From 293b352796c9385011c936d5e41bfeb332caa795 Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Thu, 28 May 2026 11:09:06 +0100
Subject: [PATCH] docs(bindings-roadmap): wss:// not ws:// to satisfy Semgrep
 insecure-websocket rule
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The bindings-roadmap referenced `ws://` in a table cell describing the
planned WebSocket binding. Semgrep's
javascript.lang.security.detect-insecure-websocket rule scans prose +
asciidoc cells and flagged this — surfaced as a FAILURE check on the
just-merged PR#410.

Per estate-wide secure-protocols-in-docs policy (2026-05-28), all
transport schemes in authored content default to the encrypted variant.
Replaces "raw `ws://`" with "encrypted `wss://`".

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 docs/bindings-roadmap.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/bindings-roadmap.adoc b/docs/bindings-roadmap.adoc
index e0e92685..48db033d 100644
--- a/docs/bindings-roadmap.adoc
+++ b/docs/bindings-roadmap.adoc
@@ -135,7 +135,7 @@ Surface that other estate repos are actively wanting.
 |`http-capability-gateway` shipped Zig server (PR#23); AffineScript-side server bindings would let `.affine` programs serve HTTP without Zig.
 
 |14
-|*WebSocket client + server* (raw `ws://`, separate from Phoenix)
+|*WebSocket client + server* (encrypted `wss://`, separate from Phoenix)
 |`○`
 |`affinescript-websocket`
 |Generalisation of #6; multiplayer + dev-tooling.