[AAASM-3568] 🔒 (node-sdk): SDK supply-chain attestation + SBOM + advisory gate #180

Merged
Chisanan232 merged 4 commits into master from v0.0.1/AAASM-3568/sdk_supply_chain_attestation
Jun 23, 2026

@Chisanan232

Contributor

Description

Hardens the Node SDK's distribution supply chain (Story AAASM-3568). Three changes, no behavior change to the SDK itself:

  • Advisory gate (AAASM-3616): new dependency-audit workflow runs pnpm audit --audit-level=high on the same code-bearing PR/push triggers as test-matrix, and is wired into the CI Success aggregate gate. A known-vuln dependency now fails CI and blocks the release. Unfixable advisories are allowlisted (with a dated rationale) in root package.json pnpm.auditConfig.ignoreGhsas — none ignored today. This makes node the third SDK ecosystem with a uniform advisory gate (alongside go's govulncheck and python's pip-audit).
  • CycloneDX SBOM (AAASM-3619): release-node.yml now generates sbom.cdx.json (@cyclonedx/cyclonedx-npm) after the build, uploads it as a workflow artifact on every dispatch (incl. dry-run, which validates generation), and attaches it to the GitHub Release on the real-publish path. The release-cut step's idempotent re-run branch still (re-)uploads the SBOM via --clobber. Completes the consumer-verifiable manifest alongside the existing npm provenance (NPM_CONFIG_PROVENANCE).
  • Docs (AAASM-3628): new SECURITY.md lists the canonical @agent-assembly/* package names (SDK + 4 runtime-* sub-packages) to counter typosquats, and documents how a consumer verifies an install — npm audit signatures / the registry Provenance panel, plus the per-release SBOM. Linked from the README.

The operator-gated, FFI-pin-lockstep publish pipeline (AAASM-3503 / AAASM-3468) is unchanged — no dry-run gating or publish-order changes.

Type of Change

  • ✨ New feature
  • 🔧 Bug fix
  • ♻️ Refactoring
  • 🍀 Performance improvement
  • 📚 Documentation update
  • 🚀 Release
  • 🔒 Security / supply-chain hardening (CI + release workflow)

Breaking Changes

  • No
  • Yes (please describe below)

Related Issues

  • Related JIRA ticket: AAASM-3568 (Story); subtasks AAASM-3616, AAASM-3619, AAASM-3628
  • Related GitHub issues: N/A

Testing

Describe the testing performed for this PR:

  • Unit tests added/updated
  • Integration tests added/updated
  • Manual testing performed — actionlint clean on all three changed workflows; YAML parses (yaml.safe_load). The release-workflow SBOM step and the advisory gate exercise on the next dispatch/CI run (no local registry).
  • No tests required (explain why) — changes are CI/release workflow YAML + Markdown docs; no SDK source touched.

Checklist

  • Code follows project style guidelines
  • Self-review completed
  • Comments added for complex logic
  • Documentation updated if needed
  • All tests passing

🤖 Generated with Claude Code
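
The Docs item above names typosquats as the reason for publishing a canonical package list. As an added example (not code from this PR or the project), the following scans a CycloneDX JSON SBOM for components that sit in, or imitate, the @agent-assembly scope without being on that list. The canonical names, the sample SBOM and the function names are constructed placeholders, and it assumes scoped npm components carry the scope in `group`.

```javascript
// Added example: flag look-alike packages in a CycloneDX JSON SBOM.
// CANONICAL holds constructed placeholder names, not the project's real list.
const SCOPE = "@agent-assembly";
const CANONICAL = new Set([
  "@agent-assembly/sdk-placeholder",
  "@agent-assembly/runtime-placeholder-a",
]);

// Levenshtein distance using two rows of the dynamic-programming table.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const sub = prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1);
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, sub);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns one finding per component that is inside the official scope but
// not canonical, or whose scope is within maxDistance edits of the official one.
function findLookalikes(sbom, maxDistance = 2) {
  const findings = [];
  for (const c of sbom.components ?? []) {
    const name = c.group ? `${c.group}/${c.name}` : c.name;
    if (CANONICAL.has(name) || !c.group) continue;
    if (c.group === SCOPE) {
      findings.push({ name, reason: "non-canonical package in official scope" });
    } else if (editDistance(c.group, SCOPE) <= maxDistance) {
      findings.push({ name, reason: `scope resembles ${SCOPE}` });
    }
  }
  return findings;
}

// Constructed sample SBOM fragment (not taken from a real release).
const sampleSbom = {
  bomFormat: "CycloneDX",
  components: [
    { type: "library", group: "@agent-assembly", name: "sdk-placeholder", version: "0.0.1" },
    { type: "library", group: "@agent-asembly", name: "sdk-placeholder", version: "0.0.1" },
    { type: "library", group: "@agent-assembly", name: "runtime-placeholder-z", version: "0.0.1" },
    { type: "library", name: "left-pad", version: "1.3.0" },
  ],
};
console.log(findLookalikes(sampleSbom));
```

A finding is a prompt to check the package against the published canonical list and its registry provenance, not proof of a malicious package.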

Chisanan232 and others added 4 commits June 23, 2026 13:12
Add a dependency-audit workflow running `pnpm audit --audit-level=high`
on the same code-bearing PR/push triggers as test-matrix, so a known-vuln
dependency cannot ride into an npm publish via the lockfile. Mirrors
go-sdk's govulncheck gate; unfixable advisories go in package.json
pnpm.auditConfig.ignoreGhsas with a dated rationale (none ignored today).

AAASM-3616

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Add the dependency-audit workflow to ci-success.yml's workflow_run list
so the single aggregate branch-protection check waits on the advisory
gate's conclusion (failure blocks; a paths-filtered skip is treated as
success, same as the other workflows).

AAASM-3616

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Generate a CycloneDX SBOM (@cyclonedx/cyclonedx-npm) for the workspace
after the build, upload it as a workflow artifact on every dispatch
(incl. dry-run, which validates generation), and attach sbom.cdx.json to
the GitHub Release on the real-publish path. The release-cut step's
idempotent re-run branch now still (re-)uploads the SBOM via --clobber
instead of exiting early. Completes the consumer-verifiable manifest
alongside the existing npm provenance. No change to dry-run gating or the
operator-gated publish flow.

AAASM-3619

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

…ation

Add SECURITY.md stating the canonical @agent-assembly/* npm package names
(SDK + 4 runtime-* sub-packages) to counter typosquats, and a verification
recipe: npm provenance via `npm audit signatures` / the registry Provenance
panel, and the per-release CycloneDX SBOM (sbom.cdx.json) attached to each
GitHub Release. Link it from the README's Support & security section.

AAASM-3628

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@codecov

codecov Bot commented Jun 23, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.

@Chisanan232

Contributor Author

Merge-readiness review — AAASM-3568 (node-sdk)

CI: ALL GREEN. Buckets — tests (test 18/20/22/24, module-smoke 18/20/22, napi-build), advisory gate (audit ✅), quality/coverage (quality, coverage-and-analysis, codecov ✅), security (CodeQL/Analyze ✅), SonarCloud ✅. No red checks; nothing to fix.

Scope vs ticket — both node-sdk subtasks covered, no gap:

  • AAASM-3616 (npm/OSV advisory gate) — new dependency-audit.yml runs pnpm audit --audit-level=high on the frozen lockfile; added to ci-success.yml workflow_run aggregate so it gates the release path. Allowlist convention documented (pnpm.auditConfig). ✅
  • AAASM-3619 (CycloneDX SBOM) — release-node.yml adds a @cyclonedx/cyclonedx-npm step emitting sbom.cdx.json, uploaded as artifact + attached to the GitHub Release (--clobber); release-create block refactored to be idempotent. ✅
  • Shared docs (AAASM-3628): SECURITY.md (canonical @agent-assembly/* package list incl. 4 runtime-* optionalDeps, npm audit signatures provenance + SBOM verification) + README note. ✅

npm provenance (--provenance) was already present (NPM_CONFIG_PROVENANCE); SBOM attach only runs on a real release dispatch — confirmed it won't run on this PR and is workflow-valid (CI green). The audit gate runs on every PR/push and is live.

Verdict: READY TO MERGE.

— Claude Code

@Chisanan232

Contributor Author

✅ Review — READY to approve & merge (Claude Code)

Re-reviewed first-hand against terminal CI + the diff (apologies it slipped earlier).

CI — terminal green, verified via run conclusion: 17/17 checks pass, 0 fail, 0 pending (head dfdd463); test matrix (18/20/22/24), napi-build, module-smoke, audit advisory gate, quality, coverage, CodeQL, SonarCloud all completed/success. mergeable: MERGEABLE (BLOCKED = approval gate only).

Scope — AAASM-3568 node subtasks all covered:

| Subtask | Evidence in diff |
| --- | --- |
| 3616 advisory gate | dependency-audit.yml: pnpm audit --audit-level=high (allowlist in root package.json) + wired into ci-success.yml aggregate → runs & gates on every PR (live-green) |
| 3619 SBOM | @cyclonedx/cyclonedx-npm generates sbom.cdx.json, uploaded as artifact + gh release upload --clobber attaches it per release |
| provenance | --provenance / NPM_CONFIG_PROVENANCE present in release-node.yml (SLSA) |
| 3628 docs | README + SECURITY.md document npm audit signatures verification + SBOM |

Release/tag-time steps (provenance attest, SBOM attach, publish) only fire on a real release dispatch — correctly not run on this PR but workflow-valid; the advisory gate runs on the PR and is green.

Verdict: READY. No CI issues, scope complete. Builds on the operator-gated publish (AAASM-3503) + FFI-pin lockstep (AAASM-3468).

@Chisanan232 Chisanan232 merged commit 6cf044d into master Jun 23, 2026
17 checks passed
@Chisanan232 Chisanan232 deleted the v0.0.1/AAASM-3568/sdk_supply_chain_attestation branch June 23, 2026 08:53