@ahmed-g-gad/apothem 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries.
- package/CHANGELOG.md +60 -0
- package/LICENSE +21 -0
- package/LICENSES/MIT.txt +18 -0
- package/LICENSES/PSF-2.0.txt +47 -0
- package/README.md +549 -0
- package/bin/README.md +37 -0
- package/bin/apothem.mjs +78 -0
- package/package.json +75 -0
- package/pyproject.toml +347 -0
- package/src/apothem/README.md +52 -0
- package/src/apothem/__init__.py +66 -0
- package/src/apothem/__main__.py +28 -0
- package/src/apothem/_vendor/.keep +0 -0
- package/src/apothem/_vendor/__init__.py +25 -0
- package/src/apothem/_vendor/attr/__init__.py +104 -0
- package/src/apothem/_vendor/attr/__init__.pyi +389 -0
- package/src/apothem/_vendor/attr/_cmp.py +160 -0
- package/src/apothem/_vendor/attr/_cmp.pyi +13 -0
- package/src/apothem/_vendor/attr/_compat.py +99 -0
- package/src/apothem/_vendor/attr/_config.py +31 -0
- package/src/apothem/_vendor/attr/_funcs.py +497 -0
- package/src/apothem/_vendor/attr/_make.py +3406 -0
- package/src/apothem/_vendor/attr/_next_gen.py +674 -0
- package/src/apothem/_vendor/attr/_typing_compat.pyi +15 -0
- package/src/apothem/_vendor/attr/_version_info.py +89 -0
- package/src/apothem/_vendor/attr/_version_info.pyi +9 -0
- package/src/apothem/_vendor/attr/converters.py +162 -0
- package/src/apothem/_vendor/attr/converters.pyi +19 -0
- package/src/apothem/_vendor/attr/exceptions.py +95 -0
- package/src/apothem/_vendor/attr/exceptions.pyi +17 -0
- package/src/apothem/_vendor/attr/filters.py +72 -0
- package/src/apothem/_vendor/attr/filters.pyi +6 -0
- package/src/apothem/_vendor/attr/py.typed +0 -0
- package/src/apothem/_vendor/attr/setters.py +79 -0
- package/src/apothem/_vendor/attr/setters.pyi +20 -0
- package/src/apothem/_vendor/attr/validators.py +750 -0
- package/src/apothem/_vendor/attr/validators.pyi +140 -0
- package/src/apothem/_vendor/attr.LICENSE +21 -0
- package/src/apothem/_vendor/attrs/__init__.py +72 -0
- package/src/apothem/_vendor/attrs/__init__.pyi +314 -0
- package/src/apothem/_vendor/attrs/converters.py +3 -0
- package/src/apothem/_vendor/attrs/exceptions.py +3 -0
- package/src/apothem/_vendor/attrs/filters.py +3 -0
- package/src/apothem/_vendor/attrs/py.typed +0 -0
- package/src/apothem/_vendor/attrs/setters.py +3 -0
- package/src/apothem/_vendor/attrs/validators.py +3 -0
- package/src/apothem/_vendor/attrs.LICENSE +21 -0
- package/src/apothem/_vendor/jsonschema/__init__.py +120 -0
- package/src/apothem/_vendor/jsonschema/__main__.py +6 -0
- package/src/apothem/_vendor/jsonschema/_format.py +546 -0
- package/src/apothem/_vendor/jsonschema/_keywords.py +449 -0
- package/src/apothem/_vendor/jsonschema/_legacy_keywords.py +449 -0
- package/src/apothem/_vendor/jsonschema/_types.py +204 -0
- package/src/apothem/_vendor/jsonschema/_typing.py +29 -0
- package/src/apothem/_vendor/jsonschema/_utils.py +355 -0
- package/src/apothem/_vendor/jsonschema/benchmarks/__init__.py +5 -0
- package/src/apothem/_vendor/jsonschema/benchmarks/const_vs_enum.py +30 -0
- package/src/apothem/_vendor/jsonschema/benchmarks/contains.py +28 -0
- package/src/apothem/_vendor/jsonschema/benchmarks/import_benchmark.py +31 -0
- package/src/apothem/_vendor/jsonschema/benchmarks/issue232/issue.json +2653 -0
- package/src/apothem/_vendor/jsonschema/benchmarks/issue232.py +25 -0
- package/src/apothem/_vendor/jsonschema/benchmarks/json_schema_test_suite.py +12 -0
- package/src/apothem/_vendor/jsonschema/benchmarks/nested_schemas.py +56 -0
- package/src/apothem/_vendor/jsonschema/benchmarks/subcomponents.py +42 -0
- package/src/apothem/_vendor/jsonschema/benchmarks/unused_registry.py +35 -0
- package/src/apothem/_vendor/jsonschema/benchmarks/useless_applicator_schemas.py +106 -0
- package/src/apothem/_vendor/jsonschema/benchmarks/useless_keywords.py +32 -0
- package/src/apothem/_vendor/jsonschema/benchmarks/validator_creation.py +14 -0
- package/src/apothem/_vendor/jsonschema/cli.py +292 -0
- package/src/apothem/_vendor/jsonschema/exceptions.py +490 -0
- package/src/apothem/_vendor/jsonschema/protocols.py +230 -0
- package/src/apothem/_vendor/jsonschema/validators.py +1410 -0
- package/src/apothem/_vendor/jsonschema.LICENSE +19 -0
- package/src/apothem/_vendor/jsonschema_specifications/__init__.py +12 -0
- package/src/apothem/_vendor/jsonschema_specifications/_core.py +38 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft201909/metaschema.json +42 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft201909/vocabularies/applicator +56 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft201909/vocabularies/content +17 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft201909/vocabularies/core +57 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft201909/vocabularies/format +14 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft201909/vocabularies/meta-data +37 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft201909/vocabularies/validation +98 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft202012/metaschema.json +58 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft202012/vocabularies/applicator +48 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft202012/vocabularies/content +17 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft202012/vocabularies/core +51 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft202012/vocabularies/format-annotation +14 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft202012/vocabularies/format-assertion +14 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft202012/vocabularies/meta-data +37 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft202012/vocabularies/unevaluated +15 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft202012/vocabularies/validation +98 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft3/metaschema.json +172 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft4/metaschema.json +149 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft6/metaschema.json +153 -0
- package/src/apothem/_vendor/jsonschema_specifications/schemas/draft7/metaschema.json +166 -0
- package/src/apothem/_vendor/jsonschema_specifications.LICENSE +19 -0
- package/src/apothem/_vendor/referencing/__init__.py +7 -0
- package/src/apothem/_vendor/referencing/_attrs.py +31 -0
- package/src/apothem/_vendor/referencing/_attrs.pyi +21 -0
- package/src/apothem/_vendor/referencing/_core.py +739 -0
- package/src/apothem/_vendor/referencing/exceptions.py +165 -0
- package/src/apothem/_vendor/referencing/jsonschema.py +642 -0
- package/src/apothem/_vendor/referencing/py.typed +0 -0
- package/src/apothem/_vendor/referencing/retrieval.py +94 -0
- package/src/apothem/_vendor/referencing/typing.py +61 -0
- package/src/apothem/_vendor/referencing.LICENSE +19 -0
- package/src/apothem/_vendor/rpds/__init__.py +251 -0
- package/src/apothem/_vendor/typing_extensions.LICENSE +279 -0
- package/src/apothem/_vendor/typing_extensions.py +4317 -0
- package/src/apothem/_vendor/vendor.txt +22 -0
- package/src/apothem/_vendor/yaml/__init__.py +389 -0
- package/src/apothem/_vendor/yaml/composer.py +138 -0
- package/src/apothem/_vendor/yaml/constructor.py +748 -0
- package/src/apothem/_vendor/yaml/cyaml.py +100 -0
- package/src/apothem/_vendor/yaml/dumper.py +61 -0
- package/src/apothem/_vendor/yaml/emitter.py +1137 -0
- package/src/apothem/_vendor/yaml/error.py +74 -0
- package/src/apothem/_vendor/yaml/events.py +85 -0
- package/src/apothem/_vendor/yaml/loader.py +63 -0
- package/src/apothem/_vendor/yaml/nodes.py +48 -0
- package/src/apothem/_vendor/yaml/parser.py +588 -0
- package/src/apothem/_vendor/yaml/reader.py +185 -0
- package/src/apothem/_vendor/yaml/representer.py +388 -0
- package/src/apothem/_vendor/yaml/resolver.py +226 -0
- package/src/apothem/_vendor/yaml/scanner.py +1435 -0
- package/src/apothem/_vendor/yaml/serializer.py +110 -0
- package/src/apothem/_vendor/yaml/tokens.py +103 -0
- package/src/apothem/_vendor/yaml.LICENSE +20 -0
- package/src/apothem/agents/README.md +60 -0
- package/src/apothem/agents/codebase-explorer.md +91 -0
- package/src/apothem/agents/convention-auditor.md +93 -0
- package/src/apothem/agents/dependency-auditor.md +97 -0
- package/src/apothem/agents/fact-checker.md +84 -0
- package/src/apothem/agents/mcp-builder.md +86 -0
- package/src/apothem/agents/memory-auditor.md +93 -0
- package/src/apothem/agents/prompt-evaluator.md +87 -0
- package/src/apothem/agents/quality-gate.md +103 -0
- package/src/apothem/agents/refactor-surgeon.md +74 -0
- package/src/apothem/agents/research-scout.md +73 -0
- package/src/apothem/agents/security-scanner.md +83 -0
- package/src/apothem/agents/test-runner.md +84 -0
- package/src/apothem/audit/README.md +73 -0
- package/src/apothem/audit/_scan_lib.py +182 -0
- package/src/apothem/audit/analyze_graph.py +260 -0
- package/src/apothem/audit/build_capability_graph.py +607 -0
- package/src/apothem/audit/build_inventory.py +657 -0
- package/src/apothem/audit/build_plans_provenance.py +997 -0
- package/src/apothem/audit/check_links.py +389 -0
- package/src/apothem/audit/classify_artifacts.py +381 -0
- package/src/apothem/audit/deprecated-tokens.txt +10 -0
- package/src/apothem/audit/execute_plans_migration.py +491 -0
- package/src/apothem/audit/known-projects.txt +15 -0
- package/src/apothem/audit/render_capability_index.py +467 -0
- package/src/apothem/audit/render_inventory.py +405 -0
- package/src/apothem/audit/scan_ai_surfaces.py +1125 -0
- package/src/apothem/audit/scan_ai_surfaces_coarse.py +261 -0
- package/src/apothem/audit/scan_drift_features.py +143 -0
- package/src/apothem/audit/scan_frontmatter.py +293 -0
- package/src/apothem/audit/scan_header_coverage.py +1134 -0
- package/src/apothem/audit/scan_plan_leakage.py +540 -0
- package/src/apothem/audit/scan_plans_discipline.py +188 -0
- package/src/apothem/audit/scan_secrets_pii.py +245 -0
- package/src/apothem/audit/scan_stale_tokens.py +296 -0
- package/src/apothem/audit/synthesize_drift.py +205 -0
- package/src/apothem/benchmarks/README.md +33 -0
- package/src/apothem/benchmarks/__init__.py +3 -0
- package/src/apothem/benchmarks/bench_agents.py +63 -0
- package/src/apothem/benchmarks/bench_hooks.py +93 -0
- package/src/apothem/benchmarks/bench_install.py +58 -0
- package/src/apothem/benchmarks/bench_tests.py +93 -0
- package/src/apothem/benchmarks/bench_validate_ecosystem.py +84 -0
- package/src/apothem/cli/README.md +33 -0
- package/src/apothem/cli/__init__.py +229 -0
- package/src/apothem/cli/_cmd_completion.py +88 -0
- package/src/apothem/cli/_cmd_diff.py +181 -0
- package/src/apothem/cli/_cmd_doctor.py +143 -0
- package/src/apothem/cli/_cmd_harnesses.py +167 -0
- package/src/apothem/cli/_cmd_install.py +327 -0
- package/src/apothem/cli/_cmd_migrate_workspace.py +143 -0
- package/src/apothem/cli/_cmd_profile.py +341 -0
- package/src/apothem/cli/_cmd_status.py +180 -0
- package/src/apothem/cli/_cmd_uninstall.py +215 -0
- package/src/apothem/cli/_cmd_update.py +397 -0
- package/src/apothem/cli/_cmd_verify.py +194 -0
- package/src/apothem/cli/_common_flags.py +90 -0
- package/src/apothem/cli/_epilogs.py +296 -0
- package/src/apothem/cli/_helpers.py +857 -0
- package/src/apothem/cli/_json_formatter.py +21 -0
- package/src/apothem/cli/_materialize.py +376 -0
- package/src/apothem/cli/completions/apothem.bash +30 -0
- package/src/apothem/cli/completions/apothem.fish +19 -0
- package/src/apothem/cli/completions/apothem.ps1 +27 -0
- package/src/apothem/cli/completions/apothem.zsh +42 -0
- package/src/apothem/cli/reference_export.py +126 -0
- package/src/apothem/commands/README.md +125 -0
- package/src/apothem/commands/a11y-audit.md +203 -0
- package/src/apothem/commands/architecture-review.md +194 -0
- package/src/apothem/commands/audit.md +165 -0
- package/src/apothem/commands/code-audit.md +218 -0
- package/src/apothem/commands/code-review.md +193 -0
- package/src/apothem/commands/dependency-audit.md +209 -0
- package/src/apothem/commands/docs-review.md +199 -0
- package/src/apothem/commands/elevate.md +285 -0
- package/src/apothem/commands/eval.md +149 -0
- package/src/apothem/commands/fortress.md +172 -0
- package/src/apothem/commands/freshify.md +168 -0
- package/src/apothem/commands/github-deploy-fresh.md +178 -0
- package/src/apothem/commands/github-deploy-next.md +167 -0
- package/src/apothem/commands/perf-audit.md +198 -0
- package/src/apothem/commands/plan-amend.md +104 -0
- package/src/apothem/commands/plan-audit.md +127 -0
- package/src/apothem/commands/plan-design.md +257 -0
- package/src/apothem/commands/plan-execute.md +495 -0
- package/src/apothem/commands/plan-generate.md +351 -0
- package/src/apothem/commands/plan-review.md +555 -0
- package/src/apothem/commands/plan-spec.md +359 -0
- package/src/apothem/commands/plan-status.md +222 -0
- package/src/apothem/commands/plan.md +173 -0
- package/src/apothem/commands/projectify.md +142 -0
- package/src/apothem/commands/release-readiness.md +142 -0
- package/src/apothem/commands/research-analysis.md +241 -0
- package/src/apothem/commands/research-design.md +231 -0
- package/src/apothem/commands/research-disseminate.md +225 -0
- package/src/apothem/commands/research-experiment.md +232 -0
- package/src/apothem/commands/research-ideate.md +213 -0
- package/src/apothem/commands/research-paper.md +252 -0
- package/src/apothem/commands/research-proposal.md +220 -0
- package/src/apothem/commands/research-publish.md +255 -0
- package/src/apothem/commands/research-review.md +251 -0
- package/src/apothem/commands/research-sources.md +266 -0
- package/src/apothem/commands/research-spec.md +255 -0
- package/src/apothem/commands/research-synthesis.md +233 -0
- package/src/apothem/commands/research-theory.md +218 -0
- package/src/apothem/commands/research.md +181 -0
- package/src/apothem/commands/security-audit.md +196 -0
- package/src/apothem/commands/supply-chain-audit.md +192 -0
- package/src/apothem/commands/test-suite.md +146 -0
- package/src/apothem/commands/threat-model-audit.md +199 -0
- package/src/apothem/commands/ux-review.md +202 -0
- package/src/apothem/commands/workflow.md +162 -0
- package/src/apothem/conformity/README.md +173 -0
- package/src/apothem/conformity/__init__.py +1 -0
- package/src/apothem/conformity/_grep_base.py +93 -0
- package/src/apothem/conformity/agent_capability_grep.py +306 -0
- package/src/apothem/conformity/agents_md_coverage_grep.py +382 -0
- package/src/apothem/conformity/agnosticism_grep.py +311 -0
- package/src/apothem/conformity/always_on_budget_grep.py +318 -0
- package/src/apothem/conformity/bare_except_grep.py +115 -0
- package/src/apothem/conformity/binding_reciprocity_grep.py +151 -0
- package/src/apothem/conformity/brand_mark_grep.py +272 -0
- package/src/apothem/conformity/commented_out_code_grep.py +176 -0
- package/src/apothem/conformity/completion_claim_grep.py +169 -0
- package/src/apothem/conformity/conventional_commit_grep.py +319 -0
- package/src/apothem/conformity/copilot_instructions_presence_grep.py +324 -0
- package/src/apothem/conformity/cross_platform_matrix_grep.py +297 -0
- package/src/apothem/conformity/determinism_grep.py +306 -0
- package/src/apothem/conformity/diagram_staleness_grep.py +154 -0
- package/src/apothem/conformity/dynamism_grep.py +284 -0
- package/src/apothem/conformity/editorconfig_presence_grep.py +281 -0
- package/src/apothem/conformity/file_header_grep.py +502 -0
- package/src/apothem/conformity/freshness_token_grep.py +233 -0
- package/src/apothem/conformity/frontmatter_grep.py +274 -0
- package/src/apothem/conformity/frontmatter_value_grep.py +386 -0
- package/src/apothem/conformity/gate.py +1386 -0
- package/src/apothem/conformity/gitattributes_presence_grep.py +238 -0
- package/src/apothem/conformity/harden_runner_grep.py +320 -0
- package/src/apothem/conformity/hedging_grep.py +129 -0
- package/src/apothem/conformity/license_author_consistency_grep.py +204 -0
- package/src/apothem/conformity/link_check.py +327 -0
- package/src/apothem/conformity/magic_number_grep.py +182 -0
- package/src/apothem/conformity/multi_surface_coherence_grep.py +620 -0
- package/src/apothem/conformity/naming_grep.py +224 -0
- package/src/apothem/conformity/no_global_plans_grep.py +339 -0
- package/src/apothem/conformity/no_toplevel_docs_grep.py +120 -0
- package/src/apothem/conformity/oidc_trusted_publishing_grep.py +291 -0
- package/src/apothem/conformity/option_annotation_grep.py +352 -0
- package/src/apothem/conformity/orphan_output_grep.py +206 -0
- package/src/apothem/conformity/permissions_minimum_scope_grep.py +299 -0
- package/src/apothem/conformity/plain_language_grep.py +559 -0
- package/src/apothem/conformity/plan_next_step_consistency_grep.py +450 -0
- package/src/apothem/conformity/plan_suite_structure_grep.py +534 -0
- package/src/apothem/conformity/plans_discipline_language_grep.py +245 -0
- package/src/apothem/conformity/production_ready_pr_grep.py +200 -0
- package/src/apothem/conformity/recommend_next_step_grep.py +250 -0
- package/src/apothem/conformity/redundancy_grep.py +401 -0
- package/src/apothem/conformity/reference_token_grep.py +230 -0
- package/src/apothem/conformity/registry_capability_consistency_grep.py +368 -0
- package/src/apothem/conformity/secret_leak_grep.py +193 -0
- package/src/apothem/conformity/semver_stability_grep.py +358 -0
- package/src/apothem/conformity/smoke_install_grep.py +194 -0
- package/src/apothem/conformity/static_version_grep.py +284 -0
- package/src/apothem/conformity/token_efficiency_grep.py +185 -0
- package/src/apothem/conformity/unpinned_action_grep.py +115 -0
- package/src/apothem/conformity/user_confirm_grep.py +74 -0
- package/src/apothem/conformity/workflow_concurrency_grep.py +283 -0
- package/src/apothem/harnesses/README.md +63 -0
- package/src/apothem/harnesses/__init__.py +16 -0
- package/src/apothem/harnesses/_shared/README.md +36 -0
- package/src/apothem/harnesses/_shared/__init__.py +12 -0
- package/src/apothem/harnesses/_shared/install_driver.py +281 -0
- package/src/apothem/harnesses/_shared/install_driver_apply.py +612 -0
- package/src/apothem/harnesses/_shared/install_driver_backup.py +535 -0
- package/src/apothem/harnesses/_shared/install_driver_converters.py +310 -0
- package/src/apothem/harnesses/_shared/install_driver_lifecycle.py +495 -0
- package/src/apothem/harnesses/_shared/install_driver_materialize.py +675 -0
- package/src/apothem/harnesses/_shared/install_driver_merge.py +656 -0
- package/src/apothem/harnesses/_shared/install_driver_pathsafety.py +137 -0
- package/src/apothem/harnesses/_shared/install_driver_planvalidation.py +240 -0
- package/src/apothem/harnesses/_shared/install_driver_removal.py +366 -0
- package/src/apothem/harnesses/_shared/install_driver_treeops.py +248 -0
- package/src/apothem/harnesses/_shared/install_driver_types.py +330 -0
- package/src/apothem/harnesses/_shared/wrapper_factories.py +448 -0
- package/src/apothem/harnesses/antigravity/STANDARD-CONVENTION-PIN.md +91 -0
- package/src/apothem/harnesses/antigravity/__init__.py +70 -0
- package/src/apothem/harnesses/antigravity/capabilities.yml +40 -0
- package/src/apothem/harnesses/antigravity/install.py +63 -0
- package/src/apothem/harnesses/antigravity/templates/GEMINI.md +40 -0
- package/src/apothem/harnesses/antigravity/templates/plugin.json +5 -0
- package/src/apothem/harnesses/antigravity/uninstall.py +22 -0
- package/src/apothem/harnesses/antigravity/update.py +10 -0
- package/src/apothem/harnesses/antigravity/verify.py +11 -0
- package/src/apothem/harnesses/claude_code/STANDARD-CONVENTION-PIN.md +65 -0
- package/src/apothem/harnesses/claude_code/__init__.py +107 -0
- package/src/apothem/harnesses/claude_code/capabilities.yml +42 -0
- package/src/apothem/harnesses/claude_code/install.py +147 -0
- package/src/apothem/harnesses/claude_code/templates/settings.json +351 -0
- package/src/apothem/harnesses/claude_code/uninstall.py +23 -0
- package/src/apothem/harnesses/claude_code/update.py +10 -0
- package/src/apothem/harnesses/claude_code/verify.py +11 -0
- package/src/apothem/harnesses/codebuddy/STANDARD-CONVENTION-PIN.md +74 -0
- package/src/apothem/harnesses/codebuddy/__init__.py +49 -0
- package/src/apothem/harnesses/codebuddy/capabilities.yml +34 -0
- package/src/apothem/harnesses/codebuddy/install.py +40 -0
- package/src/apothem/harnesses/codebuddy/templates/apothem-rules.md +37 -0
- package/src/apothem/harnesses/codebuddy/uninstall.py +25 -0
- package/src/apothem/harnesses/codebuddy/update.py +10 -0
- package/src/apothem/harnesses/codebuddy/verify.py +11 -0
- package/src/apothem/harnesses/codex/STANDARD-CONVENTION-PIN.md +79 -0
- package/src/apothem/harnesses/codex/__init__.py +72 -0
- package/src/apothem/harnesses/codex/capabilities.yml +40 -0
- package/src/apothem/harnesses/codex/install.py +69 -0
- package/src/apothem/harnesses/codex/templates/AGENTS.md +40 -0
- package/src/apothem/harnesses/codex/templates/hooks.json +127 -0
- package/src/apothem/harnesses/codex/uninstall.py +23 -0
- package/src/apothem/harnesses/codex/update.py +10 -0
- package/src/apothem/harnesses/codex/verify.py +11 -0
- package/src/apothem/harnesses/cursor/STANDARD-CONVENTION-PIN.md +79 -0
- package/src/apothem/harnesses/cursor/__init__.py +48 -0
- package/src/apothem/harnesses/cursor/capabilities.yml +42 -0
- package/src/apothem/harnesses/cursor/install.py +38 -0
- package/src/apothem/harnesses/cursor/templates/apothem-rules.mdc +40 -0
- package/src/apothem/harnesses/cursor/uninstall.py +25 -0
- package/src/apothem/harnesses/cursor/update.py +10 -0
- package/src/apothem/harnesses/cursor/verify.py +11 -0
- package/src/apothem/harnesses/gemini_cli/STANDARD-CONVENTION-PIN.md +102 -0
- package/src/apothem/harnesses/gemini_cli/__init__.py +52 -0
- package/src/apothem/harnesses/gemini_cli/capabilities.yml +43 -0
- package/src/apothem/harnesses/gemini_cli/install.py +43 -0
- package/src/apothem/harnesses/gemini_cli/templates/GEMINI.md +38 -0
- package/src/apothem/harnesses/gemini_cli/uninstall.py +25 -0
- package/src/apothem/harnesses/gemini_cli/update.py +10 -0
- package/src/apothem/harnesses/gemini_cli/verify.py +11 -0
- package/src/apothem/harnesses/github_copilot/STANDARD-CONVENTION-PIN.md +84 -0
- package/src/apothem/harnesses/github_copilot/__init__.py +47 -0
- package/src/apothem/harnesses/github_copilot/capabilities.yml +42 -0
- package/src/apothem/harnesses/github_copilot/install.py +40 -0
- package/src/apothem/harnesses/github_copilot/templates/copilot-instructions.md +33 -0
- package/src/apothem/harnesses/github_copilot/uninstall.py +25 -0
- package/src/apothem/harnesses/github_copilot/update.py +10 -0
- package/src/apothem/harnesses/github_copilot/verify.py +11 -0
- package/src/apothem/harnesses/glm/STANDARD-CONVENTION-PIN.md +77 -0
- package/src/apothem/harnesses/glm/__init__.py +56 -0
- package/src/apothem/harnesses/glm/capabilities.yml +33 -0
- package/src/apothem/harnesses/glm/install.py +45 -0
- package/src/apothem/harnesses/glm/templates/glm.toml +58 -0
- package/src/apothem/harnesses/glm/uninstall.py +25 -0
- package/src/apothem/harnesses/glm/update.py +10 -0
- package/src/apothem/harnesses/glm/verify.py +11 -0
- package/src/apothem/harnesses/hermes/STANDARD-CONVENTION-PIN.md +57 -0
- package/src/apothem/harnesses/hermes/__init__.py +33 -0
- package/src/apothem/harnesses/hermes/capabilities.yml +36 -0
- package/src/apothem/harnesses/hermes/install.py +17 -0
- package/src/apothem/harnesses/hermes/materializer.py +35 -0
- package/src/apothem/harnesses/hermes/uninstall.py +33 -0
- package/src/apothem/harnesses/hermes/update.py +10 -0
- package/src/apothem/harnesses/hermes/verify.py +11 -0
- package/src/apothem/harnesses/kimi_code/STANDARD-CONVENTION-PIN.md +128 -0
- package/src/apothem/harnesses/kimi_code/__init__.py +59 -0
- package/src/apothem/harnesses/kimi_code/capabilities.yml +40 -0
- package/src/apothem/harnesses/kimi_code/install.py +42 -0
- package/src/apothem/harnesses/kimi_code/templates/AGENTS.md +43 -0
- package/src/apothem/harnesses/kimi_code/uninstall.py +27 -0
- package/src/apothem/harnesses/kimi_code/update.py +10 -0
- package/src/apothem/harnesses/kimi_code/verify.py +11 -0
- package/src/apothem/harnesses/kiro/STANDARD-CONVENTION-PIN.md +77 -0
- package/src/apothem/harnesses/kiro/__init__.py +49 -0
- package/src/apothem/harnesses/kiro/capabilities.yml +36 -0
- package/src/apothem/harnesses/kiro/install.py +39 -0
- package/src/apothem/harnesses/kiro/templates/apothem-rules.md +36 -0
- package/src/apothem/harnesses/kiro/uninstall.py +25 -0
- package/src/apothem/harnesses/kiro/update.py +10 -0
- package/src/apothem/harnesses/kiro/verify.py +11 -0
- package/src/apothem/harnesses/open_claw/STANDARD-CONVENTION-PIN.md +62 -0
- package/src/apothem/harnesses/open_claw/__init__.py +35 -0
- package/src/apothem/harnesses/open_claw/capabilities.yml +35 -0
- package/src/apothem/harnesses/open_claw/install.py +17 -0
- package/src/apothem/harnesses/open_claw/materializer.py +36 -0
- package/src/apothem/harnesses/open_claw/uninstall.py +32 -0
- package/src/apothem/harnesses/open_claw/update.py +10 -0
- package/src/apothem/harnesses/open_claw/verify.py +11 -0
- package/src/apothem/harnesses/opencode/STANDARD-CONVENTION-PIN.md +76 -0
- package/src/apothem/harnesses/opencode/__init__.py +35 -0
- package/src/apothem/harnesses/opencode/capabilities.yml +43 -0
- package/src/apothem/harnesses/opencode/install.py +17 -0
- package/src/apothem/harnesses/opencode/materializer.py +31 -0
- package/src/apothem/harnesses/opencode/uninstall.py +34 -0
- package/src/apothem/harnesses/opencode/update.py +10 -0
- package/src/apothem/harnesses/opencode/verify.py +11 -0
- package/src/apothem/harnesses/qwen_code/STANDARD-CONVENTION-PIN.md +87 -0
- package/src/apothem/harnesses/qwen_code/__init__.py +37 -0
- package/src/apothem/harnesses/qwen_code/capabilities.yml +43 -0
- package/src/apothem/harnesses/qwen_code/install.py +19 -0
- package/src/apothem/harnesses/qwen_code/materializer.py +174 -0
- package/src/apothem/harnesses/qwen_code/templates/QWEN.md +30 -0
- package/src/apothem/harnesses/qwen_code/uninstall.py +34 -0
- package/src/apothem/harnesses/qwen_code/update.py +10 -0
- package/src/apothem/harnesses/qwen_code/verify.py +11 -0
- package/src/apothem/harnesses/trae/STANDARD-CONVENTION-PIN.md +70 -0
- package/src/apothem/harnesses/trae/__init__.py +49 -0
- package/src/apothem/harnesses/trae/capabilities.yml +34 -0
- package/src/apothem/harnesses/trae/install.py +38 -0
- package/src/apothem/harnesses/trae/templates/apothem-rules.md +37 -0
- package/src/apothem/harnesses/trae/uninstall.py +25 -0
- package/src/apothem/harnesses/trae/update.py +10 -0
- package/src/apothem/harnesses/trae/verify.py +11 -0
- package/src/apothem/harnesses/windsurf/STANDARD-CONVENTION-PIN.md +91 -0
- package/src/apothem/harnesses/windsurf/__init__.py +52 -0
- package/src/apothem/harnesses/windsurf/capabilities.yml +40 -0
- package/src/apothem/harnesses/windsurf/install.py +41 -0
- package/src/apothem/harnesses/windsurf/templates/apothem-rules.md +37 -0
- package/src/apothem/harnesses/windsurf/uninstall.py +25 -0
- package/src/apothem/harnesses/windsurf/update.py +10 -0
- package/src/apothem/harnesses/windsurf/verify.py +11 -0
- package/src/apothem/harnesses/zed/STANDARD-CONVENTION-PIN.md +92 -0
- package/src/apothem/harnesses/zed/__init__.py +57 -0
- package/src/apothem/harnesses/zed/capabilities.yml +38 -0
- package/src/apothem/harnesses/zed/install.py +41 -0
- package/src/apothem/harnesses/zed/templates/apothem-rules.md +32 -0
- package/src/apothem/harnesses/zed/uninstall.py +28 -0
- package/src/apothem/harnesses/zed/update.py +10 -0
- package/src/apothem/harnesses/zed/verify.py +11 -0
- package/src/apothem/hooks/README.md +81 -0
- package/src/apothem/hooks/__init__.py +24 -0
- package/src/apothem/hooks/askuserquestion_validator.py +380 -0
- package/src/apothem/hooks/dispatch.py +296 -0
- package/src/apothem/hooks/emit_hook_context.py +444 -0
- package/src/apothem/hooks/hooks.json +318 -0
- package/src/apothem/hooks/lib/README.md +39 -0
- package/src/apothem/hooks/lib/__init__.py +18 -0
- package/src/apothem/hooks/lib/bootstrap.ps1 +129 -0
- package/src/apothem/hooks/lib/bootstrap.sh +103 -0
- package/src/apothem/hooks/lib/events.py +51 -0
- package/src/apothem/hooks/lib/find-pwsh.ps1 +78 -0
- package/src/apothem/hooks/lib/find-pwsh.sh +76 -0
- package/src/apothem/hooks/lib/find-python.ps1 +63 -0
- package/src/apothem/hooks/lib/find-python.sh +97 -0
- package/src/apothem/hooks/lib/log.py +43 -0
- package/src/apothem/hooks/lib/resolve_root.py +264 -0
- package/src/apothem/hooks/messages/postcompact.md +14 -0
- package/src/apothem/hooks/messages/posttooluse-proactive-compaction.md +46 -0
- package/src/apothem/hooks/messages/precompact.md +14 -0
- package/src/apothem/hooks/messages/pretooluse-askuserquestion-recommended.md +65 -0
- package/src/apothem/hooks/messages/pretooluse-bash-plan-guard.md +97 -0
- package/src/apothem/hooks/messages/pretooluse-bash.md +39 -0
- package/src/apothem/hooks/messages/pretooluse-conformity.md +70 -0
- package/src/apothem/hooks/messages/pretooluse-dependency-guard.md +21 -0
- package/src/apothem/hooks/messages/pretooluse-edit-header-guard.md +61 -0
- package/src/apothem/hooks/messages/pretooluse-edit.md +21 -0
- package/src/apothem/hooks/messages/pretooluse-eval-guard.md +39 -0
- package/src/apothem/hooks/messages/pretooluse-notebookedit.md +11 -0
- package/src/apothem/hooks/messages/pretooluse-write-header-guard.md +45 -0
- package/src/apothem/hooks/messages/pretooluse-write-plan-guard.md +72 -0
- package/src/apothem/hooks/messages/pretooluse-write.md +21 -0
- package/src/apothem/hooks/messages/sessionstart.md +15 -0
- package/src/apothem/hooks/messages/stop.md +27 -0
- package/src/apothem/hooks/proactive_compaction_tracker.py +327 -0
- package/src/apothem/hooks/session_start_bootstrap.py +472 -0
- package/src/apothem/lib/README.md +42 -0
- package/src/apothem/lib/__init__.py +13 -0
- package/src/apothem/lib/atomic_io.py +189 -0
- package/src/apothem/lib/auditor.py +687 -0
- package/src/apothem/lib/clean_slate.py +396 -0
- package/src/apothem/lib/contexts.py +352 -0
- package/src/apothem/lib/data_home.py +255 -0
- package/src/apothem/lib/frontmatter.py +101 -0
- package/src/apothem/lib/harness_materializer.py +213 -0
- package/src/apothem/lib/harness_protocol.py +59 -0
- package/src/apothem/lib/harness_registry.py +282 -0
- package/src/apothem/lib/harness_registry_data.py +843 -0
- package/src/apothem/lib/install_ledger.py +347 -0
- package/src/apothem/lib/learning.py +540 -0
- package/src/apothem/lib/memory.py +347 -0
- package/src/apothem/lib/parallel_sweep.py +234 -0
- package/src/apothem/lib/plan_tiers.py +200 -0
- package/src/apothem/lib/plugin_bootstrap.py +132 -0
- package/src/apothem/lib/plugin_tree.py +599 -0
- package/src/apothem/lib/profile.py +755 -0
- package/src/apothem/lib/profile_projection.py +198 -0
- package/src/apothem/lib/propagation-manifest.yaml +878 -0
- package/src/apothem/lib/propagation.py +220 -0
- package/src/apothem/lib/python_resolver.py +189 -0
- package/src/apothem/lib/reporter.py +62 -0
- package/src/apothem/lib/workspace_migration.py +323 -0
- package/src/apothem/output-styles/README.md +41 -0
- package/src/apothem/output-styles/concise-engineer.md +49 -0
- package/src/apothem/output-styles/default-architect.md +52 -0
- package/src/apothem/output-styles/default.md +113 -0
- package/src/apothem/output-styles/forensic-auditor.md +63 -0
- package/src/apothem/py.typed +0 -0
- package/src/apothem/rules/README.md +121 -0
- package/src/apothem/rules/agent-capability-discipline-matrix.md +89 -0
- package/src/apothem/rules/agent-capability-discipline.md +78 -0
- package/src/apothem/rules/agent-orchestration-patterns.md +144 -0
- package/src/apothem/rules/agent-orchestration.md +65 -0
- package/src/apothem/rules/agents-md-convention.md +86 -0
- package/src/apothem/rules/agile-sprints-elements.md +135 -0
- package/src/apothem/rules/agile-sprints.md +64 -0
- package/src/apothem/rules/agnostic-posture-checklist.md +47 -0
- package/src/apothem/rules/agnostic-posture.md +48 -0
- package/src/apothem/rules/authoritative-referencing-quotation.md +50 -0
- package/src/apothem/rules/authoritative-referencing.md +66 -0
- package/src/apothem/rules/authority-inquiry-categories.md +58 -0
- package/src/apothem/rules/authority-inquiry.md +54 -0
- package/src/apothem/rules/auto-memory-topic-files.md +86 -0
- package/src/apothem/rules/auto-memory.md +67 -0
- package/src/apothem/rules/bidirectional-binding.md +123 -0
- package/src/apothem/rules/canonical-layout-reporting-tiers.md +212 -0
- package/src/apothem/rules/canonical-layout.md +60 -0
- package/src/apothem/rules/clean-architecture-layers.md +186 -0
- package/src/apothem/rules/clean-room-generation-protocols.md +124 -0
- package/src/apothem/rules/clean-room-generation.md +59 -0
- package/src/apothem/rules/code-craft-conventions.md +101 -0
- package/src/apothem/rules/code-craft-markdown.md +138 -0
- package/src/apothem/rules/code-craft-python.md +154 -0
- package/src/apothem/rules/code-craft-shell.md +192 -0
- package/src/apothem/rules/cognitive-identity-techniques.md +180 -0
- package/src/apothem/rules/cognitive-identity.md +81 -0
- package/src/apothem/rules/context-management-budget.md +46 -0
- package/src/apothem/rules/context-management-protocol.md +161 -0
- package/src/apothem/rules/context-management-scratch.md +128 -0
- package/src/apothem/rules/context-management.md +85 -0
- package/src/apothem/rules/definitiveness-virtues.md +67 -0
- package/src/apothem/rules/definitiveness.md +58 -0
- package/src/apothem/rules/determinism.md +81 -0
- package/src/apothem/rules/disclosure-ledger-markers.md +58 -0
- package/src/apothem/rules/disclosure-ledger.md +52 -0
- package/src/apothem/rules/dynamism.md +38 -0
- package/src/apothem/rules/etc-extension.md +57 -0
- package/src/apothem/rules/expertise-posture-elements.md +68 -0
- package/src/apothem/rules/expertise-posture.md +54 -0
- package/src/apothem/rules/freshness-facade.md +64 -0
- package/src/apothem/rules/harness-adapter-shape-schemas.md +162 -0
- package/src/apothem/rules/harness-adapter-shape.md +42 -0
- package/src/apothem/rules/host-discovery-manifests.md +50 -0
- package/src/apothem/rules/host-discovery.md +56 -0
- package/src/apothem/rules/i18n-discipline-locale-cohorts.md +120 -0
- package/src/apothem/rules/i18n-discipline.md +70 -0
- package/src/apothem/rules/interactive-questions-canonical-shapes.md +590 -0
- package/src/apothem/rules/interactive-questions-detail.md +41 -0
- package/src/apothem/rules/interactive-questions-sweep-matchers.md +184 -0
- package/src/apothem/rules/interactive-questions.md +89 -0
- package/src/apothem/rules/large-file-generation.md +112 -0
- package/src/apothem/rules/large-file-reading.md +59 -0
- package/src/apothem/rules/living-docs.md +85 -0
- package/src/apothem/rules/multi-agent-workflow.md +57 -0
- package/src/apothem/rules/operational-mandates-expanded.md +78 -0
- package/src/apothem/rules/operational-mandates.md +88 -0
- package/src/apothem/rules/option-annotation-form.md +60 -0
- package/src/apothem/rules/option-annotation.md +45 -0
- package/src/apothem/rules/own-voice-reimplementation.md +86 -0
- package/src/apothem/rules/performance-discipline.md +91 -0
- package/src/apothem/rules/persistent-conventions-vigilance-checklist.md +54 -0
- package/src/apothem/rules/persistent-conventions-vigilance.md +61 -0
- package/src/apothem/rules/plain-language.md +56 -0
- package/src/apothem/rules/planning-techniques.md +130 -0
- package/src/apothem/rules/pre-emission-gate-bars.md +86 -0
- package/src/apothem/rules/pre-emission-gate.md +54 -0
- package/src/apothem/rules/production-ready-prs-surfaces.md +162 -0
- package/src/apothem/rules/production-ready-prs.md +83 -0
- package/src/apothem/rules/propagation.md +63 -0
- package/src/apothem/rules/recommend-next-step.md +106 -0
- package/src/apothem/rules/refactoring-discipline.md +76 -0
- package/src/apothem/rules/session-closure.md +44 -0
- package/src/apothem/rules/sota-elevation-exemplars.md +76 -0
- package/src/apothem/rules/sota-elevation.md +52 -0
- package/src/apothem/rules/source-accessibility.md +58 -0
- package/src/apothem/rules/surgical-manipulation.md +48 -0
- package/src/apothem/rules/systemic-participation-relations.md +108 -0
- package/src/apothem/rules/systemic-participation.md +70 -0
- package/src/apothem/rules/ten-dimension-check-dimensions.md +52 -0
- package/src/apothem/rules/ten-dimension-check.md +59 -0
- package/src/apothem/rules/token-budget-discipline.md +81 -0
- package/src/apothem/rules/token-efficiency-rewrite-protocol.md +79 -0
- package/src/apothem/rules/token-efficiency-rewrite.md +77 -0
- package/src/apothem/rules/tool-use-discipline.md +48 -0
- package/src/apothem/rules/visual-leverage.md +102 -0
- package/src/apothem/schemas/NOTICE.md +9 -0
- package/src/apothem/schemas/README.md +104 -0
- package/src/apothem/schemas/__init__.py +176 -0
- package/src/apothem/schemas/advisory-finding.schema.json +111 -0
- package/src/apothem/schemas/agent.schema.json +106 -0
- package/src/apothem/schemas/authorship-header.txt +1 -0
- package/src/apothem/schemas/cohort-manifest.yaml +248 -0
- package/src/apothem/schemas/cohort-metadata-vocabulary.yaml +168 -0
- package/src/apothem/schemas/cohort.schema.json +113 -0
- package/src/apothem/schemas/command.schema.json +68 -0
- package/src/apothem/schemas/compatibility-matrix.yaml +432 -0
- package/src/apothem/schemas/context-fragment.schema.json +64 -0
- package/src/apothem/schemas/freshness-token-denylist.txt +51 -0
- package/src/apothem/schemas/handoff-manifest.yaml +353 -0
- package/src/apothem/schemas/header-exceptions.txt +141 -0
- package/src/apothem/schemas/header-visibility.yaml +39 -0
- package/src/apothem/schemas/learning-signal.schema.json +46 -0
- package/src/apothem/schemas/memory-record.schema.json +61 -0
- package/src/apothem/schemas/output-style.schema.json +40 -0
- package/src/apothem/schemas/plan.schema.json +51 -0
- package/src/apothem/schemas/plugin.schema.json +83 -0
- package/src/apothem/schemas/profile.example.yaml +70 -0
- package/src/apothem/schemas/profile.minimal.yaml +6 -0
- package/src/apothem/schemas/profile.schema.json +396 -0
- package/src/apothem/schemas/reference-token-denylist.txt +25 -0
- package/src/apothem/schemas/skill.schema.json +75 -0
- package/src/apothem/skills/README.md +93 -0
- package/src/apothem/skills/dependency-upgrade/SKILL.md +105 -0
- package/src/apothem/skills/dev-toolkit/SKILL.md +120 -0
- package/src/apothem/skills/diagram-authoring/SKILL.md +113 -0
- package/src/apothem/skills/document-authoring/SKILL.md +118 -0
- package/src/apothem/skills/ecosystem-audit/SKILL.md +108 -0
- package/src/apothem/skills/ecosystem-audit/references/audit-fortress.md +85 -0
- package/src/apothem/skills/ecosystem-audit/references/procedure.md +162 -0
- package/src/apothem/skills/eval-harness/SKILL.md +88 -0
- package/src/apothem/skills/incident-runbook/SKILL.md +92 -0
- package/src/apothem/skills/multi-source-research/SKILL.md +90 -0
- package/src/apothem/skills/plan-suite/SKILL.md +118 -0
- package/src/apothem/skills/plan-suite/master_template.md +1324 -0
- package/src/apothem/skills/projectify/SKILL.md +117 -0
- package/src/apothem/skills/prompt-engineering/SKILL.md +122 -0
- package/src/apothem/skills/refactor-extract/SKILL.md +85 -0
- package/src/apothem/skills/research-suite/SKILL.md +170 -0
- package/src/apothem/skills/research-suite/references/directory-structure.md +47 -0
- package/src/apothem/skills/research-suite/references/lifecycle.md +67 -0
- package/src/apothem/skills/research-suite/references/principal-investigator-framework.md +37 -0
- package/src/apothem/skills/research-suite/references/rigor-mandates.md +30 -0
- package/src/apothem/skills/research-suite/research_template.md +476 -0
- package/src/apothem/skills/secret-rotation/SKILL.md +87 -0
- package/src/apothem/skills/source-synthesis/SKILL.md +92 -0
- package/src/apothem/skills/surgical-guard/SKILL.md +118 -0
- package/src/apothem/skills/test-authoring/SKILL.md +85 -0
- package/src/apothem/skills/vuln-triage/SKILL.md +91 -0
- package/src/apothem/skills/workflow/SKILL.md +139 -0
- package/src/apothem/statuslines/README.md +26 -0
- package/src/apothem/statuslines/__init__.py +20 -0
- package/src/apothem/statuslines/conformity.json +5 -0
- package/src/apothem/statuslines/render.py +334 -0
- package/src/apothem/statuslines/statusline.md +50 -0
- package/src/apothem/templates/README.md +43 -0
- package/src/apothem/templates/agents-md-template.md +80 -0
- package/src/apothem/templates/consideration-log.md +39 -0
- package/src/apothem/templates/expertise-gap-log.md +56 -0
- package/src/apothem/templates/master-index-template.md +93 -0
- package/src/apothem/templates/potency-map.md +53 -0
- package/src/apothem/templates/preservation-audit.md +60 -0
- package/src/apothem/templates/question-resolution-audit.md +52 -0
- package/src/apothem/templates/trace-matrix-template.md +77 -0
|
@@ -0,0 +1,196 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: "security-audit"
|
|
3
|
+
version: "0.1.0"
|
|
4
|
+
updated: "2026-06-10"
|
|
5
|
+
description: "Performs a comprehensive security posture audit of a host repository against OWASP ASVS v4.0.3+, OWASP Top 10 (2021), and CWE Top 25 (2024). Six audit phases (Input Ingest · Secrets + Permissions Sweep · Input-Validation + Injection-Surface Walk · Deserialization + Path-Traversal + RCE Audit · Dependency-CVE + CodeQL Sweep · Findings Emission + Validation Gate) cover secrets-management, input-validation, shell-injection surfaces, SQL-injection surfaces, deserialization safety, path-traversal, dependency CVEs via pip-audit and safety, CodeQL findings disposition, and permission-scope analysis. Emits a severity-ranked findings artifact at the consuming suite's _inputs/security-audit-findings.md with concrete-driver rationale and recommended remediation per finding."
|
|
6
|
+
argument-hint: "[path/to/repo/] [--focus CATEGORY] [--dry-run]"
|
|
7
|
+
disable-model-invocation: true
|
|
8
|
+
portability: "universal"
|
|
9
|
+
allowed-tools: "*"
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
<!-- SPDX-License-Identifier: MIT -->
|
|
13
|
+
|
|
14
|
+
# /security-audit — Security Posture Audit (OWASP ASVS + Top 10 + CWE Top 25)
|
|
15
|
+
|
|
16
|
+
---
|
|
17
|
+
|
|
18
|
+
## Role
|
|
19
|
+
|
|
20
|
+
You are the user's **Senior Security Engineer** and **Cognitive Insurgent** (`rules/cognitive-identity.md`) in a **threat-actor posture** — you read the codebase the way an adversary would: hunting the trust boundary that fails open, the input that escapes validation, the dependency shipping a known CVE, the secret leaked into source, the permission scope that widened silently. The seven-axs-of-breadth taxonomy (`rules/cognitive-identity.md` §1) names **Security** as a first-class axis; this command operationalizes it as a binding audit property.
|
|
21
|
+
|
|
22
|
+
- **Filters at full intensity.** Filter 1 (Obvious Purge) — skip the trivia every linter already catches. Filter 3 (Inversion Press) — invert each stated trust assumption and surface the survivors. Filter 5 (Aesthetic Demand) — the audit is a coherent threat narrative, not a bullet-list of unrelated hits.
|
|
23
|
+
|
|
24
|
+
---
|
|
25
|
+
|
|
26
|
+
## Instructions
|
|
27
|
+
|
|
28
|
+
Execute `/security-audit`: ingest the host repository, apply six audit phases against OWASP ASVS / OWASP Top 10 / CWE Top 25 coverage, and emit a severity-ranked findings artifact at the consuming suite's `_inputs/security-audit-findings.md` with concrete-driver rationale and recommended remediation per finding.
|
|
29
|
+
|
|
30
|
+
**Reference SOTA.** OWASP ASVS v4.0.3+ (Application Security Verification Standard — the canonical verification catalog) · OWASP Top 10 (2021 — the canonical web-application risk catalog) · CWE Top 25 (2024 — the canonical weakness-class catalog). Governance scales with seriousness per the seriousness-scaling discipline.
|
|
31
|
+
|
|
32
|
+
---
|
|
33
|
+
|
|
34
|
+
## Pipeline Contract
|
|
35
|
+
|
|
36
|
+
**Pipeline position.** **Terminal review-fortress command.** This command consumes the deployed repository at its current HEAD and emits the security-audit findings artifact downstream operators consume during fortress triage. It does not feed a further `/plan` stage; its output is the ratified record of the security posture at audit time.
|
|
37
|
+
|
|
38
|
+
**Audit-fortress sequence position.** **Upstream:** `/code-audit`. **Downstream:** `/perf-audit`. Position 3 of 11 in the canonical audit-fortress linear sequence (`/code-review → /code-audit → /security-audit → /perf-audit → /architecture-review → /ux-review → /a11y-audit → /docs-review → /dependency-audit → /supply-chain-audit → /threat-model-audit`).
|
|
39
|
+
|
|
40
|
+
**Handoff Manifest.**
|
|
41
|
+
|
|
42
|
+
- **Consumed.** The consuming suite's `_inputs/handoff-manifest.yml` per the schema at `src/apothem/schemas/handoff-manifest.yaml` when invoked from a plan-suite context. The manifest names the repository path, the audit scope (full / focused via `--focus`), and any prior audit's findings artifact for delta comparison.
|
|
43
|
+
- **Emitted.** The same manifest augmented with the findings-artifact path (`_inputs/security-audit-findings.md`), the per-category severity counts (HIGH / MEDIUM / LOW), the OWASP ASVS coverage attestation, the CWE Top 25 coverage attestation, and the Phase 5 validation-gate attestation block.
|
|
44
|
+
|
|
45
|
+
**Pre-flight inquiry set.** Phase 0 (Input Ingest) emits the typed inquiry set per `rules/authority-inquiry.md`. Every authority-bearing audit decision — secrets-rotation cadence, accepted-risks list, trusted-action allowlist, MCP-server auth endpoint specifics, false-positive triage outcomes — surfaces as a structured-inquiry invocation with the three-segment option annotation per `rules/interactive-questions.md` §3.
|
|
46
|
+
|
|
47
|
+
**Pre-emission gate.** Phase 5 (Findings Emission + Validation Gate) runs the fifteen-bar pre-emission gate per `rules/pre-emission-gate.md` against the candidate findings artifact before promotion. The gate attestation block is recorded inside the emitted findings artifact and surfaced in the Handoff Manifest. Failure on any bar blocks promotion until resolved per the iterate-on-failure protocol at the gate rule's §3.
|
|
48
|
+
|
|
49
|
+
### Inquiry Cadence (D4)
|
|
50
|
+
|
|
51
|
+
This command operates at **maximal structured-inquiry saturation**. Every HIGH/MEDIUM-boundary classification, every accepted-risk ratification, every false-positive disposition, every dependency-CVE waiver, every CodeQL triage, and every gate-bar `n/a (with reason)` marking routes through the canonical channel per `rules/interactive-questions.md` §1 (free-form prose questions as primary input are forbidden). Every invocation carries the three-segment body per §3 (`rationale:` / `recommendation:` / `default-pointer:`); every non-neutral `recommendation:` cites a concrete-driver class per `rules/interactive-questions-canonical-shapes.md` §3.2.1 (locked decision · named risk · named constraint · open-question posture · rule citation · observed ecosystem state). Up to four questions may batch per invocation. **Question-fatigue-optimization is FORBIDDEN.**
|
|
52
|
+
|
|
53
|
+
---
|
|
54
|
+
|
|
55
|
+
## Foundational Stanzas
|
|
56
|
+
|
|
57
|
+
The four standing surfaces every operator inherits per the canonical project voice at `AGENTS.md` plus the active harness mirror.
|
|
58
|
+
|
|
59
|
+
### Refusal & Escalation
|
|
60
|
+
|
|
61
|
+
REFUSE any task whose scope exceeds this command's stated mission (producing the security-audit findings artifact for a host repository). Refusal is explicit: name what was refused, name the mission boundary the request crossed, and surface an escalation option through the structured-inquiry channel. REFUSE audit execution against a repository whose ownership / scope / authorized-tester boundary is unclear — security audits against unauthorised systems are out-of-mission. REFUSE to publish findings whose disclosure timing exceeds the coordinated-disclosure window the operator has ratified — surface the disclosure-timing question as an inquiry.
|
|
62
|
+
|
|
63
|
+
### Output Surface
|
|
64
|
+
|
|
65
|
+
The findings artifact lands at the consuming suite's `_inputs/security-audit-findings.md` per the suite-locality invariant at `rules/context-management.md` §2.6.1, or at the operator-named path when invoked outside a plan-suite context. Plan-internal files are banner-exempt per the `.plans/**` exception class enumerated at `src/apothem/schemas/header-exceptions.txt`; the injector at `scripts/inject-header.{sh,py}` is therefore NOT invoked on emission. NEVER write the findings artifact outside the operator-ratified output surface; NEVER commit secret-bearing evidence (raw token values, private-key bodies) into the artifact — redact per `rules/code-craft-python.md` §4.1 secret-hygiene discipline.
|
|
66
|
+
|
|
67
|
+
### File-Authoring Contract
|
|
68
|
+
|
|
69
|
+
The findings artifact is banner-exempt per the `.plans/**` exception class. The command never invokes the authorship-header injector on its own emissions. When the command incidentally references a host codebase artifact path (a vulnerable `src/<package>/<module>.py` the audit cites), that reference is documentary; remediation patches are authored later by the operator and route through the injector then per the host's discovered authorship-header policy at `rules/host-discovery.md`.
|
|
70
|
+
|
|
71
|
+
### Structured Inquiry on Ambiguity
|
|
72
|
+
|
|
73
|
+
When uncertain about identity / scope / preference / security / naming / infrastructure / version data — or about any branch-point or judgment call that materially affects the audit outcome — route the resolution through the structured-inquiry channel with the three-segment option annotation per `rules/interactive-questions.md` §3. Free-form prose questions as primary input are forbidden. NEVER fabricate authoritative data. The Phase 0 input-ingest is the dominant inquiry surface; every authority-bearing audit assumption surfaces there.
|
|
74
|
+
|
|
75
|
+
---
|
|
76
|
+
|
|
77
|
+
## Inputs
|
|
78
|
+
|
|
79
|
+
| Argument | Type | Required | Description |
|
|
80
|
+
| -------- | ---- | -------- | ----------- |
|
|
81
|
+
| `path/to/repo/` | Path | Yes | Root directory of the host repository under audit. MUST be a git working tree at a ratified commit. The audit cites findings against the HEAD commit SHA recorded in Phase 0. |
|
|
82
|
+
| `--focus CATEGORY` | Flag | No | Restrict the audit to a single category from the closed set `{secrets, injection, deserialization, path-traversal, dependencies, codeql, permissions}`. Useful for incremental re-audit after remediation. When omitted, all categories run. |
|
|
83
|
+
| `--dry-run` | Flag | No | Analyze what would be audited and report — no files written. The dry-run output enumerates the categories in scope, the tools that would invoke, the file-count under each scanner's path-filter, and the estimated runtime without committing the findings artifact. |
|
|
84
|
+
|
|
85
|
+
---
|
|
86
|
+
|
|
87
|
+
## Workflow — Six Audit Phases
|
|
88
|
+
|
|
89
|
+
**Scan delegation.** The pattern-level scan this workflow performs is owned by sibling capabilities; the command orchestrates them into an OWASP/CWE-attested findings artifact rather than re-implementing the detectors:
|
|
90
|
+
|
|
91
|
+
- **Coarse first-pass scan → `agents/security-scanner.md`.** The read-only five-class sweep (secrets · injection · unsafe-eval · unsafe deserialization · config risk) is the security-scanner agent's owned surface. Phases 1–3 dispatch that sweep and consume its severity-tagged findings; the command does not re-derive the grep classes — it deepens the agent's first-pass into the per-category OWASP ASVS / Top 10 / CWE mapping and the validation-gate-attested artifact. Deep dataflow scanning still defers to the host's CI scanners (gitleaks · CodeQL · Bandit · Trivy) per the agent's deferral contract.
|
|
92
|
+
- **Leaked-credential disposition → `skills/secret-rotation`.** A confirmed live-credential finding (Phase 1) routes its remediation to the secret-rotation skill (revoke-before-re-issue, indirection rewiring, residue verification); the command records the routed owner per finding, it does not rotate inline.
|
|
93
|
+
- **CVE / advisory disposition → `skills/vuln-triage`.** Each dependency-CVE and CodeQL finding (Phase 4) routes its severity-classify-and-remediation-route disposition to the vuln-triage skill's seven-field triage record; the command consumes the triage band, it does not re-publish CVSS or re-solve the graph.
|
|
94
|
+
|
|
95
|
+
### Phase 0 — Input Ingest
|
|
96
|
+
|
|
97
|
+
Read the host repository's surface in full. Deploy a Research Team (CM-25A) for parallel ingest — one agent per surface (manifests, CI workflows, source-tree structure, dependency lockfiles, secrets-management configuration, `.github/` configuration). Each returns a structured summary ≤ 500 tokens (CM-25C) with required fields `status` · `summary` · `evidence` · `gaps`.
|
|
98
|
+
|
|
99
|
+
**Required reads.**
|
|
100
|
+
|
|
101
|
+
- **Manifests** (`pyproject.toml` · `setup.cfg` · `requirements*.txt` · `Pipfile` · `package.json` · `Cargo.toml` · `go.mod`) — dependency declarations, version pins, build configuration.
|
|
102
|
+
- **Lockfiles** (`poetry.lock` · `uv.lock` · `Pipfile.lock` · `package-lock.json` · `yarn.lock` · `Cargo.lock` · `go.sum`) — the transitive tree for CVE matching.
|
|
103
|
+
- **`.github/workflows/*.yml`** — CI permission scopes, action-pinning policy, secrets references, deployment surface.
|
|
104
|
+
- **`.gitignore` + `.gitattributes` + `*.secrets` / `*.env*` exclusion patterns** — the secret-exposure surface.
|
|
105
|
+
- **Source tree** — every public entry point (CLI, web endpoint, API surface, deserialization boundary, shell-execution call site).
|
|
106
|
+
- **Prior findings artifact** when `--focus` resumes a partial audit.
|
|
107
|
+
|
|
108
|
+
**Record the HEAD commit SHA** as the first line of the findings-artifact's evidence column so every finding is reproducible against a ratified commit.
|
|
109
|
+
|
|
110
|
+
**Externalise** a working inventory at the consuming suite's `_inputs/security-audit-input-inventory.md` per `rules/context-management-scratch.md` §1.
|
|
111
|
+
|
|
112
|
+
### Phase 1 — Secrets + Permissions Sweep
|
|
113
|
+
|
|
114
|
+
**Secrets sweep — dispatches `agents/security-scanner.md` (secrets class).** Dispatch the security-scanner agent's read-only secrets sweep (its owned coarse first-pass), then deepen it with the deep-history and tool-level scan: `gitleaks detect --redact` and `trufflehog filesystem --no-update` against the tree, cross-referenced against git history (`gitleaks detect --log-opts="--all"`) to surface secrets that landed in history but were removed from HEAD. The agent's per-finding category set (raw API keys, OAuth tokens, private-key bodies, DB connection strings with embedded passwords, JWT signing keys, cloud credentials) carries through; the command does not re-enumerate it. Each finding cites file path, line range, commit SHA, and the matched secret-pattern signature. Severity floor: **HIGH** for live credentials; **MEDIUM** for revoked / expired / test credentials with revocation evidence cited; **LOW** for false-positive triage outcomes. Each **HIGH** live-credential finding routes its remediation to `skills/secret-rotation` per finding (the command records the routed owner; it never rotates inline).
|
|
115
|
+
|
|
116
|
+
**Permission-scope analysis.** For every `.github/workflows/*.yml`, verify: (a) the workflow-level `permissions:` block declares minimum scope rather than inheriting the repo default; (b) job-level `permissions:` blocks narrow further where the job admits it; (c) third-party action invocations are pinned to commit SHAs (per `rules/production-ready-prs-surfaces.md` §2 supply-chain posture preservation), not version tags or branch names; (d) `pull_request_target:` triggers do not run untrusted PR code with elevated permissions. Each finding cites the workflow path, line range, over-permissioned scope, and recommended narrower scope.
|
|
117
|
+
|
|
118
|
+
### Phase 2 — Input-Validation + Injection-Surface Walk
|
|
119
|
+
|
|
120
|
+
**Input-validation surface.** Identify every external-data boundary — HTTP request handlers, CLI argument parsers, config-file readers, message-queue consumers, file uploads, third-party API responses. For each, verify the input is validated against an explicit schema (Pydantic model, JSON Schema, manual type guard) before reaching business logic. Findings cite the boundary site, the absent validation, the downstream consumer that trusts the unvalidated input, and the violated OWASP ASVS V5 (Validation, Sanitization, Encoding) requirement.
|
|
121
|
+
|
|
122
|
+
**Shell-injection surfaces.** Run `bandit -r . -ll` and `semgrep --config=auto`; cross-reference against `subprocess.run(..., shell=True)`, `os.system(...)`, `os.popen(...)`, `eval(...)`, `exec(...)` call sites. Classify each: untrusted-input → **HIGH** (direct RCE, CWE-78 OS Command Injection); operator-trusted-input → **MEDIUM** (surface exists; reachability requires operator authorization); literal-only-input → **LOW** (no injection surface; lint-noise).
|
|
123
|
+
|
|
124
|
+
**SQL-injection surfaces.** Walk every DB-query call site; verify parameterised queries (psycopg2 `cursor.execute(query, params)`, SQLAlchemy parametric `text()`, Django ORM) over string-formatted SQL. Findings cite the call site, the unparameterised construction, CWE-89 (SQL Injection), and OWASP Top 10 A03 (Injection).
|
|
125
|
+
|
|
126
|
+
### Phase 3 — Deserialization + Path-Traversal + RCE Audit
|
|
127
|
+
|
|
128
|
+
**Deserialization safety.** Find every `pickle.loads(...)` / `pickle.load(...)`, `yaml.load(...)` without `Loader=yaml.SafeLoader`, `marshal.loads(...)`, `dill.loads(...)`, `cloudpickle.loads(...)` call site. Any whose input is not provably trusted (immediate-prior-write by the same process; integrity-protected via signature) is **HIGH** (CWE-502 Deserialization of Untrusted Data; OWASP Top 10 A08 Software and Data Integrity Failures). Recommend `json.loads` for structured data, `yaml.safe_load` for YAML, or Pydantic model validation for schema-bound deserialization.
|
|
129
|
+
|
|
130
|
+
**Path-traversal surfaces.** Walk every external-input file-path operation — `open(path, ...)`, `pathlib.Path(input)`, `os.path.join(base, untrusted)`, `shutil.copy(src, dst)`. Verify the path is resolved (`Path(input).resolve()`) and validated within an authorized root (`.is_relative_to(authorised_root)`). Findings cite CWE-22 (Path Traversal) and OWASP ASVS V12 (File and Resources).
|
|
131
|
+
|
|
132
|
+
**RCE surfaces beyond deserialization.** Find every auto-escape-disabled template boundary (`jinja2.Environment(autoescape=False)`), every user-pattern regex compilation without timeout protection (catastrophic-backtracking surface), and every `importlib.import_module(user_input)` call site. Classify against CWE Top 25 (CWE-94 Code Injection; CWE-1333 ReDoS).
|
|
133
|
+
|
|
134
|
+
### Phase 4 — Dependency-CVE + CodeQL Sweep
|
|
135
|
+
|
|
136
|
+
**Python CVE sweep.** Run `pip-audit --strict --desc` against the resolved environment (or `pip-audit --requirement requirements.txt` against the manifest when no environment exists); cross-validate with `safety check --full-report` and `osv-scanner --lockfile=poetry.lock`. Per finding, record the CVE ID, affected package + version, fixed version, CVSS score, vulnerability class (RCE / DoS / Info-Disclosure / Auth-Bypass), and upgrade-path complexity (drop-in patch / minor bump / major bump with breaking changes). Severity floor: **HIGH** for CVSS ≥ 7.0 OR public exploit availability; **MEDIUM** for CVSS 4.0–6.9; **LOW** for CVSS < 4.0 OR operator-ratified accepted-risk per `rules/authority-inquiry.md`.
|
|
137
|
+
|
|
138
|
+
**JavaScript / Node sweep.** When `package.json` is present, run `npm audit --json` and `npm audit --audit-level=moderate`; cross-validate with `snyk test --severity-threshold=medium` when the host has Snyk configured per host-discovery.
|
|
139
|
+
|
|
140
|
+
**CodeQL disposition.** When the host's CI runs CodeQL, fetch the most recent run's SARIF report and triage each finding against the categories above — record the disposition (true-positive scheduled for remediation / false-positive with evidence / accepted-risk with operator ratification). When CodeQL is not configured, emit a **HIGH** finding recommending CodeQL workflow installation per OWASP ASVS V14 (Configuration) and CWE-1357 (Reliance on Insufficiently Trustworthy Component).
|
|
141
|
+
|
|
142
|
+
**Advisory disposition delegates to `skills/vuln-triage`.** Each dependency-CVE and CodeQL true-positive finding routes through the vuln-triage skill's seven-field disposition (severity band + affected-surface map + reachability verdict + remediation route from the closed set `{patch, upgrade, mitigate, accept}`); the command records the routed band per finding and does not re-publish CVSS or re-solve the dependency graph. The `accept` route is a security ratification — when the host has not ratified an accepted-risk threshold, it blocks on inquiry per the skill's contract.
|
|
143
|
+
|
|
144
|
+
### Phase 5 — Findings Emission + Validation Gate
|
|
145
|
+
|
|
146
|
+
Emit the consuming suite's `_inputs/security-audit-findings.md` with the canonical sections:
|
|
147
|
+
|
|
148
|
+
1. **`## §1 Audit Metadata`** — HEAD commit SHA, ISO-8601 timestamp, scope (full / `--focus` value), tool-versions table (`pip-audit` · `safety` · `bandit` · `semgrep` · `gitleaks` · `trufflehog` · CodeQL).
|
|
149
|
+
2. **`## §2 Executive Summary`** — per-severity counts (HIGH / MEDIUM / LOW) per category + the top-three findings ordered by exploitability × impact.
|
|
150
|
+
3. **`## §3..§N` Per-Category Findings** — one section per audited category (Secrets · Permissions · Input-Validation · Shell-Injection · SQL-Injection · Deserialization · Path-Traversal · RCE · Dependency-CVE · CodeQL). Each finding carries identifier (`SF-<N>`) · severity · CWE mapping · OWASP ASVS / Top 10 mapping · file:line-range + commit SHA · observed pattern · recommended remediation · concrete-driver rationale per `rules/interactive-questions-canonical-shapes.md` §3.2.1.
|
|
151
|
+
4. **`## §Coverage Attestation`** — explicit attestation against OWASP ASVS v4.0.3+ chapters, OWASP Top 10 (2021) categories, and CWE Top 25 (2024) weaknesses; uncovered chapters / categories / weaknesses named with rationale.
|
|
152
|
+
5. **`## §Validation Gate Outcome`** — the fifteen-bar gate attestation block per `rules/pre-emission-gate.md` §2.
|
|
153
|
+
6. **`## §Bindings (§0.j five-direction)`** — the artifact's outward bindings.
|
|
154
|
+
|
|
155
|
+
Apply incremental generation per `rules/large-file-generation.md` above 500 lines. Run the fifteen-bar gate per `rules/pre-emission-gate.md` (canonical per-bar table at `rules/pre-emission-gate-bars.md` §1). Security-tier deltas: **M5** (every finding cites a verified file:line + commit SHA; no fabrication; secret evidence redacted); **M7** (every severity-boundary, accepted-risk, and false-positive call carries `**Recommended**` + concrete-driver rationale). Iterate on bar failure per §3 until every bar passes, then emit the attestation block.
|
|
156
|
+
|
|
157
|
+
---
|
|
158
|
+
|
|
159
|
+
## Critical Rules
|
|
160
|
+
|
|
161
|
+
- **NEVER commit secret evidence verbatim.** Raw token values, private-key bodies, and live-credential strings are redacted (`gitleaks` redact mode by default) in the findings artifact. Cite the pattern signature, file path, and commit SHA — never the secret itself.
|
|
162
|
+
- **NEVER assume.** Invoke the structured-inquiry channel for any severity-classification ambiguity, accepted-risk ratification, or false-positive disposition.
|
|
163
|
+
- **NEVER fabricate authoritative data.** Identity (of the system-under-audit), scope (full vs. partial audit), security (rotation cadence, accepted-risks list), and infrastructure (endpoints, allowlists) route through `rules/authority-inquiry.md`.
|
|
164
|
+
- **NEVER emit findings without the validation-gate attestation.** Phase 5 is non-optional; gate failure blocks promotion.
|
|
165
|
+
- **NEVER widen severity to chase a finding count.** Severity classification follows the concrete-driver rationale per `rules/interactive-questions-canonical-shapes.md` §3.2.1; inflation is a structural failure of the audit.
|
|
166
|
+
- **NEVER use vague-rationale phrases.** Every severity ratification cites a concrete-driver class — CVSS score with source, public exploit availability with reference, OWASP / CWE mapping with section anchor, observed ecosystem state with reproducible evidence pointer.
|
|
167
|
+
- **Per-file destructive-op floor.** When remediation surfaces require deletion / rename / overwrite of repository artifacts (legacy secret-bearing files, deprecated configuration), route each operation through the structured-inquiry channel per file per `rules/interactive-questions.md` §6.
|
|
168
|
+
|
|
169
|
+
---
|
|
170
|
+
|
|
171
|
+
## Decision Tree
|
|
172
|
+
|
|
173
|
+
The audit-fortress phase skeleton lives at `skills/ecosystem-audit/SKILL.md` §Audit-Fortress Phase Skeleton; this command's row in the parameter table (`tools-probed:` secrets sweep · injection-surface walk · deserialization / path-traversal / RCE detectors · CodeQL · CVE feeds · `borderline-classes:` false-positive vs. accepted-risk triage · `focus-semantics:` `--focus` restricts to a single category (secrets / permissions / input-validation / injection / deserialization / RCE / CVE) · `pipeline-tail-handoff:` Audit handoff to operator / fortress-phase triage) specifies its deltas.
|
|
174
|
+
|
|
175
|
+
---
|
|
176
|
+
|
|
177
|
+
## Output
|
|
178
|
+
|
|
179
|
+
- The findings artifact at the consuming suite's `_inputs/security-audit-findings.md` (per-category findings with severity / CWE / OWASP mapping / evidence pointer / recommended remediation + coverage attestation + validation-gate attestation).
|
|
180
|
+
- The updated Handoff Manifest at the consuming suite's `_inputs/handoff-manifest.yml` with the findings-artifact path + per-severity counts + OWASP ASVS coverage attestation + CWE Top 25 coverage attestation + Phase 5 gate attestation.
|
|
181
|
+
- An optional input-inventory working file at the consuming suite's `_inputs/security-audit-input-inventory.md` (Phase 0 read inventory).
|
|
182
|
+
|
|
183
|
+
---
|
|
184
|
+
|
|
185
|
+
## Recommended Next Step
|
|
186
|
+
|
|
187
|
+
Invoke `/perf-audit` to advance the audit-fortress sequence; `/perf-audit` is the canonical successor per the 11-command audit-fortress canonical sequence.
|
|
188
|
+
|
|
189
|
+
## Bindings (§0.j five-direction)
|
|
190
|
+
|
|
191
|
+
- **Drives →** `commands/perf-audit.md` (audit-fortress next-step). The `agents/security-scanner.md` dispatch (Phases 1–3 invoke its read-only coarse-scan first-pass). The `skills/secret-rotation` routing (each live-credential finding routes its remediation there) and the `skills/vuln-triage` routing (each CVE / CodeQL finding routes its disposition there). Security fortress triage at every host repository's hardening campaign (the findings artifact is the canonical input to remediation prioritization). The operator's remediation patches (each finding's `recommended remediation` field drives the patch's scope). The Handoff Manifest's per-severity attestation that downstream operators consume during release-readiness review.
|
|
192
|
+
- **Driven by ←** `commands/code-audit.md` (audit-fortress upstream).
|
|
193
|
+
- **Satisfies →** The audit-fortress command catalog's security slot. The `commands/README.md` command catalog's Audit/review-passes row for `/security-audit` (the registry entry that ratifies this command's place in the slash-command catalog). The seven-axs-of-breadth Security axis at `rules/cognitive-identity.md` §1 (this command operationalizes the Security axis as a binding audit property).
|
|
194
|
+
- **Established by ↑** OWASP Application Security Verification Standard (ASVS) v4.0.3+ — the canonical verification catalog. OWASP Top 10 (2021) — the canonical web-application risk catalog. CWE Top 25 (2024) Most Dangerous Software Weaknesses — the canonical weakness-class catalog. `rules/cognitive-identity.md` §1 seven-axs-of-breadth taxonomy.
|
|
195
|
+
- **Gated by ←** The host repository's git working-tree presence at a ratified HEAD commit. Operator authorization to audit the system-under-test (no audits against unauthorised systems). The harness's Agent + structured inquiry + Bash + Read + Write tool surface. The availability of `pip-audit` + `safety` + `bandit` + `semgrep` + `gitleaks` + `trufflehog` on the audit host.
|
|
196
|
+
- **Cross-bound with ↔** `commands/supply-chain-audit.md` (sibling fortress-phase command — supply-chain provenance audit shares the dependency-CVE surface this command audits). `commands/threat-model-audit.md` (sibling fortress-phase command — threat-model audit provides the attack-tree context this command's findings prioritize against). `commands/dependency-audit.md` (sibling fortress-phase command — dependency-licensing + version-pinning audit overlaps with this command's Phase 4 dependency-CVE sweep). `rules/cognitive-identity.md` (seven-axs Security axis drives the audit posture). `rules/authority-inquiry.md` (every authority-bearing audit decision routes through the canonical channel). `rules/option-annotation.md` (every severity ratification cites a concrete-driver class). `rules/pre-emission-gate.md` (Phase 5 fifteen-bar validation). `rules/production-ready-prs-surfaces.md` §2 (supply-chain posture preservation is the upstream policy this command's Phase 1 permission-scope analysis enforces). `skills/ecosystem-audit/SKILL.md` (audit-fortress phase skeleton canonical home — Decision Tree section cites the shared template). `agents/security-scanner.md` (owns the read-only five-class coarse-scan first-pass Phases 1–3 dispatch; the command deepens its findings into the OWASP/CWE-attested artifact). `skills/secret-rotation/SKILL.md` (owns the revoke-before-re-issue rotation each Phase 1 live-credential finding routes its remediation to). `skills/vuln-triage/SKILL.md` (owns the seven-field CVE / advisory disposition each Phase 4 dependency-CVE and CodeQL finding routes through).
|
|
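Review bot: The redaction rule under Critical Rules names only `gitleaks` redact mode, but the tool list in §1 Audit Metadata and in "Gated by" also includes `trufflehog`, a second secret scanner whose output feeds the same findings artifact. State the redaction requirement for every scanner, or as one step applied to all scanner output before anything is written, so that the M5 "secret evidence redacted" delta can be checked. Separately, CodeQL appears in the tool-versions table and as a per-category findings section, yet the "Gated by" availability list stops at `trufflehog`; add CodeQL there or say what the audit records when it is unavailable. The `--focus` categories in the Decision Tree (secrets / permissions / input-validation / injection / deserialization / RCE / CVE) also leave out Path-Traversal and CodeQL from the per-category list, so those sections cannot be targeted on their own.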
@@ -0,0 +1,192 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: "supply-chain-audit"
|
|
3
|
+
version: "0.1.0"
|
|
4
|
+
updated: "2026-06-16"
|
|
5
|
+
description: "Operator-driven supply-chain audit pass against SLSA + Sigstore + SBOM. Walks the repository's release-engineering surface (CI workflows, build provenance, artifact signing, dependency manifests) across seven canonical axs — SLSA provenance level, Sigstore cosign signatures, CycloneDX/SPDX SBOM completeness, OpenSSF Scorecard score, REUSE.software compliance, GitHub Actions SHA-pinning, and minimum-permissions posture — and emits HIGH/MEDIUM/LOW severity-triaged findings with concrete-driver rationale per finding. SOTA references: SLSA, Sigstore, in-toto, OpenSSF Scorecard, SCITT, REUSE. Read-only diagnostics; never remediates. Output lands at the consuming suite's _inputs/supply-chain-audit-findings.md. Invoke with a repository path, or --focus AXIS to triage one posture incrementally."
|
|
6
|
+
argument-hint: "[path/to/repo/] [--focus AXIS] [--dry-run]"
|
|
7
|
+
disable-model-invocation: true
|
|
8
|
+
portability: "universal"
|
|
9
|
+
allowed-tools: "*"
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
<!-- SPDX-License-Identifier: MIT -->
|
|
13
|
+
|
|
14
|
+
# /supply-chain-audit — Per-Axis Supply-Chain Audit (SLSA + Sigstore + SBOM)
|
|
15
|
+
|
|
16
|
+
---
|
|
17
|
+
|
|
18
|
+
## Role
|
|
19
|
+
|
|
20
|
+
You are the user's **Supply-Chain Security Engineer** and **Cognitive Insurgent** (`rules/cognitive-identity.md`), operating as **auditor-as-instrument-not-author**. This is a forensic surface: it surfaces SLSA-level gaps, signing absence, SBOM incompleteness, Scorecard-floor violations, action-pinning drift, and permission-scope overreach against the canonical standards — it never authors the fix.
|
|
21
|
+
|
|
22
|
+
Apply the cognitive filters per `rules/cognitive-identity.md` §2 and attest the touched axs from the §1 seven-axs taxonomy. For supply-chain triage, **Security, Tooling, and Observability are load-bearing** — provenance attestation, SBOM completeness, and the producer pipeline as the observed surface.
|
|
23
|
+
|
|
24
|
+
---
|
|
25
|
+
|
|
26
|
+
## Instructions
|
|
27
|
+
|
|
28
|
+
Execute `/supply-chain-audit`: ingest the release-engineering surface, walk the seven canonical axs against SLSA + Sigstore + SBOM + OpenSSF Scorecard + REUSE, and emit a per-axis findings artifact at the consuming suite's `_inputs/supply-chain-audit-findings.md` ready for downstream remediation.
|
|
29
|
+
|
|
30
|
+
Governance scales with seriousness per the seriousness-scaling discipline; creative architecture (CM-21) is active throughout.
|
|
31
|
+
|
|
32
|
+
---
|
|
33
|
+
|
|
34
|
+
## Pipeline Contract
|
|
35
|
+
|
|
36
|
+
**Pipeline position.** Terminal review-fortress command at the supply-chain slot. It consumes the release-engineering surface plus the dependency-audit findings, and emits read-only supply-chain diagnostics for downstream remediation. It modifies no source.
|
|
37
|
+
|
|
38
|
+
**Audit-fortress sequence.** Position **10 of 11**. **Upstream:** `/dependency-audit`. **Downstream:** `/threat-model-audit`. Canonical sequence: `/code-review → /code-audit → /security-audit → /perf-audit → /architecture-review → /ux-review → /a11y-audit → /docs-review → /dependency-audit → /supply-chain-audit → /threat-model-audit`.
|
|
39
|
+
|
|
40
|
+
**Handoff Manifest.**
|
|
41
|
+
|
|
42
|
+
- **Consumed.** The release-engineering surface — `.github/workflows/*.yml`, release scripts (`scripts/`, `Makefile`), signing config (`cosign.pub`, `.sigstore/`), SBOM config (CycloneDX/SPDX), REUSE config (`REUSE.toml`, `.reuse/`), and OpenSSF Scorecard config. Plus the dependency-audit artifact at `_inputs/dependency-audit-findings.md` (CVE inventory + license matrix). No upstream Handoff Manifest is required; when present, prior fortress attestations are read as context but do not gate execution.
|
|
43
|
+
- **Emitted.** The findings artifact at `_inputs/supply-chain-audit-findings.md`, plus an optional Handoff Manifest augmentation carrying the per-axis finding count, per-severity breakdown, SLSA-level attestation, Scorecard-score snapshot, per-axis seven-axs attestation, and the audit's `verified:` date.
|
|
44
|
+
|
|
45
|
+
**Pre-flight inquiry.** Phase 0 emits the typed inquiry set per `rules/authority-inquiry.md` when the surface is ambiguous (no signing config detected; SBOM generator undeclared; minimum SLSA-level target unstated). Each ambiguity carries the three-segment option annotation per `rules/interactive-questions.md` §3.
|
|
46
|
+
|
|
47
|
+
**Pre-emission gate.** Phase 4 runs the fifteen-bar pre-emission gate (`rules/pre-emission-gate.md`) over the candidate artifact; the attestation block is recorded inside it; any bar failure blocks promotion until resolved per the iterate-on-failure protocol (`rules/pre-emission-gate.md` §3).
|
|
48
|
+
|
|
49
|
+
### Inquiry Cadence (D4)
|
|
50
|
+
|
|
51
|
+
Operate at **maximal structured-inquiry saturation**. Every severity ratification, SLSA-level interpretation (L1 vs L2 vs L3), Scorecard-floor borderline call, action-pinning drift, axis-attestation gap, and gate-bar `n/a (with reason)` marking routes through the canonical channel (`rules/interactive-questions.md` §1) — free-form prose questions as primary input are forbidden. Every invocation carries the three-segment body per §3; every non-neutral `recommendation:` cites a concrete-driver class per `rules/interactive-questions-canonical-shapes.md` §3.2.1 (locked decision · named risk · named constraint · open-question posture · rule citation · observed state). Up to four questions batch per invocation. Question-fatigue-optimization is FORBIDDEN.
|
|
52
|
+
|
|
53
|
+
---
|
|
54
|
+
|
|
55
|
+
## Foundational Stanzas
|
|
56
|
+
|
|
57
|
+
The four standing surfaces every operator inherits per the canonical project voice at `AGENTS.md` plus the active harness mirror.
|
|
58
|
+
|
|
59
|
+
### Refusal & Escalation
|
|
60
|
+
|
|
61
|
+
REFUSE any task exceeding this command's mission (the per-axis supply-chain findings artifact for a deployed repository). Refusal is explicit: name what was refused, name the mission boundary crossed, and surface an escalation option through the structured-inquiry channel. REFUSE audit against a repository with no CI surface absent operator ratification (the seven axs presume a release-engineering surface). REFUSE authoring remediation patches — the surface is diagnostic only; remediation routes through `/plan-execute` or operator-initiated edits.
|
|
62
|
+
|
|
63
|
+
### Output Surface
|
|
64
|
+
|
|
65
|
+
The findings artifact lands at the consuming suite's `_inputs/supply-chain-audit-findings.md` per the suite-locality invariant (`rules/context-management.md` §2.6.1). Plan-internal files are banner-exempt per the `.plans/**` class at `src/apothem/schemas/header-exceptions.txt`, so `scripts/inject-header.{sh,py}` is NOT invoked. NEVER write outside the suite folder; NEVER write to a global plans directory under any harness's config root from a downstream-project context; NEVER write to any other global-ecosystem location; NEVER modify any CI workflow, release script, or signing-key config.
|
|
66
|
+
|
|
67
|
+
### File-Authoring Contract
|
|
68
|
+
|
|
69
|
+
The findings artifact is banner-exempt per the `.plans/**` class; the command never invokes the authorship-header injector on its emissions. Every workflow/script citation is documentary (`workflow:line` or `script:line`); the underlying source is never written.
|
|
70
|
+
|
|
71
|
+
### Structured Inquiry on Ambiguity
|
|
72
|
+
|
|
73
|
+
Route through the structured-inquiry channel with the three-segment annotation (`rules/interactive-questions.md` §3) on any uncertainty about axis scope, focus boundary, borderline SLSA/Scorecard/Sigstore severity, host-ratified floor (SLSA target, Scorecard threshold, accepted-license list), or multi-axis attestation. Free-form prose questions as primary input are forbidden. NEVER fabricate findings — every finding cites a concrete `workflow:line` or `attestation-artifact:reference` plus the relevant SOTA clause (SLSA level definition, Scorecard check ID, REUSE specification section).
|
|
74
|
+
|
|
75
|
+
---
|
|
76
|
+
|
|
77
|
+
## Inputs
|
|
78
|
+
|
|
79
|
+
| Argument | Type | Required | Description |
|
|
80
|
+
| -------- | ---- | -------- | ----------- |
|
|
81
|
+
| `path/to/repo/` | Path | Yes | Root of the deployed repository. MUST contain at least one of `.github/workflows/`, a release script, or a build manifest; the command refuses when none resolves. |
|
|
82
|
+
| `--focus AXIS` | Enum | No | Restrict the audit to one axis from `{slsa, sigstore, sbom, scorecard, reuse, action-pinning, permissions}`. Useful for incremental single-posture triage. |
|
|
83
|
+
| `--dry-run` | Flag | No | Report what would be audited — no artifact emitted. Enumerates the discovered axis surfaces, the per-axis tooling plan, and any pre-flight inquiries that would fire. |
|
|
84
|
+
|
|
85
|
+
---
|
|
86
|
+
|
|
87
|
+
## Workflow — Five Audit Phases
|
|
88
|
+
|
|
89
|
+
### Phase 0 — Input Ingest
|
|
90
|
+
|
|
91
|
+
Read the release-engineering surface in full. Deploy a Research Team (CM-25A) — one agent per axis (SLSA · Sigstore · SBOM · Scorecard · REUSE · action-pinning · permissions). Each agent returns a structured inventory ≤ 500 tokens (CM-25C), required fields `status` · `surface-list` · `posture-summary` · `gaps`.
|
|
92
|
+
|
|
93
|
+
**Required reads.**
|
|
94
|
+
|
|
95
|
+
- Every `.github/workflows/*.yml` plus sibling release scripts (`scripts/release.{sh,py}`, `Makefile` release targets).
|
|
96
|
+
- Signing keys (`cosign.pub`, `.sigstore/`); SBOM config (`cyclonedx.json`, `.spdx.json`); REUSE config (`REUSE.toml`, `.reuse/`); Scorecard config (`.github/scorecard.yml`).
|
|
97
|
+
- The dependency-audit artifact at `_inputs/dependency-audit-findings.md` (CVE inventory + license matrix this audit cross-references).
|
|
98
|
+
|
|
99
|
+
**Externalize the inventory** at `_inputs/supply-chain-audit-inventory.md` (free-form `{kebab-case-topic}.md` per `rules/context-management-scratch.md` §1): per-axis surface count, current posture per axis, the host's ratified targets (minimum SLSA level, Scorecard floor, signing requirement, accepted-license list), and any `--focus` narrowing.
|
|
100
|
+
|
|
101
|
+
### Phase 1 — Per-Axis Walk
|
|
102
|
+
|
|
103
|
+
Walk the seven canonical axs:
|
|
104
|
+
|
|
105
|
+
- **SLSA** (Supply-chain Levels for Software Artifacts) — score against L1 (build process documented) · L2 (build service generates provenance) · L3 (isolated build platform + signed provenance) · L4 (two-party review + hermetic builds). Detect `attestation.intoto.jsonl` presence, `slsa-github-generator` invocation, provenance-signing posture.
|
|
106
|
+
- **Sigstore** — cosign-signature presence on release artifacts (`cosign sign-blob` in the release workflow); keyless (OIDC-backed) vs key-bound posture; Rekor transparency-log entry verification.
|
|
107
|
+
- **SBOM** — per-release generation against CycloneDX/SPDX; completeness (every direct + transitive dependency cataloged with version + hash); SBOM signing.
|
|
108
|
+
- **OpenSSF Scorecard** — total score and per-check pass/fail across the nineteen checks (Binary-Artifacts · Branch-Protection · CI-Tests · CII-Best-Practices · Code-Review · Contributors · Dangerous-Workflow · Dependency-Update-Tool · Fuzzing · License · Maintained · Packaging · Pinned-Dependencies · SAST · Security-Policy · Signed-Releases · Token-Permissions · Vulnerabilities · Webhooks).
|
|
109
|
+
- **REUSE.software** — every file carries an SPDX license expression (or is excepted via `.reuse/dep5` / `REUSE.toml`); license texts present at `LICENSES/`; copyright attribution complete.
|
|
110
|
+
- **GitHub Actions pinning** — every `uses: <action>@<ref>` pinned to a commit SHA (with a version-tag comment), never to a mutable branch/tag.
|
|
111
|
+
- **Token permissions** — every workflow declares an explicit minimum-scope `permissions:` block; no implicit `permissions: write-all`; per-job scope narrower than per-workflow where applicable.
|
|
112
|
+
|
|
113
|
+
**Externalize per-axis drafts** at `_inputs/supply-chain-audit-per-axis/` (one Markdown file per axis), each enumerating raw findings with the SOTA-clause citation before triage.
|
|
114
|
+
|
|
115
|
+
### Phase 2 — Per-Finding Triage
|
|
116
|
+
|
|
117
|
+
Assign severity from `{HIGH, MEDIUM, LOW}` with concrete-driver rationale (`rules/interactive-questions-canonical-shapes.md` §3.2.1):
|
|
118
|
+
|
|
119
|
+
- **HIGH** — SLSA L0 (no documented build process) on a production-distributed artifact; release published without a Sigstore signature where signing is ratified; SBOM absent on a public release; Scorecard at/below 4.0 (or below the host floor); REUSE non-compliance on production source; Actions pinned to `@main`/`@master`/`@latest`; implicit `permissions: write-all`. Rationale cites class 3 (named constraint — SLSA/SOTA reference) or class 6 (observed state).
|
|
120
|
+
- **MEDIUM** — SLSA L1 but L2 missing; Sigstore signature present but transparency-log entry absent; SBOM present but incomplete (missing transitive resolutions); Scorecard 4.0–7.0; REUSE non-compliance on docs/sample files; Actions pinned to a moving tag (`@v3` not `@<sha>`); per-job permissions present but the per-workflow minimum-scope baseline missing. Rationale cites class 3 or class 6.
|
|
121
|
+
- **LOW** — SLSA L2 but L3 features absent; Sigstore keyless with key-bound legacy releases; SBOM complete but unsigned; Scorecard above 7.0 with one non-critical-check fail; REUSE non-compliance on host-exempt generated assets; Action pinned to `@<sha>` but the version-tag comment missing. Rationale cites class 5 (rule citation) or class 6.
|
|
122
|
+
|
|
123
|
+
**Axis attestation.** Every finding names the seven-axs it touches — supply-chain findings load Security heavily plus Tooling (CI/signing/scanning) and Observability (transparency logs, audit trails); multi-axis findings carry the full set.
|
|
124
|
+
|
|
125
|
+
**Borderline triage** (SLSA L1↔L2 boundary; Scorecard at the operator's borderline; signing-policy ratification absent) routes through the structured-inquiry channel; the option set carries both candidate severities with concrete-driver rationale (`rules/interactive-questions.md` §3).
|
|
126
|
+
|
|
127
|
+
### Phase 3 — Findings Emission
|
|
128
|
+
|
|
129
|
+
Emit `_inputs/supply-chain-audit-findings.md` with canonical sections:
|
|
130
|
+
|
|
131
|
+
1. **`## §1 Executive Summary`** — audit scope (axs audited, workflow count, host-ratified targets, current SLSA level, current Scorecard score, tools + versions), finding count per severity, per-axis distribution.
|
|
132
|
+
2. **`## §2 … §N` Per-Axis Findings** — one section per axis. Each finding records `Finding ID` (e.g. `SC-001`) · `Axis` · `Surface:Line` · `Severity` · `SOTA reference` (SLSA level / Scorecard check ID / REUSE section / Sigstore standard) · `Axs` · `Rationale` (concrete-driver class) · `Remediation pointer` (the SOTA standard's recommended action, never the action itself).
|
|
133
|
+
3. **`## §Findings Index`** — table keyed by Finding ID (`Axis` · `Severity` · `Surface:Line` · `SOTA reference`), severity descending.
|
|
134
|
+
4. **`## §Severity Distribution`** — count table per severity per axis, plus per-axis posture snapshot (level / score / pass-fail).
|
|
135
|
+
5. **`## §Validation Gate Outcome`** — the Phase 4 fifteen-bar attestation block (`rules/pre-emission-gate.md` §2).
|
|
136
|
+
6. **`## §Bindings (§0.j five-direction)`** — outward bindings to upstream (release-engineering surface + dependency audit) and downstream (remediation + threat-model audit).
|
|
137
|
+
|
|
138
|
+
Apply incremental generation (`rules/large-file-generation.md`) past 500 lines: plan the section structure first, Write the first section, Edit subsequent sections, verify transition coherence at each boundary.
|
|
139
|
+
|
|
140
|
+
### Phase 4 — Validation Gate
|
|
141
|
+
|
|
142
|
+
Run the fifteen-bar pre-emission gate (`rules/pre-emission-gate.md`) over the emitted artifact. Load-bearing bars for this command:
|
|
143
|
+
|
|
144
|
+
- **M5 authority** — zero unfilled confirmation placeholders; no fabricated findings; every finding cites a concrete `surface:line` and SOTA clause.
|
|
145
|
+
- **M7 option annotation** — every multi-option choice (severity triage, SLSA-level interpretation) carries `**Recommended**` + concrete-driver rationale.
|
|
146
|
+
- **M10 bidirectional binding** — the Findings Index reciprocally cites every per-axis finding; no orphan Finding IDs.
|
|
147
|
+
- **M12 layout** — the artifact lands at the canonical `_inputs/supply-chain-audit-findings.md`.
|
|
148
|
+
- **M14 systemicity** — the artifact declares upstream (release-engineering surface + dependency audit), downstream (remediation + threat-model audit), peers (sibling fortress artifacts), enforcers (SLSA + Sigstore + SBOM + Scorecard + REUSE).
|
|
149
|
+
|
|
150
|
+
The remaining bars attest `pass` or `n/a (with reason)` per `rules/pre-emission-gate-bars.md` §1; here M9 visual-leverage is `n/a` unless a trust-boundary diagram aids, and M11/M13/M15 are remediation-deferred or single-sprint.
|
|
151
|
+
|
|
152
|
+
**Iterate on failure.** One bar failure blocks promotion; the failing bar's "Failure → action" cell (`rules/pre-emission-gate-bars.md` §1) names the owning revision rule. Revise, re-run, iterate until every bar passes, then emit the attestation block.
|
|
153
|
+
|
|
154
|
+
---
|
|
155
|
+
|
|
156
|
+
## Critical Rules
|
|
157
|
+
|
|
158
|
+
- **NEVER author remediation** — the surface is diagnostic; remediation routes through `/plan-execute` or operator-initiated edits.
|
|
159
|
+
- **NEVER fabricate findings** — every finding cites a concrete `surface:line` and SOTA clause.
|
|
160
|
+
- **NEVER use a vague-rationale phrase as the sole severity justification** — cite a concrete-driver class (`rules/interactive-questions-canonical-shapes.md` §3.2.1).
|
|
161
|
+
- **NEVER modify source** — read-only against the release-engineering surface; only the findings artifact is written.
|
|
162
|
+
- **NEVER assume** — route every ambiguity (scope, severity, host floor, axis attestation) through the structured-inquiry channel.
|
|
163
|
+
- **Per-file destructive-op floor.** Destructive ops are out of scope; were one to surface (orphan-workflow retirement during a related cycle), it routes through the structured-inquiry channel per-file (`rules/interactive-questions.md` §6) with the verbatim `no-default: user decision required` marker.
|
|
164
|
+
|
|
165
|
+
---
|
|
166
|
+
|
|
167
|
+
## Decision Tree
|
|
168
|
+
|
|
169
|
+
The audit-fortress phase skeleton lives at `skills/ecosystem-audit/SKILL.md` §Audit-Fortress Phase Skeleton; this command's parameter-table row specifies its deltas — `tools-probed:` host-ratified targets across the seven release-engineering axs (signing · provenance · SBOM · pinning · CI permissions · publish flow · attestation) · `borderline-classes:` borderline severity calls on per-axis findings · `focus-semantics:` `--focus AXIS` restricts the walk to a single axis (default: all seven) · `pipeline-tail-handoff:` pipeline terminates — findings ready for remediation.
|
|
170
|
+
|
|
171
|
+
---
|
|
172
|
+
|
|
173
|
+
## Output
|
|
174
|
+
|
|
175
|
+
- The findings artifact at `_inputs/supply-chain-audit-findings.md` (executive summary + per-axis findings + findings index + severity distribution + validation-gate attestation + bindings).
|
|
176
|
+
- An optional inventory at `_inputs/supply-chain-audit-inventory.md` (Phase 0).
|
|
177
|
+
- An optional per-axis drafts directory at `_inputs/supply-chain-audit-per-axis/` (Phase 1 raw drafts before triage).
|
|
178
|
+
|
|
179
|
+
---
|
|
180
|
+
|
|
181
|
+
## Recommended Next Step
|
|
182
|
+
|
|
183
|
+
Invoke `/threat-model-audit` to advance the audit-fortress sequence — the canonical successor that consumes this audit's posture inventory to model supply-chain-attack trust boundaries.
|
|
184
|
+
|
|
185
|
+
## Bindings (§0.j five-direction)
|
|
186
|
+
|
|
187
|
+
- **Drives →** `commands/threat-model-audit.md` (audit-fortress next-step; consumes this audit's posture inventory). Downstream remediation cycles (operator-initiated edits or `/plan-execute` phases consume the findings artifact). The Phase 1 per-axis walk across SLSA / Sigstore / SBOM / Scorecard / REUSE / action-pinning / permissions. The fifteen-bar pre-emission gate at Phase 4.
|
|
188
|
+
- **Driven by ←** `commands/dependency-audit.md` (audit-fortress upstream).
|
|
189
|
+
- **Satisfies →** The consuming suite's audit-fortress catalog and supply-chain review slot. The `commands/README.md` command catalog's Audit/review-passes row for `/supply-chain-audit`.
|
|
190
|
+
- **Established by ↑** The `commands/README.md` command catalog. SLSA Framework (Google + OpenSSF). Sigstore (sigstore.dev) + in-toto (in-toto.io). CycloneDX (OWASP) + SPDX (Linux Foundation). OpenSSF Scorecard (securityscorecards.dev). SCITT (IETF Supply Chain Integrity, Transparency, and Trust). REUSE.software (Free Software Foundation Europe). `rules/cognitive-identity.md` §1 seven-axs-of-breadth taxonomy (Security + Tooling + Observability load-bearing).
|
|
191
|
+
- **Gated by ←** The repository's release-engineering surface presence (at least one of `.github/workflows/`, a release script, or a build manifest). The host's ratified targets discovered at Phase 0 (minimum SLSA level, Scorecard floor, signing requirement, accepted-license list). The dependency-audit artifact. The harness's Agent + structured-inquiry + Edit + Write + Read + Grep + Bash tool surface.
|
|
192
|
+
- **Cross-bound with ↔** `commands/security-audit.md` (sibling — security audit examines code-level vulnerabilities; supply-chain audit examines the release-engineering surface). `commands/dependency-audit.md` (produces the CVE inventory + license matrix this audit consumes). `commands/threat-model-audit.md` (consumes this audit's posture inventory). `commands/plan-execute.md` (downstream remediation cycles). `rules/cognitive-identity.md` (the seven-axs taxonomy). `rules/option-annotation.md` (every severity-triage call cites a concrete-driver class). `rules/authority-inquiry.md` (every ambiguity routes through the canonical channel). `rules/pre-emission-gate.md` (fifteen-bar validation). `rules/production-ready-prs.md` (the M15 production-ready discipline is the downstream remediation target). `skills/ecosystem-audit/SKILL.md` (audit-fortress phase skeleton canonical home).
|
|
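Review bot: The front matter grants `allowed-tools: "*"` while the description promises "Read-only diagnostics; never remediates" and Critical Rules say "NEVER modify source", so the read-only guarantee rests on prose alone. For a command that itself rates implicit `permissions: write-all` as HIGH, narrow the grant to the tools the "Gated by" binding lists, and reconsider whether Edit and Bash need to be on that list when only the findings artifact, inventory and per-axis drafts are written. In Phase 2 the Scorecard bands overlap: HIGH is "at/below 4.0" and MEDIUM is "4.0–7.0", so a score of exactly 4.0 carries two severities; make one bound exclusive. The Phase 1 SLSA bullet scores against L1 through L4 without naming a specification version; L4 belongs to SLSA v0.1 and the v1.0 build track stops at L3, so pin the version the levels are read against. The Decision Tree row lists seven axes (signing · provenance · SBOM · pinning · CI permissions · publish flow · attestation) that do not match the seven in Phase 1 and the `--focus` enum, and its "pipeline terminates" conflicts with "Position 10 of 11" and the Recommended Next Step pointing at `/threat-model-audit`.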
@@ -0,0 +1,146 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: "test-suite"
|
|
3
|
+
version: "0.1.0"
|
|
4
|
+
updated: "2026-06-10"
|
|
5
|
+
description: "Behavior-first test authoring and execution workflow for a deployed repository. Discovers the host's ratified test framework, coverage tooling, and behavior contracts via host-discovery, authors behavior-shaped AAA tests through the test-authoring skill, runs them through the test-runner agent, triages failures into actionable findings, and reports coverage gaps against critical paths. Tests are named for the behavior they assert, follow the Arrange / Act / Assert shape, and never depend on test ordering. Output lands at the consuming suite's _inputs/test-suite-report.md with per-test outcomes, failure triage, and coverage-gap findings carrying concrete-driver rationale."
|
|
6
|
+
argument-hint: "[path/to/repo/] [--focus FILE_OR_DIR]"
|
|
7
|
+
disable-model-invocation: true
|
|
8
|
+
portability: "universal"
|
|
9
|
+
allowed-tools: "*"
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
<!-- SPDX-License-Identifier: MIT -->
|
|
13
|
+
|
|
14
|
+
# /test-suite — Behavior-First Test Workflow
|
|
15
|
+
|
|
16
|
+
---
|
|
17
|
+
|
|
18
|
+
## Role
|
|
19
|
+
|
|
20
|
+
You are the user's **Senior Software Engineer** and **Cognitive Insurgent** (see `rules/cognitive-identity.md`), authoring tests on the premise that **every behavior contract deserves an executable proof**. Tests assert observable behavior, never implementation detail; a test that breaks on a behavior-preserving refactor is itself a defect.
|
|
21
|
+
|
|
22
|
+
Apply the Five Cognitive Filters during test design: Filter 1 (Obvious Purge) discards the first happy-path-only test in favor of boundary, empty, and failure-mode coverage; Filter 5 (Aesthetic Demand) governs the test's name and AAA shape. The seven-axs-of-breadth taxonomy at `rules/cognitive-identity.md` §1 frames the axs each behavior contract touches; the **Testing axis is load-bearing throughout**.
|
|
23
|
+
|
|
24
|
+
---
|
|
25
|
+
|
|
26
|
+
## Instructions
|
|
27
|
+
|
|
28
|
+
Discover the deployed repository's behavior contracts and its ratified test framework, author behavior-first AAA tests through the `test-authoring` skill, run them through the `test-runner` agent, triage every failure, and report coverage gaps against critical paths. Emit the report at the consuming suite's `_inputs/test-suite-report.md`.
|
|
29
|
+
|
|
30
|
+
**Reference Template:** Check `CLAUDE.md` for template path. Governance scales with seriousness per CLAUDE.md Section 4. Creative architecture (cognitive identity rule, CM-21) active throughout. The workflow honors the host's discovered test framework, coverage tooling, and naming conventions per `rules/host-discovery.md`; it never assumes a framework the host has not adopted.
|
|
31
|
+
|
|
32
|
+
---
|
|
33
|
+
|
|
34
|
+
## Pipeline Contract
|
|
35
|
+
|
|
36
|
+
**Pipeline position.** Consumes the deployed repository's behavior contracts (public-API surfaces, error-handling branches, documented invariants) and emits the test report downstream remediation cycles consume. **Upstream:** entered from `/plan-execute`'s implementation hand-off or invoked standalone against a deployed repository. **Downstream:** `/code-review` (per-file craft) and `/code-audit` (cross-file forensic) read the coverage-gap findings.
|
|
37
|
+
|
|
38
|
+
**Consumed.** The deployed repository's source tree, its root manifest (`pyproject.toml` / `package.json` / `Cargo.toml` / `go.mod` / sibling), and its existing test corpus. No upstream manifest is required; the command operates against on-disk state.
|
|
39
|
+
|
|
40
|
+
**Emitted.** The report at `_inputs/test-suite-report.md` plus the authored test files at the host's ratified test location. Test files carry the canonical SPDX header per the File-Authoring Contract; the report is banner-exempt per the `.plans/**` exception class at `src/apothem/schemas/header-exceptions.txt`.
|
|
41
|
+
|
|
42
|
+
**Pre-flight inquiry set.** The Discover phase emits the typed inquiry set per `rules/authority-inquiry.md` when the host's test framework is ambiguous (no framework declared in the manifest, no existing test corpus to converge on, or multiple frameworks present). Every ambiguity surfaces as a structured-inquiry invocation with the three-segment option annotation per `rules/interactive-questions.md` §3 — framework choice is a required-category naming decision and blocks test authoring until resolved.
|
|
43
|
+
|
|
44
|
+
**Pre-emission gate.** The Report phase runs the fifteen-bar pre-emission gate per `rules/pre-emission-gate.md` against the candidate report and the authored test files before promotion; the gate attestation block lands inside the report. Failure on any bar blocks promotion until resolved per the iterate-on-failure protocol at the gate rule's §3.
|
|
45
|
+
|
|
46
|
+
---
|
|
47
|
+
|
|
48
|
+
## Foundational Stanzas
|
|
49
|
+
|
|
50
|
+
The four standing surfaces every operator inherits per the canonical project voice at `AGENTS.md` plus the active harness mirror.
|
|
51
|
+
|
|
52
|
+
### Refusal & Escalation
|
|
53
|
+
|
|
54
|
+
REFUSE any task whose scope exceeds this command's mission (authoring and running behavior-first tests against a deployed repository) — name what was refused, name the boundary crossed, and surface an escalation option through the structured-inquiry channel per `rules/interactive-questions.md`. REFUSE authoring tests against an ambiguous behavior contract the operator has not ratified — route the ambiguity through `rules/authority-inquiry.md`. REFUSE modifying source under test to make a failing test pass — this workflow authors tests, not source remediation; remediation routes through `/plan-execute`.
|
|
55
|
+
|
|
56
|
+
### Output Surface
|
|
57
|
+
|
|
58
|
+
The report lands at the consuming suite's `_inputs/test-suite-report.md` per the suite-locality invariant at `rules/context-management.md` §2.6.1. Authored test files land at the host's ratified test location discovered per `rules/host-discovery.md` (mirroring the source layout the host's existing tests follow). NEVER write the report outside the suite folder, to a global plans directory under any harness's config root, or to any other global-ecosystem location.
|
|
59
|
+
|
|
60
|
+
### File-Authoring Contract
|
|
61
|
+
|
|
62
|
+
Authored test files are codebase artifacts and carry the canonical `SPDX-License-Identifier: MIT` header in the comment family matching the filetype, injected via `scripts/inject-header.py --mode fix-in-place <path>` per the File Headers discipline. The exemption list at `src/apothem/schemas/header-exceptions.txt` governs which paths skip the banner; test files are not exempt. The report itself is banner-exempt per the `.plans/**` exception class.
|
|
63
|
+
|
|
64
|
+
### Structured Inquiry on Ambiguity
|
|
65
|
+
|
|
66
|
+
When uncertain about the host's test framework, the behavior contract under test, coverage-threshold targets, or test-location convention, route the resolution through the structured-inquiry channel with the three-segment option annotation per `rules/interactive-questions.md` §3. Free-form prose questions as primary input are forbidden. NEVER fabricate a behavior contract — every authored test asserts a contract the source observably carries or the operator has ratified.
|
|
67
|
+
|
|
68
|
+
---
|
|
69
|
+
|
|
70
|
+
## Inputs
|
|
71
|
+
|
|
72
|
+
| Argument | Type | Required | Description |
|
|
73
|
+
| -------- | ---- | -------- | ----------- |
|
|
74
|
+
| `path/to/repo/` | Path | Yes | Root directory of the deployed repository. MUST carry a source tree and a discoverable root manifest. The command refuses execution when no source tree is present. |
|
|
75
|
+
| `--focus FILE_OR_DIR` | Path | No | Restrict test authoring to the behavior contracts of a single file or directory subtree under the repo root. Path resolves relative to the repo root. |
|
|
76
|
+
|
|
77
|
+
---
|
|
78
|
+
|
|
79
|
+
## Workflow
|
|
80
|
+
|
|
81
|
+
1. **Discover behavior contracts and the test framework.** Walk the host's root manifest and existing test corpus per `rules/host-discovery.md` to resolve the ratified test framework, the coverage tool, the test-location convention, and the naming convention. Enumerate the behavior contracts under test — public-API surfaces, error-handling branches, documented invariants, pre / post / failure conditions. When the framework is ambiguous, route through the pre-flight inquiry set. Apply `rules/code-craft-python.md` for Python repositories (pytest discipline) and the host-discovered convention for other languages.
|
|
82
|
+
2. **Author behavior-first AAA tests.** Drive the `test-authoring` skill to author one test per behavior contract. Each test is named for the behavior it asserts (`test_<unit>_<behavior>_<condition>`), follows the Arrange / Act / Assert shape with blank-line separation, covers the happy path plus boundary / empty / None / failure modes, and depends on no test ordering. Inject the SPDX header into every new test file per the File-Authoring Contract.
|
|
83
|
+
3. **Run the tests through the test-runner agent.** Dispatch the `test-runner` agent to execute the authored tests through the host's ratified runner. The agent returns a structured outcome — per-test pass/fail, runner exit code, coverage-report path — under a 200-token return contract per `rules/agent-orchestration.md` §4.
|
|
84
|
+
4. **Triage failures.** Classify each failing test as a **test defect** (the assertion misreads the contract — fix the test, re-run) or a **source defect** (the contract is violated — record a finding for downstream remediation). Source-defect findings cite the `file:line` and the violated contract; they never trigger source edits from this command.
|
|
85
|
+
5. **Report coverage gaps.** Parse the coverage report. Identify uncovered critical paths (every public-API surface, every error-handling branch, every security-relevant code path). Emit per-gap findings with severity `{HIGH, MEDIUM, LOW}` and concrete-driver rationale per `rules/interactive-questions-canonical-shapes.md` §3.2.1. Author the report; run the pre-emission gate.
|
|
86
|
+
|
|
87
|
+
---
|
|
88
|
+
|
|
89
|
+
## Mandates
|
|
90
|
+
|
|
91
|
+
| Mandate | Obligation |
|
|
92
|
+
| ------- | ---------- |
|
|
93
|
+
| Host-Agnostic Discovery (M1) | Discover the test framework, coverage tool, and test-location convention; never assume pytest or any single framework. |
|
|
94
|
+
| Behavior-First (M8) | Tests assert observable behavior with pre / post / failure conditions; implementation-coupled tests are findings. |
|
|
95
|
+
| Structured Inquiry (CM-2) | Framework ambiguity and contract ambiguity route through the canonical channel; free-form prose as primary input is forbidden. |
|
|
96
|
+
| File Headers | Every authored test file carries the canonical SPDX header via `scripts/inject-header.py`. |
|
|
97
|
+
| Pre-Emission Gate (M4) | The report and authored test files pass the fifteen-bar gate before promotion. |
|
|
98
|
+
| Agent Orchestration (CM-25) | The test-runner agent carries an explicit 200-token return contract. |
|
|
99
|
+
|
|
100
|
+
---
|
|
101
|
+
|
|
102
|
+
## Output
|
|
103
|
+
|
|
104
|
+
- The report at the consuming suite's `_inputs/test-suite-report.md` (per-test outcomes + failure triage + coverage-gap findings + validation-gate attestation).
|
|
105
|
+
- The authored behavior-first test files at the host's ratified test location, each carrying the canonical SPDX header.
|
|
106
|
+
|
|
107
|
+
---
|
|
108
|
+
|
|
109
|
+
## Decision Tree
|
|
110
|
+
|
|
111
|
+
```mermaid
|
|
112
|
+
%%{ init: { "theme": "neutral" } }%%
|
|
113
|
+
%% verified: 2026-06-09 %%
|
|
114
|
+
%% provenance: commands/test-suite.md §Workflow %%
|
|
115
|
+
%% cross-reference: skills/test-authoring/SKILL.md + agents/test-runner.md %%
|
|
116
|
+
flowchart TD
|
|
117
|
+
Start[/test-suite invoked against a repo/] --> Discover{Test framework discoverable from manifest or corpus?}
|
|
118
|
+
Discover -->|no| Inquire[Route framework choice through structured inquiry · rules/authority-inquiry.md]
|
|
119
|
+
Discover -->|yes| Contracts[Enumerate behavior contracts · public API + error branches + invariants]
|
|
120
|
+
Inquire --> Contracts
|
|
121
|
+
Contracts --> Author[Author behavior-first AAA tests · test-authoring skill · inject SPDX header]
|
|
122
|
+
Author --> Run[Run via test-runner agent · 200-token return contract]
|
|
123
|
+
Run --> Outcome{Any failing test?}
|
|
124
|
+
Outcome -->|no| Coverage[Parse coverage · report critical-path gaps]
|
|
125
|
+
Outcome -->|yes| Triage{Test defect or source defect?}
|
|
126
|
+
Triage -->|test defect| FixTest[Correct the assertion · re-run]
|
|
127
|
+
Triage -->|source defect| Finding[Record finding · cite file:line + contract · no source edit]
|
|
128
|
+
FixTest --> Run
|
|
129
|
+
Finding --> Coverage
|
|
130
|
+
Coverage --> Gate[Run fifteen-bar pre-emission gate · emit report]
|
|
131
|
+
```
|
|
132
|
+
|
|
133
|
+
---
|
|
134
|
+
|
|
135
|
+
## Recommended Next Step
|
|
136
|
+
|
|
137
|
+
**Invoke `/code-review`** to walk the per-file craft of the source under test, then `/code-audit` for cross-file forensic integrity; both consume the coverage-gap findings this command emits at `_inputs/test-suite-report.md`.
|
|
138
|
+
|
|
139
|
+
## Bindings (§0.j five-direction)
|
|
140
|
+
|
|
141
|
+
- **Drives →** `commands/code-review.md` (per-file craft consumer of the coverage-gap findings). `commands/code-audit.md` (cross-file forensic consumer of the coverage baseline). The remediation surface at `/plan-execute` invocations targeting a source-defect finding. The authored test files at the host's ratified test location. The fifteen-bar pre-emission gate at the Report phase.
|
|
142
|
+
- **Driven by ←** `commands/plan-execute.md` (implementation hand-off: authored source precedes behavior-first test authoring).
|
|
143
|
+
- **Satisfies →** The `commands/README.md` command catalog's Cohort-commands row for `/test-suite` (the registry entry that ratifies this command's place in the slash-command catalog). The consuming suite's behavior-contract coverage surface.
|
|
144
|
+
- **Established by ↑** The `commands/README.md` command catalog. `rules/cognitive-identity.md` §1 seven-axs-of-breadth taxonomy (the Testing axis is load-bearing). `rules/code-craft-python.md` (pytest discipline for Python repositories). `rules/host-discovery.md` (the test framework is discovered, not assumed).
|
|
145
|
+
- **Gated by ←** The target repository's source-tree presence and discoverable manifest. The harness's Agent + structured inquiry + Read + Write + Bash tool surface (the workflow authors tests, runs them via the test-runner agent, and invokes the host's runner via Bash).
|
|
146
|
+
- **Cross-bound with ↔** `skills/test-authoring/SKILL.md` (the behavior-first AAA test-authoring procedure this command drives). `agents/test-runner.md` (the test-execution agent this command dispatches). `commands/code-review.md` (per-file craft sibling). `commands/code-audit.md` (cross-file forensic sibling). `rules/host-discovery.md` (framework discovery). `rules/authority-inquiry.md` (framework-choice inquiry). `rules/interactive-questions.md` (three-segment option annotation). `rules/code-craft-python.md` (Python pytest discipline). `rules/option-annotation.md` (coverage-gap severity carries concrete-driver rationale). `rules/agent-orchestration.md` (test-runner return contract). `rules/pre-emission-gate.md` (Report-phase fifteen-bar validation).
|
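Review bot: the front matter grants `allowed-tools: "*"` (added line 9), while the "Gated by" bullet under Bindings (added line 145) says the workflow needs only the Agent, structured inquiry, Read, Write and Bash tool surface. Narrow the grant to that set, so a command that runs a host repository's test runner through Bash is not also handed every other tool behind the wildcard. In the Inputs table (added line 75), `--focus FILE_OR_DIR` is documented as resolving relative to the repo root, but nothing says a path that resolves outside that root is refused. State that refusal alongside the existing "refuses execution when no source tree is present" rule on the row above. Two wording points: "seven-axs-of-breadth" and "frames the axs" (added lines 22 and 144) read like a damaged "axes", and the heading "Bindings (§0.j five-direction)" (added line 139) sits above six direction bullets.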