chore: vulnerability remediation (#409 phases A-G), OSSF hardening, and Docusaurus migration completion

[WilliamBerryiii]

This is a layered PR consolidating five related streams of work that had accumulated on ci/ossf-token-permissions-hardening. All 17 commits are intentional and grouped thematically below.

Summary

• Vulnerability remediation (Vulnerability remediation: 13 outstanding advisories from OSSF Scorecard #409 phases A–G) — cargo-audit and govulncheck advisory hardening across Rust and Go components (e97e37fc).
• OSSF Scorecard — Token-Permissions — least-privilege permissions: blocks on every GitHub Actions workflow (613b87db).
• Docusaurus migration completion — finishes the Docsify → Docusaurus cutover, upgrades to Docusaurus 3.10, resolves MDX parse errors, and removes residual Docsify references.
• CI / PR validation repairs — restores a working pr-validation.yml, adds Docusaurus build + tsc --noEmit typecheck + Jest gates, retires obsolete sidebar generation, and overrides vulnerable serialize-javascript.
• Content cleanup — removes the learning platform and praxisworx tree (61681eb9), which is the primary driver of the large net-negative line count.

Change Stats

• 645 files changed
• +25,281 insertions
• −224,708 deletions (primarily learning-platform/praxisworx removal and Docsify → Docusaurus migration)

Commit Groups

1. Content Cleanup

• 61681eb9 chore: remove learning platform and praxisworx content

2. Docusaurus Migration Completion

• 46e0a73f fix(docs): complete docusaurus migration build
• d3fbbd95 fix(docs): resolve docsify migration review findings C1/M2-M5
• ebd8300d fix(docs): resolve MDX parse error on autolink
• 6e874953 fix(docs): migrate onBrokenMarkdownLinks to markdown.hooks
• e3f660ba chore(docs): upgrade Docusaurus 3.9.2 to 3.10.0
• bd1cdc66 chore(docs): remove remaining Docsify legacy references

3. CI / Workflow Repairs

• 8e527249 fix(ci): remove obsolete sidebar generation, override vulnerable serialize-javascript, expand cspell dictionary
• 164f70fa fix(ci): remove obsolete three-tree sidebar generation job
• 936cd7a9 ci(docs): run Docusaurus tests and build on every PR
• eb297c40 fix(ci): repair pr-validation.yml after corrupted docusaurus job insertion
• b6db3e32 fix(ci): add ts-node devDependency for Jest TypeScript config
• 5f02af9d ci(docusaurus): add tsc --noEmit typecheck step
• b1225ad2 chore(docusaurus): add typecheck npm script and use it in CI
• 2050ece5 fix(ci): repair malformed YAML in docusaurus-tests workflow

4. OSSF Scorecard Hardening

• 613b87db ops(workflows): scope GITHUB_TOKEN permissions to least privilege for OSSF Scorecard

5. Issue #409 — Vulnerability Remediation (Phases A–G)

• e97e37fc chore(deps): cargo-audit + govulncheck advisory hardening (phases A-G)

Validation

• npm run tflint-fix-all / npm run tf-validate — clean on affected components
• Docusaurus: npm run build + npm run typecheck + Jest — all green locally
• cargo audit + govulncheck ./... — pass after phases A–G

Reviewer Notes

• Please review by commit group rather than as a single squash — each group is independently reviewable.
• The large deletion count is expected and driven by Groups 1 and 2.
• Fixes: Vulnerability remediation: 13 outstanding advisories from OSSF Scorecard #409.

[WilliamBerryiii]

Dependency chain note

This PR is intentionally stacked on feat/docsify-to-docusaurus-migration rather than main.

Why

Two of the nine workflow files hardened here also receive edits on the docusaurus migration branch:

• .github/workflows/docs-automation.yml
• .github/workflows/pr-validation.yml

Targeting main directly would create avoidable merge conflicts. Stacking lets both PRs land cleanly in order.

Plan after docusaurus merges

1. Rebase ci/ossf-token-permissions-hardening onto the new main.
2. Re-target this PR's base from feat/docsify-to-docusaurus-migration to main.
3. Force-push the rebased branch.

Reviewer guidance

Please review only the OSSF Token-Permissions hardening commits on this branch (commit 613b87db). Everything else is inherited from the docusaurus base branch and will be reviewed in PR #404.

[katriendg]

Thanks for the hardening — overall the pattern (top-level contents: read, elevated scopes scoped to jobs that need them) is applied consistently across most of the touched files, and the per-scope annotations are easy to verify.

Three items to consider:

• 🟡 application-matrix-builds.yml — top-level permissions block still carries packages: write, id-token: write, and security-events: write. Every other workflow in this PR dropped writes from top-level; this one only added the job-level grant without removing the workflow-level one. OSSF Token-Permissions will likely still flag it.
• 🟢 PR description mismatch — body lists pr-validation.yml among the 9 files, but the commit actually touches create-release.yml. Worth syncing the description with the commit.
• 🟢 Style (optional) — for workflows where every job declares its own permissions:, a top-level permissions: {} (deny-all) is stricter than contents: read and makes intent unambiguous. Equivalent OSSF score; just a preference.

Also — noted the rebase plan once #399 lands; please re-request review after the re-target so we don't miss anything in the delta. The stacked-branch annotation is helpful, thanks for the heads-up.

Everything else looks good: create-release.yml, security-scan.yml, security-comprehensive.yml, security-deployment.yml, security-staleness-check.yml, and main.yml all move writes to the specific jobs that need them, and docs-check-terraform.yml gains a proper default.

[github-actions]

📚 Documentation Health Report

Generated on: 2026-04-20 16:46:18 UTC

📈 Documentation Statistics

Category	File Count
Main Documentation	217
Infrastructure Components	196
Blueprints	39
GitHub Resources	41
AI Assistant Guides (Copilot)	17
Total	510

🏗️ Three-Tree Architecture Status

• ✅ Bicep Documentation Tree: Auto-generated navigation
• ✅ Terraform Documentation Tree: Auto-generated navigation
• ✅ README Documentation Tree: Manual README organization

🔍 Quality Metrics

• Frontmatter Validation:
  success
• Link Validation: success

---

This report is automatically generated by the Documentation Automation workflow.

[WilliamBerryiii]

CI regression resolved — full run green ✅

The earlier dep-audit failure on this branch is fixed. Final commit: e661a351 (supersedes 2596d655 and 0af30f49).

Root cause

cargo-audit 0.22.x has no --config/-c CLI flag (-c is --color). The interim attempts that passed -c <path> failed with an unknown-flag error. cargo-audit only auto-discovers config from $PWD/audit.toml, $PWD/.cargo/audit.toml, or $CARGO_HOME/audit.toml.

Fix

• Single source of truth: .github/audit.toml ignores RUSTSEC-2024-0384, RUSTSEC-2024-0436, RUSTSEC-2025-0134, RUSTSEC-2026-0097 and sets [yanked] enabled = false.
• .github/workflows/dep-audit.yml auto-discovers every Cargo.lock (excluding target/ and node_modules/), copies the central .github/audit.toml to <crate>/.cargo/audit.toml at runtime, then runs cargo audit --deny warnings from that crate dir.
• No per-crate audit.toml is committed; no unsupported -c flag is used.

Verification

CI run 24755122747:

• Overall status: completed
• Overall conclusion: success
• Failed jobs: none
• dep-audit Rust (Cargo Audit) job: ✅ pass
• dep-audit Go (govulncheck) job: ✅ pass

No collateral impact on other PR Validation jobs.