Officer impact: None — this corrects one engineering risk-ledger sentence. It changes no page, officer task, permission, data, payment, provider, or live service.
Officer documentation: None — no current officer procedure or diagram changes.
Deployment evidence: None at creation. Closure must distinguish documentation source/tests/merge from website publication, Firebase deployment, provider state, production data, and live behavior.
Problem
On exact main 5dd3ba6d3bb966ed1d6fa987abf32d3530d5f96b, the SUPPLY-001C residual sentence in SECURITY.md says there are 9 Functions production findings.
Fresh Node 20.20.2 lockfile audits on that exact source show:
npm --prefix functions audit --omit=dev --json: 8 moderate affected packages, 0 high or critical.
npm --prefix functions audit --json: 9 moderate affected packages, 0 high or critical.
The ninth finding is present only when development dependencies are included. Calling all nine production findings contradicts the current RISK-014 summary and SUPPLY-001D1 ledger, both of which correctly report eight production findings.
Atomic outcome
Change only the SUPPLY-001C residual sentence from 9 Functions production findings to 8. Preserve the 6-root count, all remaining wording, every other SECURITY row, and all historical evidence.
Required proof
- Both exact audit commands reproduce 8 production and 9 full-tree findings.
- Exact diff is one phrase in one
SECURITY.md row.
git diff --check, Markdown structure, and secret-pattern checks pass.
- Two independent read-only truth/coordination reviews approve the exact hash.
- Hosted and post-merge CI pass; deployment state is reported separately.
Exact ownership
SECURITY.md — only the SUPPLY-001C residual sentence currently saying 6 root and 9 Functions production findings.
Exclusions
No package, lockfile, source, test, Rules, workflow, provider, deployment, schema, migration, production-data, RISK-014 summary, SUPPLY-001D1 row, or other documentation change. Do not run audit fix or accept the remaining findings as safe.
Dependencies and coordination
SUPPLY-001C #202, SUPPLY-001D1 #212, and #238/#239 are merged and released. #242 owns only Strava callback/account/officer-guide paths. No open PR or duplicate issue owns this sentence. Stop if a newer exact-row claim appears.
Claim protocol
Creation is not a claim. Before editing, re-read live comments, assign the issue, post a UTC timestamped claim with branch and exact base, and move status:ready to status:in-progress.
Officer impact: None — this corrects one engineering risk-ledger sentence. It changes no page, officer task, permission, data, payment, provider, or live service.
Officer documentation: None — no current officer procedure or diagram changes.
Deployment evidence: None at creation. Closure must distinguish documentation source/tests/merge from website publication, Firebase deployment, provider state, production data, and live behavior.
Problem
On exact main
5dd3ba6d3bb966ed1d6fa987abf32d3530d5f96b, the SUPPLY-001C residual sentence inSECURITY.mdsays there are 9 Functions production findings.Fresh Node 20.20.2 lockfile audits on that exact source show:
npm --prefix functions audit --omit=dev --json: 8 moderate affected packages, 0 high or critical.npm --prefix functions audit --json: 9 moderate affected packages, 0 high or critical.The ninth finding is present only when development dependencies are included. Calling all nine production findings contradicts the current RISK-014 summary and SUPPLY-001D1 ledger, both of which correctly report eight production findings.
Atomic outcome
Change only the SUPPLY-001C residual sentence from 9 Functions production findings to 8. Preserve the 6-root count, all remaining wording, every other SECURITY row, and all historical evidence.
Required proof
SECURITY.mdrow.git diff --check, Markdown structure, and secret-pattern checks pass.Exact ownership
SECURITY.md— only the SUPPLY-001C residual sentence currently saying6 root and 9 Functions production findings.Exclusions
No package, lockfile, source, test, Rules, workflow, provider, deployment, schema, migration, production-data, RISK-014 summary, SUPPLY-001D1 row, or other documentation change. Do not run audit fix or accept the remaining findings as safe.
Dependencies and coordination
SUPPLY-001C #202, SUPPLY-001D1 #212, and #238/#239 are merged and released. #242 owns only Strava callback/account/officer-guide paths. No open PR or duplicate issue owns this sentence. Stop if a newer exact-row claim appears.
Claim protocol
Creation is not a claim. Before editing, re-read live comments, assign the issue, post a UTC timestamped claim with branch and exact base, and move
status:readytostatus:in-progress.