
v1.3.37 -- Pre-public sanitization + doc hygiene

A doc + sanitization release. Tooling-only; argosVersion and frontend/package.json deliberately stay at 1.3.35.4. No Go code change beyond comment rewrites; no frontend code change beyond a comment rewrite; no panel binary change.

This release exists to close the four findings of the pre-public audit (docs/operations/pre-public-audit.md, shipped in this release) before flipping the repo from private to public. Audit + remediations land together as a single bundled commit so the "audited + fixed pre-public" story reads coherently in git history.

Why a single bundled release

Standard project hygiene would split this into 4-5 atomic PRs (one per audit item). For argos-edge specifically, the operator opted for a single bundle because:

  • The audit and the fixes describe the same state transition — separating them would force readers to cross-reference two artifacts to understand either.
  • Each item is small (the largest is verification-report.md at ~30 line edits); per-item PRs would carry more ceremony than work.
  • The audit doc itself references the fixes by name and status; if the fixes shipped first, the audit doc would be stale on arrival.
  • Pre-public is a one-shot event; this is the only release that will ever bear the "v1.3.37 pre-public sweep" framing.

Audit findings closed

C1 — TODO(kilian) markers leaked operator's first name

Severity at audit time: HIGH. Status: RESOLVED.

check-no-personal-data.sh covered three patterns (cmos486.es, operator LAN 192.168.{3,5}.x, gmail handle) but did not catch the operator's real first name in TODO(kilian) source-comment markers. 6 occurrences across 5 source files + 1 historical CHANGELOG line.

Fix:

| File | Line | Before | After |
|---|---|---|---|
| backend/internal/totp/challenge.go | 126 | TODO(kilian) | TODO(maintainer) |
| backend/internal/appsec/status.go | 72 | TODO(kilian) | TODO(maintainer) |
| backend/internal/appsec/status.go | 94 | TODO(kilian) | TODO(maintainer) |
| backend/internal/backup/scheduler.go | 73 | TODO(kilian) | TODO(maintainer) |
| frontend/src/pages/Backup.tsx | 666 | TODO(kilian) | TODO(maintainer) |
| CHANGELOG.md | 3954 | quotes TODO(kilian): dead? literal | rephrased to "marked 5 ambiguous ones with TODO comments" |

scripts/check-no-personal-data.sh grew Pattern D as the regression-guard:

KILIAN=$(grep -riEn '\bkilian\b' $INCLUDES $EXCLUDES_D . 2>/dev/null \
           || true)

Word-boundary, case-insensitive. LICENSE is explicitly excluded (EXCLUDES_D="$EXCLUDES --exclude=LICENSE") because the BSL 1.1 Licensor identity is required + intentional + legally-load-bearing, not a leak.

The pre-public-audit.md doc itself is added to the general exception list (alongside v1.3.15.md and the script itself) because it documents the patterns being scrubbed in narrative — same pattern as the v1.3.15 cleanup meta-doc.
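As an added illustration of how a Pattern D style guard behaves, here is a small stand-alone script written for these notes; it is not the project's scripts/check-no-personal-data.sh. It mirrors the four pattern classes (domain, operator LAN range, mail handle, first name as a whole word), applies the word-boundary + case-insensitive + LICENSE-excluded treatment only to the name pattern, and runs against a constructed fixture tree. The domain homelab.example, the name alice, the fixture file contents and the function names are all placeholders chosen for the demo.

```sh
#!/bin/sh
# Added example (not the argos-edge script): a minimal personal-data regression
# guard in the style described above. Every concrete value (domain, name,
# handle pattern, fixture files) is constructed for this demo.

PAT_A='homelab\.example'                 # A: private domain leak (placeholder)
PAT_B='192\.168\.(3|5)\.[0-9]{1,3}'      # B: operator LAN range
PAT_C='[A-Za-z0-9._-]+@gmail\.com'       # C: personal mail handle
PAT_D='\balice\b'                        # D: first name, word-boundary (placeholder)

# scan_pattern LABEL REGEX DIR [extra grep args...]
# Prints matching lines; returns 0 when nothing matched (clean), 1 otherwise.
scan_pattern() {
    label="$1"; regex="$2"; dir="$3"; shift 3
    hits=$(grep -rIEn --exclude-dir=.git "$@" -- "$regex" "$dir" 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf '[FAIL] %s: %s\n' "$label" "$regex"
        printf '%s\n' "$hits"
        return 1
    fi
    printf '[OK] %s clean\n' "$label"
    return 0
}

# check_personal_data DIR -> 0 if all four patterns are clean, 1 otherwise.
# Every pattern runs even after a failure so one run reports the whole picture.
check_personal_data() {
    dir="$1"; rc=0
    scan_pattern "A: private domain" "$PAT_A" "$dir" || rc=1
    scan_pattern "B: operator LAN"   "$PAT_B" "$dir" || rc=1
    scan_pattern "C: mail handle"    "$PAT_C" "$dir" || rc=1
    # D is case-insensitive; LICENSE is excluded because the licensor identity
    # there is intentional and legally load-bearing, not a leak.
    scan_pattern "D: first name" "$PAT_D" "$dir" -i --exclude=LICENSE || rc=1
    return $rc
}

# make_fixture -> prints the path of a constructed repo snapshot holding one
# TODO(<name>) comment leak plus a legitimate name in LICENSE.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/backend/internal/totp" "$d/docs"
    cat > "$d/backend/internal/totp/challenge.go" <<'EOF'
package totp

// TODO(alice): revisit the replay window once clock-skew data is in.
func window() int { return 30 }
EOF
    cat > "$d/LICENSE" <<'EOF'
Business Source License 1.1
Licensor: Alice Example
EOF
    cat > "$d/docs/index.md" <<'EOF'
# Panel
Bind the panel to 10.0.0.5 in lan mode; see docs/operations/ for details.
EOF
    printf '%s\n' "$d"
}

# scrub_fixture DIR: the remediation this release applied, TODO(name) -> TODO(maintainer).
scrub_fixture() {
    f="$1/backend/internal/totp/challenge.go"
    sed 's/TODO(alice)/TODO(maintainer)/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Demo run: the unscrubbed snapshot trips D, the scrubbed one is clean.
FIX=$(make_fixture)
check_personal_data "$FIX" && echo "unexpected: leak not detected"
scrub_fixture "$FIX"
check_personal_data "$FIX" && echo "all patterns clean post-fix"
rm -rf "$FIX"
```

The LICENSE exclusion is scoped to Pattern D only, so a private domain or LAN address pasted into LICENSE would still be caught by A or B; that asymmetry is the point of carving out a separate EXCLUDES_D rather than widening the global exclude list.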

S1 — CLAUDE.md was 3 minor versions stale

Severity at audit time: MEDIUM. Status: RESOLVED.

5 stale markers in CLAUDE.md (the onboarding doc for future Claude Code sessions):

| Before | After |
|---|---|
| Estado actual: v1.3.33 estable | Estado actual: v1.3.36.8 estable (panel binary v1.3.35; v1.3.34/v1.3.35/v1.3.36.x are tooling/demo/capture patches) |
| Eight-strike upstream-behaviour pattern | Eleven-strike upstream-behaviour pattern (latest: v1.3.34.3 deploy-pipeline silent-no-op) |
| 8 incidentes a través de v1.3.18-v1.3.33 | 11 incidentes a través de v1.3.18-v1.3.34.3 |
| Patterns memorizados (v1.3.30-v1.3.33) | Patterns memorizados (v1.3.30-v1.3.36) |
| 13 smoke scripts | 18 smoke scripts |
| 33 migraciones (v1.3.33 latest) | 30 archivos hasta migration 033 (v1.3.33 = última que tocó schema; v1.3.34+ son tooling/doc-only) |

The smoke-suite section now enumerates the 5 new post-v1.3.32 scripts: scenario-descriptions.sh (v1.3.30 reverse-sentinel EFFECT — was missing from the prior list), country-reconciler.sh (v1.3.33 5min reconciler), deploy-rebuild.sh (v1.3.34.3 deploy-pipeline EFFECT), demo-environment.sh (v1.3.35 demo-stack self-smoke), capture-automation.sh (v1.3.36.x Playwright self-smoke).

The reference to the eight-strike pattern in Rule #4 ("No inventes APIs") is also updated to "Eleven-strike". The memory-file pointer keeps the original filename (project_four_strike_upstream_pattern.md) for git-history continuity, but the description line in CLAUDE.md notes "los 11 strikes completos".

S2 — verification-report.md was at v1.3.32 gate

Severity at audit time: MEDIUM (this page is the named single-source release gate). Status: RESOLVED.

Header bumped: v1.3.32 verification gate -> v1.3.36.8 verification gate. Summary table:

| Field | Before | After |
|---|---|---|
| Pre-v1.3.32 smoke scripts | 9 | 9 |
| Verification gap fillers (v1.3.32) | 4 | 4 |
| Post-v1.3.32 smoke scripts | (not tracked) | 5 |
| Total smoke scripts | 13 | 18 |
| EFFECT-verified PASS against prod stack | 12 (v1.3.31) | 16 (v1.3.35) |

5 new rows added to the smoke matrix, one per post-v1.3.32 script. Each row carries the standard "feature, smoke script, status, verifies" columns matching the existing table style.

The recommendation paragraph now cross-references the eleven-strike pattern explicitly: every external-protocol surface that caused an incident has a dedicated EFFECT-verifying smoke (LAPI WAL, scenarios source-of-truth, AppSec tuning, drift detection, true-detect-mode, country expansion async, country reconciler, alert-shape cap, deploy-pipeline rebuild). Pattern-to-smoke coverage is now traceable.

The "ready for public" section also points readers to docs/operations/pre-public-audit.md for the non-functional gates (sanitization, doc currency, GitHub governance files).

P1 — SECURITY.md missing

Severity at audit time: MEDIUM (argos-edge is a security-adjacent project; visitors expect a disclosure policy). Status: RESOLVED.

New SECURITY.md at repo root. GitHub recognizes SECURITY.md at repo root, .github/, or docs/; root is preferred so the file is the first-tab-second-link in the GitHub repo browser. Highlights:

  • Reporting channel: GitHub Security Advisories private vulnerability reporting (/security/advisories/new) is the primary path. A no-technical-detail GitHub issue is the fallback for reporters who want to coordinate before sending details.
  • Supported versions: latest tagged release on main (full support); previous minor (best-effort); older releases (not supported).
  • Response: qualitative commitment, no specific SLA table. Solo-maintainer + side-project reality means specific time targets would create public commitments that vacation / illness / day-job pressure could turn into broken promises. The policy reads "maintainer-time-permitting; reasonable timeframe; severity-based triage; active exploitation prioritized" — honest under-promise rather than aspirational over-promise.
  • Coordinated disclosure: 90-day industry-standard default ceiling, with adjustments based on severity and exploitation status. Shorter if the fix has shipped + adopters have had upgrade time; publish-then-disclose immediately if active exploitation in the wild.
  • Scope: panel binary, compose stack, CLI, HTTP API, Caddyfile bootstrap, CrowdSec acquisition + profiles + AppSec configs as committed in this repo, credential handling, TOTP / session lifecycle, ForwardAuth, OIDC, drift / reconciler false negatives.
  • Out of scope: upstream Caddy 2 / CrowdSec / Coraza / CRS issues (reporters routed to upstream security pages explicitly), self-signed cert warnings in lan mode, DoS by the operator against their own homelab, fork-only repros, attacks requiring root in the panel container, social engineering.
  • Hall of fame: section delegates to /security/advisories as the public record (links out instead of maintaining a duplicate ledger that could drift).

The 1-page length is appropriate for a solo-maintained homelab project; cribbing the GitHub Security Advisory template + the standard supported-versions matrix + scope partition reads as a serious-but-not-bureaucratic policy that visitors can take at face value.

What this release does NOT change

  • Panel binary version (argosVersion stays at 1.3.35.4).
  • Frontend version (frontend/package.json stays at 1.3.35.4).
  • Any Go function signature, frontend component, or panel behavior. The 5 source-file edits are comment-only: TODO(kilian) -> TODO(maintainer). gofmt / go vet / staticcheck continue to be clean against the same surface they were clean against pre-edit.
  • Any docker compose, Makefile, or deploy-pipeline semantics.
  • The eleven-strike memory file (filename retained for git-history continuity even though the count is now 11, not 4-or-8 as historical filenames suggest).

What's deferred

Audit items 6-9 (operator decision: defer to post-public):

  • .github/ISSUE_TEMPLATE/ directory
  • .github/PULL_REQUEST_TEMPLATE.md
  • TODO embed in features/X.md markers in docs/screenshots/README.md (existing screenshots not yet referenced from the relevant features pages)
  • CONTRIBUTING.md symlink at repo root (currently lives at docs/CONTRIBUTING.md, which IS GitHub-recognized — symlink would only shorten the path shown in the GitHub PR-create UI)

All four are LOW severity, non-gating; they may ship in a future cosmetic-hygiene release or fold into a feature release as they become convenient.

Verification

[OK] no operator-specific data found in committed sources
mkdocs build --strict: PASS
go build ./...: clean
go vet ./...: clean

scripts/check-no-personal-data.sh runs all 4 patterns clean post-fix:

  • A: cmos486.es subdomain leak — clean
  • B: 192.168.{3,5}.x operator LAN — clean
  • C: gmail handle — clean
  • D: \bkilian\b (NEW v1.3.37) — clean (LICENSE excluded)

Tagging gate

This release is tagged after operator review of:

  1. The audit doc content (especially severity calls and the deferred-vs-gating split)
  2. The SECURITY.md draft (especially reporting channel choice + scope partition)

After tag: gh repo edit --visibility public is the final unblocked step. Items 6-9 cleanup, if pursued, can ship as v1.3.37.x or fold into a feature release.

Versioning

scripts/capture/package.json does NOT bump (this isn't a capture-tooling release). The release tag itself (v1.3.37) is the only version delta. Tag-without-rebuild precedent for tooling-only patches: v1.3.27.1, v1.3.34, v1.3.35.1, v1.3.35.5, v1.3.36.8.

Files changed

  • backend/internal/totp/challenge.go — 1 comment edit
  • backend/internal/appsec/status.go — 2 comment edits
  • backend/internal/backup/scheduler.go — 1 comment edit
  • frontend/src/pages/Backup.tsx — 1 comment edit
  • scripts/check-no-personal-data.sh — Pattern D added; LICENSE excluded from D; pre-public-audit.md added to the meta-doc exception list
  • CLAUDE.md — 5 stale markers refreshed
  • docs/operations/verification-report.md — header + summary table + 5 new smoke rows + recommendation paragraph
  • CHANGELOG.md — line 3954 rephrased; v1.3.37 entry added at top
  • SECURITY.md (new at repo root)
  • docs/operations/pre-public-audit.md (new) — the audit itself + post-resolution status table
  • docs/release-notes/v1.3.37.md — this file
  • mkdocs.yml — v1.3.37 nav entry + pre-public-audit.md nav entry