From 4de772a7707da50d6ee4abe6e51f947bbba03b89 Mon Sep 17 00:00:00 2001
From: Albert Mavashev
Date: Sat, 2 May 2026 16:51:27 -0400
Subject: [PATCH] docs(profile): add OpenSSF Scorecard badge to trust-signal row
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Live badge from api.scorecard.dev for cycles-server (the reference impl).
Currently 7.4/10. Auto-updates on every Scorecard scan (push to main,
branch protection changes, weekly).

This badge surfaces an independent third-party security signal alongside
the existing License / Release / CI / Coverage row. Together they cover:
license + active shipping + tested + well-tested + audited supply chain.

Background:
- All 13 high-value runcycles repos now run the Scorecard workflow
- cycles-server hardened from 6.1 → 7.4 via SHA pinning (PR #143),
  permission tightening (PR #144), Alpine gnutls patch (PR #145)
- The other 12 repos got the same SHA-pin + permissions sweep; their next
  Scorecard scan should land in similar territory

Future improvements that would push this above 8:
- OpenSSF CII Best Practices badge (separate questionnaire submission)
- Branch protection scorecard PAT (currently '-1' Internal Error on
  Branch-Protection check; setting up admin:repo PAT would unblock)
---
 profile/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/profile/README.md b/profile/README.md
index e13c0b3..272c8dd 100644
--- a/profile/README.md
+++ b/profile/README.md
@@ -1,6 +1,6 @@ # Runcycles — Runtime budget and action authority for AI agents -[![License: Apache 2.0](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://github.com/runcycles/.github/blob/main/LICENSE) [![Latest release](https://img.shields.io/github/v/release/runcycles/cycles-server?label=cycles-server&color=00C9A7)](https://github.com/runcycles/cycles-server/releases) [![CI](https://github.com/runcycles/cycles-server/actions/workflows/ci.yml/badge.svg)](https://github.com/runcycles/cycles-server/actions/workflows/ci.yml) [![Coverage](https://img.shields.io/badge/coverage-95%25%2B-brightgreen)](https://github.com/runcycles/cycles-server/blob/main/cycles-protocol-service/pom.xml) +[![License: Apache 2.0](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://github.com/runcycles/.github/blob/main/LICENSE) [![Latest release](https://img.shields.io/github/v/release/runcycles/cycles-server?label=cycles-server&color=00C9A7)](https://github.com/runcycles/cycles-server/releases) [![CI](https://github.com/runcycles/cycles-server/actions/workflows/ci.yml/badge.svg)](https://github.com/runcycles/cycles-server/actions/workflows/ci.yml) [![Coverage](https://img.shields.io/badge/coverage-95%25%2B-brightgreen)](https://github.com/runcycles/cycles-server/blob/main/cycles-protocol-service/pom.xml) [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/runcycles/cycles-server/badge)](https://scorecard.dev/viewer/?uri=github.com/runcycles/cycles-server) **Open-source enforcement layer for AI agent governance: hard limits on cost, risk, and tool actions before LLM agents execute.** Multi-tenant, concurrency-safe, and self-hostable. SDKs for Python, TypeScript, Rust, and Spring Boot; MCP server for Claude Desktop, Cursor, and Windsurf.
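Review bot: the new badge is placed in the org-level profile README but scores only `github.com/runcycles/cycles-server`, and unlike the neighbouring release badge (which carries `label=cycles-server`) nothing in the rendered badge says which repository the 7.4 refers to, so a reader will likely take it as an org-wide score covering all 13 repos mentioned in the commit message. Suggest either a short parenthetical after the badge row ("Scorecard: cycles-server, the reference implementation") or a visible scope note in the alt text, e.g. `[![OpenSSF Scorecard (cycles-server)](https://api.scorecard.dev/projects/github.com/runcycles/cycles-server/badge)]`. Linking to the `scorecard.dev/viewer/?uri=...` page rather than the raw API is the right choice, since the viewer exposes the per-check breakdown, including the Branch-Protection check the message says is currently erroring with '-1'; worth noting in the README or a follow-up that the headline number excludes that check until the PAT is set up, so the badge is not read as a stronger branch-protection assurance than the scan actually provides.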