OpenSSF Best Practices — Silver application¶

Pre-drafted answers for the OpenSSF Best Practices Badge Silver-level application. Filed on Day 1 after the public flip.

Basics¶

Basic project website content¶

The project's main website is the GitHub repository and the docs site at https://klein-business.github.io/legal-text-mcp-de. Both describe what the software does, allow users to view contents, and allow users to view recent changes.

FLOSS licence¶

Apache License 2.0. See LICENSE.

Documentation¶

README, documentation site, CONTRIBUTING, SECURITY, Versioning policy, Threat model.

Other project basics¶

Public version-control repository on GitHub.
Public issue tracker on GitHub.
Welcoming environment: Contributor Covenant 2.1.

Change control¶

Public version-controlled source repository¶

GitHub. Full history preserved; tags are signed via keyless OIDC.

Unique version numbering¶

Strict SemVer 2.0.0; releases tagged vMAJOR.MINOR.PATCH.

Release notes¶

CHANGELOG.md follows Keep a Changelog 1.1.0. Per-release notes generated by release-please.

Reporting¶

Bug-reporting process¶

Public GitHub Issues with templates for bug reports and feature requests. Response targets documented in SUPPORT.md.

Vulnerability-reporting process¶

GitHub Security Advisories with martin@klein.business as the backup channel. SLA: 5 business days acknowledgement, 90 days coordinated disclosure. See SECURITY.md.

Quality¶

Working build system¶

uv build produces sdist and wheel deterministically. CI verifies on every PR.

Automated test suite¶

286+ tests in mcp/tests/. Coverage measured by pytest-cov and enforced via [tool.coverage.report] fail_under in pyproject.toml.

New tests for new functionality¶

Documented in CONTRIBUTING.md; enforced by review.

Warning flags¶

ruff enforces lint rules. mypy strict on scripts/ and on five mcp/ modules. CI fails on warnings.

Security¶

Knowledge of secure design¶

Threat model published. Maintainer has direct experience in secure software design.

Use basic good cryptographic practices¶

The project does not implement cryptography; it consumes well-vetted cryptographic primitives via Sigstore cosign and SLSA-3 attestations.

Secured delivery against MITM and package modification¶

HTTPS for all source and release distribution. PyPI Trusted Publisher + PEP 740 attestations. GHCR images signed via cosign keyless.

Publicly known vulnerabilities¶

Dependabot weekly scans + CodeQL SAST. Known issues are tracked as GitHub Security Advisories.

Analysis¶

Static analysis¶

CodeQL (Python) runs on PR and weekly. Mypy strict on scripts/ and selected mcp/ modules.

Dynamic analysis¶

Test suite functions as dynamic analysis. Integration tests against the real HTTP and MCP surfaces (verify_e2e.py).

Silver-level extras¶

Full responses to each of the 51 silver-level criteria are filled out before submission post-flip; this document tracks our current position.

The silver-level criteria cover the following additional areas not addressed in the basics above:

Public roadmap — ROADMAP.md documents planned work for the next 3–6 months.
Governance — GOVERNANCE.md describes the BDFL model and path to co-maintainer.
Code of Conduct — Contributor Covenant 2.1 with enforcement contact.
Two-factor authentication — Maintainer uses 2FA on GitHub. PyPI account uses 2FA. GHCR access is through GitHub Actions only (no long-lived tokens).
Signed releases — cosign keyless signing on all GHCR images; Sigstore attestations on PyPI wheel/sdist.
Reproducible builds — uv build with pinned uv.lock is deterministic given the same Python version and OS. Full hermetic reproduction is provided by SLSA-3.
Memory-safe language — Python is memory-safe by default.
Hardened delivery — TLS everywhere; PEP 740 + cosign for artefact integrity; Dependabot for dependency freshness.
Fuzz testing — not implemented at v1.0.0; planned for v1.x. This item will be marked as a gap in the application.
Formal assurance — not applicable at this scope.

(Full per-criterion table to be added before submission.)