
Update security-governance preset to v0.4.0#2703

Merged
mnriem merged 1 commit into
github:mainfrom
hindermath:update-security-governance-v0.4.0-secure-coding
May 28, 2026

Conversation

@hindermath

Contributor

Preset Update

Preset Name: Security Governance
Preset ID: security-governance
Version: 0.4.0
Repository: https://github.com/hindermath/spec-kit-preset-security-governance

This is a separate follow-up catalog update for the existing security-governance community preset. It is intentionally separate from #2676 and updates the catalog directly to v0.4.0.

Summary

  • Point security-governance to the v0.4.0 tag archive.
  • Add language-specific secure-coding profile wording for memory-safe implementation languages.
  • Keep the SBOM/AI-SBOM and G7/BSI AI-SBOM target evidence wording from the v0.3.0 update.
  • Update the Community Presets table so the visible description matches the new preset scope.

What changed in v0.4.0

  • Added Rust, Go, Swift, Java/Kotlin, Python, and TypeScript/JavaScript secure-coding sections.
  • Deepened C#/.NET review coverage for authorization, validation, SSRF, and file path handling.
  • Updated tasks/checklist guidance so MSL status does not replace language-specific secure-coding review.

Checklist

  • Valid preset.yml manifest in the standalone preset repo
  • README.md with description and usage
  • LICENSE file included
  • GitHub release created for v0.4.0
  • Tag ZIP download URL reachable
  • Added/updated presets/catalog.community.json
  • Updated row in docs/community/presets.md

Verification

  • Standalone preset repo: ruby -e 'require "yaml"; data = YAML.load_file("preset.yml"); abort "wrong version" unless data.dig("preset", "version") == "0.4.0"; puts data.dig("preset", "version")'
  • Standalone preset smoke test: specify init --here --force --integration codex, specify preset add --dev ... --priority 10, specify preset list, and specify preset resolve secure-coding-language-rules-template
  • Catalog PR: python3 -m json.tool presets/catalog.community.json
  • Catalog PR: curl -fsSL -I https://github.com/hindermath/spec-kit-preset-security-governance/archive/refs/tags/v0.4.0.zip returned the GitHub redirect and final 200 from codeload.
  • Catalog PR: gh release view v0.4.0 --repo hindermath/spec-kit-preset-security-governance --json tagName,name,isDraft,isPrerelease,url verified the release is not draft and not prerelease.
  • Catalog PR: uv run --with pytest pytest tests/test_presets.py -k catalog passed: 46 passed, 200 deselected.

Copilot AI review requested due to automatic review settings May 26, 2026 10:41
@hindermath hindermath requested a review from mnriem as a code owner May 26, 2026 10:41

Copilot AI left a comment

Contributor


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates the Security Governance community preset entry to version 0.4.0, expanding its description, tags, and documentation to reflect new capabilities.

Changes:

  • Bumps Security Governance preset from 0.2.0 to 0.4.0 with updated download URL and timestamps.
  • Expands tag list to include SSDF, SBOM/AI-SBOM, VEX, SLSA, CWE Top 25, language-specific tags, and G7/BSI/CRA.
  • Updates the docs table row description to reflect the new scope.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

  • presets/catalog.community.json: Bumps preset version, refreshes description, download URL, tags, and updated_at timestamps.
  • docs/community/presets.md: Updates the Security Governance description in the community presets table.


@hindermath

hindermath commented May 26, 2026

Contributor Author

Hi @mnriem,

this is another small follow-up for the existing security-governance community preset entry.

PR #2703 is the follow-up update for v0.4.0:

https://github.com/hindermath/spec-kit-preset-security-governance/releases/tag/v0.4.0

#2676 has now been merged upstream, and this PR has been rebased accordingly. The remaining diff is now the clean follow-up from v0.3.0 to v0.4.0. The v0.4.0 release keeps the AI-SBOM scope from v0.3.0 and additionally expands the preset with language-specific secure-coding profiles for Rust, Go, Swift, Java/Kotlin, Python, and TypeScript/JavaScript.

The PR is ready from my side and waiting for maintainer review/approval when you have time.

@hindermath hindermath force-pushed the update-security-governance-v0.4.0-secure-coding branch from a72a195 to 2540f7d on May 26, 2026 20:35
@hindermath

Contributor Author

Hi @mnriem,

quick follow-up: after #2676 was merged upstream, this PR has been updated/rebased and the previous merge conflicts are resolved now.

#2703 is mergeable again from my side and now represents the clean follow-up update from security-governance v0.3.0 to v0.4.0.

Thanks again for taking a look when you have time.

Copilot AI left a comment

Contributor


Copilot's findings

  • Files reviewed: 2/2 changed files
  • Comments generated: 0 new

@mnriem mnriem left a comment

Collaborator


Please resolve conflicts

@hindermath hindermath force-pushed the update-security-governance-v0.4.0-secure-coding branch from 2540f7d to 6bbdae0 on May 28, 2026 06:19
@hindermath

Contributor Author

@mnriem The conflicts have been resolved.

I rebased this PR branch onto the current github/spec-kit main branch (cec63d3). The only manual conflict was in presets/catalog.community.json around the top-level updated_at value; I kept the newer upstream value (2026-05-27T00:00:00Z) so the catalog timestamp is not rolled back.

The PR branch has been force-pushed with lease and now points to 6bbdae0.

Validation after the rebase:

  • no remaining conflict markers in the changed files
  • presets/catalog.community.json parses as valid JSON
  • git diff --check upstream/main...HEAD passes
  • uv run --with pytest pytest tests/test_presets.py -k catalog passes: 46 passed, 204 deselected

Thanks again for reviewing and for your time maintaining the community preset catalog.
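The catalog checks listed in the PR description (the catalog parses as JSON, the entry's version matches the tag archive it points to, the release is a real tag) and the post-rebase note above about keeping the `updated_at` timestamp from rolling back can be folded into one offline script. The following is an added example, not spec-kit's own tooling or the preset author's code; the catalog field names (`presets`, `id`, `repository`, `version`, `download_url`, `updated_at`) and the two sample catalogs are constructed assumptions, since the real schema of `presets/catalog.community.json` is not shown on this page. The network checks from the description (curl and gh release view) are deliberately left out so the script runs offline.

```python
"""Offline consistency checks for a community preset catalog entry.

Added example, not spec-kit's own tooling. The field names used here
(`presets`, `id`, `repository`, `version`, `download_url`, `updated_at`)
and the sample catalogs are ASSUMPTIONS constructed for illustration.
"""
import json
import re
from datetime import datetime
from urllib.parse import urlparse

SEMVER = re.compile(r"^\d+\.\d+\.\d+$")
# Path of a GitHub tag archive: /<owner>/<repo>/archive/refs/tags/v<version>.zip
TAG_ARCHIVE = re.compile(r"^/([^/]+)/([^/]+)/archive/refs/tags/v(\d+\.\d+\.\d+)\.zip$")

REPO = "https://github.com/hindermath/spec-kit-preset-security-governance"


def _catalog(top_updated, version, entry_updated, scheme="https"):
    """Build a constructed sample catalog (not the real catalog file)."""
    return json.dumps({
        "updated_at": top_updated,
        "presets": [{
            "id": "security-governance",
            "repository": REPO,
            "version": version,
            "download_url": f"{scheme}://github.com/hindermath/"
                            f"spec-kit-preset-security-governance/archive/refs/tags/v{version}.zip",
            "updated_at": entry_updated,
        }],
    })


# Constructed: the catalog before and after the v0.3.0 -> v0.4.0 bump.
OLD_CATALOG = _catalog("2026-05-27T00:00:00Z", "0.3.0", "2026-05-20T00:00:00Z")
NEW_CATALOG = _catalog("2026-05-27T00:00:00Z", "0.4.0", "2026-05-28T00:00:00Z")
# Constructed: a bad edit that rolls the top-level timestamp back and uses plain http.
BAD_CATALOG = _catalog("2026-05-01T00:00:00Z", "0.4.0", "2026-05-28T00:00:00Z", scheme="http")


def parse_ts(value):
    """Parse an ISO 8601 timestamp, accepting a trailing 'Z' for UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_preset(catalog, preset_id):
    """Return the preset entry with the given id, or None."""
    return next((p for p in catalog.get("presets", []) if p.get("id") == preset_id), None)


def check_entry(entry, expected_version):
    """Return a list of problems with a single preset entry (empty means clean)."""
    problems = []
    version = entry.get("version", "")
    if not SEMVER.match(version):
        problems.append(f"version {version!r} is not MAJOR.MINOR.PATCH")
    elif version != expected_version:
        problems.append(f"version {version} does not match expected {expected_version}")

    url = urlparse(entry.get("download_url", ""))
    match = TAG_ARCHIVE.match(url.path)
    if url.scheme != "https" or url.netloc != "github.com" or match is None:
        problems.append("download_url is not an https GitHub tag archive")
    else:
        owner, repo, tag_version = match.groups()
        # The archive must come from the repository the entry claims to describe.
        if entry.get("repository", "").rstrip("/") != f"https://github.com/{owner}/{repo}":
            problems.append("download_url points at a different repository than 'repository'")
        # The tag in the archive path must match the advertised version.
        if tag_version != version:
            problems.append(f"tag archive v{tag_version} does not match version {version}")

    try:
        parse_ts(entry["updated_at"])
    except (KeyError, ValueError):
        problems.append("entry updated_at is missing or not ISO 8601")
    return problems


def check_catalog(new_text, old_text, preset_id, expected_version):
    """Validate the updated catalog against the previous one; returns a list of problems."""
    new, old = json.loads(new_text), json.loads(old_text)
    problems = []
    # A rebase that resolves a conflict must not move the catalog timestamp backwards.
    if parse_ts(new["updated_at"]) < parse_ts(old["updated_at"]):
        problems.append("top-level updated_at was rolled back")
    entry = find_preset(new, preset_id)
    if entry is None:
        return problems + [f"preset {preset_id} missing from catalog"]
    problems += check_entry(entry, expected_version)
    previous = find_preset(old, preset_id)
    if previous is not None and parse_ts(entry["updated_at"]) < parse_ts(previous["updated_at"]):
        problems.append("preset updated_at was rolled back")
    return problems


if __name__ == "__main__":
    for name, text in [("new", NEW_CATALOG), ("bad", BAD_CATALOG)]:
        print(name, check_catalog(text, OLD_CATALOG, "security-governance", "0.4.0") or "ok")
```

Pinning the archive to a `refs/tags/v<version>.zip` path and cross-checking it against both the entry's `version` and `repository` fields catches the two mistakes a catalog bump most easily introduces: a version bump that still downloads the previous tag, and a download URL that drifts to a different owner or repository than the one the entry names.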

Copilot AI left a comment

Contributor


Copilot's findings

  • Files reviewed: 2/2 changed files
  • Comments generated: 0 new

@mnriem mnriem self-requested a review May 28, 2026 14:59
@mnriem mnriem merged commit db81a71 into github:main May 28, 2026
11 checks passed
@mnriem

mnriem commented May 28, 2026

Collaborator

Thank you!

@hindermath

Contributor Author

@mnriem Thank you very much for the review and for merging this follow-up PR for security-governance v0.4.0.

I appreciate your time and the work you put into maintaining the Spec Kit community preset catalog.
