Change Management
Branch flow → security gate → tagged release.
Code change flow
- Branch flow
Feature → alpha → beta → main. Each promotion runs the full test suite, typecheck, lint, and security scans.
- Pre-commit hooks
Husky pre-commit runs typecheck + lint-staged (ESLint + Prettier for TS/TSX, Ruff for Python). Catches typing and policy violations before commit.
- Code review
All changes reach main via PR with required review. Security-sensitive changes get a second reviewer.
- Signed commits
Engineering uses commit signing. Hooks are not skipped (--no-verify) without explicit policy allowance.
Release flow
- Version bump
scripts/bump-version.sh updates 10 files atomically (package.json, Cargo.toml, tauri.conf.json, pyproject.toml, README, CHANGELOG, etc.).
- Release security gate
grype --only-fixed scans 9 lockfiles before any tag is published. No fixable vulnerabilities = green light.
Security gate detail
- Auto-generated artefacts
CycloneDX SBOM, SBOM HTML report, SHA-256 checksums per platform, signed installers (macOS notarised, Windows signed).
- Trust portal auto-publish
publish-trust-artifacts.sh refreshes products.json / compliance.json / vulnerabilities.json / trust-overview.json + mirrors CHANGELOG.md and SECURITY.md to GCS on every release.
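An illustration of the release security gate described above, added here as an example; it is not the project's own script. It enumerates lockfiles under a tree, runs grype with --only-fixed against each one, and refuses to certify the release if any scan reports a fixable vulnerability, if grype is missing, or if no lockfiles are found at all (a silent "scanned nothing" is the failure mode a gate must not have). The lockfile names, the vendored-directory exclusions and the severity threshold are assumptions.

```bash
#!/usr/bin/env bash
# Added example of a release security gate built around
# "grype --only-fixed" over lockfiles. Not the project's own script;
# the lockfile list, excluded directories and FAIL_ON default are assumptions.
set -u

# Lockfile names the gate looks for (assumed set; extend for your stack).
LOCKFILES="package-lock.json pnpm-lock.yaml yarn.lock Cargo.lock poetry.lock uv.lock requirements.txt"

# Lowest severity that blocks a release (assumption; grype accepts
# negligible|low|medium|high|critical).
FAIL_ON="${FAIL_ON:-low}"

# find_lockfiles ROOT: print every lockfile under ROOT, one per line,
# skipping vendored dependency trees so we scan what we ship, not node_modules.
find_lockfiles() {
  local root="$1" name args=()
  for name in $LOCKFILES; do
    [ ${#args[@]} -gt 0 ] && args+=(-o)
    args+=(-name "$name")
  done
  find "$root" \( -path '*/node_modules/*' -o -path '*/target/*' -o -path '*/.venv/*' \) -prune \
    -o -type f \( "${args[@]}" \) -print | sort
}

# scan_lockfile FILE: run grype on one lockfile, counting only matches that
# already have a fix. Exit 0 = clean, 1 = fixable vulnerability at or above
# FAIL_ON, anything else = tool failure (treated as a gate failure too).
scan_lockfile() {
  local file="$1"
  grype --only-fixed --fail-on "$FAIL_ON" -q "file:$file"
}

# release_gate ROOT: scan every lockfile; return 0 only if all are clean,
# 1 if any scan blocks, 2 if the gate could not do its job.
release_gate() {
  local root="$1" file status=0 n=0 list
  if ! command -v grype >/dev/null 2>&1; then
    echo "release gate: grype not installed" >&2
    return 2
  fi
  list=$(mktemp)
  find_lockfiles "$root" > "$list"
  while IFS= read -r file; do
    n=$((n + 1))
    if scan_lockfile "$file"; then
      printf 'OK     %s\n' "$file"
    else
      printf 'BLOCK  %s (fixable vulnerabilities >= %s or scan error)\n' "$file" "$FAIL_ON"
      status=1
    fi
  done < "$list"
  rm -f "$list"
  if [ "$n" -eq 0 ]; then
    echo "release gate: no lockfiles found under $root; refusing to certify" >&2
    return 2
  fi
  return "$status"
}

# Usage in the tag step, e.g.:  ./release-gate.sh . && git tag "v$VERSION"
if [ $# -gt 0 ]; then
  release_gate "$1"
fi
```

The gate exits non-zero on three distinct conditions so the CI log tells you whether a tag was blocked by a finding, by a broken scanner, or by a layout change that hid every lockfile from the scan.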
Configuration change flow
- Infrastructure as code
GitHub Actions workflows under .github/workflows/ with SHA-pinned actions. Vercel and Tauri config in repo.
- Audit trail
Every config change is a PR; review and history live in git.
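A check for the SHA-pinning rule in the infrastructure-as-code item above, added here as an example and not part of the project's tooling. It reads a workflow file, extracts every `uses:` reference and reports any third-party action whose ref is not a full 40-hex commit SHA (a tag or branch can be moved after review; a commit SHA cannot). The constructed sample workflow, including its SHA value, is made up for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: verify that every third-party action in a GitHub Actions
# workflow is pinned to a full commit SHA. Not the project's own tooling;
# the sample workflow below is constructed.
set -u

# check_workflow_pins FILE: print every `uses:` reference that is not pinned
# to a 40-hex commit SHA; return 1 if any were found, 0 if all are pinned.
check_workflow_pins() {
  local file="$1" line ref sha rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    # Pull the action reference out of "- uses: owner/repo@ref # comment"
    ref=$(printf '%s\n' "$line" | sed -n -E "s/^[[:space:]-]*uses:[[:space:]]*[\"']?([^\"'[:space:]#]*).*/\1/p")
    [ -n "$ref" ] || continue
    case "$ref" in
      ./*) continue ;;                            # local action: pinned by this repo's own commit
      docker://*@sha256:[0-9a-f]*) continue ;;    # container image pinned by digest
    esac
    sha="${ref##*@}"   # text after the last '@' (equals $ref when there is none)
    if [ "$sha" != "$ref" ] && printf '%s\n' "$sha" | grep -Eq '^[0-9a-f]{40}$'; then
      continue
    fi
    printf 'UNPINNED %s: %s\n' "$file" "$ref"
    rc=1
  done < "$file"
  return "$rc"
}

# write_sample_workflow PATH: a constructed workflow with one SHA-pinned,
# one tag-pinned, one branch-pinned and one local action, for demonstration.
write_sample_workflow() {
  cat > "$1" <<'EOF'
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # pinned to a full commit SHA (constructed value, not a real commit)
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/setup-node@v4        # floating tag: a retagged release changes what runs
      - uses: "some-org/lint-action@main"  # branch ref: anyone with push can change it
      - uses: ./.github/actions/build      # local action, nothing to pin
      - run: npm ci && npm test
EOF
}

# Usage in CI or a pre-commit hook:  ./check-pins.sh .github/workflows/*.yml
if [ $# -gt 0 ]; then
  status=0
  for f in "$@"; do check_workflow_pins "$f" || status=1; done
  exit "$status"
fi
```

Run against the sample, the check flags `actions/setup-node@v4` and `some-org/lint-action@main` and accepts the SHA-pinned and local actions; wiring it into the PR checks makes the pinning rule enforced rather than relying on reviewers to spot a floating tag.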