vln-devsecops dashboard

Generated 2026-07-12T10:01:48Z

Tracked repos

101of 40 visible repos across 5 owners · 11 not yet tracked

Workflow health

3 failing repo(s)18 OK · 3 failing · 80 warnings
healthy / warning / failing distribution

Visibility

59private · 42 public
public / private mix

Manifest confirmation

87repos awaiting reconfirmation
confirmed / needs reconfirmation

Pending pull requests

5across 4 tracked repos · dependabot: 1, other: 3, release-please: 1

Test coverage

0 of 101 repos reporting · 0 below threshold

Shared modules

8tracked extraction items

Portfolio summary

Owners: VlinderSoftware: 39, blytkerchan: 32, cpp4theselftaught: 5, vln-devsecops: 16, vln-polaris: 9

Visible repos by owner: VlinderSoftware: 10, blytkerchan: 21, cpp4theselftaught: 2, vln-devsecops: 7, vln-polaris: 0

Categories: application: 68, automation: 1, books: 7, devsecops: 6, github-action: 6, infrastructure: 3, org-profile: 1, standards: 1, website: 2, website-app: 1, website-blog: 3, website-tool: 1, workspace: 1

Roles: active-app: 6, active-infra: 2, extract-shared-parts: 9, inventory-reference: 47, migrated: 16, target: 21

Open attention items

  • Break up the `doxchange` repository as a separate undertaking.
  • Bring all repos across `vln-devsecops`, `VlinderSoftware`, `vln-polaris`, `cpp4theselftaught`, and the in-scope personal namespace up to the agreed compliance baseline: Dependabot for supported ecosystems, lightweight CI where missing, and safe minor/patch Dependabot auto-approval or auto-merge where test coverage supports it.
  • Replace the current Python-generated static dashboard with a React frontend built on the same front-end stack as `doxchange`.
  • Make sure we have workspace repositories wherever they should exist across the portfolio, including books, blogs/websites, Cloudflare apps, devsecops, and doxchange apps.
  • Repair the `utils-system-cleanup` test baseline so the repository can safely enable Dependabot minor/patch auto-merge instead of staying gated on lint-only CI.
  • Roll the two-tier npm audit gate (`npm ci`, `npm audit --audit-level=moderate --omit=dev`, and `npm audit --audit-level=critical`) across the remaining Node-based repositories where the baseline is clean enough for it to be a useful CI signal.
  • Repos with failing latest workflow runs: vln-devsecops/actions-validate-coverage, VlinderSoftware/paper-event-superschema, VlinderSoftware/cpp-exceptions
  • Repos without live API enrichment in this snapshot: vln-devsecops/github-runners, vln-devsecops/utils-system-cleanup, vln-devsecops/icon, vln-devsecops/guidance, vln-devsecops/infra ...

Failing repositories

Pending pull requests

Per-repo status matrix

Shortcuts: Alt+F focus filter, Alt+Shift+S cycle sort column, Alt+↑/Alt+↓ set sort direction, Alt+R reset view.

blytkerchan/ampere application inventory-reference dev unknown
unknown
n/a none unknown no manifest-only already archived on GitHub; not-applicable, no action needed unless unarchived
blytkerchan/antlr4 application active-app master green
completed / success
n/a none unknown no live fork of aqssxlzc/antlr4 (a Docker packaging of antlr4), but genuinely diverged - 10 commits ahead of upstream master per the GitHub compare API, so treated as a normal repo per user decision rather than not-applicable
compliance baseline: had no CI at all, and the Dockerfile's FROM java base image is dead - docker.io/library/java was deprecated/removed from Docker Hub years ago, so the first CI run failed outright with 'not found', not a config issue. Fixed by switching to eclipse-temurin:17-jre (the scripts only need `java -jar`/`java <class>`, no JDK-specific tooling) and adding unzip explicitly (deploy.sh needs it; not guaranteed on the new minimal base) - verified passing after. Added ci_validate_docker.yml (docker build as the lightweight gate) and dependabot.yml (docker + github-actions) plus ci_dependabot_automerge.yml (pull_request_target from the start). allow_auto_merge confirmed true (public repo), vulnerability alerts/automated security fixes enabled. Capped at partial: DEPENDABOT_AUTOMERGE_TOKEN not yet provisioned for blytkerchan at all (known portfolio-wide gap)
blytkerchan/applied-paranoia.com website-blog active-app dev green
completed / success
n/a v20210827-1 unknown no live static-site infra pattern was extracted to terraform-modules//modules/aws/static_site but the repo is a live production site, not a legacy candidate
local infra should eventually migrate to consume the shared module
blytkerchan/arxiv-digest website-app extract-shared-parts main green
completed / success
n/a none unknown no live PR
PR
blytkerchan/authority application target master unknown
unknown
n/a none unknown no manifest-only authority management repository
default_branch corrected 2026-07-10 - manifest said main, repo actually uses master (confirmed live via gh api)
blytkerchan/blog-copy-editor website-tool extract-shared-parts dev unknown
unknown
n/a none unknown no manifest-only package.json still has stale name/description copied from arxiv-digest ("name": "arxiv-digest") - not fixed here, out of scope for the compliance pass, flagged for the user
compliance baseline: Dependabot already present. ci_validate_worker.yml added 2026-07-10 (two-tier npm audit gate + wrangler deploy --dry-run; first run failed on Node 20, fixed to Node 22 for wrangler 4.x, now verified passing) and ci_dependabot_automerge.yml added gating minor/patch only. Partial because (a) DEPENDABOT_AUTOMERGE_TOKEN not yet provisioned for blytkerchan and (b) private repo on GitHub Free, so allow_auto_merge cannot be enabled regardless (accepted gap, see maintenance_notes)
blytkerchan/blytkerchan.github.io website-blog extract-shared-parts master green
completed / success
n/a none unknown no live compliance baseline: Dependabot already present. ci_validate_jekyll.yml added 2026-07-10 (verified passing - bundle exec jekyll build) and ci_dependabot_automerge.yml added gating minor/patch only; public repo, so allow_auto_merge could be enabled once DEPENDABOT_AUTOMERGE_TOKEN is provisioned for blytkerchan - no plan-tier blocker here unlike the private repos
blytkerchan/boden_experiments application inventory-reference main unknown
unknown
n/a none unknown no manifest-only audio-watermarking experiment scripts (test.py, spread_spectrum.py), no requirements.txt/pyproject.toml or other declared dependency manifest for Dependabot to manage; not-applicable rather than a gap
blytkerchan/book-apoptotic-cascade books extract-shared-parts main unknown
unknown
n/a none unknown no manifest-only compliance baseline: Dependabot already present, ci.yml does a full pandoc/LaTeX book build (PDF/DOCX/EPUB/dyslexic PDF), not just lint; ci_dependabot_automerge.yml added 2026-07-10 gating minor/patch only. Partial because (a) DEPENDABOT_AUTOMERGE_TOKEN not yet provisioned for blytkerchan and (b) private repo on GitHub Free, so allow_auto_merge cannot be enabled regardless (accepted gap, see maintenance_notes)
blytkerchan/book-cpp4theselftaught books extract-shared-parts main unknown
unknown
n/a none unknown no manifest-only compliance baseline: Dependabot already present, ci.yml does a full pandoc/LaTeX book build (PDF/DOCX/EPUB/dyslexic PDF), not just lint; ci_dependabot_automerge.yml added 2026-07-10 gating minor/patch only. Partial because (a) DEPENDABOT_AUTOMERGE_TOKEN not yet provisioned for blytkerchan and (b) private repo on GitHub Free, so allow_auto_merge cannot be enabled regardless (accepted gap, see maintenance_notes)
blytkerchan/book-git4theselftaught books inventory-reference master unknown
unknown
n/a none unknown no manifest-only older tex-based book structure
useful as a legacy contrast to the newer automation-heavy books
blytkerchan/book-observer books extract-shared-parts main unknown
unknown
n/a none unknown no manifest-only compliance baseline: Dependabot already present, ci.yml does a full pandoc/LaTeX book build (PDF/DOCX/EPUB/dyslexic PDF), not just lint; ci_dependabot_automerge.yml added 2026-07-10 gating minor/patch only. Partial because (a) DEPENDABOT_AUTOMERGE_TOKEN not yet provisioned for blytkerchan and (b) private repo on GitHub Free, so allow_auto_merge cannot be enabled regardless (accepted gap, see maintenance_notes)
blytkerchan/book-security4theselftaught books inventory-reference main unknown
unknown
n/a none unknown no manifest-only older tex-based book structure
less obviously aligned with the newer pandoc automation stack
blytkerchan/books-statemachines books inventory-reference main unknown
unknown
n/a none unknown no manifest-only older tex-based book structure, same pattern as book-security4theselftaught/book-git4theselftaught; no package-manager ecosystem, so Dependabot has nothing to manage here
blytkerchan/cppunit application inventory-reference master unknown
no runs
n/a none unknown no live already archived on GitHub; not-applicable, no action needed unless unarchived
blytkerchan/crassula application inventory-reference main unknown
unknown
n/a none unknown no manifest-only already archived on GitHub; not-applicable, no action needed unless unarchived
blytkerchan/depends application inventory-reference master unknown
no runs
n/a none unknown no live fork of cpp4theselftaught/depends (an in-org repo, already tracked at cpp4theselftaught/depends), zero commits ahead of upstream per the GitHub compare API; not-applicable, no action needed unless it diverges
blytkerchan/Dropbox-Uploader application inventory-reference master unknown
no runs
n/a v1.0 unknown no live fork of andreafabrizi/Dropbox-Uploader, was genuinely diverged (1 commit ahead of upstream master) but archived 2026-07-12 per user decision rather than onboarded; not-applicable, no action needed unless unarchived
blytkerchan/halos application inventory-reference i386-kernel unknown
no runs
n/a none unknown no live already archived on GitHub; not-applicable, no action needed unless unarchived
blytkerchan/hps-cucumber-typescript application inventory-reference master unknown
no runs
n/a none unknown no live fork of hiptest/hps-cucumber-typescript, already archived and zero commits ahead of upstream per the GitHub compare API; not-applicable, no action needed unless unarchived
blytkerchan/hunter-simple application inventory-reference master unknown
no runs
n/a none unknown no live fork of abandonware-pjz37/hunter-simple, zero commits ahead of upstream per the GitHub compare API (unmodified mirror); not-applicable, no action needed unless it diverges
blytkerchan/inih application inventory-reference master unknown
no runs
n/a r44 unknown no live fork of benhoyt/inih, zero commits ahead of upstream per the GitHub compare API (unmodified mirror); not-applicable, no action needed unless it diverges
blytkerchan/kem-make application active-app dev green
completed / success
n/a none unknown no live POC implementation of the KEM-MAKE protocol; pyproject.toml-based, asn1/doc/features/src layout
compliance baseline: had no CI at all. Added ci_validate_python.yml running pytest src/ -v (verified passing, including test_crypto_backend.py's ML-KEM round-trip test - confirmed empirically that ubuntu-latest's cryptography==49.0.0 wheel does have a working PQC backend). Deliberately left behave features/ out of the CI gate: many scenarios are StepNotImplementedError (spec written ahead of implementation for this active POC, not broken steps) - promote to CI once feature/step coverage is more complete. dependabot.yml (pip + github-actions) added with cryptography excluded entirely from automated updates - pyproject.toml pins it to an exact release (==49.0.0, not >=) specifically because that's the release line whose wheels bundle a PQC-capable OpenSSL, and a bump needs a human to re-verify that, not an automated merge. ci_dependabot_automerge.yml added (pull_request_target from the start), allow_auto_merge confirmed true (public repo), vulnerability alerts/automated security fixes enabled. Capped at partial: DEPENDABOT_AUTOMERGE_TOKEN not yet provisioned for blytkerchan at all (known portfolio-wide gap, see other blytkerchan entries)
blytkerchan/linux-insides application inventory-reference master unknown
no runs
n/a none unknown no live fork of 0xAX/linux-insides, zero commits ahead of upstream per the GitHub compare API (unmodified mirror); not-applicable, no action needed unless it diverges
blytkerchan/miki-state-machine application inventory-reference dev unknown
unknown
n/a none unknown no manifest-only state-machine-driven agent project in OpenClaw; a standalone Python script and shell/yaml config with no declared dependency manifest for Dependabot to manage; not-applicable rather than a gap
blytkerchan/papers application inventory-reference main unknown
unknown
n/a none unknown no manifest-only collection of paper/essay drafts (markdown and LaTeX-adjacent text), no package-manager ecosystem; not-applicable rather than a gap
blytkerchan/puzzles application inventory-reference main unknown
unknown
n/a none unknown no manifest-only single Jupyter notebook (lewitt_cubes), no declared dependency manifest; not-applicable rather than a gap
blytkerchan/react-embed-gist application inventory-reference master unknown
no runs
n/a none unknown no live fork of msaracevic/react-embed-gist, zero commits ahead of upstream per the GitHub compare API (unmodified mirror); not-applicable, no action needed unless it diverges
blytkerchan/resume application inventory-reference main unknown
unknown
n/a none unknown no manifest-only single main.tex resume source, no package-manager ecosystem; not-applicable rather than a gap
blytkerchan/tf-experiments application inventory-reference main unknown
unknown
n/a none unknown no manifest-only already archived on GitHub; not-applicable, no action needed unless unarchived
blytkerchan/vite-aws-app application inventory-reference main unknown
unknown
n/a none unknown no manifest-only already archived on GitHub; not-applicable, no action needed unless unarchived
blytkerchan/workspace-books books inventory-reference dev unknown
unknown
n/a none unknown no manifest-only umbrella workspace for book writing
useful for finding cross-book automation patterns
cpp4theselftaught/cpp4theselftaught.github.io website-blog extract-shared-parts master green
completed / success
n/a none unknown no live compliance baseline: had no Dependabot or CI at all before 2026-07-10, same starting state blytkerchan.github.io was in. Added bundler + github-actions Dependabot, ci_validate_jekyll.yml (bundle exec jekyll build), and ci_dependabot_automerge.yml (pull_request_target from the start). First run failed - Gemfile.lock pins BUNDLED WITH 2.0.2, incompatible with Ruby 3.2 (String#untaint removed) - fixed by patching the pin with sed in the CI checkout only, not the committed lockfile; verified passing after. allow_auto_merge confirmed true, vulnerability alerts/automated security fixes enabled, DEPENDABOT_AUTOMERGE_TOKEN provisioned (new cpp4theselftaught-scoped PAT). Partial pending its own live Dependabot PR to observe an actual merge
cpp4theselftaught/depends application target master green
completed / success
n/a none unknown no live CMake/Boost C++ dependency-tracking library
compliance baseline: only had a dead .travis.yml before 2026-07-10 (Travis CI stopped being usable for this kind of project long ago; it targeted gcc-4.9 through gcc-7 and clang-3.6 through 5.0, none available anywhere anymore). Replaced with ci_validate_cmake.yml (gcc+clang matrix on ubuntu-latest, cmake --build + ctest), verified passing on both compilers after initializing the exceptions/cmake submodules (both point to other VlinderSoftware repos, same-owner so no cross-repo auth wall). Added github-actions-only Dependabot (no vcpkg/conan manifest) and ci_dependabot_automerge.yml (pull_request_target from the start). allow_auto_merge confirmed true, vulnerability alerts/automated security fixes enabled, DEPENDABOT_AUTOMERGE_TOKEN provisioned (new cpp4theselftaught-scoped PAT). Partial pending its own live Dependabot PR to observe an actual merge
cpp4theselftaught/devcontainer devsecops target main unknown
unknown
n/a none unknown no manifest-only compliance baseline: empty scaffold - only a README.md exists, no devcontainer.json/Dockerfile/source yet despite the name. Not-applicable until content lands; revisit then
cpp4theselftaught/robot-car application migrated master unknown
unknown
n/a none unknown yes manifest-only robot car project with Raphael
compliance baseline: archived - same as actions-autoversion, GitHub blocks vulnerability-alerts/automated-security-fixes API changes on archived repos (422). No action unless unarchived
cpp4theselftaught/sudoku-solver application migrated master unknown
unknown
n/a none unknown yes manifest-only compliance baseline: archived - same as actions-autoversion, GitHub blocks vulnerability-alerts/automated-security-fixes API changes on archived repos (422). No action unless unarchived
VlinderSoftware/amp application inventory-reference master unknown
unknown
n/a none unknown no manifest-only dormant since 2024-05; 3 open issues but all self-filed 2020 design notes, not external signal. Archived 2026-07-12 per TODO #17
VlinderSoftware/amp-model application inventory-reference master unknown
unknown
n/a none unknown no manifest-only no description, dormant since 2022-03, zero stars/forks/issues; archived 2026-07-12 per TODO #17
VlinderSoftware/app-lector application target dev unknown
unknown
n/a none unknown no manifest-only multi-component app (frontend/lambda/worker/infra), same shape as VlinderSoftware/doxchange
compliance baseline: had no Dependabot or CI at all before 2026-07-10. Added Dependabot for all 5 ecosystems (npm/frontend, pip/lambda, pip/worker, pip/tests, terraform/infra, github-actions) and ci_validate_frontend.yml covering only the frontend component for now (type-check + build + vitest, verified passing with npm ci --legacy-peer-deps - @vitejs/plugin-react's published peerDependencies range lags vite 8.x but is actually compatible, confirmed 0 vulnerabilities and clean build/test). npm run lint was left out - no eslint.config.js exists at all, fails outright on ESLint 9's flat-config requirement, a pre-existing gap not papered over here. No automerge yet given how partial coverage still is
VlinderSoftware/build-server application inventory-reference master unknown
unknown
n/a none unknown no manifest-only Docker image for a build server, dormant since 2020-12, zero stars/forks/issues; archived 2026-07-12 per TODO #17
VlinderSoftware/buildenv application inventory-reference master unknown
no runs
n/a none unknown no live no description, dormant since 2019-05, zero stars/forks/issues; archived 2026-07-12 per TODO #17
VlinderSoftware/cmake application inventory-reference master unknown
no runs
n/a v20160326 unknown no live shared CMake settings/modules consumed as a git submodule by cpp4theselftaught/depends (and possibly others) - not dormant, despite last being pushed 2020-12
no package-manager ecosystem of its own (just .cmake modules), so Dependabot has nothing to manage here; not-applicable rather than a gap
VlinderSoftware/cpp-event-superschema application target dev green
completed / success
n/a none unknown no live C++ implementation of event superschema, linked from workspace-event-superschema
compliance baseline: CMake project (no vcpkg/conan manifest), ci.yml exists, dependabot.yml added 2026-07-10 (github-actions only) plus ci_dependabot_automerge.yml (pull_request_target from the start), DEPENDABOT_AUTOMERGE_TOKEN provisioned, allow_auto_merge confirmed true (public repo), vulnerability alerts/automated security fixes enabled. Partial pending its own live Dependabot PR to observe an actual merge
VlinderSoftware/cpp-exceptions application target master failing
completed / failure
n/a v1.1.0 unknown no live C++ exception base classes; renamed from VlinderSoftware/exceptions 2026-07-12 per the org naming convention (GitHub redirect in place for the old URL, but cpp4theselftaught/depends' .gitmodules was updated to the new URL directly rather than relying on it)
live git submodule dependency of cpp4theselftaught/depends - this is why it got the standard compliance treatment instead of being archived with the rest of the dormant legacy batch
VlinderSoftware/cpp-jose application migrated dev green
completed / success
n/a none unknown no live JOSE implementation in modern C++, known consumer of actions-msvc
compliance baseline: Dependabot already present (github-actions only), ci.yml exists, ci_dependabot_automerge.yml added 2026-07-10 (pull_request_target from the start), DEPENDABOT_AUTOMERGE_TOKEN provisioned, allow_auto_merge confirmed true (public repo), vulnerability alerts/automated security fixes enabled. Promoted to complete 2026-07-12: PR #19 (actions/checkout 6->7) merged via a genuinely dependabot-triggered automerge run (29134204646, pull_request_target, actor condition passed, conclusion=success)
VlinderSoftware/cs-event-superschema application target dev green
completed / success
n/a none unknown no live C# implementation of event superschema, linked from workspace-event-superschema
compliance baseline: .NET project (nuget.config), ci.yml exists, dependabot.yml added 2026-07-10 (nuget + github-actions) plus ci_dependabot_automerge.yml (pull_request_target from the start). Real end-to-end proof: PR #2 (coverlet.collector bump) merged automatically via a genuinely dependabot-triggered run (forced with `@dependabot recreate`), confirming both the token and the pull_request_target fix work together. First repo in this batch confirmed complete via an observed run rather than config inspection
VlinderSoftware/dnp-authority application inventory-reference master unknown
unknown
n/a none unknown no manifest-only dormant since 2020-07; 1 open issue but it's a self-filed 2020 design note, not external signal. Archived 2026-07-12 per TODO #17
VlinderSoftware/dnp-json-mapping application inventory-reference master unknown
unknown
n/a none unknown no manifest-only DNP application layer to JSON mapping for IIoT, dormant since 2023-09, zero stars/forks/issues; archived 2026-07-12 per TODO #17
VlinderSoftware/dnp3 application inventory-reference 2.0.x unknown
no runs
n/a v2.1.0-RC5 unknown no live fork of dnp3/opendnp3, zero commits ahead of upstream (unmodified mirror), dormant since 2018-03; archived 2026-07-12 per TODO #17
VlinderSoftware/doxchange application extract-shared-parts dev unknown
unknown
n/a none unknown no manifest-only project-owned infra structure is the precedent for app-specific infra boundaries
infra directory contains reusable terraform modules and automation worth extracting
VlinderSoftware/kem.make application inventory-reference dev unknown
unknown
n/a none unknown no manifest-only KEM.MAKE protocol implementation, last pushed 2025-03; superseded by the newer blytkerchan/kem-make (pushed 2026-07-08, days before this review) - archived 2026-07-12 as superseded rather than for pure dormancy
VlinderSoftware/logo application inventory-reference main unknown
unknown
n/a none unknown no manifest-only static logo/brand assets (svg/png/ico/xcf), no package-manager ecosystem and nothing to run CI against; not-applicable rather than a gap
VlinderSoftware/mai application inventory-reference master unknown
unknown
n/a none unknown no manifest-only Node-based service framework, dormant since 2022-12, zero stars/forks/issues; archived 2026-07-12 per TODO #17
VlinderSoftware/meta application inventory-reference master unknown
no runs
n/a none unknown no live C++ meta-programming library, dormant since 2016-03, zero stars/forks/issues; archived 2026-07-12 per TODO #17 (reviewed case-by-case with the user, no live consumers found)
VlinderSoftware/meta-opendnp3 application inventory-reference master unknown
no runs
n/a none unknown no live Yocto layer for OpenDNP3, dormant since 2017-10, zero stars/forks/issues; archived 2026-07-12 per TODO #17
VlinderSoftware/meta-vlinder application inventory-reference master unknown
unknown
n/a none unknown no manifest-only Yocto layer for Vlinder Software embedded libraries, dormant since 2018-03, zero stars/forks/issues; archived 2026-07-12 per TODO #17
VlinderSoftware/node-cognitojwtvalidator application migrated dev unknown
unknown
n/a none unknown no manifest-only validator for JWT tokens generated by Cognito
compliance baseline: same pattern as node-lambdahelpers - fixed and provisioned the same way 2026-07-10 (token swap + secrets: inherit + DEPENDABOT_AUTOMERGE_TOKEN secret). Capped at partial - private repo on GitHub Free, allow_auto_merge cannot be enabled (accepted gap, see maintenance_notes)
VlinderSoftware/node-dynamodbwrapper application migrated dev unknown
unknown
n/a none unknown no manifest-only wrapper (in TypeScript) for Node for AWS DynamoDB
compliance baseline: same pattern as node-lambdahelpers - fixed and provisioned the same way 2026-07-10 (token swap + secrets: inherit + DEPENDABOT_AUTOMERGE_TOKEN secret). Capped at partial - private repo on GitHub Free, allow_auto_merge cannot be enabled (accepted gap, see maintenance_notes)
VlinderSoftware/node-event-superschema application target dev green
completed / success
n/a none unknown no live Node.js implementation of event superschema, linked from workspace-event-superschema
compliance baseline: had no Dependabot or CI at all before 2026-07-10. Added npm + github-actions Dependabot, ci_validate_node.yml (build+test hard gate, verified passing; npm audit non-blocking since the prod dependency tree already has unresolved vulnerabilities via node-jose/node-forge/lodash/fast-uri/ajv, not a CI regression) and ci_dependabot_automerge.yml (pull_request_target from the start). allow_auto_merge confirmed true, DEPENDABOT_AUTOMERGE_TOKEN provisioned, vulnerability alerts/automated security fixes enabled. Promoted to complete 2026-07-12: multiple genuinely dependabot-triggered automerge runs observed (pull_request_target, actor condition passed, conclusion=success) across PRs #1-#11, e.g. run 29137724478 on dependabot/npm_and_yarn/uuid-14.0.0; test coverage is still uneven (JWE/JWS paths at 0%), same caveat as utils-system-cleanup, but that's a test-quality gap not a compliance-baseline one
VlinderSoftware/node-lambdahelpers application migrated dev unknown
unknown
n/a none unknown no manifest-only helpers for AWS Lambda
compliance baseline: Dependabot already present, full CI (build/eslint/formatting/unittestcoverage/cicd/deploy); ci_automerge.yml is a reusable (workflow_call) workflow, fixed 2026-07-10 to use secrets.DEPENDABOT_AUTOMERGE_TOKEN, with secrets: inherit added to the caller job in cicd.yml (custom secrets don't reach called workflows otherwise) and the secret provisioned (new VlinderSoftware-scoped PAT). Capped at partial because this is a private repo on GitHub Free, so allow_auto_merge cannot be enabled (accepted gap, see maintenance_notes)
VlinderSoftware/node-module-template devsecops migrated main unknown
unknown
n/a none unknown no manifest-only template repo the node-lambdahelpers/node-cognitojwtvalidator/node-dynamodbwrapper/node-permissionvalidator family was cloned from - explains why their CI/automerge workflows are identical
compliance baseline: fixed and provisioned 2026-07-10 (token swap + secrets: inherit + DEPENDABOT_AUTOMERGE_TOKEN secret) ahead of its downstream repos, since they likely get re-synced from this template. Capped at partial - private repo on GitHub Free, allow_auto_merge cannot be enabled (accepted gap, see maintenance_notes)
VlinderSoftware/node-permissionvalidator application migrated main unknown
unknown
n/a none unknown no manifest-only permission validation
repo description on GitHub currently reads "Validator for Cognito JWT tokens" - looks like a copy-paste leftover from node-cognitojwtvalidator, flagged for the user rather than changed here
VlinderSoftware/OpenSSLRSAExample application inventory-reference master unknown
no runs
n/a none unknown no live RSA+SHA256+PKCS1 signing example, dormant since 2020-11 (1 star); archived 2026-07-12 per TODO #17
VlinderSoftware/paper-event-superschema application target dev failing
completed / failure
n/a none unknown no live paper and documentation for event superschema; workspace-event-superschema's notes call it "already tracked" as a submodule, but no manifest entry actually existed until now - that note was stale, fixed by this addition
compliance baseline: paper-requirements.txt is empty and consumed as an explicit named input to vln-devsecops/actions-build-paper@v1 in the existing ci_paper.yml, not auto-discovered by any package manager - skipped a pip Dependabot ecosystem entry since there's nothing in the file for it to manage. Added github-actions Dependabot and ci_dependabot_automerge.yml (pull_request_target from the start). allow_auto_merge confirmed true (public repo), vulnerability alerts/automated security fixes enabled. Capped at partial: DEPENDABOT_AUTOMERGE_TOKEN not yet provisioned for this specific repo (VlinderSoftware owner PAT exists and covers it once set)
VlinderSoftware/phoenix.ui application inventory-reference main unknown
unknown
n/a none unknown no manifest-only already archived on GitHub; not-applicable, no action needed unless unarchived
VlinderSoftware/python-event-superschema application target dev green
completed / success
n/a v1.0.0 unknown no live super-schema support for Python, linked from workspace-event-superschema
compliance baseline: pyproject.toml-based project, ci.yml exists, dependabot.yml added 2026-07-10 (pip + github-actions) plus ci_dependabot_automerge.yml (pull_request_target from the start), DEPENDABOT_AUTOMERGE_TOKEN provisioned, allow_auto_merge confirmed true. Mechanism proven end-to-end on the identically-configured cs-event-superschema (PR #2, see its entry), but not yet observed on this specific repo's own live PR (#3 open) - promote to complete once seen merging here too
VlinderSoftware/relacy application inventory-reference master unknown
no runs
n/a none unknown no live already archived on GitHub; not-applicable, no action needed unless unarchived
VlinderSoftware/research.vlinder.ca website inventory-reference main unknown
no runs
n/a none unknown no live genuinely empty scaffold (LICENSE only, no source yet); not-applicable, revisit if it gets populated
VlinderSoftware/rtimdb application inventory-reference master unknown
no runs
n/a none unknown no live real-time in-memory database, dormant since 2020-12, zero stars/forks/issues; archived 2026-07-12 per TODO #17
VlinderSoftware/securitylayer application inventory-reference master unknown
no runs
n/a none unknown no live already archived on GitHub; not-applicable, no action needed unless unarchived
VlinderSoftware/sit-tools application inventory-reference master unknown
unknown
n/a none unknown no manifest-only tooling for SIT, dormant since 2020-12, zero stars/forks/issues; archived 2026-07-12 per TODO #17
VlinderSoftware/sitpy application inventory-reference master unknown
unknown
n/a none unknown no manifest-only Python implementation of SIT, dormant since 2023-10, zero stars/forks/issues; archived 2026-07-12 per TODO #17
VlinderSoftware/tools-amp application inventory-reference master unknown
unknown
n/a none unknown no manifest-only AMP tooling, dormant since 2020-07, zero stars/forks/issues; archived 2026-07-12 per TODO #17
VlinderSoftware/vlinder.ca website extract-shared-parts master unknown
unknown
n/a none unknown no manifest-only current deployment extraction candidate is AWS-specific; future Azure or GCP patterns may belong in separate or more generalized automation
compliance baseline: had no Dependabot or CI at all before 2026-07-10. Added bundler + npm + github-actions Dependabot ecosystems and ci_validate_jekyll.yml (jekyll build + two-tier npm audit gate; verified passing via a real triggered run). Critical-level audit step is non-blocking - serverless-s3-sync is a deprecated/unsupported package already pulling in a critical-severity transitive vuln (minimist) today, not a regression; a real fix means replacing that dependency, out of scope here. No auto-merge yet - this is a live production site, holding off until the new CI has a track record
VlinderSoftware/workspace-event-superschema application inventory-reference dev green
completed / success
n/a none unknown no live umbrella workspace linking cpp-event-superschema, cpp-jose, cs-event-superschema, node-event-superschema, paper-event-superschema (already tracked), and python-event-superschema as submodules, same pattern as blytkerchan/workspace-books
compliance baseline: had no Dependabot or CI at all before 2026-07-10. Added github-actions Dependabot and ci_validate_submodules.yml doing a real `submodules: recursive` checkout (verified passing) - confirmed all 6 linked submodules are public, unlike workspace-books, so no cross-repo auth wall applies here. allow_auto_merge confirmed true (public repo), vulnerability alerts/automated security fixes enabled. No automerge planned regardless (reference workspace, not a deployable)
vln-devsecops/.github org-profile target main unknown
no runs
n/a none unknown yes live org profile repository for the public-facing organization README and shared org metadata
compliance baseline: only LICENSE/README/profile content, no package-manager ecosystem and nothing to run CI against; not-applicable rather than a gap
vln-devsecops/actions-autoversion github-action migrated main green
completed / success
n/a v1.1.2 / v1.1 / v1 unknown yes live transferred directly from VlinderSoftware/autoversion
old location now redirects to the new repo
vln-devsecops/actions-build-paper github-action migrated dev green
completed / success
n/a v1.1.3 / v1.1 / v1 unknown yes live transferred directly from blytkerchan/build-paper
old location now redirects to the new repo
vln-devsecops/actions-generate-licenses github-action migrated main green
completed / success
n/a v1.2.11 / v1.2 / v1 unknown yes live transferred directly from VlinderSoftware/generate-licenses
old location now redirects to the new repo
vln-devsecops/actions-msvc github-action migrated dev green
completed / success
n/a v1.0.2 / v1.0 / v1 unknown yes live transferred directly from blytkerchan/devsecops-setup-msvc
published action with existing v1 tag line
vln-devsecops/actions-validate-coverage github-action migrated main failing
completed / action_required
n/a v1.0.18 / v1.0 / v1 unknown yes live transferred directly from VlinderSoftware/validate-coverage
old location now redirects to the new repo
vln-devsecops/automation-books automation target dev unknown
unknown
n/a none unknown no manifest-only initialized on dev with lightweight compliance workflows
intended home for shared book build and editorial automation
vln-devsecops/container-build devsecops active-infra main unknown
unknown
n/a none unknown no manifest-only generic build image (Dockerfile, Dockerfile.add-antlr, Dockerfile.add-pqc), uses release-please and a git submodule (antlr4)
compliance baseline: already had docker Dependabot and real CI (ci.yml: builds/pushes to Docker Hub); added github-actions ecosystem to dependabot.yml (was docker-only) and ci_dependabot_automerge.yml (pull_request_target from the start). vulnerability alerts/automated security fixes enabled. Capped at partial: private repo on GitHub Free (allow_auto_merge cannot be enabled, accepted gap) and DEPENDABOT_AUTOMERGE_TOKEN not yet provisioned for this specific repo
vln-devsecops/github-runners devsecops active-infra dev unknown
unknown
n/a none unknown yes manifest-only self-hosted GitHub Actions runner infrastructure (terraform + packer)
transferred from VlinderSoftware/devsecops-gha-runner
vln-devsecops/guidance standards target main unknown
unknown
n/a none unknown no manifest-only org-wide engineering standards, operational runbooks, and compliance scaffold
standards/repo-naming-convention.md — naming convention for all portfolio repos
vln-devsecops/icon github-action migrated main unknown
unknown
n/a none unknown yes manifest-only repository for the org icon
compliance baseline: just README.md and icon.svg, no package-manager ecosystem and nothing to run CI against; not-applicable rather than a gap
vln-devsecops/infra infrastructure target main unknown
unknown
n/a none unknown yes manifest-only org-level AWS infrastructure: GitHub OIDC trust, IAM roles for keyless CI/CD
github-oidc/ root module creates OIDC provider and 4 IAM roles
vln-devsecops/node-vlinder-auth devsecops active-app main unknown
unknown
n/a none unknown no manifest-only Vlinder-branded Cognito auth UI + vendored Lambda/admin-panel source for the cognito_auth Terraform module
compliance baseline: already had npm + github-actions Dependabot and real CI (ci_node.yml: lint/test/build); created the 3 missing repo labels (dependencies/npm/github-actions) its dependabot.yml already referenced (known label gap, see maintenance_notes) and added ci_dependabot_automerge.yml (pull_request_target from the start). vulnerability alerts/automated security fixes enabled. Capped at partial: private repo on GitHub Free (allow_auto_merge cannot be enabled, accepted gap) and DEPENDABOT_AUTOMERGE_TOKEN not yet provisioned for this specific repo (vln-devsecops owner PAT exists but the secret needs setting per-repo)
vln-devsecops/operations workspace target dev pending
in_progress / n/a
n/a none baseline yes partial central devsecops workspace
tracks the broader org migration/extraction plan and the org-profile repository
vln-devsecops/terraform-modules infrastructure target main green
completed / success
n/a v0.17.0 / v0.17 / v0 unknown yes live intended home for extracted reusable Terraform modules and infra patterns
modules at v0.7 (immutable v0.7.0); floating tags v0.7 and v0 current
vln-devsecops/utils-system-cleanup devsecops migrated dev unknown
unknown
n/a none unknown yes manifest-only transferred from VlinderSoftware/devsecops-utils-system-cleanup
old location now redirects to the new repo
vln-polaris/fhcs-simulator application active-app dev unknown
unknown
n/a none unknown no manifest-only simulator of a first-hop controlling station implementing AMP, part of the active Coppice ecosystem
compliance baseline: Dependabot already present, full CI (ci/docs/release/security workflows), dependabot-auto-merge.yml fixed 2026-07-10 to use secrets.DEPENDABOT_AUTOMERGE_TOKEN and the secret provisioned (new vln-polaris-scoped PAT); vulnerability alerts/automated security fixes enabled. Capped at partial because this is a private repo on GitHub Free, so allow_auto_merge cannot be enabled (accepted gap, see maintenance_notes)
vln-polaris/icon application migrated main unknown
unknown
n/a none unknown no manifest-only just icon.svg plus a generate-icons.yml workflow (apt-installed inkscape/imagemagick, no package.json) that renders PNG/ICO sizes on push
compliance baseline: no npm/pip/etc. ecosystem to track (system packages installed via apt, not a Dependabot-supported manifest) - only github-actions Dependabot ecosystem applies, added 2026-07-10. No automerge needed/added (CI is an image-generation pipeline, not a merge gate). vulnerability alerts/automated security fixes enabled; capped at partial because this is a private repo on GitHub Free, so allow_auto_merge is moot here anyway (accepted gap, see maintenance_notes) - though no automerge is planned for this repo regardless
vln-polaris/node-coppice-lambdas-audit-fanout application target dev unknown
unknown
n/a none unknown no manifest-only compliance baseline: empty scaffold - only README.md, .gitignore, and .github/copilot-instructions.md exist, no source code or package manifest yet. Not-applicable until code lands; revisit then
vln-polaris/node-coppice-lambdas-authorizer application target dev unknown
unknown
n/a none unknown no manifest-only compliance baseline: empty scaffold - only README.md, .gitignore, and .github/copilot-instructions.md exist, no source code or package manifest yet. Not-applicable until code lands; revisit then
vln-polaris/node-coppice-lambdas-token-service application target dev unknown
unknown
n/a none unknown no manifest-only compliance baseline: empty scaffold - only README.md, .gitignore, and .github/copilot-instructions.md exist, no source code or package manifest yet. Not-applicable until code lands; revisit then
vln-polaris/node-coppice-validate-jwt application target dev unknown
unknown
n/a none unknown no manifest-only compliance baseline: empty scaffold - only README.md, .gitignore, and .github/copilot-instructions.md exist, no source code or package manifest yet. Not-applicable until code lands; revisit then
vln-polaris/playwright-coppice-e2e application target dev unknown
unknown
n/a none unknown no manifest-only compliance baseline: empty scaffold - only README.md, .gitignore, and .github/copilot-instructions.md exist, no source code or package manifest yet. Not-applicable until code lands; revisit then
vln-polaris/terraform-aws-coppice infrastructure active-app dev unknown
unknown
n/a none unknown no manifest-only canonical infra repo for the Coppice application; not an archive candidate
lambda callers migrated to vln-devsecops/terraform-modules//modules/aws/lambda (v0.4); local modules/lambda deleted
vln-polaris/workspace-coppice application inventory-reference dev unknown
unknown
n/a none unknown no manifest-only umbrella workspace linking node-coppice-validate-jwt, the 3 node-coppice-lambdas-* repos, playwright-coppice-e2e, and terraform-aws-coppice (already tracked) as submodules, same pattern as blytkerchan/workspace-books
all 5 non-terraform submodules are currently empty scaffolds (see their own entries) - nothing substantive to validate here yet

Shared-platform view

Module status counts: deferred: 1, extracted: 7

Module Source repo Target path Status Provider Completed checks
rxmail VlinderSoftware/doxchange modules/aws/rxmail deferred aws none
deployment_bucket VlinderSoftware/doxchange modules/aws/deployment_bucket extracted aws static_checks_complete, terraform_test_complete, integration_test_complete, examples_complete, policy_checks_complete
dynamodb VlinderSoftware/doxchange modules/aws/dynamodb extracted aws static_checks_complete, terraform_test_complete, integration_test_complete, examples_complete, policy_checks_complete
lambda VlinderSoftware/doxchange modules/aws/lambda extracted aws static_checks_complete, terraform_test_complete, integration_test_complete, examples_complete, policy_checks_complete
lambda vln-polaris/terraform-aws-coppice modules/aws/lambda extracted aws static_checks_complete, terraform_test_complete, integration_test_complete, examples_complete, policy_checks_complete
lambda-at-edge VlinderSoftware/doxchange modules/aws/lambda-at-edge extracted aws static_checks_complete, terraform_test_complete, examples_complete, policy_checks_complete
mail VlinderSoftware/doxchange modules/aws/mail extracted aws static_checks_complete, terraform_test_complete, integration_test_complete, examples_complete, policy_checks_complete
static_site blytkerchan/applied-paranoia.com modules/aws/static_site extracted aws static_checks_complete, terraform_test_complete, examples_complete, policy_checks_complete

Operations run history

Adoption and migration view

Migration posture: this snapshot reflects the repo manifest and in-repo TODO list as of 2026-07-12T10:01:48Z. Remaining tracked follow-ups stay explicit in the prompt docs for archive cleanup and the shared Lambda@Edge gap.

The dashboard is intentionally static at publish time. Any richer cross-owner live API enrichment can be added later without changing the hosted security model.