brand(trusca): W4 — 식별자 리네임 (레포 경로·이미지명·URL) + 0.11.0 CHANGELOG

.env.example

@@ -25,15 +25,18 @@ TLS_EMAIL=
 # Traefik log level: DEBUG | INFO | WARN | ERROR. INFO is the safe default.
 TRAEFIK_LOG_LEVEL=INFO
 # IMAGE_REGISTRY is the namespace the production compose stack pulls images
-# from: <registry>/backend, <registry>/backend-worker, <registry>/frontend.
-# Default is GitHub Container Registry under the trustedoss org, published by
-# .github/workflows/release.yml on each vX.Y.Z tag. Override only for a fork,
-# a private mirror, or an air-gapped registry.
+# from: <registry>/trusca-backend, <registry>/trusca-backend-worker,
+# <registry>/trusca-frontend. Default is GitHub Container Registry under the
+# trustedoss org, published by .github/workflows/release.yml on each vX.Y.Z
+# tag. Override only for a fork, a private mirror, or an air-gapped registry.
+# (Releases <= 0.10.0 were published under the pre-rename names backend /
+# backend-worker / frontend; those tags stay where they are.)
 IMAGE_REGISTRY=ghcr.io/trustedoss
 # IMAGE_TAG pins the container tags pulled by the production compose stack.
 # Bump this on every release; never use :latest. The release workflow
-# publishes both an immutable X.Y.Z tag and a movable X.Y tag.
-IMAGE_TAG=0.10.0
+# publishes both an immutable X.Y.Z tag and a movable X.Y tag. 0.11.0 is the
+# first release published under the trusca-* image names.
+IMAGE_TAG=0.11.0
 
 # ---------- Evaluation (lightweight 2 vCPU / 4 GB profile) ----------
 # Used by the eval overlay + scripts/eval-up.sh:
@@ -570,7 +573,7 @@ COSIGN_TIMEOUT_SECONDS=120
 # a vendor-neutral URN; override to name your own deployment so a verifier can
 # pin provenance to a known builder (e.g. https://ci.example.com/trustedoss).
 # Build-platform identity, NOT a secret. Read at call time (rule #11).
-SLSA_BUILDER_ID=https://github.com/trustedoss/trustedoss-portal/worker
+SLSA_BUILDER_ID=https://github.com/trustedoss/trusca/worker
 # Version stamped into the provenance builder.version + SBOM generation context
 # (satisfies the CISA-2025 / NTIA "tool name + version" element from the
 # attestation alone). Defaults to the bundled portal version; set to the exact

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -9,8 +9,8 @@ body:
         Thanks for taking the time to file a bug report.
 
         Before submitting, please:
-        - Search [existing issues](https://github.com/trustedoss/trustedoss-portal/issues?q=is%3Aissue) to avoid duplicates.
-        - **Do not file security vulnerabilities here.** See [SECURITY.md](https://github.com/trustedoss/trustedoss-portal/blob/main/SECURITY.md) for the responsible disclosure process.
+        - Search [existing issues](https://github.com/trustedoss/trusca/issues?q=is%3Aissue) to avoid duplicates.
+        - **Do not file security vulnerabilities here.** See [SECURITY.md](https://github.com/trustedoss/trusca/blob/main/SECURITY.md) for the responsible disclosure process.
 
   - type: textarea
     id: summary

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -9,8 +9,8 @@ body:
         Thanks for proposing a new feature.
 
         Before submitting, please:
-        - Search [existing issues](https://github.com/trustedoss/trustedoss-portal/issues?q=is%3Aissue) and [discussions](https://github.com/trustedoss/trustedoss-portal/discussions) to avoid duplicates.
-        - Check the [v2 execution plan](https://github.com/trustedoss/trustedoss-portal/blob/main/docs/v2-execution-plan.md) — your idea may already be on the roadmap.
+        - Search [existing issues](https://github.com/trustedoss/trusca/issues?q=is%3Aissue) and [discussions](https://github.com/trustedoss/trusca/discussions) to avoid duplicates.
+        - Check the [v2 execution plan](https://github.com/trustedoss/trusca/blob/main/docs/v2-execution-plan.md) — your idea may already be on the roadmap.
 
   - type: textarea
     id: problem

.github/ISSUE_TEMPLATE/security.yml

@@ -10,9 +10,9 @@ body:
 
         **Do NOT file a public issue for an unpatched vulnerability.**
 
-        For confidential vulnerability reports, please use one of these private channels (see [SECURITY.md](https://github.com/trustedoss/trustedoss-portal/blob/main/SECURITY.md) for details):
+        For confidential vulnerability reports, please use one of these private channels (see [SECURITY.md](https://github.com/trustedoss/trusca/blob/main/SECURITY.md) for details):
 
-        - **GitHub private vulnerability reporting** — [Report a vulnerability](https://github.com/trustedoss/trustedoss-portal/security/advisories/new) (preferred)
+        - **GitHub private vulnerability reporting** — [Report a vulnerability](https://github.com/trustedoss/trusca/security/advisories/new) (preferred)
         - **Encrypted email** — `security@trustedoss.io` (PGP key fingerprint in SECURITY.md)
 
         Use this **public** template only for:

.github/workflows/dogfood-scan.yml

@@ -139,7 +139,7 @@ jobs:
           project_id=$(curl -fsS -X POST "$api/v1/projects" \
             -H "Authorization: Bearer $jwt" -H 'Content-Type: application/json' \
             -d "$(jq -nc --arg t "$team_id" \
-                  '{team_id: $t, name: "Dogfood Self-Scan", slug: "dogfood-self-scan", git_url: "https://github.com/trustedoss/trustedoss-portal.git"}')" \
+                  '{team_id: $t, name: "Dogfood Self-Scan", slug: "dogfood-self-scan", git_url: "https://github.com/trustedoss/trusca.git"}')" \
             | jq -r '.id')
           [ -n "$project_id" ] && [ "$project_id" != "null" ] || { echo "::error::project create failed"; exit 1; }
 

.github/workflows/release.yml

@@ -9,9 +9,13 @@ name: Release (publish container images)
 # that gap by publishing three multi-arch images to GitHub Container Registry
 # on every `vX.Y.Z` tag:
 #
-#   ghcr.io/trustedoss/backend         ← apps/backend/Dockerfile.prod
-#   ghcr.io/trustedoss/backend-worker  ← apps/backend/Dockerfile.worker
-#   ghcr.io/trustedoss/frontend        ← apps/frontend/Dockerfile.prod
+#   ghcr.io/trustedoss/trusca-backend         ← apps/backend/Dockerfile.prod
+#   ghcr.io/trustedoss/trusca-backend-worker  ← apps/backend/Dockerfile.worker
+#   ghcr.io/trustedoss/trusca-frontend        ← apps/frontend/Dockerfile.prod
+#
+# Image names carry the trusca- prefix from v0.11.0 onwards (TRUSCA rebrand
+# W4). Releases <= 0.10.0 stay under the pre-rename names backend /
+# backend-worker / frontend so that older pinned compose files keep pulling.
 #
 # Tag strategy (CLAUDE.md core rule #9 — NEVER `:latest`):
 #   git tag v2.0.1  →  image tags `2.0.1` (immutable) and `2.0` (movable minor).
@@ -60,18 +64,18 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - image: backend
+          - image: trusca-backend
             dockerfile: apps/backend/Dockerfile.prod
             context: apps/backend
-            description: TrustedOSS Portal backend (FastAPI API).
-          - image: backend-worker
+            description: TRUSCA backend (FastAPI API).
+          - image: trusca-backend-worker
             dockerfile: apps/backend/Dockerfile.worker
             context: apps/backend
-            description: TrustedOSS Portal Celery worker (cdxgen / scancode / Trivy / JRE).
-          - image: frontend
+            description: TRUSCA Celery worker (cdxgen / scancode / Trivy / JRE).
+          - image: trusca-frontend
             dockerfile: apps/frontend/Dockerfile.prod
             context: apps/frontend
-            description: TrustedOSS Portal frontend (React SPA on nginx).
+            description: TRUSCA frontend (React SPA on nginx).
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -105,9 +109,9 @@ jobs:
             type=semver,pattern={{version}},value=${{ github.event.inputs.tag }}
             type=semver,pattern={{major}}.{{minor}},value=${{ github.event.inputs.tag }}
           labels: |
-            org.opencontainers.image.title=trustedoss-${{ matrix.image }}
+            org.opencontainers.image.title=${{ matrix.image }}
             org.opencontainers.image.description=${{ matrix.description }}
-            org.opencontainers.image.source=https://github.com/trustedoss/trustedoss-portal
+            org.opencontainers.image.source=https://github.com/trustedoss/trusca
             org.opencontainers.image.licenses=Apache-2.0
 
       - name: Build & push (linux/amd64, linux/arm64)

.github/workflows/sca-self.yml

@@ -144,7 +144,7 @@ jobs:
           The nightly SCA self-scan (\`.github/workflows/sca-self.yml\`,
           run [\`${GITHUB_RUN_ID}\`](${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}))
           detected **${CRITICAL_COUNT}** Critical-severity vulnerabilities in the
-          dependency tree of \`trustedoss-portal\` itself.
+          dependency tree of \`trusca\` itself.
 
           ## Findings
 

.gitleaks.toml

@@ -1,4 +1,4 @@
-# gitleaks configuration for trustedoss-portal.
+# gitleaks configuration for trusca.
 #
 # Extends the upstream default ruleset and adds an allowlist for known
 # non-secrets that the generic high-entropy rules flag: synthetic fixtures
@@ -12,7 +12,7 @@
 # Only provably non-secret values (test fixtures, CI dummies, placeholders)
 # belong in this allowlist.
 
-title = "trustedoss-portal gitleaks config"
+title = "trusca gitleaks config"
 
 [extend]
 useDefault = true

CHANGELOG.md

@@ -5,6 +5,70 @@ All notable changes to TrustedOSS Portal are documented in this file.
 The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and the project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.11.0] — 2026-06-12
+
+The first post-GA feature release. Headlines: the product is **renamed to
+TRUSCA**, a public **read-only demo SaaS** deployable to a single Hetzner
+server, a UI **craft pass** (W11–W12), and a hardening sweep from an external
+verification campaign.
+
+### Renamed — TrustedOSS Portal is now TRUSCA
+
+**TRUSCA** (Trust + SCA) is the new product name — *the SCA tool of the
+TrustedOSS initiative*. The umbrella initiative keeps the TrustedOSS name; the
+tool gets its own. What changes for you:
+
+- **Repository**: `github.com/trustedoss/trustedoss-portal` →
+  `github.com/trustedoss/trusca`. Git remotes and old web links redirect
+  automatically.
+- **Docs site path**: `trustedoss.github.io/trustedoss-portal/` →
+  `trustedoss.github.io/trusca/` (GitHub Pages does **not** redirect the old
+  path — update bookmarks).
+- **Container images** (BREAKING for upgrades): from 0.11.0 images publish as
+  `ghcr.io/trustedoss/trusca-backend`, `trusca-backend-worker`, and
+  `trusca-frontend`. Releases ≤ 0.10.0 keep their old image names, and an
+  upgrade via `git checkout v0.11.0 && bash scripts/upgrade.sh` switches
+  automatically (the new compose file pins the new names). Only custom
+  overlays that hardcode the old image names need a manual edit.
+- **Unchanged on purpose**: database user/roles, the Celery app name, the
+  compose network, demo account e-mails, and `urn:trustedoss:*` problem URNs
+  are internal identifiers that match the umbrella name and stay as-is.
+- New brand: the "Hex Check" mark (package hexagon + verification check) and
+  the first frontend favicon.
+
+### Added
+- **Public read-only demo mode** — `DEMO_READ_ONLY` makes the backend serve all
+  reads but reject every write (allow-listing only the auth login/refresh/logout
+  flow) with an RFC 7807 403. The SPA surfaces it as a banner, a login-page
+  credentials hint, and a dedicated "read-only demo" toast on blocked writes.
+- **Hetzner demo provisioning** — cloud-init, an operator runbook (EN/KO), an
+  idempotent `seed_demo` dataset, a daily `reset_demo` wipe-and-reseed timer, and
+  a daily backup timer.
+- **Optional SSH-based CD** (`deploy-hetzner.yml`) — one-click / on-release deploy
+  to the demo host via the existing `upgrade.sh`, with strict tag validation and
+  host-key pinning.
+- **Day-2 operations** — opt-in offsite backup (`backup-offsite.sh`, rclone), a
+  backstop uptime canary workflow, and a Korean translation-style linter for the
+  docs site.
+
+### Changed
+- **Visual & craft pass (W11–W12)** — modern-enterprise theme (warm near-black
+  primary, off-white canvas), Inter/JetBrains-Mono typography system, an
+  in-house global toast, CSS-only route/motion transitions with a reduced-motion
+  guard, and richer empty/loading states.
+
+### Fixed
+- Drawer obligations, CVE deep-links, and the Compliance NOTICE toolbar
+  (M-20/M-21/M-22). Relative-time displays now always carry an absolute-time title.
+
+### Security
+- Revoke the entire refresh-token family on reuse detection (C-1).
+- Redact embedded `git_url` credentials on the read API and in audit logs (C-2).
+- Enforce the project boundary for project-scoped API keys (M-2) and scope
+  `GET /v1/audit` reads to the caller's team for team admins (M-3).
+- Codified five testing-hardening rules and vendored the verification team's
+  deterministic specs as a nightly regression gate.
+
 ## [0.10.0] — 2026-05-31
 
 First public release of TrustedOSS Portal.

CONTRIBUTING.md

@@ -43,8 +43,8 @@ This project adheres to the [Contributor Covenant 2.1](CODE_OF_CONDUCT.md). By p
 ### Bootstrap the dev stack
 
 ```bash
-git clone https://github.com/trustedoss/trustedoss-portal.git
-cd trustedoss-portal
+git clone https://github.com/trustedoss/trusca.git
+cd trusca
 cp .env.example .env  # adjust as needed
 docker-compose -f docker-compose.dev.yml up -d
 ```
@@ -74,7 +74,7 @@ npm run test -- --coverage
 
 ### Picking work
 
-- Browse open issues labeled `good first issue` or `help wanted` in the [issue tracker](https://github.com/trustedoss/trustedoss-portal/issues).
+- Browse open issues labeled `good first issue` or `help wanted` in the [issue tracker](https://github.com/trustedoss/trusca/issues).
 - For larger features, open a discussion or feature-request issue first so we can align on scope before you write code.
 
 ### Keeping in sync

GOVERNANCE.md

@@ -81,7 +81,7 @@ re-activation is welcome.
 The lifecycle for a non-trivial change is:
 
 1. **Open an issue** describing the problem and the proposed direction.
-2. **Discuss** on the issue or in [GitHub Discussions](https://github.com/trustedoss/trustedoss-portal/discussions)
+2. **Discuss** on the issue or in [GitHub Discussions](https://github.com/trustedoss/trusca/discussions)
    until the approach has rough agreement.
 3. **Open a pull request** that implements the agreed approach, following
    [`CONTRIBUTING.md`](CONTRIBUTING.md).

NOTICE

@@ -2,7 +2,7 @@ TRUSCA
 Copyright 2026 TRUSCA contributors
 
 This product includes software developed at the TRUSCA project
-(https://github.com/trustedoss/trustedoss-portal).
+(https://github.com/trustedoss/trusca).
 
 Licensed under the Apache License, Version 2.0 (the "License").
 You may obtain a copy of the License at:

README.md

@@ -2,14 +2,14 @@
 
 [![License: Apache 2.0](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](LICENSE)
 [![Release](https://img.shields.io/badge/release-v0.10.0-2563eb.svg)](CHANGELOG.md)
-[![Docs](https://img.shields.io/badge/docs-trustedoss.github.io-0f172a.svg)](https://trustedoss.github.io/trustedoss-portal/)
+[![Docs](https://img.shields.io/badge/docs-trustedoss.github.io-0f172a.svg)](https://trustedoss.github.io/trusca/)
 [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/13060/badge)](https://www.bestpractices.dev/projects/13060)
 
 > Open-source enterprise SCA portal — manage CVEs, license compliance, and SBOMs in one self-hosted UI.
 
 **TRUSCA** — the SCA tool of the [TrustedOSS](https://trustedoss.github.io/) initiative — is an Apache-2.0 licensed, self-hosted alternative to commercial Software Composition Analysis (SCA) products. It unifies vulnerability tracking (CVE), license compliance, and Software Bill of Materials (SBOM) management for engineering and legal teams.
 
-> **🔭 Live demo:** *Coming soon.* A hosted read-only demo will be published shortly; until then you can run a local read-only demo with `DEMO_READ_ONLY=true`. See [Live demo](https://trustedoss.github.io/trustedoss-portal/docs/installation/live-demo).
+> **🔭 Live demo:** *Coming soon.* A hosted read-only demo will be published shortly; until then you can run a local read-only demo with `DEMO_READ_ONLY=true`. See [Live demo](https://trustedoss.github.io/trusca/docs/installation/live-demo).
 
 ---
 
@@ -69,8 +69,8 @@
 ## Quick start (development)
 
 ```bash
-git clone https://github.com/trustedoss/trustedoss-portal.git
-cd trustedoss-portal
+git clone https://github.com/trustedoss/trusca.git
+cd trusca
 cp .env.example .env
 
 docker-compose -f docker-compose.dev.yml up
@@ -81,15 +81,15 @@ After roughly 30 seconds the dev containers (`postgres`, `redis`, `backend`, `ce
 
 ### Other ways to run it
 
-- **Production (Docker Compose)** — use the bundled `docker-compose.yml` (Traefik + Let's Encrypt). See the [installation guide](https://trustedoss.github.io/trustedoss-portal/docs/installation/docker-compose).
-- **Production (Kubernetes / Helm)** — the production-grade chart (`charts/trustedoss`) ships bundled-or-external PostgreSQL & Redis, an Ingress with cert-manager TLS, and a migration Job. See the [Helm / Kubernetes guide](https://trustedoss.github.io/trustedoss-portal/docs/installation/helm).
-- **Read-only live demo** — run any deploy with `DEMO_READ_ONLY=true`. See [Live demo](https://trustedoss.github.io/trustedoss-portal/docs/installation/live-demo).
-- **API reference** — the hosted OpenAPI reference is at [`/reference/api`](https://trustedoss.github.io/trustedoss-portal/reference/api).
+- **Production (Docker Compose)** — use the bundled `docker-compose.yml` (Traefik + Let's Encrypt). See the [installation guide](https://trustedoss.github.io/trusca/docs/installation/docker-compose).
+- **Production (Kubernetes / Helm)** — the production-grade chart (`charts/trustedoss`) ships bundled-or-external PostgreSQL & Redis, an Ingress with cert-manager TLS, and a migration Job. See the [Helm / Kubernetes guide](https://trustedoss.github.io/trusca/docs/installation/helm).
+- **Read-only live demo** — run any deploy with `DEMO_READ_ONLY=true`. See [Live demo](https://trustedoss.github.io/trusca/docs/installation/live-demo).
+- **API reference** — the hosted OpenAPI reference is at [`/reference/api`](https://trustedoss.github.io/trusca/reference/api).
 
 ## Repository layout
 
 ```
-trustedoss-portal/
+trusca/
 ├── apps/
 │   ├── backend/         FastAPI app (api, core, models, services, tasks, integrations)
 │   └── frontend/        React + Vite + shadcn/ui app
@@ -102,7 +102,7 @@ trustedoss-portal/
 
 ## Documentation
 
-- **[Documentation site](https://trustedoss.github.io/trustedoss-portal/)** — install, scan, operate, and integrate (English + Korean)
+- **[Documentation site](https://trustedoss.github.io/trusca/)** — install, scan, operate, and integrate (English + Korean)
 - [`ROADMAP.md`](ROADMAP.md) — public roadmap
 - [`CHANGELOG.md`](CHANGELOG.md) — release history
 
@@ -119,7 +119,7 @@ Contributions are welcome — code, documentation, translations, bug reports, an
 
 ## SCA self-scan
 
-[![SCA self-scan](https://github.com/trustedoss/trustedoss-portal/actions/workflows/sca-self.yml/badge.svg)](https://github.com/trustedoss/trustedoss-portal/actions/workflows/sca-self.yml)
+[![SCA self-scan](https://github.com/trustedoss/trusca/actions/workflows/sca-self.yml/badge.svg)](https://github.com/trustedoss/trusca/actions/workflows/sca-self.yml)
 
 The portal dog-foods its own toolchain. A nightly GitHub Actions workflow ([`.github/workflows/sca-self.yml`](.github/workflows/sca-self.yml)) generates a CycloneDX SBOM with cdxgen, runs Trivy against it, and auto-opens / closes a labelled GitHub issue when Critical CVEs appear in our dependency tree.
 

ROADMAP.md

@@ -68,4 +68,4 @@ SSO / OIDC, native Jenkins plugin, Excel reports, compliance PDF, historical-sca
 
 ---
 
-Roadmap items are proposals, not commitments — dates are deliberately omitted. Feedback and contributions are welcome: open a [discussion](https://github.com/trustedoss/trustedoss-portal/discussions) or an issue referencing the relevant section.
+Roadmap items are proposals, not commitments — dates are deliberately omitted. Feedback and contributions are welcome: open a [discussion](https://github.com/trustedoss/trusca/discussions) or an issue referencing the relevant section.