[Program] v0.1.4 residual security, warning, and brand-design follow-through

[seonghobae]

현재 역할

• 직무 / O0: v0.1.4 release-readiness stabilization
• 업무 / O1: residual security, warning, and brand/design follow-through coordination
• 과업 / O2~O3: keep remaining upstream-owned security exceptions, warning cleanup, stale queue disposition, and brand/design successor work connected to current code
• 작업 / O4~O7: evidence capture, root-cause PRs, review/check gates, post-merge validation, follow-up issue execution

현재 상태

• [Security] Post-#192 default-branch PR queue stabilization and dependency gate closure #194, [Security] Remove actions/download-artifact Buffer deprecation warning #199, and [Security] Remove build-baseline download-artifact Buffer exposure #201 are closed predecessors for default-branch warning/security stabilization.
• [Security] Track upstream-owned glib 0.18.5 RustSec exception #196 remains open for upstream-owned glib 0.18.5 / RUSTSEC-2024-0429.
• Current develop post-Harden release artifact extraction #202 gates passed at a328295.
• Residual CI warning strings include repo-controlled Git default-branch init hints and externally-owned/tool-output strings.
• Brand/design assets exist in @Branding and @brand_assets and need staged application to the desktop shell without adding remote assets.

현재 코드 기준 유효성

• docs/security/dependency-policy.md requires dependency review, audits, SBOM, SHA-pinned actions, and narrow exceptions only.
• docs/security/app-security.md treats files, URLs, subprocesses, IPC, WebView, logs, and exports as untrusted boundaries.
• docs/brand-story.md requires practical, rehearsal-first, non-authoritative UX copy and design.
• ARCHITECTURE.md identifies the app as a local-first Windows/macOS desktop app, not AKS production infrastructure.

상위/하위/인접 관계

• Predecessors: [Security] Post-#192 default-branch PR queue stabilization and dependency gate closure #194, [Security] Remove actions/download-artifact Buffer deprecation warning #199, [Security] Remove build-baseline download-artifact Buffer exposure #201, PR Harden Scorecard artifact extraction #200, PR Harden release artifact extraction #202.
• Active blocker/tracker: [Security] Track upstream-owned glib 0.18.5 RustSec exception #196, blocked on upstream Tauri/wry/webkit2gtk/gtk moving off vulnerable glib.
• Child work: residual warning/deprecation/notice inventory, first CI warning root-cause PR, app-security URL/subprocess redaction follow-up, brand/design desktop follow-up.
• Related historical design validation: Verify rehearsal console UI after PR #177 lands on default develop #183 / PR feat(ui): finalize rehearsal console redesign #177.
• Related stale queue item: Orchestrate PR #159 Rollout: Diagnostics, Fixes, and AKS Production Deployment #160 should be corrected or closed as historical because BandScope is local-first desktop.

Canonical sequence

1. Fix the smallest repo-controlled warning root cause: Git init default-branch hints before checkout.
2. Keep [Security] Track upstream-owned glib 0.18.5 RustSec exception #196 refreshed with upstream owner-chain evidence until patched.
3. Create and execute app-security follow-up for YouTube/Python subprocess error redaction.
4. Apply first brand/design shell alignment PR, then split broader feature/navigation/export work into v0.1.5.
5. Re-check GitHub Checks, robot reviewer state, and post-merge develop health after every PR.

완료 조건

• Residual warning/deprecation/notice issue has root-cause classification and one implemented PR slice.
• [Security] Track upstream-owned glib 0.18.5 RustSec exception #196 remains current and narrowly scoped.
• Brand/design follow-up is captured with milestone and acceptance criteria.
• Required GitHub Checks pass on every merged slice.
• Robot reviewer approval or authoritative skip evidence is used for merge; no human-review wait is introduced.

Security Notes

• Untrusted inputs: GitHub Actions logs, workflow config, URLs, files, IPC payloads, export data, brand reference assets.
• Trust boundaries: CI runner setup, dependency/toolchain supply chain, desktop UI rendering, Python subprocess boundary.
• Safe failure: warning guards should fail closed in repo-controlled checks; external platform warnings should be tracked instead of hidden.
• Logging/privacy: no raw file paths, URLs, downloader exceptions, or project payloads should be added to user-facing logs.
• Test points: verify_supply_chain.py, security_gates.py, targeted unit tests, CI required checks, post-merge log scans.

[coderabbitai]

🔗 Related PRs

#53 - feat: add local analysis orchestration [merged]
#81 - chore: patch npm audit vulnerabilities and restore canonical docs [merged]
#190 - fix: enforce OSSF Scorecard publish constraints [merged]
#191 - fix: patch rust dependency advisory ownership [merged]
#197 - Close Rust advisory owner-chain gaps [merged]

---

📝 Issue Planner

_{Check the box below or use the @coderabbitai plan command to generate an implementation plan and prompts that you can use with your favorite coding assistant.}

• Create Plan

---

🧪 Issue enrichment is currently in open beta.

You can configure auto-planning by selecting labels in the issue_enrichment configuration.

To disable automatic issue enrichment, add the following to your .coderabbit.yaml:

issue_enrichment:
  auto_enrich:
    enabled: false

💬 Have feedback or questions? Drop into our discord!

[seonghobae]

Stepwise follow-through discovered a post-merge blocker for the #204/#207 warning-cleanup slice.

• New child/blocker issue: [Security] Fix OSSF Scorecard global env regression after checkout guard #208
• Root cause: OSSF Scorecard rejects workflows with top-level env/defaults, while Prevent checkout default-branch warnings #207 added global GIT_CONFIG_* to suppress Git initial-branch warnings before checkout.
• Execution plan: move the guard to each OSSF checkout step only, keep workflow-level guard for normal workflows, add policy tests, open Draft PR, pass robot/check gates, merge, then validate develop Scorecard.

This keeps #205 and #206 sequenced after the warning/security gate is clean.

[seonghobae]

Program follow-through is complete against the current v0.1.4 residual scope.

Completed slices:

• Warning/root-cause slice: [Security] Fix OSSF Scorecard global env regression after checkout guard #208 closed by PR Fix OSSF Scorecard checkout guard placement #302.
• App-security YouTube/subprocess redaction follow-up: [Security] Align Python YouTube boundary and redact downloader errors #205 closed by PR Redact YouTube downloader errors #303.
• Brand/design desktop shell follow-up: [Design] Apply BandScope brand story to desktop shell follow-ups #206 closed by PR fix: apply BandScope desktop shell branding #304.
• Upstream-owned glib exception: [Security] Track upstream-owned glib 0.18.5 RustSec exception #196 remains open and current with refreshed owner-chain evidence; it is blocked on the Tauri/wry/webkit2gtk/gtk stack moving off glib 0.18.x or patching to glib >=0.20.0.

Verification used for the merged slices included required GitHub checks plus robot reviewer gates; local harness coverage was captured before each PR.

Security Notes

• [Security] Track upstream-owned glib 0.18.5 RustSec exception #196 remains the narrow active security exception tracker rather than being folded into this program issue.
• Follow-up slices kept file paths, downloader exceptions, and project/export payloads out of user-facing logs and exports.
• No remote runtime asset path was added for the desktop brand shell work.