source-security-dev · pureliture · Jun 21, 2026 · Jun 21, 2026
diff --git a/CURRENT.md b/CURRENT.md
@@ -4,7 +4,7 @@
 
 - Project: `security-scanner`
 - Merge mode: `guarded-auto-merge`
-- Active goal: `phase-2a-sarif-product-complete`
+- Active goal: `personal-prod-deploy`
 - Last auto merge: `ledger:20260617T003405Z-autopilot-3236f4`
 - Ledger entries: `4`
 - Ledger index hash: `sha256:e1893a649a1101b74a087b5eaaa275813a85708c5bb46c4ae70c24e10a111050`

diff --git a/deploy/systemd/user/security-scanner-personal-baseline.service b/deploy/systemd/user/security-scanner-personal-baseline.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=security-scanner personal baseline enqueue
+Documentation=https://github.com/source-security-dev/security-scanner
+
+[Service]
+Type=oneshot
+Slice=securityscanner.slice
+Nice=15
+IOSchedulingClass=idle
+TasksMax=128
+WorkingDirectory=%h/security-scanner
+EnvironmentFile=-%h/.config/security-scanner/personal-prod.env
+Environment=PATH=%h/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/bin
+Environment=SECURITY_SCANNER_STORAGE_BACKEND=dynamodb
+Environment=SECURITY_SCANNER_DYNAMO_ENDPOINT=http://localhost:4567
+Environment=SECURITY_SCANNER_DYNAMO_TABLE=security_scanner_personal
+Environment=SECURITY_SCANNER_CACHE_ROOT=%h/.cache/security-scanner-personal/repos
+ExecStart=%h/.local/bin/uv run security-scanner baseline \
+    --rolling-divisor 1 \
+    --backpressure-threshold 1000
+
+[Install]
+WantedBy=default.target
diff --git a/deploy/systemd/user/security-scanner-personal-baseline.timer b/deploy/systemd/user/security-scanner-personal-baseline.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=Scheduler for security-scanner personal baseline enqueue
+Documentation=https://github.com/source-security-dev/security-scanner
+
+[Timer]
+OnCalendar=*-*-* 04:00:00
+Persistent=true
+RandomizedDelaySec=1800
+Unit=security-scanner-personal-baseline.service
+
+[Install]
+WantedBy=timers.target
diff --git a/deploy/systemd/user/security-scanner-personal-freshness-eval.service b/deploy/systemd/user/security-scanner-personal-freshness-eval.service
@@ -0,0 +1,25 @@
+[Unit]
+Description=security-scanner personal freshness eval
+Documentation=https://github.com/source-security-dev/security-scanner
+
+[Service]
+Type=oneshot
+Slice=securityscanner.slice
+Nice=15
+IOSchedulingClass=idle
+TasksMax=128
+WorkingDirectory=%h/security-scanner
+EnvironmentFile=-%h/.config/security-scanner/personal-prod.env
+Environment=PATH=%h/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/bin
+Environment=SECURITY_SCANNER_STORAGE_BACKEND=dynamodb
+Environment=SECURITY_SCANNER_DYNAMO_ENDPOINT=http://localhost:4567
+Environment=SECURITY_SCANNER_DYNAMO_TABLE=security_scanner_personal
+ExecStart=%h/.local/bin/uv run security-scanner freshness-eval \
+    --poll-interval-hours 0.0833333333 \
+    --baseline-cadence-hours 24 \
+    --margin-hours 1 \
+    --backlog-alert-threshold 10 \
+    --notification-log %h/.local/state/security-scanner/personal-alerts.log.jsonl
+
+[Install]
+WantedBy=default.target
diff --git a/deploy/systemd/user/security-scanner-personal-freshness-eval.timer b/deploy/systemd/user/security-scanner-personal-freshness-eval.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=Scheduler for security-scanner personal freshness eval
+Documentation=https://github.com/source-security-dev/security-scanner
+
+[Timer]
+OnCalendar=*:0/10:00
+Persistent=true
+RandomizedDelaySec=120
+Unit=security-scanner-personal-freshness-eval.service
+
+[Install]
+WantedBy=timers.target
diff --git a/deploy/systemd/user/security-scanner-personal-incr-poll.service b/deploy/systemd/user/security-scanner-personal-incr-poll.service
@@ -0,0 +1,26 @@
+[Unit]
+Description=security-scanner personal incremental poll
+Documentation=https://github.com/source-security-dev/security-scanner
+
+[Service]
+Type=oneshot
+Slice=securityscanner.slice
+Nice=15
+IOSchedulingClass=idle
+TasksMax=128
+WorkingDirectory=%h/security-scanner
+EnvironmentFile=-%h/.config/security-scanner/personal-prod.env
+Environment=PATH=%h/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/bin
+Environment=SECURITY_SCANNER_STORAGE_BACKEND=dynamodb
+Environment=SECURITY_SCANNER_DYNAMO_ENDPOINT=http://localhost:4567
+Environment=SECURITY_SCANNER_DYNAMO_TABLE=security_scanner_personal
+Environment=SECURITY_SCANNER_CACHE_ROOT=%h/.cache/security-scanner-personal/repos
+ExecStart=%h/.local/bin/uv run security-scanner discover-updates \
+    --enqueue \
+    --from-catalog \
+    --ls-remote-skip \
+    --cadence-seconds 300 \
+    --notification-log %h/.local/state/security-scanner/personal-incr-poll.log.jsonl
+
+[Install]
+WantedBy=default.target
diff --git a/deploy/systemd/user/security-scanner-personal-incr-poll.timer b/deploy/systemd/user/security-scanner-personal-incr-poll.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=Scheduler for security-scanner personal incremental poll
+Documentation=https://github.com/source-security-dev/security-scanner
+
+[Timer]
+OnCalendar=*:0/5:00
+Persistent=true
+RandomizedDelaySec=60
+Unit=security-scanner-personal-incr-poll.service
+
+[Install]
+WantedBy=timers.target
diff --git a/deploy/systemd/user/security-scanner-personal-lease-reaper.service b/deploy/systemd/user/security-scanner-personal-lease-reaper.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=security-scanner personal lease reaper
+Documentation=https://github.com/source-security-dev/security-scanner
+
+[Service]
+Type=oneshot
+Slice=securityscanner.slice
+Nice=15
+IOSchedulingClass=idle
+TasksMax=128
+WorkingDirectory=%h/security-scanner
+EnvironmentFile=-%h/.config/security-scanner/personal-prod.env
+Environment=PATH=%h/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/bin
+Environment=SECURITY_SCANNER_STORAGE_BACKEND=dynamodb
+Environment=SECURITY_SCANNER_DYNAMO_ENDPOINT=http://localhost:4567
+Environment=SECURITY_SCANNER_DYNAMO_TABLE=security_scanner_personal
+ExecStart=%h/.local/bin/uv run security-scanner reap-expired-leases
+
+[Install]
+WantedBy=default.target
diff --git a/deploy/systemd/user/security-scanner-personal-lease-reaper.timer b/deploy/systemd/user/security-scanner-personal-lease-reaper.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=Scheduler for security-scanner personal lease reaper
+Documentation=https://github.com/source-security-dev/security-scanner
+
+[Timer]
+OnUnitActiveSec=2min
+Persistent=true
+RandomizedDelaySec=15
+Unit=security-scanner-personal-lease-reaper.service
+
+[Install]
+WantedBy=timers.target
diff --git a/deploy/systemd/user/security-scanner-personal-scan-worker@.service b/deploy/systemd/user/security-scanner-personal-scan-worker@.service
@@ -0,0 +1,27 @@
+[Unit]
+Description=security-scanner personal scan-worker instance %i
+Documentation=https://github.com/source-security-dev/security-scanner
+PartOf=security-scanner-personal-workers.target
+
+[Service]
+Type=simple
+Slice=securityscanner.slice
+Nice=15
+IOSchedulingClass=idle
+TasksMax=256
+WorkingDirectory=%h/security-scanner
+EnvironmentFile=-%h/.config/security-scanner/personal-prod.env
+Environment=PATH=%h/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/bin
+Environment=SECURITY_SCANNER_STORAGE_BACKEND=dynamodb
+Environment=SECURITY_SCANNER_DYNAMO_ENDPOINT=http://localhost:4567
+Environment=SECURITY_SCANNER_DYNAMO_TABLE=security_scanner_personal
+Environment=SECURITY_SCANNER_CACHE_ROOT=%h/.cache/security-scanner-personal/repos
+ExecStart=%h/.local/bin/uv run security-scanner scan-worker \
+    --daemon \
+    --worker-id security-scanner-personal-scan-worker@%i \
+    --notification-log %h/.local/state/security-scanner/personal-scan-worker.log.jsonl
+Restart=on-failure
+RestartSec=10
+
+[Install]
+WantedBy=security-scanner-personal-workers.target
diff --git a/deploy/systemd/user/security-scanner-personal-workers.target b/deploy/systemd/user/security-scanner-personal-workers.target
@@ -0,0 +1,6 @@
+[Unit]
+Description=security-scanner personal worker pool
+Documentation=https://github.com/source-security-dev/security-scanner
+
+[Install]
+WantedBy=default.target
diff --git a/deploy/systemd/user/securityscanner.slice b/deploy/systemd/user/securityscanner.slice
@@ -0,0 +1,13 @@
+[Unit]
+Description=security-scanner personal worker resource slice
+Documentation=https://github.com/source-security-dev/security-scanner
+
+[Slice]
+CPUAccounting=true
+MemoryAccounting=true
+IOAccounting=true
+TasksAccounting=true
+CPUQuota=150%
+MemoryMax=3G
+TasksMax=512
+IOWeight=100
diff --git a/governance/autopilot_goal.yml b/governance/autopilot_goal.yml
@@ -1,5 +1,5 @@
 schema_version: 1
-goal_id: phase-2a-sarif-product-complete
+goal_id: personal-prod-deploy
 execution_mode:
   style: long-single-goal
   human_gate: stop-conditions-only
@@ -20,6 +20,7 @@ allowed_writes:
   - docs/views/research-and-technical-decisions.md
   - src/security_scanner/**
   - tests/**
+  - deploy/systemd/user/**
   - examples/**
   - eval/**
   - docs/workbench/**

diff --git a/governance/current.yml b/governance/current.yml
@@ -37,7 +37,7 @@ gates:
   proof_ref: ''
   proof_hash: ''
 autopilot:
-  active_goal: phase-2a-sarif-product-complete
+  active_goal: personal-prod-deploy
   merge_mode: guarded-auto-merge
   last_auto_merge: ledger:20260617T003405Z-autopilot-3236f4
 open_decisions: []

diff --git a/src/security_scanner/targets/fetcher.py b/src/security_scanner/targets/fetcher.py
@@ -43,6 +43,9 @@ class UnsupportedHostError(FetchError):
 
 
 def _default_cache_root() -> Path:
+    configured = os.environ.get("SECURITY_SCANNER_CACHE_ROOT")
+    if configured:
+        return Path(configured).expanduser()
     return Path.home() / ".cache" / "security-scanner" / "repos"
 
 

diff --git a/tests/test_fetcher.py b/tests/test_fetcher.py
@@ -140,6 +140,7 @@ def test_existing_cache_path_triggers_git_fetch(monkeypatch, tmp_path):
 
 def test_default_cache_root_uses_home(monkeypatch, tmp_path):
     """When cache_root is omitted, path is ~/.cache/security-scanner/repos/<owner>/<repo>."""
+    monkeypatch.delenv("SECURITY_SCANNER_CACHE_ROOT", raising=False)
     monkeypatch.setattr(Path, "home", classmethod(lambda cls: tmp_path))
 
     calls = []
@@ -164,6 +165,24 @@ def test_default_cache_root_uses_home(monkeypatch, tmp_path):
     assert cmd[4] == str(expected_path)
 
 
+def test_default_cache_root_can_be_overridden_by_env(monkeypatch, tmp_path):
+    cache_root = tmp_path / "personal-cache"
+    monkeypatch.setenv("SECURITY_SCANNER_CACHE_ROOT", str(cache_root))
+
+    calls = []
+    monkeypatch.setattr(
+        "security_scanner.targets.fetcher.subprocess.run",
+        _record_run(calls),
+    )
+
+    result = fetch_or_clone("https://github.com/octocat/hello-world")
+
+    expected_path = cache_root / "github.com" / "octocat" / "hello-world"
+    assert result == expected_path
+    cmd, _ = calls[0]
+    assert cmd[4] == str(expected_path)
+
+
 def test_missing_gh_falls_back_to_public_git_clone(monkeypatch, tmp_path):
     calls = []