From 32ff872f80e781d2a421d86c23bf9daed7fcef5f Mon Sep 17 00:00:00 2001
From: stxkxs
Date: Sun, 7 Jun 2026 09:40:46 -0700
Subject: [PATCH 1/3] Fix README least-privilege policy: cluster-residue actions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

From the core-repos quality audit. The documented read-only IAM policy omitted the three actions the cluster-residue orphan scan calls — logs:DescribeLogGroups, events:ListRules, events:ListTagsForResource. Because that scan is best-effort (warns-and-skips on AccessDenied), a user with exactly the documented role got silent data loss (missing orphan findings, no visible error) on a headline feature. Added the three actions; dropped servicequotas:ListServiceQuotas, which the policy listed but no code path calls (only GetServiceQuota is used).
---
 README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 45b1d31..a74a7a8 100644
--- a/README.md
+++ b/README.md
@@ -150,7 +150,9 @@ Required IAM permissions for a read-only audit role:
 "sqs:ListQueueTags",
 "iam:GetAccountSummary",
 "servicequotas:GetServiceQuota",
- "servicequotas:ListServiceQuotas"
+ "logs:DescribeLogGroups",
+ "events:ListRules",
+ "events:ListTagsForResource"
 ],
 "Resource": "*"
 }

From 560c7f344c2e3ae6a23725b7fe9baa9f12411eba Mon Sep 17 00:00:00 2001
From: stxkxs
Date: Sun, 7 Jun 2026 11:04:30 -0700
Subject: [PATCH 2/3] Shorten release desc to AWS-native + under Homebrew 80-char limit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The .goreleaser description (which generates the Homebrew formula desc) was 150 chars — over Homebrew's 80-char audit limit. Shortened to an AWS-native one-liner under the limit.
---
 .goreleaser.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index ddab7db..be4929e 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -54,7 +54,7 @@ brews:
 enabled: true
 directory: Formula
 homepage: "https://github.com/nanohype/cloudgov"
- description: "AWS governance CLI — IAM least-privilege, cost anomalies, posture, drift, compliance, and resource hygiene across AWS, plus a Kubernetes RBAC scanner"
+ description: "AWS security description: "AWS governance CLI — IAM least-privilege, cost anomalies, posture, drift, compliance, and resource hygiene across AWS, plus a Kubernetes RBAC scanner" cost CLI - IAM, posture, drift, hygiene, K8s RBAC"
 license: "Apache-2.0"
 test: |
 system "#{bin}/cloudgov", "--version"

From 1d63e0f9aeae9eaa9a6dec8cedaba0dd0541a87e Mon Sep 17 00:00:00 2001
From: stxkxs
Date: Sun, 7 Jun 2026 11:05:06 -0700
Subject: [PATCH 3/3] Fix mangled .goreleaser description line
---
 .goreleaser.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index be4929e..5c88508 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -54,7 +54,7 @@ brews:
 enabled: true
 directory: Formula
 homepage: "https://github.com/nanohype/cloudgov"
- description: "AWS security description: "AWS governance CLI — IAM least-privilege, cost anomalies, posture, drift, compliance, and resource hygiene across AWS, plus a Kubernetes RBAC scanner" cost CLI - IAM, posture, drift, hygiene, K8s RBAC"
+ description: "AWS security & cost CLI - IAM, posture, drift, hygiene, K8s RBAC"
 license: "Apache-2.0"
 test: |
 system "#{bin}/cloudgov", "--version"
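Review bot: The intermediate commit 560c7f3 leaves `.goreleaser.yaml` with a `description:` value that opens a second `"` mid-string (the removed line of this hunk), so that ref would not parse as YAML and only this follow-up restores a valid release config. Squashing PATCH 2/3 into PATCH 3/3 before merge keeps every ref in the series releasable and bisectable, since the formula `test:` block only runs `--version` and would not catch a broken config at the earlier ref. The new value `description: "AWS security & cost CLI - IAM, posture, drift, hygiene, K8s RBAC"` reads cleanly and is well under the 80-character limit the series cites.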