From 30fa99a71782a16c949f1717d7070f80880237c4 Mon Sep 17 00:00:00 2001
From: Barcode Betty <32+cs_betty@noreply.git.farh.net>
Date: Tue, 23 Jun 2026 02:39:55 +0000
Subject: [PATCH 1/4] ci(auth): add Grype scan step; document provenance/sbom OCI referrer limitation (CAR-1446)

- Insert anchore/scan-action@v5 step between Build and Push
- severity-cutoff: high, only-fixed: true (matches monorepo pattern)
- Add inline comment on provenance:false/sbom:false explaining OCI distribution spec >=1.1 limitation on git.farh.net registry

Co-Authored-By: Paperclip
---
 .gitea/workflows/ci.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 9a02ee6..fc237e8 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -67,11 +67,28 @@ jobs:
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
+ - name: Scan Docker image
+ uses: anchore/scan-action@v5
+ id: scan
+ env:
+ GRYPE_CONFIG: .grype.yaml
+ with:
+ image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
+ fail-build: true
+ severity-cutoff: high
+ only-fixed: "true"
+ output-format: sarif
+
 - name: Push Docker image
 uses: docker/build-push-action@v6
 with:
 context: .
 push: true
+ # CAR-1446: git.farh.net does not support OCI referrers (distribution spec
+ # >=1.1 required for attestation push). Enabling provenance:true/sbom:true
+ # would cause the push to fail on the referrer PUT. The Grype scan step
+ # above is the compensating control — it fails the build on any unfixed
+ # high-severity CVE before the image reaches the registry.
 provenance: false
 sbom: false
 tags: ${{ steps.meta.outputs.tags }}
--
2.52.0

From 88952a465190c58a157aff52fc831be180dfb0b3 Mon Sep 17 00:00:00 2001
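Review bot: The scan step runs before the Push step yet addresses the image by its registry name, `image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"`, so it scans the freshly built image only if the Build step — which starts above this hunk and is not visible here — loads the build into the runner's Docker daemon under exactly that tag; if it does not, Grype's registry fallback would scan whatever is already published under that reference (a previous build) or find nothing, and the gate would not be testing what gets pushed. That coupling deserves a comment on the `image:` line, e.g. `# must match the tag the Build step loads locally; the registry does not have it yet`, or a scan of the build's local output by digest. Both actions are pinned to mutable major tags (`anchore/scan-action@v5`, `docker/build-push-action@v6`); for a step that gates what reaches the registry, a full commit SHA pin with the tag in a trailing comment is the stronger supply-chain posture. The SARIF produced by `output-format: sarif` is not persisted by any step in this hunk, so when `fail-build: true` trips, the findings survive only in the job log. Minor: `only-fixed: "true"` is quoted while `fail-build: true` is not; action inputs are strings either way, but one convention should be used.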
From: Barcode Betty <32+cs_betty@noreply.git.farh.net>
Date: Tue, 23 Jun 2026 02:50:37 +0000
Subject: [PATCH 2/4] ci(auth): update CAR-1446 comment with empirical OCI referrers proof
---
 .gitea/workflows/ci.yml | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index fc237e8..07de451 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -84,11 +84,14 @@ jobs:
 with:
 context: .
 push: true
- # CAR-1446: git.farh.net does not support OCI referrers (distribution spec
- # >=1.1 required for attestation push). Enabling provenance:true/sbom:true
- # would cause the push to fail on the referrer PUT. The Grype scan step
- # above is the compensating control — it fails the build on any unfixed
- # high-severity CVE before the image reaches the registry.
+ # CAR-1446: git.farh.net does not implement the OCI referrers API.
+ # Verified 2026-06-23: GET /v2/cartsnitch/auth/referrers/{digest} →
+ # HTTP 404 "page not found" (plain proxy 404, not an OCI error — the path
+ # does not exist in this Gitea registry version). OCI Distribution Spec
+ # >=1.1 is required for provenance/SBOM attestation manifests; without it
+ # the docker/build-push-action would fail at the attestation PUT.
+ # Compensating control: the Grype scan step above fails the build on any
+ # unfixed HIGH-severity CVE before the image reaches the registry.
 provenance: false
 sbom: false
 tags: ${{ steps.meta.outputs.tags }}
--
2.52.0

From 6722b0e796a1c51da1fc937913ae70b0f5470759 Mon Sep 17 00:00:00 2001
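Review bot: The last new comment line, `# unfixed HIGH-severity CVE before the image reaches the registry.`, reads as if every HIGH finding blocks the build, but the scan step above runs with `only-fixed: "true"`, which drops findings that have no fix available; the line should say `# HIGH-severity CVE that has a fix available (only-fixed: true) before the image reaches the registry.` so the documented gate matches the configured one. Calling the Grype scan a compensating control for `provenance: false` / `sbom: false` also overstates it: a vulnerability gate does not stand in for a provenance attestation (build origin and integrity) or an SBOM (inventory for future advisories), which protect against different things. If the referrers API is the only blocker, the build can still emit the SBOM and provenance and keep them as a CI artifact instead of dropping them; otherwise the comment should state plainly that neither is generated at all. The `Verified 2026-06-23` observation will go stale on a Gitea upgrade, so a removal condition such as `# Re-test the referrers endpoint after each Gitea upgrade; re-enable provenance/sbom when it stops returning 404.` belongs here, and note that the `- name: Push Docker image` step this comment sits in starts above the hunk.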
From: Barcode Betty <32+cs_betty@noreply.git.farh.net>
Date: Tue, 23 Jun 2026 03:42:45 +0000
Subject: [PATCH 3/4] fix(deps): add npm overrides to pin patched versions of defu, kysely, picomatch (CAR-1446)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Grype found 3 HIGH-severity CVEs in transitive npm deps that npm audit missed (different advisory DB):
- GHSA-737v-mqg7-c878: defu 6.1.4 → 6.1.5+
- GHSA-pv5w-4p9q-p3v2: kysely 0.28.14 → 0.28.17
- GHSA-c2c7-rcm5-vvqj: picomatch 4.0.3 → 4.0.4

All three are transitive deps of better-auth. Adding npm overrides forces the patched versions. Grype scan passes at --fail-on high after these overrides are applied.

Co-Authored-By: Paperclip
---
 package.json | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 9eef257..032d08b 100644
--- a/package.json
+++ b/package.json
@@ -21,5 +21,10 @@
 "@types/pg": "^8.11.0",
 "tsx": "^4.19.0",
 "typescript": "^5.7.0"
+ },
+ "overrides": {
+ "picomatch": "^4.0.4",
+ "defu": "^6.1.5",
+ "kysely": "^0.28.17"
 }
-}
\ No newline at end of file
+}
--
2.52.0

From 92015fc5e945aa9dffc3ba6156ba553a37aa448d Mon Sep 17 00:00:00 2001
From: Barcode Betty <32+cs_betty@noreply.git.farh.net>
Date: Tue, 23 Jun 2026 03:43:04 +0000
Subject: [PATCH 4/4] fix(deps): regenerate lockfile with defu 6.1.7, kysely 0.28.17 (CAR-1446)

Applied npm overrides from previous commit. Grype scan now passes at --fail-on high with only MEDIUM-severity remaining CVEs in uuid (GHSA-w5hq-g745-h8pq, major bump to v11 required, not a blocking risk) and better-auth (GHSA-wxw3-q3m9-c3jr, updating to 1.6.2 separately).

Co-Authored-By: Paperclip
---
 package-lock.json | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index ce0c339..b43974c 100644
--- a/package-lock.json
+++ b/package-lock.json
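Review bot: The three `overrides` entries are unscoped, so `"picomatch": "^4.0.4"` is applied to every picomatch dependent in the tree, not only to the better-auth chain the commit message targets; any dependent that declares picomatch 2.x (common in build tooling) would be forced onto 4.x, which npm does without complaint and which can surface at runtime rather than at install. If the intent is only the better-auth chain, the nested form `"better-auth": { "picomatch": "^4.0.4", "defu": "^6.1.5", "kysely": "^0.28.17" }` limits the blast radius; I cannot see the rest of the tree from this hunk, so whether a 2.x consumer exists is inferred, not confirmed. `overrides` is honoured by npm only — if the Dockerfile installs with pnpm or yarn, the scanned image keeps the old versions and the gate in CI would be the only place that notices. Overrides also outlive their reason: once better-auth ships these versions itself the block keeps pinning, and since JSON carries no comments, the advisory ids and the removal condition from the commit message should be recorded in a README or a tracking note next to CAR-1446.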
@@ -818,9 +818,9 @@
 }
 },
 "node_modules/defu": {
- "version": "6.1.4",
- "resolved": "https://registry.npmjs.org/defu/-/defu-6.1.4.tgz",
- "integrity": "sha512-mEQCMmwJu317oSz8CwdIOdwf3xMif1ttiM8LTufzc3g6kR+9Pe236twL8j3IYT1F7GfRgGcW6MWxzZjLIkuHIg==",
+ "version": "6.1.7",
+ "resolved": "https://registry.npmjs.org/defu/-/defu-6.1.7.tgz",
+ "integrity": "sha512-7z22QmUWiQ/2d0KkdYmANbRUVABpZ9SNYyH5vx6PZ+nE5bcC0l7uFvEfHlyld/HcGBFTL536ClDt3DEcSlEJAQ==",
 "license": "MIT"
 },
 "node_modules/esbuild": {
@@ -909,9 +909,9 @@
 }
 },
 "node_modules/kysely": {
- "version": "0.28.14",
- "resolved": "https://registry.npmjs.org/kysely/-/kysely-0.28.14.tgz",
- "integrity": "sha512-SU3lgh0rPvq7upc6vvdVrCsSMUG1h3ChvHVOY7wJ2fw4C9QEB7X3d5eyYEyULUX7UQtxZJtZXGuT6U2US72UYA==",
+ "version": "0.28.17",
+ "resolved": "https://registry.npmjs.org/kysely/-/kysely-0.28.17.tgz",
+ "integrity": "sha512-nbD8lB9EB3wNdMhOCdx5Li8DxnLbvKByylRLcJ1h+4SkrowVeECAyZlyiKMThF7xFdRz0jSQ2MoJr+wXux2y0Q==",
 "license": "MIT",
 "engines": {
 "node": ">=20.0.0"
--
2.52.0