policy lane beside Fabric, but we do publish repo-owned machine-readable OSS truth for the components this repository actually owns.

Canonical Upstream Governance

helpifyr-fabric remains the canonical governance and stack-truth owner for the shared OSS upgrade contract family consumed by this repository:

  • contracts/platform/platform_version_truth.json
  • contracts/platform/platform_projection_catalog.json
  • contracts/platform/platform_oss_upgrade_governance_v1.json
  • contracts/platform/platform_oss_upgrade_compatibility_matrix_v1.json
  • contracts/platform/platform_oss_upgrade_evidence_contract_v1.json
  • contracts/platform/helpifyr_stack_module_identity_v1.json
  • contracts/platform/stack_tool_oss_inventory_directory.json
  • contracts/platform/platform_oss_upgrade_adoption_roles_v1.json
  • docs/contracts/HELPIFYR_PLATFORM_OSS_UPGRADE_GOVERNANCE.md
  • docs/contracts/HELPIFYR_STACK_MODULE_IDENTITY.md
  • docs/contracts/HELPIFYR_STACK_TOOL_OSS_INVENTORY_DIRECTORY.md
  • docs/contracts/HELPIFYR_PLATFORM_OSS_UPGRADE_ADOPTION.md

Fabric governs:

  • stack membership
  • compatibility windows
  • evidence contract family
  • release-contract and versioning gate surfaces

jhf-tenter owns:

  • the repo-local machine-readable OSS inventory for its own runtime and CI components
  • the repo-local current/target/pinning posture for those owned components
  • the repo-local fail-closed verifier that proves this truth still matches the checked-in sources

Machine-Readable Owner Truth

Canonical repo-local sources:

  • maintenance/oss-inventory.json
  • maintenance/oss-version-truth.json
  • maintenance/oss-upgrade-policy.json
  • maintenance/oss-upgrade-evidence-truth.json

These files are repo-owned machine-readable OSS truth. They are not prose-only notes, and they must not drift into a second global control plane. They only describe jhf-tenter-owned components under Fabric governance.

Repo-Owned Component Families

The current owner scope is intentionally small and explicit:

  • runtime.asterisk_ari.image
  • runtime.softphone_agent_bridge.image
  • runtime.asterisk_gui.image
  • ci.actions.checkout
  • ci.actions.upload_artifact
  • ci.smoke.python_dependencies

For each repo-owned component, the local truth must publish:

  • current_version
  • target_version
  • allowed_version_range
  • pinning_posture
  • compatibility_window_ref
  • preflight_assertion_refs
  • postdeploy_assertion_refs
  • rollback_contract_ref
  • evidence_contract_ref

Explicit Current Pins

Current admitted pins:

  • andrius/asterisk@sha256:e1f8d413975b6634bcc27479b6d821f76e2edae89652121ec5240f945a5a977c
  • python:3.12-alpine@sha256:236173eb74001afe2f60862de935b74fcbd00adfca247b2c27051a70a6a39a2d
  • actions/[email protected]
  • actions/[email protected]
  • PyYAML==6.0.3
  • jsonschema==4.26.0

Fail-Closed Rules

  • no prose-only upgrade truth
  • no latest without explicit policy
  • no major-only CI action refs
  • no unpinned smoke dependency installs
  • no green status when rollback or evidence refs are missing
  • no green status when Fabric governance refs disappear
  • no local shadow truth beside Fabric governance

If required owner fields or Fabric governance refs are missing, verification must fail closed.
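
The following Python example is added here and is not the repository's scripts/ci/verify_oss_version_truth.py. It applies the required-field list and the fail-closed pin rules above to a constructed inventory; the layout keys (components, kind, pins, fabric_governance_refs) and the accepted pin grammars are assumptions, not the project's schema.

```python
import re
import sys

# Required per-component fields, exactly as listed on this page.
REQUIRED_FIELDS = (
    "current_version", "target_version", "allowed_version_range",
    "pinning_posture", "compatibility_window_ref", "preflight_assertion_refs",
    "postdeploy_assertion_refs", "rollback_contract_ref", "evidence_contract_ref",
)
# Assumed pin grammars: image by digest, action by full tag or commit SHA, pip by ==.
PIN_RULES = {
    "image": re.compile(r"^[\w./-]+(:[\w.-]+)?@sha256:[0-9a-f]{64}$"),
    "action": re.compile(r"^[\w.-]+/[\w.-]+@(v?\d+\.\d+\.\d+|[0-9a-f]{40})$"),
    "pip": re.compile(r"^[A-Za-z0-9_.-]+==\d+(\.\d+)*$"),
}

def check_pin(kind, pin):
    """Return a finding string, or None when the pin is exact."""
    rule = PIN_RULES.get(kind)
    if rule is None:
        return f"unknown pin kind {kind!r}"
    ok = isinstance(pin, str) and rule.match(pin)
    return None if ok else f"{kind} pin {pin!r} is not an exact pin"

def verify(inventory):
    """Collect findings; an empty list is the only green result."""
    findings = []
    if not inventory.get("fabric_governance_refs"):
        findings.append("fabric governance refs missing")
    components = inventory.get("components") or {}
    if not components:
        findings.append("no components declared")
    for cid, comp in components.items():
        # Absent, None, "" and [] all count as missing.
        findings += [f"{cid}: missing {f}" for f in REQUIRED_FIELDS if not comp.get(f)]
        for pin in comp.get("pins") or [None]:  # no pins at all is a finding too
            if (problem := check_pin(comp.get("kind"), pin)):
                findings.append(f"{cid}: {problem}")
    return findings

# Constructed sample, not the repository's real inventory file.
REFS = {f: "ref:constructed" for f in REQUIRED_FIELDS}
SAMPLE = {"fabric_governance_refs": ["constructed-ref"], "components": {
    "runtime.asterisk_ari.image": {**REFS, "kind": "image", "pins": ["andrius/asterisk:latest"]},
    "ci.actions.checkout": {**REFS, "rollback_contract_ref": "", "kind": "action", "pins": ["actions/checkout@v4"]},
    "ci.smoke.python_dependencies": {**REFS, "kind": "pip", "pins": ["PyYAML==6.0.3", "jsonschema==4.26.0"]},
}}

if __name__ == "__main__":
    sys.exit("\n".join(verify(SAMPLE)) or 0)  # any finding -> non-zero exit status
```

Run against the constructed sample, it reports the latest image tag, the major-only action ref and the empty rollback ref, and exits non-zero.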

Live Fabric Readback Surfaces

The owner verifier still reads the canonical Fabric surfaces instead of inferring shared policy locally:

  • GET /api/v1/platform/version-truth
  • GET /api/v1/platform/projection-catalog
  • GET /api/v1/platform/tool-oss-inventory-directory
  • GET /api/v1/updates/compatibility-matrix
  • GET /api/v1/tools/versioning-contracts
  • GET /api/v1/tools/release-contracts/jhf-tenter
  • GET /api/v1/docs/module-inventory

These surfaces are used for governance and readback. They do not replace the repo-owned machine-readable truth for the components listed above.

Verify Path

Run:

python3 scripts/ci/verify_oss_version_truth.py
python3 scripts/ci/verify_oss_version_truth.py --fabric-base-url http://<internal-runtime-redacted>:28080
python3 scripts/ci/verify_repo.py

The first command validates the repo-owned machine-readable owner truth against the checked-in sources. The second command confirms that the required Fabric governance and readback surfaces are live on <internal-runtime-redacted>. The third command enforces the same owner contract in the standard repo gate.

Non-goals

  • no replacement of Fabric governance or stack truth
  • no central OSS version policy for other repositories
  • no runtime mutation from this document
  • no credentials or secrets in inventory artifacts or evidence

License

AGPLv3. Learn more at helpifyr.com.