docs(roadmap): refresh 2026-05-01 — Green Security Baseline + Q6 progress #110
Merged
michelbr84 merged 2 commits into main from May 1, 2026
…ress

Adds §1.5 capturing what changed since 2026-04-13 without rewriting the baseline §1. Updates §7 "Próximos passos imediatos" to reflect the post-sprint priority order.

§1.5 covers:

* Sprint umbrella GAR-486 (PRs #104..#108) with per-PR commit hashes.
* Metric deltas: secret-scanning 1→0, Dependabot 20→7, CodeQL ~90→71 (paths-ignore-driven, not triage), default-setup not-configured, continue-on-error reductions per Lote 2/4.
* GAR-491 (Wave 2) in flight via PR #109 with the REST-dismissal + versioned-ledger mechanism — links to the new ledger artifacts.
* GAR-490 (Wave 1) Backlog with the `validate_skill_name` + `sanitise_key` (single-segment) + `set_config` plan-of-attack noted so future sessions can pick up without context loss.
* Q6 mutation-testing progress: GAR-436 baseline 85.04% → 90.78% killed (PR #94), GAR-463 Q6.1 ✅, GAR-468 Q6.6 ✅, GAR-469 Q6.7 ✅, GAR-481 Q6.8 (Node 24 migration) ✅.
* CI Lote 2 (GAR-438) + Lote 4 (GAR-443 data-testid convention) as durable infrastructure improvements.

§7 prioritization now leads with closing GAR-491 → GAR-490 → GAR-486 before the Phase 3.4 OpenAPI work resumes; older bullets re-numbered.

Linear: GAR-486 (umbrella) — refresh, no status change.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Coverage Report (cargo-llvm-cov)
The original §1.5 line said "~90 → 71" inheriting that number from the GAR-486 umbrella description (where it was a projection of the paths-ignore effect). Empirical measurement via `gh api .../code-scanning/alerts?state=open --paginate | length` at session start (2026-05-01, Phase 0) returned 90, not 71 — paths-ignore changes the scanning surface but does NOT reduce the open count of pre-existing alerts. The post-GAR-491 measurement is 84 (90 − 6 dismissals from PR #109).

This commit replaces the inherited projection with the verified numbers and explains the discrepancy honestly so the umbrella's "~90 → 71" is no longer mismatched against the ROADMAP without context.

Linear: GAR-486 — same source as the discrepancy; consider amending the umbrella description or marking the projected "71" as not-materialized in a follow-up comment.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Docs-only refresh of `ROADMAP.md`. Captures what changed between 2026-04-13 (last header update) and 2026-05-01 without rewriting
the §1 baseline. Adds §1.5 as an incremental snapshot and re-orders §7
"Próximos passos imediatos" to lead with the open security sub-issues.
This PR can merge in parallel with the GAR-491 PR (#109) — the two do not touch the same files.
Recommended merge order: PR #110 first (this — docs-only, no dependencies), then PR #109 (GAR-491). That way `main` carries an up-to-date roadmap before any further security work.
What's in §1.5 (new)
* `paths-ignore` changes the scanning surface and does NOT reduce the open count of pre-existing alerts. Commit fe6725d corrects this honestly.
* `not-configured`
* `continue-on-error` reduced (GAR-438 Lote 2 + GAR-443 Lote 4)
* e2e/playwright jobs; GAR-443 (Lote 4) introduced the admin Playwright `data-testid` convention.
What's in §7 (re-ordered)
Old §7 led with Phase 3.4 OpenAPI. New §7 leads with closing GAR-491 → GAR-490 → GAR-486 because those are the active security sub-issues that block the umbrella from going to Done. Phase 3.4 is now item #2; Q6 follow-ups item #3; ADR 0004 / Phase 3.5 (already partially delivered via GAR-394/395) item #4; CredentialVault final (GAR-291) item #5.
What's NOT in this PR
Test plan
`git diff --stat` — 1 file changed, 64 insertions (+), 7 deletions (-) (after fe6725d correction).
Linear
Policy guardrails
🤖 Generated with Claude Code