ADRs tagged security
Auto-generated by scripts/docs/generate-adr-by-tag.sh. To update this list, edit the `Tags:` lines in the ADRs.
24 ADR(s) carry this tag.
| ID | Title |
|---|---|
| ADR-0010 | Sign release artifacts keyless via Sigstore |
| ADR-0015 | CI matrix Linux/macOS/Windows with sanitizers |
| ADR-0033 | Relocate CodeQL config to .github/ |
| ADR-0037 | Protect master branch on GitHub with required checks |
| ADR-0038 | Purge upstream MATLAB MEX compiled binaries from tree |
| ADR-0039 | Pull forward runtime op-allowlist walk and model registry |
| ADR-0169 | ONNX op-allowlist — admit Loop + If with recursive subgraph scan (T6-5) |
| ADR-0171 | Bounded Loop.M trip-count guard (T6-5b) |
| ADR-0211 | Tiny-model registry schema + Sigstore --tiny-model-verify |
| ADR-0258 | ONNX op-allowlist — admit Resize for saliency / segmentation models (T7-32) |
| ADR-0263 | OSSF Scorecard policy and remediation cadence |
| ADR-0270 | libFuzzer scaffold for parser surfaces (OSSF Scorecard remediation) |
| ADR-0311 | libFuzzer harness expansion — fuzz_yuv_input + fuzz_cli_parse |
| ADR-0316 | cli_parse — handle long-only options in error() |
| ADR-0348 | Globally suppress CodeQL cpp/poorly-documented-function |
| ADR-0363 | Mend Renovate replaces Dependabot as the dependency-update bot |
| ADR-0379 | libvmaf Symbol Visibility — Hide Internal Symbols with -fvisibility=hidden |
| ADR-0382 | Y4M header parser — reject non-positive width or height before allocation |
| ADR-0404 | Keep nightly.yml + fuzz.yml red until underlying bugs land |
| ADR-0683 | Replace banned functions in vendored MCP cJSON |
| ADR-0694 | Tighten clang-tidy enforcement + confirm sanitizers as required CI gates |
| ADR-0698 | VMAFX Production Dockerfile — Multi-Arch, Image Signing, SBOM |
| ADR-0840 | Fix cu_state leak on import failure and gpu_dispatch_env TOCTOU |
| ADR-0887 | Reject JSON models whose per-feature arrays disagree on length |