AdvisoryHub Specification
This specification set is the single source of truth for what
AdvisoryHub is and does. All development must conform to it: read the
relevant file before making non-trivial changes, cite INV-* IDs in
commits and PRs, and update the affected spec file(s) in the same
commit/PR as any behavior change — a code/spec mismatch is a defect in
whichever side drifted. Any deviation from the spec requires explicit
maintainer confirmation before implementation.
- `invariant.md` — load-bearing rules with stable `INV-*` IDs, severity tiers, and enforcement file paths.
- `architecture.md` — tech stack, full app layout, architectural patterns, publication & GHSA pipelines, env-var inventory, operations, testing strategy.
- `permissions.md` — authorization model: actors, roles, capability matrix, state-conditioned overrides, enforcement surfaces.
- `advisory-lifecycle.md` — four lifecycle states plus three orthogonal sub-machines (review, CVE-request, publication-task) with transition tables and a sequence diagram.
- `requirements.md` — top-down functional spec: actors, domain objects, functional & non-functional requirements, use cases.
- `api.md` — rendered OpenAPI reference for the machine-consumable endpoints (`/api/` JSON namespace, GHSA webhook, intake project picker, health probes); `openapi.yaml` is the machine-readable source, drift-guarded against the URLconf by `api/tests/test_openapi_spec.py`.