AdvisoryHub Specification

This specification set is the single source of truth for what AdvisoryHub is and does. All development must conform to it: read the relevant file before making non-trivial changes, cite INV-* IDs in commits and PRs, and update the affected spec file(s) in the same commit/PR as any behavior change — a code/spec mismatch is a defect in whichever side drifted. Any deviation from the spec requires explicit maintainer confirmation before implementation.

  • invariant.md — load-bearing rules with stable INV-* IDs, severity tiers, and enforcement file paths.
  • architecture.md — tech stack, full app layout, architectural patterns, publication & GHSA pipelines, env-var inventory, operations, testing strategy.
  • permissions.md — authorization model: actors, roles, capability matrix, state-conditioned overrides, enforcement surfaces.
  • advisory-lifecycle.md — four lifecycle states plus three orthogonal sub-machines (review, CVE-request, publication-task) with transition tables and a sequence diagram.
  • requirements.md — top-down functional spec: actors, domain objects, functional & non-functional requirements, use cases.
  • api.md — rendered OpenAPI reference for the machine-consumable endpoints (/api/ JSON namespace, GHSA webhook, intake project picker, health probes); openapi.yaml is the machine-readable source, drift-guarded against the URLconf by api/tests/test_openapi_spec.py.