source-security-dev · pureliture · Jun 21, 2026 · Jun 21, 2026 · Jun 21, 2026 · Jun 21, 2026
diff --git a/deploy/systemd/user/security-scanner-personal-vuln-freshness-eval.service b/deploy/systemd/user/security-scanner-personal-vuln-freshness-eval.service
@@ -0,0 +1,37 @@
+[Unit]
+Description=security-scanner personal code-vuln freshness/coverage eval
+Documentation=https://github.com/source-security-dev/security-scanner
+
+# ROLLOUT DRAFT (not for autonomous enable). Authored under
+# .worktrees/vuln-rollout-prep per the catalog-driven vuln-rollout DECISION.
+# The `vuln-freshness-eval` subcommand NOW EXISTS on this branch: it reads the
+# INCLUDED org catalog (read-only), enumerates the per-run vuln JSONL artifacts
+# under --artifact-dir, and reports per-repo last-vuln-scan recency plus a
+# fresh/stale/never-scanned coverage rollup. It is a report-only observability
+# timer, not a gate, and always exits 0.
+#
+# It does NOT read or write vuln findings to the durable table; durable
+# REPO_HEALTH / BREACH_COUNTER for the vuln plane is separate human-gated work,
+# not this draft. The catalog read uses the store provided via EnvironmentFile
+# (the personal-prod env file supplies storage backend, endpoint, table, region,
+# and cache root).
+
+[Service]
+Type=oneshot
+Slice=securityscanner.slice
+Nice=19
+IOSchedulingClass=idle
+TasksMax=128
+WorkingDirectory=%h/security-scanner
+EnvironmentFile=-%h/.config/security-scanner/personal-prod.env
+Environment=PATH=%h/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/bin
+Environment=SECURITY_SCANNER_CACHE_ROOT=%h/.cache/security-scanner-personal/repos
+ExecStart=%h/.local/bin/uv run security-scanner vuln-freshness-eval \
+    --artifact-dir %h/.local/state/security-scanner/vuln-artifacts \
+    --scan-cadence-hours 24 \
+    --margin-hours 6 \
+    --backlog-alert-threshold 10 \
+    --notification-log %h/.local/state/security-scanner/personal-vuln-alerts.log.jsonl
+
+[Install]
+WantedBy=default.target
diff --git a/deploy/systemd/user/security-scanner-personal-vuln-freshness-eval.timer b/deploy/systemd/user/security-scanner-personal-vuln-freshness-eval.timer
@@ -0,0 +1,17 @@
+[Unit]
+Description=Scheduler for security-scanner personal code-vuln freshness/coverage eval
+Documentation=https://github.com/source-security-dev/security-scanner
+
+# ROLLOUT DRAFT (not for enable). Evaluation cadence is much looser than the
+# secret freshness-eval (10 min) because the vuln scan cadence itself is daily,
+# not per-commit. Every 6 hours is enough to surface a missed daily vuln pass
+# without churn. Tune alongside the vuln-scan timer during H-track calibration.
+
+[Timer]
+OnCalendar=*-*-* 00/6:00:00
+Persistent=true
+RandomizedDelaySec=300
+Unit=security-scanner-personal-vuln-freshness-eval.service
+
+[Install]
+WantedBy=timers.target
diff --git a/deploy/systemd/user/security-scanner-personal-vuln-scan.service b/deploy/systemd/user/security-scanner-personal-vuln-scan.service
@@ -0,0 +1,42 @@
+[Unit]
+Description=security-scanner personal code-vuln (SAST) scheduled scan
+Documentation=https://github.com/source-security-dev/security-scanner
+
+# ROLLOUT DRAFT (not for autonomous enable). Authored under
+# .worktrees/vuln-rollout-prep per the catalog-driven vuln-rollout DECISION.
+# The catalog-driven scan-vuln entrypoint NOW EXISTS on this branch:
+# `scan-vuln --from-catalog` reads the INCLUDED org catalog (read-only) and
+# writes one no-clobber per-repo/per-run JSONL artifact under --artifact-dir.
+#
+# Remaining blockers before any `systemctl enable`:
+#   (a) the host checkout must contain THIS branch (origin/main may be behind);
+#   (b) a pinned semgrep-compatible binary must exist at %h/.local/bin/semgrep
+#       (the runtime preflight returns a distinct binary-missing exit otherwise);
+#   (c) this is NOT cleared for autonomous enable — single-owner review first.
+# See docs/runbooks/vuln-rollout-enable-checklist.md before any enable.
+#
+# Catalog read uses the store provided via EnvironmentFile (the personal-prod
+# env file supplies the storage backend, endpoint, table, region, cache root,
+# and GH token). This unit does NOT write vuln findings to the durable table;
+# per-repo artifacts live under --artifact-dir / the isolated cache root.
+
+[Service]
+Type=oneshot
+Slice=securityscanner.slice
+Nice=19
+IOSchedulingClass=idle
+TasksMax=256
+WorkingDirectory=%h/security-scanner
+EnvironmentFile=-%h/.config/security-scanner/personal-prod.env
+Environment=PATH=%h/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/bin
+Environment=SECURITY_SCANNER_CACHE_ROOT=%h/.cache/security-scanner-personal/repos
+ExecStart=%h/.local/bin/uv run security-scanner scan-vuln \
+    --from-catalog \
+    --artifact-dir %h/.local/state/security-scanner/vuln-artifacts \
+    --semgrep-binary %h/.local/bin/semgrep \
+    --semgrep-config auto \
+    --timeout-seconds 1800 \
+    --path-policy redacted
+
+[Install]
+WantedBy=default.target
diff --git a/deploy/systemd/user/security-scanner-personal-vuln-scan.timer b/deploy/systemd/user/security-scanner-personal-vuln-scan.timer
@@ -0,0 +1,18 @@
+[Unit]
+Description=Scheduler for security-scanner personal code-vuln (SAST) scan
+Documentation=https://github.com/source-security-dev/security-scanner
+
+# ROLLOUT DRAFT (not for enable). Cadence is deliberately LONG: semgrep-compatible
+# SAST is a full directory-tree HEAD scan, far more expensive than the per-commit
+# secret incr-poll (5 min) or daily secret baseline. Daily at 03:30 keeps the
+# vuln pass off the secret baseline's 04:00 slot. Tune per real semgrep wall-clock
+# during H-track calibration; weekly is also acceptable for large catalogs.
+
+[Timer]
+OnCalendar=*-*-* 03:30:00
+Persistent=true
+RandomizedDelaySec=1800
+Unit=security-scanner-personal-vuln-scan.service
+
+[Install]
+WantedBy=timers.target