Skip to content

docs: fix WRONG+HIGH tier doc-accuracy audit findings#85

Merged
devonartis merged 3 commits into
developfrom
fix/doc-accuracy-audit
Jun 29, 2026
Merged

docs: fix WRONG+HIGH tier doc-accuracy audit findings#85
devonartis merged 3 commits into
developfrom
fix/doc-accuracy-audit

Conversation

@devonartis

Copy link
Copy Markdown
Owner

Corrects nine shipped docs against current code and the live Python SDK (PyPI `agentwrit` v0.3.0), per the 2026-06-07 doc-accuracy audit. Every fix verified against source — caught two stale audit claims (event count is 25 not 26; release 403 `insufficient_scope` is correct as-shipped).

WRONG tier

  • demos.md — replace "coming soon" with live `docker compose` run steps + the three published image names (`devonartis/agentwrit`, `-medassist`, `-support-tickets`).
  • python-sdk.md — drop fabricated `register(launch_token=…)` API; document the real `AgentWritApp`/`create_agent` surface.
  • faq.md — remove enterprise-module/open-core framing (Decision 022); mark SDK + demos shipped; event count 24 → 25.

HIGH tier

  • common-tasks.md — sanitized validate-invalid response (no `detail`/codes); de-hardcode `iss` example.
  • foundations.md — `iss` is config-driven (`AA_ISSUER`, empty default skips check), not always `agentwrit`.
  • SECURITY.md — add GitHub Security Advisory channel; real version table (only 2.0.0 tagged).
  • design-decisions.md — planned OIDC bridge behind an interface seam, not an "add-on".
  • api.md — `/v1/app/auth` rate limit `10/min burst 3`; event count 23 → 25; add `sid` claim.
  • openapi.yaml — `details`→`detail` + 8 missing event fields; correct `policy` fields; real SPIFFE shape.

Verification

  • `grep` clean for residual "coming soon" / "enterprise module" / hardcoded `iss`.
  • `openapi.yaml` parses as valid YAML.
  • `git diff --stat`: 9 files, +154/-76.

MED/LOW audit tiers are a separate follow-up sweep.

Correct nine shipped docs against current code and the live Python SDK
(PyPI agentwrit v0.3.0), per the 2026-06-07 doc-accuracy audit.

WRONG tier:
- demos.md: replace coming-soon banner with live docker-compose run steps
  and the three published image names
- python-sdk.md: drop fabricated register(launch_token=) API, document the
  real AgentWritApp/create_agent surface
- faq.md: remove enterprise-module/open-core framing (Decision 022); mark
  SDK + demos shipped; event count 24 -> 25

HIGH tier:
- common-tasks.md: sanitized validate-invalid response (no detail/codes);
  de-hardcode iss example
- foundations.md: iss is config-driven (AA_ISSUER, empty default skips check),
  not always 'agentwrit'
- SECURITY.md: add GitHub Security Advisory channel; real version table
- design-decisions.md: planned OIDC bridge behind interface seam, not add-on
- api.md: app/auth rate limit 10/min burst 3; event count 23 -> 25; add sid
- openapi.yaml: details->detail + 8 missing event fields; policy fields;
  real SPIFFE shape

Verified every fix against source; corrected two stale audit claims
(event count is 25 not 26; release 403 insufficient_scope is correct).

Co-authored-by: Claude <noreply@anthropic.com>
@github-actions

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@devonartis devonartis added the skip-changelog Docs/config-only PR — no CHANGELOG entry needed label Jun 29, 2026
devonartis and others added 2 commits June 29, 2026 18:25
Clears two Go stdlib advisories flagged by govulncheck:
- GO-2026-5039 (net/textproto), reached via ed25519.GenerateKey
- GO-2026-5037 (crypto/x509)

Both fixed in go1.25.11. CI reads go-version-file: go.mod, so the
toolchain directive bump applies across all jobs. Comment refs in
ci.yml updated to match.

Co-authored-by: Claude <noreply@anthropic.com>
Second pass over the 2026-06-07 audit (MED/LOW + cross-cutting), all
verified against current code:

- README.md: add missing POST /v1/app/launch-tokens row (19 endpoints)
- awrit-reference.md: config file is KEY=VALUE not YAML (MODE=/ADMIN_SECRET=);
  audit IDs are evt-NNNNNN not UUID; app deregister status is 'inactive'
- troubleshooting.md: go run -> ./bin/; /v1/register has no requested_ttl
  (TTL comes from launch-token max_ttl); config path is /etc/broker/config
- concepts.md: hash covers 13 fields; claims include iss/nbf/aud/sid;
  eight components (was 'seven')
- security-topology.md + 2 SVG diagrams: 24 -> 25 event types
- architecture.md: prometheus/client_model marked indirect (5 direct deps)
- implementation-map.md + scenarios.md: mutauth built+tested but NOT mounted
- getting-started-{user,operator}.md: go run -> ./bin/
- CHANGELOG.md: [Unreleased] docs-accuracy + Go toolchain entries

Deferred: RFC 7807-vs-9457 reconciliation (code emits 7807, rules say 9457
— owner decision, out of docs-only scope). AGENTS.md/CONTRIBUTING.md fixes
are local-only (both gitignored, not tracked in this repo).

Co-authored-by: Claude <noreply@anthropic.com>
@devonartis devonartis merged commit 8f77617 into develop Jun 29, 2026
20 checks passed
@devonartis devonartis deleted the fix/doc-accuracy-audit branch June 29, 2026 22:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

skip-changelog Docs/config-only PR — no CHANGELOG entry needed

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant