Workflow health
3 failing repo(s)17 OK · 3 failing · 81 warningsVisibility
59private · 42 publicManifest confirmation
87repos awaiting reconfirmationPending pull requests
4across 4 tracked repos · dependabot: 0, other: 3, release-please: 1Test coverage
—0 of 101 repos reporting · 0 below thresholdShared modules
8tracked extraction itemsPortfolio summary
Owners: VlinderSoftware: 39, blytkerchan: 32, cpp4theselftaught: 5, vln-devsecops: 16, vln-polaris: 9
Visible repos by owner: VlinderSoftware: 10, blytkerchan: 22, cpp4theselftaught: 2, vln-devsecops: 7, vln-polaris: 0
Categories: application: 68, automation: 1, books: 7, devsecops: 6, github-action: 6, infrastructure: 3, org-profile: 1, standards: 1, website: 2, website-app: 1, website-blog: 3, website-tool: 1, workspace: 1
Roles: active-app: 7, active-infra: 2, extract-shared-parts: 9, inventory-reference: 46, migrated: 16, target: 21
Open attention items
- Break up the `doxchange` repository as a separate undertaking.
- Bring all repos across `vln-devsecops`, `VlinderSoftware`, `vln-polaris`, `cpp4theselftaught`, and the in-scope personal namespace up to the agreed compliance baseline: Dependabot for supported ecosystems, lightweight CI where missing, and safe minor/patch Dependabot auto-approval or auto-merge where test coverage supports it.
- Replace the current Python-generated static dashboard with a React frontend built on the same front-end stack as `doxchange`.
- Make sure we have workspace repositories wherever they should exist across the portfolio, including books, blogs/websites, Cloudflare apps, devsecops, and doxchange apps.
- Repair the `utils-system-cleanup` test baseline so the repository can safely enable Dependabot minor/patch auto-merge instead of staying gated on lint-only CI.
- Roll the two-tier npm audit gate (`npm ci`, `npm audit --audit-level=moderate --omit=dev`, and `npm audit --audit-level=critical`) across the remaining Node-based repositories where the baseline is clean enough for it to be a useful CI signal.
- Repos with failing latest workflow runs: vln-devsecops/actions-validate-coverage, VlinderSoftware/paper-event-superschema, VlinderSoftware/cpp-exceptions
- Repos without live API enrichment in this snapshot: vln-devsecops/github-runners, vln-devsecops/utils-system-cleanup, vln-devsecops/icon, vln-devsecops/guidance, vln-devsecops/infra ...
Failing repositories
- completed / failure
- completed / failure
- completed / action_required
Pending pull requests
- release-please
-
other
- other
- other
Per-repo status matrix
Shortcuts: Alt+F focus filter, Alt+Shift+S cycle sort column, Alt+↑/Alt+↓ set sort direction, Alt+R reset view.
| blytkerchan/ampere | application | inventory-reference | dev | unknown unknown |
n/a | none | unknown | no | manifest-only | already archived on GitHub; not-applicable, no action needed unless unarchived |
| blytkerchan/antlr4 | application | active-app | master | unknown no runs |
n/a | none | unknown | no | live | fork of aqssxlzc/antlr4 (a Docker packaging of antlr4), but genuinely diverged - 10 commits ahead of upstream master per the GitHub compare API, so treated as a normal repo per user decision rather than not-applicable triaged into repo-manifest.yml 2026-07-12 as part of the untracked-repo sweep; Dockerfile-only, no .github directory yet - docker ecosystem for Dependabot, needs CI added from scratch; DEPENDABOT_AUTOMERGE_TOKEN not yet provisioned for blytkerchan (known portfolio-wide gap); compliance baseline setup still pending |
| blytkerchan/applied-paranoia.com | website-blog | active-app | dev | green completed / success |
n/a | v20210827-1 | unknown | no | live | static-site infra pattern was extracted to terraform-modules//modules/aws/static_site but the repo is a live production site, not a legacy candidate local infra should eventually migrate to consume the shared module |
| blytkerchan/arxiv-digest | website-app | extract-shared-parts | main | green completed / success |
n/a | none | unknown | no | live | PR PR |
| blytkerchan/authority | application | target | master | unknown unknown |
n/a | none | unknown | no | manifest-only | authority management repository default_branch corrected 2026-07-10 - manifest said main, repo actually uses master (confirmed live via gh api) |
| blytkerchan/blog-copy-editor | website-tool | extract-shared-parts | dev | unknown unknown |
n/a | none | unknown | no | manifest-only | package.json still has stale name/description copied from arxiv-digest ("name": "arxiv-digest") - not fixed here, out of scope for the compliance pass, flagged for the user compliance baseline: Dependabot already present. ci_validate_worker.yml added 2026-07-10 (two-tier npm audit gate + wrangler deploy --dry-run; first run failed on Node 20, fixed to Node 22 for wrangler 4.x, now verified passing) and ci_dependabot_automerge.yml added gating minor/patch only. Partial because (a) DEPENDABOT_AUTOMERGE_TOKEN not yet provisioned for blytkerchan and (b) private repo on GitHub Free, so allow_auto_merge cannot be enabled regardless (accepted gap, see maintenance_notes) |
| blytkerchan/blytkerchan.github.io | website-blog | extract-shared-parts | master | green completed / success |
n/a | none | unknown | no | live | compliance baseline: Dependabot already present. ci_validate_jekyll.yml added 2026-07-10 (verified passing - bundle exec jekyll build) and ci_dependabot_automerge.yml added gating minor/patch only; public repo, so allow_auto_merge could be enabled once DEPENDABOT_AUTOMERGE_TOKEN is provisioned for blytkerchan - no plan-tier blocker here unlike the private repos |
| blytkerchan/boden_experiments | application | inventory-reference | main | unknown unknown |
n/a | none | unknown | no | manifest-only | audio-watermarking experiment scripts (test.py, spread_spectrum.py), no requirements.txt/pyproject.toml or other declared dependency manifest for Dependabot to manage; not-applicable rather than a gap |
| blytkerchan/book-apoptotic-cascade | books | extract-shared-parts | main | unknown unknown |
n/a | none | unknown | no | manifest-only | compliance baseline: Dependabot already present, ci.yml does a full pandoc/LaTeX book build (PDF/DOCX/EPUB/dyslexic PDF), not just lint; ci_dependabot_automerge.yml added 2026-07-10 gating minor/patch only. Partial because (a) DEPENDABOT_AUTOMERGE_TOKEN not yet provisioned for blytkerchan and (b) private repo on GitHub Free, so allow_auto_merge cannot be enabled regardless (accepted gap, see maintenance_notes) |
| blytkerchan/book-cpp4theselftaught | books | extract-shared-parts | main | unknown unknown |
n/a | none | unknown | no | manifest-only | compliance baseline: Dependabot already present, ci.yml does a full pandoc/LaTeX book build (PDF/DOCX/EPUB/dyslexic PDF), not just lint; ci_dependabot_automerge.yml added 2026-07-10 gating minor/patch only. Partial because (a) DEPENDABOT_AUTOMERGE_TOKEN not yet provisioned for blytkerchan and (b) private repo on GitHub Free, so allow_auto_merge cannot be enabled regardless (accepted gap, see maintenance_notes) |
| blytkerchan/book-git4theselftaught | books | inventory-reference | master | unknown unknown |
n/a | none | unknown | no | manifest-only | older tex-based book structure useful as a legacy contrast to the newer automation-heavy books |
| blytkerchan/book-observer | books | extract-shared-parts | main | unknown unknown |
n/a | none | unknown | no | manifest-only | compliance baseline: Dependabot already present, ci.yml does a full pandoc/LaTeX book build (PDF/DOCX/EPUB/dyslexic PDF), not just lint; ci_dependabot_automerge.yml added 2026-07-10 gating minor/patch only. Partial because (a) DEPENDABOT_AUTOMERGE_TOKEN not yet provisioned for blytkerchan and (b) private repo on GitHub Free, so allow_auto_merge cannot be enabled regardless (accepted gap, see maintenance_notes) |
| blytkerchan/book-security4theselftaught | books | inventory-reference | main | unknown unknown |
n/a | none | unknown | no | manifest-only | older tex-based book structure less obviously aligned with the newer pandoc automation stack |
| blytkerchan/books-statemachines | books | inventory-reference | main | unknown unknown |
n/a | none | unknown | no | manifest-only | older tex-based book structure, same pattern as book-security4theselftaught/book-git4theselftaught; no package-manager ecosystem, so Dependabot has nothing to manage here |
| blytkerchan/cppunit | application | inventory-reference | master | unknown no runs |
n/a | none | unknown | no | live | already archived on GitHub; not-applicable, no action needed unless unarchived |
| blytkerchan/crassula | application | inventory-reference | main | unknown unknown |
n/a | none | unknown | no | manifest-only | already archived on GitHub; not-applicable, no action needed unless unarchived |
| blytkerchan/depends | application | inventory-reference | master | unknown no runs |
n/a | none | unknown | no | live | fork of cpp4theselftaught/depends (an in-org repo, already tracked at cpp4theselftaught/depends), zero commits ahead of upstream per the GitHub compare API; not-applicable, no action needed unless it diverges |
| blytkerchan/Dropbox-Uploader | application | active-app | master | unknown no runs |
n/a | v1.0 | unknown | no | live | fork of andreafabrizi/Dropbox-Uploader, genuinely diverged - 1 commit ahead of upstream master (29 behind) per the GitHub compare API, treated as a normal repo per user decision rather than not-applicable triaged into repo-manifest.yml 2026-07-12 as part of the untracked-repo sweep; Dockerfile + Dockerfile.pi, no .github directory yet - docker ecosystem for Dependabot, needs CI added from scratch (bash script, so CI is likely just shellcheck); DEPENDABOT_AUTOMERGE_TOKEN not yet provisioned for blytkerchan (known portfolio-wide gap); compliance baseline setup still pending |
| blytkerchan/halos | application | inventory-reference | i386-kernel | unknown no runs |
n/a | none | unknown | no | live | already archived on GitHub; not-applicable, no action needed unless unarchived |
| blytkerchan/hps-cucumber-typescript | application | inventory-reference | master | unknown no runs |
n/a | none | unknown | no | live | fork of hiptest/hps-cucumber-typescript, already archived and zero commits ahead of upstream per the GitHub compare API; not-applicable, no action needed unless unarchived |
| blytkerchan/hunter-simple | application | inventory-reference | master | unknown no runs |
n/a | none | unknown | no | live | fork of abandonware-pjz37/hunter-simple, zero commits ahead of upstream per the GitHub compare API (unmodified mirror); not-applicable, no action needed unless it diverges |
| blytkerchan/inih | application | inventory-reference | master | unknown no runs |
n/a | r44 | unknown | no | live | fork of benhoyt/inih, zero commits ahead of upstream per the GitHub compare API (unmodified mirror); not-applicable, no action needed unless it diverges |
| blytkerchan/kem-make | application | active-app | dev | green completed / success |
n/a | none | unknown | no | live | POC implementation of the KEM-MAKE protocol; pyproject.toml-based, asn1/doc/features/src layout triaged into repo-manifest.yml 2026-07-12 as part of the untracked-repo sweep; no .github directory yet - needs CI and dependabot.yml added from scratch (pip + github-actions); DEPENDABOT_AUTOMERGE_TOKEN not yet provisioned for blytkerchan (known portfolio-wide gap, see other blytkerchan entries), so automerge will stay unwired until that's done; compliance baseline setup still pending |
| blytkerchan/linux-insides | application | inventory-reference | master | unknown no runs |
n/a | none | unknown | no | live | fork of 0xAX/linux-insides, zero commits ahead of upstream per the GitHub compare API (unmodified mirror); not-applicable, no action needed unless it diverges |
| blytkerchan/miki-state-machine | application | inventory-reference | dev | unknown unknown |
n/a | none | unknown | no | manifest-only | state-machine-driven agent project in OpenClaw; a standalone Python script and shell/yaml config with no declared dependency manifest for Dependabot to manage; not-applicable rather than a gap |
| blytkerchan/papers | application | inventory-reference | main | unknown unknown |
n/a | none | unknown | no | manifest-only | collection of paper/essay drafts (markdown and LaTeX-adjacent text), no package-manager ecosystem; not-applicable rather than a gap |
| blytkerchan/puzzles | application | inventory-reference | main | unknown unknown |
n/a | none | unknown | no | manifest-only | single Jupyter notebook (lewitt_cubes), no declared dependency manifest; not-applicable rather than a gap |
| blytkerchan/react-embed-gist | application | inventory-reference | master | unknown no runs |
n/a | none | unknown | no | live | fork of msaracevic/react-embed-gist, zero commits ahead of upstream per the GitHub compare API (unmodified mirror); not-applicable, no action needed unless it diverges |
| blytkerchan/resume | application | inventory-reference | main | unknown unknown |
n/a | none | unknown | no | manifest-only | single main.tex resume source, no package-manager ecosystem; not-applicable rather than a gap |
| blytkerchan/tf-experiments | application | inventory-reference | main | unknown unknown |
n/a | none | unknown | no | manifest-only | already archived on GitHub; not-applicable, no action needed unless unarchived |
| blytkerchan/vite-aws-app | application | inventory-reference | main | unknown unknown |
n/a | none | unknown | no | manifest-only | already archived on GitHub; not-applicable, no action needed unless unarchived |
| blytkerchan/workspace-books | books | inventory-reference | dev | unknown unknown |
n/a | none | unknown | no | manifest-only | umbrella workspace for book writing useful for finding cross-book automation patterns |
| cpp4theselftaught/cpp4theselftaught.github.io | website-blog | extract-shared-parts | master | green completed / success |
n/a | none | unknown | no | live | compliance baseline: had no Dependabot or CI at all before 2026-07-10, same starting state blytkerchan.github.io was in. Added bundler + github-actions Dependabot, ci_validate_jekyll.yml (bundle exec jekyll build), and ci_dependabot_automerge.yml (pull_request_target from the start). First run failed - Gemfile.lock pins BUNDLED WITH 2.0.2, incompatible with Ruby 3.2 (String#untaint removed) - fixed by patching the pin with sed in the CI checkout only, not the committed lockfile; verified passing after. allow_auto_merge confirmed true, vulnerability alerts/automated security fixes enabled, DEPENDABOT_AUTOMERGE_TOKEN provisioned (new cpp4theselftaught-scoped PAT). Partial pending its own live Dependabot PR to observe an actual merge |
| cpp4theselftaught/depends | application | target | master | green completed / success |
n/a | none | unknown | no | live | CMake/Boost C++ dependency-tracking library compliance baseline: only had a dead .travis.yml before 2026-07-10 (Travis CI stopped being usable for this kind of project long ago; it targeted gcc-4.9 through gcc-7 and clang-3.6 through 5.0, none available anywhere anymore). Replaced with ci_validate_cmake.yml (gcc+clang matrix on ubuntu-latest, cmake --build + ctest), verified passing on both compilers after initializing the exceptions/cmake submodules (both point to other VlinderSoftware repos, same-owner so no cross-repo auth wall). Added github-actions-only Dependabot (no vcpkg/conan manifest) and ci_dependabot_automerge.yml (pull_request_target from the start). allow_auto_merge confirmed true, vulnerability alerts/automated security fixes enabled, DEPENDABOT_AUTOMERGE_TOKEN provisioned (new cpp4theselftaught-scoped PAT). Partial pending its own live Dependabot PR to observe an actual merge |
| cpp4theselftaught/devcontainer | devsecops | target | main | unknown unknown |
n/a | none | unknown | no | manifest-only | compliance baseline: empty scaffold - only a README.md exists, no devcontainer.json/Dockerfile/source yet despite the name. Not-applicable until content lands; revisit then |
| cpp4theselftaught/robot-car | application | migrated | master | unknown unknown |
n/a | none | unknown | yes | manifest-only | robot car project with Raphael compliance baseline: archived - same as actions-autoversion, GitHub blocks vulnerability-alerts/automated-security-fixes API changes on archived repos (422). No action unless unarchived |
| cpp4theselftaught/sudoku-solver | application | migrated | master | unknown unknown |
n/a | none | unknown | yes | manifest-only | compliance baseline: archived - same as actions-autoversion, GitHub blocks vulnerability-alerts/automated-security-fixes API changes on archived repos (422). No action unless unarchived |
| VlinderSoftware/amp | application | inventory-reference | master | unknown unknown |
n/a | none | unknown | no | manifest-only | dormant since 2024-05; 3 open issues but all self-filed 2020 design notes, not external signal. Archived 2026-07-12 per TODO #17 |
| VlinderSoftware/amp-model | application | inventory-reference | master | unknown unknown |
n/a | none | unknown | no | manifest-only | no description, dormant since 2022-03, zero stars/forks/issues; archived 2026-07-12 per TODO #17 |
| VlinderSoftware/app-lector | application | target | dev | unknown unknown |
n/a | none | unknown | no | manifest-only | multi-component app (frontend/lambda/worker/infra), same shape as VlinderSoftware/doxchange compliance baseline: had no Dependabot or CI at all before 2026-07-10. Added Dependabot for all 5 ecosystems (npm/frontend, pip/lambda, pip/worker, pip/tests, terraform/infra, github-actions) and ci_validate_frontend.yml covering only the frontend component for now (type-check + build + vitest, verified passing with npm ci --legacy-peer-deps - @vitejs/plugin-react's published peerDependencies range lags vite 8.x but is actually compatible, confirmed 0 vulnerabilities and clean build/test). npm run lint was left out - no eslint.config.js exists at all, fails outright on ESLint 9's flat-config requirement, a pre-existing gap not papered over here. lambda/worker/infra CI is a follow-up; no automerge yet given how partial coverage still is |
| VlinderSoftware/build-server | application | inventory-reference | master | unknown unknown |
n/a | none | unknown | no | manifest-only | Docker image for a build server, dormant since 2020-12, zero stars/forks/issues; archived 2026-07-12 per TODO #17 |
| VlinderSoftware/buildenv | application | inventory-reference | master | unknown no runs |
n/a | none | unknown | no | live | no description, dormant since 2019-05, zero stars/forks/issues; archived 2026-07-12 per TODO #17 |
| VlinderSoftware/cmake | application | inventory-reference | master | unknown no runs |
n/a | v20160326 | unknown | no | live | shared CMake settings/modules consumed as a git submodule by cpp4theselftaught/depends (and possibly others) - not dormant, despite last being pushed 2020-12 no package-manager ecosystem of its own (just .cmake modules), so Dependabot has nothing to manage here; not-applicable rather than a gap |
| VlinderSoftware/cpp-event-superschema | application | target | dev | green completed / success |
n/a | none | unknown | no | live | C++ implementation of event superschema, linked from workspace-event-superschema compliance baseline: CMake project (no vcpkg/conan manifest), ci.yml exists, dependabot.yml added 2026-07-10 (github-actions only) plus ci_dependabot_automerge.yml (pull_request_target from the start), DEPENDABOT_AUTOMERGE_TOKEN provisioned, allow_auto_merge confirmed true (public repo), vulnerability alerts/automated security fixes enabled. Partial pending its own live Dependabot PR to observe an actual merge |
| VlinderSoftware/cpp-exceptions | application | target | master | failing completed / failure |
n/a | v1.1.0 | unknown | no | live | C++ exception base classes; renamed from VlinderSoftware/exceptions 2026-07-12 per the org naming convention (GitHub redirect in place for the old URL, but cpp4theselftaught/depends' .gitmodules was updated to the new URL directly rather than relying on it) live git submodule dependency of cpp4theselftaught/depends - this is why it got the standard compliance treatment instead of being archived with the rest of the dormant legacy batch |
| VlinderSoftware/cpp-jose | application | migrated | dev | green completed / success |
n/a | none | unknown | no | live | JOSE implementation in modern C++, known consumer of actions-msvc compliance baseline: Dependabot already present (github-actions only), ci.yml exists, ci_dependabot_automerge.yml added 2026-07-10 (pull_request_target from the start), DEPENDABOT_AUTOMERGE_TOKEN provisioned, allow_auto_merge confirmed true (public repo), vulnerability alerts/automated security fixes enabled. Promoted to complete 2026-07-12: PR #19 (actions/checkout 6->7) merged via a genuinely dependabot-triggered automerge run (29134204646, pull_request_target, actor condition passed, conclusion=success) |
| VlinderSoftware/cs-event-superschema | application | target | dev | green completed / success |
n/a | none | unknown | no | live | C# implementation of event superschema, linked from workspace-event-superschema compliance baseline: .NET project (nuget.config), ci.yml exists, dependabot.yml added 2026-07-10 (nuget + github-actions) plus ci_dependabot_automerge.yml (pull_request_target from the start). Real end-to-end proof: PR #2 (coverlet.collector bump) merged automatically via a genuinely dependabot-triggered run (forced with `@dependabot recreate`), confirming both the token and the pull_request_target fix work together. First repo in this batch confirmed complete via an observed run rather than config inspection |
| VlinderSoftware/dnp-authority | application | inventory-reference | master | unknown unknown |
n/a | none | unknown | no | manifest-only | dormant since 2020-07; 1 open issue but it's a self-filed 2020 design note, not external signal. Archived 2026-07-12 per TODO #17 |
| VlinderSoftware/dnp-json-mapping | application | inventory-reference | master | unknown unknown |
n/a | none | unknown | no | manifest-only | DNP application layer to JSON mapping for IIoT, dormant since 2023-09, zero stars/forks/issues; archived 2026-07-12 per TODO #17 |
| VlinderSoftware/dnp3 | application | inventory-reference | 2.0.x | unknown no runs |
n/a | v2.1.0-RC5 | unknown | no | live | fork of dnp3/opendnp3, zero commits ahead of upstream (unmodified mirror), dormant since 2018-03; archived 2026-07-12 per TODO #17 |
| VlinderSoftware/doxchange | application | extract-shared-parts | dev | unknown unknown |
n/a | none | unknown | no | manifest-only | project-owned infra structure is the precedent for app-specific infra boundaries infra directory contains reusable terraform modules and automation worth extracting |
| VlinderSoftware/kem.make | application | inventory-reference | dev | unknown unknown |
n/a | none | unknown | no | manifest-only | KEM.MAKE protocol implementation, last pushed 2025-03; superseded by the newer blytkerchan/kem-make (pushed 2026-07-08, days before this review) - archived 2026-07-12 as superseded rather than for pure dormancy |
| VlinderSoftware/logo | application | inventory-reference | main | unknown unknown |
n/a | none | unknown | no | manifest-only | static logo/brand assets (svg/png/ico/xcf), no package-manager ecosystem and nothing to run CI against; not-applicable rather than a gap |
| VlinderSoftware/mai | application | inventory-reference | master | unknown unknown |
n/a | none | unknown | no | manifest-only | Node-based service framework, dormant since 2022-12, zero stars/forks/issues; archived 2026-07-12 per TODO #17 |
| VlinderSoftware/meta | application | inventory-reference | master | unknown no runs |
n/a | none | unknown | no | live | C++ meta-programming library, dormant since 2016-03, zero stars/forks/issues; archived 2026-07-12 per TODO #17 (reviewed case-by-case with the user, no live consumers found) |
| VlinderSoftware/meta-opendnp3 | application | inventory-reference | master | unknown no runs |
n/a | none | unknown | no | live | Yocto layer for OpenDNP3, dormant since 2017-10, zero stars/forks/issues; archived 2026-07-12 per TODO #17 |
| VlinderSoftware/meta-vlinder | application | inventory-reference | master | unknown unknown |
n/a | none | unknown | no | manifest-only | Yocto layer for Vlinder Software embedded libraries, dormant since 2018-03, zero stars/forks/issues; archived 2026-07-12 per TODO #17 |
| VlinderSoftware/node-cognitojwtvalidator | application | migrated | dev | unknown unknown |
n/a | none | unknown | no | manifest-only | validator for JWT tokens generated by Cognito compliance baseline: same pattern as node-lambdahelpers - fixed and provisioned the same way 2026-07-10 (token swap + secrets: inherit + DEPENDABOT_AUTOMERGE_TOKEN secret). Capped at partial - private repo on GitHub Free, allow_auto_merge cannot be enabled (accepted gap, see maintenance_notes) |
| VlinderSoftware/node-dynamodbwrapper | application | migrated | dev | unknown unknown |
n/a | none | unknown | no | manifest-only | wrapper (in TypeScript) for Node for AWS DynamoDB compliance baseline: same pattern as node-lambdahelpers - fixed and provisioned the same way 2026-07-10 (token swap + secrets: inherit + DEPENDABOT_AUTOMERGE_TOKEN secret). Capped at partial - private repo on GitHub Free, allow_auto_merge cannot be enabled (accepted gap, see maintenance_notes) |
| VlinderSoftware/node-event-superschema | application | target | dev | green completed / success |
n/a | none | unknown | no | live | Node.js implementation of event superschema, linked from workspace-event-superschema compliance baseline: had no Dependabot or CI at all before 2026-07-10. Added npm + github-actions Dependabot, ci_validate_node.yml (build+test hard gate, verified passing; npm audit non-blocking since the prod dependency tree already has unresolved vulnerabilities via node-jose/node-forge/lodash/fast-uri/ajv, not a CI regression) and ci_dependabot_automerge.yml (pull_request_target from the start). allow_auto_merge confirmed true, DEPENDABOT_AUTOMERGE_TOKEN provisioned, vulnerability alerts/automated security fixes enabled. Promoted to complete 2026-07-12: multiple genuinely dependabot-triggered automerge runs observed (pull_request_target, actor condition passed, conclusion=success) across PRs #1-#11, e.g. run 29137724478 on dependabot/npm_and_yarn/uuid-14.0.0; test coverage is still uneven (JWE/JWS paths at 0%), same caveat as utils-system-cleanup, but that's a test-quality gap not a compliance-baseline one |
| VlinderSoftware/node-lambdahelpers | application | migrated | dev | unknown unknown |
n/a | none | unknown | no | manifest-only | helpers for AWS Lambda compliance baseline: Dependabot already present, full CI (build/eslint/formatting/unittestcoverage/cicd/deploy); ci_automerge.yml is a reusable (workflow_call) workflow, fixed 2026-07-10 to use secrets.DEPENDABOT_AUTOMERGE_TOKEN, with secrets: inherit added to the caller job in cicd.yml (custom secrets don't reach called workflows otherwise) and the secret provisioned (new VlinderSoftware-scoped PAT). Capped at partial because this is a private repo on GitHub Free, so allow_auto_merge cannot be enabled (accepted gap, see maintenance_notes) |
| VlinderSoftware/node-module-template | devsecops | migrated | main | unknown unknown |
n/a | none | unknown | no | manifest-only | template repo the node-lambdahelpers/node-cognitojwtvalidator/node-dynamodbwrapper/node-permissionvalidator family was cloned from - explains why their CI/automerge workflows are identical compliance baseline: fixed and provisioned 2026-07-10 (token swap + secrets: inherit + DEPENDABOT_AUTOMERGE_TOKEN secret) ahead of its downstream repos, since they likely get re-synced from this template. Capped at partial - private repo on GitHub Free, allow_auto_merge cannot be enabled (accepted gap, see maintenance_notes) |
| VlinderSoftware/node-permissionvalidator | application | migrated | main | unknown unknown |
n/a | none | unknown | no | manifest-only | permission validation repo description on GitHub currently reads "Validator for Cognito JWT tokens" - looks like a copy-paste leftover from node-cognitojwtvalidator, flagged for the user rather than changed here |
| VlinderSoftware/OpenSSLRSAExample | application | inventory-reference | master | unknown no runs |
n/a | none | unknown | no | live | RSA+SHA256+PKCS1 signing example, dormant since 2020-11 (1 star); archived 2026-07-12 per TODO #17 |
| VlinderSoftware/paper-event-superschema | application | target | dev | failing completed / failure |
n/a | none | unknown | no | live | paper and documentation for event superschema; workspace-event-superschema's notes call it "already tracked" as a submodule, but no manifest entry actually existed until now - that note was stale, fixed by this addition triaged into repo-manifest.yml 2026-07-12 as part of the untracked-repo sweep; has paper-requirements.txt (non-standard filename for the pip ecosystem - verify Dependabot actually detects it, may need renaming or an accepted gap) plus a Jupyter notebook and a submodule; compliance baseline setup still pending |
| VlinderSoftware/phoenix.ui | application | inventory-reference | main | unknown unknown |
n/a | none | unknown | no | manifest-only | already archived on GitHub; not-applicable, no action needed unless unarchived |
| VlinderSoftware/python-event-superschema | application | target | dev | green completed / success |
n/a | v1.0.0 | unknown | no | live | super-schema support for Python, linked from workspace-event-superschema compliance baseline: pyproject.toml-based project, ci.yml exists, dependabot.yml added 2026-07-10 (pip + github-actions) plus ci_dependabot_automerge.yml (pull_request_target from the start), DEPENDABOT_AUTOMERGE_TOKEN provisioned, allow_auto_merge confirmed true. Mechanism proven end-to-end on the identically-configured cs-event-superschema (PR #2, see its entry), but not yet observed on this specific repo's own live PR (#3 open) - promote to complete once seen merging here too |
| VlinderSoftware/relacy | application | inventory-reference | master | unknown no runs |
n/a | none | unknown | no | live | already archived on GitHub; not-applicable, no action needed unless unarchived |
| VlinderSoftware/research.vlinder.ca | website | inventory-reference | main | unknown no runs |
n/a | none | unknown | no | live | genuinely empty scaffold (LICENSE only, no source yet); not-applicable, revisit if it gets populated |
| VlinderSoftware/rtimdb | application | inventory-reference | master | unknown no runs |
n/a | none | unknown | no | live | real-time in-memory database, dormant since 2020-12, zero stars/forks/issues; archived 2026-07-12 per TODO #17 |
| VlinderSoftware/securitylayer | application | inventory-reference | master | unknown no runs |
n/a | none | unknown | no | live | already archived on GitHub; not-applicable, no action needed unless unarchived |
| VlinderSoftware/sit-tools | application | inventory-reference | master | unknown unknown |
n/a | none | unknown | no | manifest-only | tooling for SIT, dormant since 2020-12, zero stars/forks/issues; archived 2026-07-12 per TODO #17 |
| VlinderSoftware/sitpy | application | inventory-reference | master | unknown unknown |
n/a | none | unknown | no | manifest-only | Python implementation of SIT, dormant since 2023-10, zero stars/forks/issues; archived 2026-07-12 per TODO #17 |
| VlinderSoftware/tools-amp | application | inventory-reference | master | unknown unknown |
n/a | none | unknown | no | manifest-only | AMP tooling, dormant since 2020-07, zero stars/forks/issues; archived 2026-07-12 per TODO #17 |
| VlinderSoftware/vlinder.ca | website | extract-shared-parts | master | unknown unknown |
n/a | none | unknown | no | manifest-only | current deployment extraction candidate is AWS-specific; future Azure or GCP patterns may belong in separate or more generalized automation compliance baseline: had no Dependabot or CI at all before 2026-07-10. Added bundler + npm + github-actions Dependabot ecosystems and ci_validate_jekyll.yml (jekyll build + two-tier npm audit gate; verified passing via a real triggered run). Critical-level audit step is non-blocking - serverless-s3-sync is a deprecated/unsupported package already pulling in a critical-severity transitive vuln (minimist) today, not a regression; a real fix means replacing that dependency, out of scope here. No auto-merge yet - this is a live production site, holding off until the new CI has a track record |
| VlinderSoftware/workspace-event-superschema | application | inventory-reference | dev | green completed / success |
n/a | none | unknown | no | live | umbrella workspace linking cpp-event-superschema, cpp-jose, cs-event-superschema, node-event-superschema, paper-event-superschema (already tracked), and python-event-superschema as submodules, same pattern as blytkerchan/workspace-books compliance baseline: had no Dependabot or CI at all before 2026-07-10. Added github-actions Dependabot and ci_validate_submodules.yml doing a real `submodules: recursive` checkout (verified passing) - confirmed all 6 linked submodules are public, unlike workspace-books, so no cross-repo auth wall applies here. allow_auto_merge confirmed true (public repo), vulnerability alerts/automated security fixes enabled. No automerge planned regardless (reference workspace, not a deployable) |
| vln-devsecops/.github | org-profile | target | main | unknown no runs |
n/a | none | unknown | yes | live | org profile repository for the public-facing organization README and shared org metadata compliance baseline: only LICENSE/README/profile content, no package-manager ecosystem and nothing to run CI against; not-applicable rather than a gap |
| vln-devsecops/actions-autoversion | github-action | migrated | main | green completed / success |
n/a | v1.1.2 / v1.1 / v1 | unknown | yes | live | transferred directly from VlinderSoftware/autoversion old location now redirects to the new repo |
| vln-devsecops/actions-build-paper | github-action | migrated | dev | green completed / success |
n/a | v1.1.3 / v1.1 / v1 | unknown | yes | live | transferred directly from blytkerchan/build-paper old location now redirects to the new repo |
| vln-devsecops/actions-generate-licenses | github-action | migrated | main | green completed / success |
n/a | v1.2.11 / v1.2 / v1 | unknown | yes | live | transferred directly from VlinderSoftware/generate-licenses old location now redirects to the new repo |
| vln-devsecops/actions-msvc | github-action | migrated | dev | green completed / success |
n/a | v1.0.2 / v1.0 / v1 | unknown | yes | live | transferred directly from blytkerchan/devsecops-setup-msvc published action with existing v1 tag line |
| vln-devsecops/actions-validate-coverage | github-action | migrated | main | failing completed / action_required |
n/a | v1.0.18 / v1.0 / v1 | unknown | yes | live | transferred directly from VlinderSoftware/validate-coverage old location now redirects to the new repo |
| vln-devsecops/automation-books | automation | target | dev | unknown unknown |
n/a | none | unknown | no | manifest-only | initialized on dev with lightweight compliance workflows intended home for shared book build and editorial automation |
| vln-devsecops/container-build | devsecops | active-infra | main | unknown unknown |
n/a | none | unknown | no | manifest-only | generic build image (Dockerfile, Dockerfile.add-antlr, Dockerfile.add-pqc), uses release-please and a git submodule (antlr4) triaged into repo-manifest.yml 2026-07-12 as part of the untracked-repo sweep; docker ecosystem for Dependabot, already has a .github directory - inspect existing workflows before adding dependabot.yml/ci_dependabot_automerge.yml; compliance baseline setup still pending |
| vln-devsecops/github-runners | devsecops | active-infra | dev | unknown unknown |
n/a | none | unknown | yes | manifest-only | self-hosted GitHub Actions runner infrastructure (terraform + packer) transferred from VlinderSoftware/devsecops-gha-runner |
| vln-devsecops/guidance | standards | target | main | unknown unknown |
n/a | none | unknown | no | manifest-only | org-wide engineering standards, operational runbooks, and compliance scaffold standards/repo-naming-convention.md — naming convention for all portfolio repos |
| vln-devsecops/icon | github-action | migrated | main | unknown unknown |
n/a | none | unknown | yes | manifest-only | repository for the org icon compliance baseline: just README.md and icon.svg, no package-manager ecosystem and nothing to run CI against; not-applicable rather than a gap |
| vln-devsecops/infra | infrastructure | target | main | unknown unknown |
n/a | none | unknown | yes | manifest-only | org-level AWS infrastructure: GitHub OIDC trust, IAM roles for keyless CI/CD github-oidc/ root module creates OIDC provider and 4 IAM roles |
| vln-devsecops/node-vlinder-auth | devsecops | active-app | main | unknown unknown |
n/a | none | unknown | no | manifest-only | Vlinder-branded Cognito auth UI + vendored Lambda/admin-panel source for the cognito_auth Terraform module triaged into repo-manifest.yml 2026-07-12 as part of the untracked-repo sweep; npm ecosystem (package.json/package-lock.json), already has a .github directory - inspect existing workflows before adding dependabot.yml/ci_dependabot_automerge.yml; compliance baseline setup still pending |
| vln-devsecops/operations | workspace | target | dev | pending in_progress / n/a |
n/a | none | baseline | yes | partial | central devsecops workspace tracks the broader org migration/extraction plan and the org-profile repository |
| vln-devsecops/terraform-modules | infrastructure | target | main | green completed / success |
n/a | v0.17.0 / v0.17 / v0 | unknown | yes | live | intended home for extracted reusable Terraform modules and infra patterns modules at v0.7 (immutable v0.7.0); floating tags v0.7 and v0 current |
| vln-devsecops/utils-system-cleanup | devsecops | migrated | dev | unknown unknown |
n/a | none | unknown | yes | manifest-only | transferred from VlinderSoftware/devsecops-utils-system-cleanup old location now redirects to the new repo |
| vln-polaris/fhcs-simulator | application | active-app | dev | unknown unknown |
n/a | none | unknown | no | manifest-only | simulator of a first-hop controlling station implementing AMP, part of the active Coppice ecosystem compliance baseline: Dependabot already present, full CI (ci/docs/release/security workflows), dependabot-auto-merge.yml fixed 2026-07-10 to use secrets.DEPENDABOT_AUTOMERGE_TOKEN and the secret provisioned (new vln-polaris-scoped PAT); vulnerability alerts/automated security fixes enabled. Capped at partial because this is a private repo on GitHub Free, so allow_auto_merge cannot be enabled (accepted gap, see maintenance_notes) |
| vln-polaris/icon | application | migrated | main | unknown unknown |
n/a | none | unknown | no | manifest-only | just icon.svg plus a generate-icons.yml workflow (apt-installed inkscape/imagemagick, no package.json) that renders PNG/ICO sizes on push compliance baseline: no npm/pip/etc. ecosystem to track (system packages installed via apt, not a Dependabot-supported manifest) - only github-actions Dependabot ecosystem applies, added 2026-07-10. No automerge needed/added (CI is an image-generation pipeline, not a merge gate). vulnerability alerts/automated security fixes enabled; capped at partial because this is a private repo on GitHub Free, so allow_auto_merge is moot here anyway (accepted gap, see maintenance_notes) - though no automerge is planned for this repo regardless |
| vln-polaris/node-coppice-lambdas-audit-fanout | application | target | dev | unknown unknown |
n/a | none | unknown | no | manifest-only | compliance baseline: empty scaffold - only README.md, .gitignore, and .github/copilot-instructions.md exist, no source code or package manifest yet. Not-applicable until code lands; revisit then |
| vln-polaris/node-coppice-lambdas-authorizer | application | target | dev | unknown unknown |
n/a | none | unknown | no | manifest-only | compliance baseline: empty scaffold - only README.md, .gitignore, and .github/copilot-instructions.md exist, no source code or package manifest yet. Not-applicable until code lands; revisit then |
| vln-polaris/node-coppice-lambdas-token-service | application | target | dev | unknown unknown |
n/a | none | unknown | no | manifest-only | compliance baseline: empty scaffold - only README.md, .gitignore, and .github/copilot-instructions.md exist, no source code or package manifest yet. Not-applicable until code lands; revisit then |
| vln-polaris/node-coppice-validate-jwt | application | target | dev | unknown unknown |
n/a | none | unknown | no | manifest-only | compliance baseline: empty scaffold - only README.md, .gitignore, and .github/copilot-instructions.md exist, no source code or package manifest yet. Not-applicable until code lands; revisit then |
| vln-polaris/playwright-coppice-e2e | application | target | dev | unknown unknown |
n/a | none | unknown | no | manifest-only | compliance baseline: empty scaffold - only README.md, .gitignore, and .github/copilot-instructions.md exist, no source code or package manifest yet. Not-applicable until code lands; revisit then |
| vln-polaris/terraform-aws-coppice | infrastructure | active-app | dev | unknown unknown |
n/a | none | unknown | no | manifest-only | canonical infra repo for the Coppice application; not an archive candidate lambda callers migrated to vln-devsecops/terraform-modules//modules/aws/lambda (v0.4); local modules/lambda deleted |
| vln-polaris/workspace-coppice | application | inventory-reference | dev | unknown unknown |
n/a | none | unknown | no | manifest-only | umbrella workspace linking node-coppice-validate-jwt, the 3 node-coppice-lambdas-* repos, playwright-coppice-e2e, and terraform-aws-coppice (already tracked) as submodules, same pattern as blytkerchan/workspace-books all 5 non-terraform submodules are currently empty scaffolds (see their own entries) - nothing substantive to validate here yet |
Operations run history
-
Publish the organization dashboardin_progressschedule · 2026-07-12T03:50:44Z
-
Validate YAML filessuccesspush · 2026-07-12T03:18:29Z
-
Validate YAML filessuccesspush · 2026-07-12T02:43:41Z
-
Validate YAML filessuccesspush · 2026-07-12T01:11:58Z
-
Publish the organization dashboardsuccessschedule · 2026-07-11T21:01:47Z
-
Lint Markdown filesfailurepush · 2026-07-11T18:45:19Z
-
Publish the organization dashboardsuccessschedule · 2026-07-11T17:11:22Z
-
Lint Markdown filessuccesspush · 2026-07-11T16:07:21Z
Adoption and migration view
Migration posture: this snapshot reflects the repo manifest and in-repo TODO list as of 2026-07-12T03:54:02Z. Remaining tracked follow-ups stay explicit in the prompt docs for archive cleanup and the shared Lambda@Edge gap.
The dashboard is intentionally static at publish time. Any richer cross-owner live API enrichment can be added later without changing the hosted security model.