@boyingliu01/xp-gate 0.12.1 → 0.12.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/gate-3.sh +68 -0
- package/gate-4.sh +80 -0
- package/gate-7.sh +45 -0
- package/gate-8.sh +56 -0
- package/gate-9.sh +130 -0
- package/mock-policy/AGENTS.md +2 -2
- package/mutation/AGENTS.md +2 -2
- package/package.json +7 -2
- package/plugins/claude-code/.claude-plugin/plugin.json +1 -1
- package/plugins/claude-code/skills/delphi-review/AGENTS.md +2 -2
- package/plugins/claude-code/skills/sprint-flow/AGENTS.md +2 -2
- package/plugins/claude-code/skills/test-specification-alignment/AGENTS.md +2 -2
- package/plugins/opencode/package.json +1 -1
- package/plugins/opencode/skills/delphi-review/AGENTS.md +2 -2
- package/plugins/opencode/skills/sprint-flow/AGENTS.md +2 -2
- package/plugins/opencode/skills/test-specification-alignment/AGENTS.md +2 -2
- package/plugins/qoder/plugin.json +1 -1
- package/plugins/qoder/skills/delphi-review/AGENTS.md +2 -2
- package/plugins/qoder/skills/sprint-flow/AGENTS.md +2 -2
- package/plugins/qoder/skills/test-specification-alignment/AGENTS.md +2 -2
- package/principles/AGENTS.md +2 -2
- package/skills/delphi-review/AGENTS.md +2 -2
- package/skills/sprint-flow/AGENTS.md +2 -2
- package/skills/test-specification-alignment/AGENTS.md +2 -2
package/gate-3.sh
ADDED
|
@@ -0,0 +1,68 @@
|
|
|
1
|
+
# ============================================================================
|
|
2
|
+
# GATE 3: Cyclomatic Complexity Check
|
|
3
|
+
# Uses lizard - checks cyclomatic complexity of changed source files
|
|
4
|
+
# ============================================================================
|
|
5
|
+
|
|
6
|
+
2>&1 echo ""
|
|
7
|
+
2>&1 echo "→ Gate 3: Cyclomatic complexity..."
|
|
8
|
+
GATE_3_START=$(gate_start_ms)
|
|
9
|
+
|
|
10
|
+
if [ "$PROJECT_LANG" = "documentation-only" ]; then
|
|
11
|
+
echo "⏭️ SKIPPED - Complexity (documentation project)."
|
|
12
|
+
GATE_3_STATUS="SKIP"
|
|
13
|
+
|
|
14
|
+
elif [ "$PROJECT_LANG" = "powershell" ]; then
|
|
15
|
+
echo "ℹ️ No PowerShell Clean Code / SOLID tool available"
|
|
16
|
+
echo "⏭️ SKIPPED - Complexity (no PowerShell tool)"
|
|
17
|
+
GATE_3_STATUS="SKIP"
|
|
18
|
+
|
|
19
|
+
else
|
|
20
|
+
CCN_THRESHOLD=5
|
|
21
|
+
|
|
22
|
+
# Check lizard availability
|
|
23
|
+
LIZARD_CMD=""
|
|
24
|
+
if command -v lizard > /dev/null 2>&1; then
|
|
25
|
+
LIZARD_CMD=lizard
|
|
26
|
+
elif [ -f ~/.local/bin/lizard ]; then
|
|
27
|
+
LIZARD_CMD=~/.local/bin/lizard
|
|
28
|
+
fi
|
|
29
|
+
|
|
30
|
+
if [ -n "$LIZARD_CMD" ]; then
|
|
31
|
+
LIZARD_PATH=$(eval echo "$LIZARD_CMD")
|
|
32
|
+
|
|
33
|
+
# Get changed source files for complexity check
|
|
34
|
+
CC_FILES=$(echo "$CHANGED_FILES" | grep -E '\.(ts|tsx|js|jsx|py|go|java|swift|cpp|c|hpp|h|m|mm|kt)$' || true)
|
|
35
|
+
|
|
36
|
+
if [ -n "$CC_FILES" ]; then
|
|
37
|
+
echo "Checking complexity for source files..."
|
|
38
|
+
|
|
39
|
+
# Run lizard with CCN threshold
|
|
40
|
+
CC_OUTPUT=$($LIZARD_PATH -C $CCN_THRESHOLD $CC_FILES 2>&1 || true)
|
|
41
|
+
|
|
42
|
+
# Parse warning count from the summary table: "Warning cnt 8"
|
|
43
|
+
# Use anchored grep to avoid matching lizard table headers (e.g. "Rt" column)
|
|
44
|
+
CC_WARNINGS=$(echo "$CC_OUTPUT" | grep "^Warning cnt" | awk '{print $NF}' | tr -d '[:space:]' | sed 's/[^0-9]//g' || true)
|
|
45
|
+
CC_WARNINGS=${CC_WARNINGS:-0}
|
|
46
|
+
|
|
47
|
+
if [ "$CC_WARNINGS" -gt 0 ]; then
|
|
48
|
+
echo "$CC_OUTPUT"
|
|
49
|
+
echo ""
|
|
50
|
+
echo "❌ BLOCKED - $CC_WARNINGS functions with CCN > $CCN_THRESHOLD found."
|
|
51
|
+
echo "Refactor high-complexity functions to keep below $CCN_THRESHOLD complexity."
|
|
52
|
+
exit 1
|
|
53
|
+
else
|
|
54
|
+
echo "✅ PASSED - All functions within complexity threshold ($CCN_THRESHOLD)."
|
|
55
|
+
GATE_3_STATUS="PASS"
|
|
56
|
+
fi
|
|
57
|
+
else
|
|
58
|
+
echo "⏭️ SKIPPED - Complexity (no source files to check)."
|
|
59
|
+
GATE_3_STATUS="SKIP"
|
|
60
|
+
fi
|
|
61
|
+
else
|
|
62
|
+
echo "⚠️ WARN - lizard not installed, complexity check not performed"
|
|
63
|
+
echo " Install with: pip install --user lizard"
|
|
64
|
+
echo " Gate 3: Complexity check (WARN, tool not available)"
|
|
65
|
+
GATE_3_STATUS="WARN"
|
|
66
|
+
fi
|
|
67
|
+
fi
|
|
68
|
+
record_gate_audit "gate-3" "complexity" "$GATE_3_STATUS" "${CC_WARNINGS:-0}" "$GATE_3_START"
|
package/gate-4.sh
ADDED
|
@@ -0,0 +1,80 @@
|
|
|
1
|
+
# ============================================================================
|
|
2
|
+
# GATE 4: Principles Checker (Clean Code + SOLID)
|
|
3
|
+
# Reuses existing principles checker logic
|
|
4
|
+
# ============================================================================
|
|
5
|
+
|
|
6
|
+
2>&1 echo ""
|
|
7
|
+
2>&1 echo "→ Gate 4: Principles checker (Clean Code + SOLID)..."
|
|
8
|
+
GATE_4_START=$(gate_start_ms)
|
|
9
|
+
|
|
10
|
+
GATE_4_STATUS=""
|
|
11
|
+
|
|
12
|
+
if [ "$PROJECT_LANG" = "documentation-only" ]; then
|
|
13
|
+
echo "⏭️ SKIPPED - Principles check (documentation project)."
|
|
14
|
+
GATE_4_STATUS="SKIP"
|
|
15
|
+
|
|
16
|
+
else
|
|
17
|
+
# Get source files to check against principles
|
|
18
|
+
PRINCIPLES_FILES=$(echo "$CHANGED_FILES" | grep -E '\.(ts|tsx|js|jsx|py|go|java|kt|dart|swift|cpp|c|hpp|h|m|mm)$' || true)
|
|
19
|
+
|
|
20
|
+
if [ -n "$PRINCIPLES_FILES" ]; then
|
|
21
|
+
# Check for principles checker in installed modules first, then project src/
|
|
22
|
+
PRINCIPLES_DIR=""
|
|
23
|
+
if [ -d ".xp-gate/modules/principles" ]; then
|
|
24
|
+
PRINCIPLES_DIR=".xp-gate/modules/principles"
|
|
25
|
+
elif [ -f "src/principles/index.ts" ]; then
|
|
26
|
+
PRINCIPLES_DIR="src/principles"
|
|
27
|
+
elif [ -d "$HOME/.config/xp-gate/modules/principles" ]; then
|
|
28
|
+
PRINCIPLES_DIR="$HOME/.config/xp-gate/modules/principles"
|
|
29
|
+
fi
|
|
30
|
+
|
|
31
|
+
if [ -n "$PRINCIPLES_DIR" ]; then
|
|
32
|
+
echo "Checking Clean Code + SOLID principles..."
|
|
33
|
+
|
|
34
|
+
if command -v npx > /dev/null 2>&1; then
|
|
35
|
+
# Run principles checker and store results
|
|
36
|
+
if npx tsx $PRINCIPLES_DIR/index.ts --files $PRINCIPLES_FILES --format json > /tmp/principles-output.json 2>/dev/null; then
|
|
37
|
+
# Check severity levels
|
|
38
|
+
ERROR_COUNT=$(grep -c '"severity":"error"' /tmp/principles-output.json 2>/dev/null || true)
|
|
39
|
+
ERROR_COUNT=${ERROR_COUNT:-0}
|
|
40
|
+
WARNING_COUNT=$(grep -c '"severity":"warning"' /tmp/principles-output.json 2>/dev/null || true)
|
|
41
|
+
WARNING_COUNT=${WARNING_COUNT:-0}
|
|
42
|
+
|
|
43
|
+
if [ "$ERROR_COUNT" -gt 0 ]; then
|
|
44
|
+
echo ""
|
|
45
|
+
echo "❌ BLOCKED - $ERROR_COUNT principle ERROR(S) found"
|
|
46
|
+
echo "Critical violations must be fixed before commit:"
|
|
47
|
+
echo " - error-handling violations"
|
|
48
|
+
echo " - SOLID principle violations"
|
|
49
|
+
echo " - architectural violations"
|
|
50
|
+
npx tsx $PRINCIPLES_DIR/index.ts --files $PRINCIPLES_FILES --format console
|
|
51
|
+
GATE_4_STATUS="FAIL"
|
|
52
|
+
exit 1
|
|
53
|
+
fi
|
|
54
|
+
|
|
55
|
+
echo "✅ PASSED - Principles checker (no errors found)."
|
|
56
|
+
GATE_4_STATUS="PASS"
|
|
57
|
+
if [ "$WARNING_COUNT" -gt 0 ]; then
|
|
58
|
+
echo "ℹ️ $WARNING_COUNT warnings found (will be handled by Boy Scout Rule)."
|
|
59
|
+
fi
|
|
60
|
+
else
|
|
61
|
+
echo "⚠️ Warning: Principles checker execution failed"
|
|
62
|
+
echo "⏭️ SKIPPED - Principles check (execution issue)"
|
|
63
|
+
GATE_4_STATUS="SKIP"
|
|
64
|
+
fi
|
|
65
|
+
else
|
|
66
|
+
echo "ℹ️ npx not available - skipping principles check"
|
|
67
|
+
echo "⏭️ SKIPPED - Principles check (no Node.js/npx)"
|
|
68
|
+
GATE_4_STATUS="SKIP"
|
|
69
|
+
fi
|
|
70
|
+
else
|
|
71
|
+
echo "ℹ️ Principles checker not found in project - skipping"
|
|
72
|
+
echo "⏭️ SKIPPED - Principles check (checker not in project)"
|
|
73
|
+
GATE_4_STATUS="SKIP"
|
|
74
|
+
fi
|
|
75
|
+
else
|
|
76
|
+
echo "⏭️ SKIPPED - Principles check (no matching source files changed)"
|
|
77
|
+
GATE_4_STATUS="SKIP"
|
|
78
|
+
fi
|
|
79
|
+
fi
|
|
80
|
+
record_gate_audit "gate-4" "principles" "$GATE_4_STATUS" "${WARNING_COUNT:-0}" "$GATE_4_START"
|
package/gate-7.sh
ADDED
|
@@ -0,0 +1,45 @@
|
|
|
1
|
+
# ============================================================================
|
|
2
|
+
# GATE 7: IaC Security Scanning (Terraform, Kubernetes, Docker)
|
|
3
|
+
# Detects security issues in Infrastructure as Code files
|
|
4
|
+
# Tools: checkov (recommended), hadolint, kube-score, tflint
|
|
5
|
+
# ============================================================================
|
|
6
|
+
|
|
7
|
+
2>&1 echo ""
|
|
8
|
+
2>&1 echo "→ Gate 7: IaC Security Scanning (Terraform, Kubernetes, Docker)..."
|
|
9
|
+
GATE_7_START=$(gate_start_ms)
|
|
10
|
+
|
|
11
|
+
# Check if any IaC files are changed
|
|
12
|
+
IAC_FILES=$(git diff --cached --name-only --diff-filter=ACM 2>/dev/null | grep -E "\.(tf|yaml|yml)$|Dockerfile" || true)
|
|
13
|
+
if [ -z "$IAC_FILES" ]; then
|
|
14
|
+
echo "✅ PASSED - No IaC files detected in changes."
|
|
15
|
+
GATE_7_STATUS="PASS"
|
|
16
|
+
else
|
|
17
|
+
# Run IaC adapter
|
|
18
|
+
if [ -f "githooks/adapters/iac.sh" ]; then
|
|
19
|
+
# shellcheck source=githooks/adapters/iac.sh
|
|
20
|
+
source "githooks/adapters/iac.sh"
|
|
21
|
+
|
|
22
|
+
# Run static analysis for IaC files
|
|
23
|
+
IAC_OUTPUT=$(run_static_analysis "$IAC_FILES" 2>&1)
|
|
24
|
+
IAC_EXIT=$?
|
|
25
|
+
|
|
26
|
+
echo "$IAC_OUTPUT"
|
|
27
|
+
|
|
28
|
+
if [ $IAC_EXIT -eq 0 ]; then
|
|
29
|
+
echo "✅ PASSED - IaC security scan."
|
|
30
|
+
GATE_7_STATUS="PASS"
|
|
31
|
+
else
|
|
32
|
+
echo ""
|
|
33
|
+
echo "❌ BLOCKED - IaC security issues detected"
|
|
34
|
+
echo "Fix the security issues above before committing."
|
|
35
|
+
echo "Tip: Install checkov for comprehensive IaC scanning: pip install checkov"
|
|
36
|
+
GATE_7_STATUS="FAIL"
|
|
37
|
+
exit 1
|
|
38
|
+
fi
|
|
39
|
+
else
|
|
40
|
+
echo "ℹ️ SKIP - IaC adapter not found"
|
|
41
|
+
echo "⏭️ SKIPPED - IaC security (no IaC adapter found)"
|
|
42
|
+
GATE_7_STATUS="SKIP"
|
|
43
|
+
fi
|
|
44
|
+
fi
|
|
45
|
+
record_gate_audit "gate-7" "iac-security" "$GATE_7_STATUS" "0" "$GATE_7_START"
|
package/gate-8.sh
ADDED
|
@@ -0,0 +1,56 @@
|
|
|
1
|
+
# ============================================================================
|
|
2
|
+
# GATE 8: Secret Scanning (gitleaks)
|
|
3
|
+
# Detects secrets (API keys, passwords, tokens) in staged files
|
|
4
|
+
# Tool: gitleaks -- https://github.com/gitleaks/gitleaks
|
|
5
|
+
# ============================================================================
|
|
6
|
+
|
|
7
|
+
2>&1 echo ""
|
|
8
|
+
2>&1 echo "→ Gate 8: Secret scanning (gitleaks)..."
|
|
9
|
+
GATE_8_START=$(gate_start_ms)
|
|
10
|
+
|
|
11
|
+
# Gitleaks availability check
|
|
12
|
+
GITLEAKS_CMD=""
|
|
13
|
+
if command -v gitleaks >/dev/null 2>&1; then
|
|
14
|
+
GITLEAKS_CMD="gitleaks"
|
|
15
|
+
elif [ -f "$HOME/.local/bin/gitleaks" ]; then
|
|
16
|
+
GIBLEAKS_CMD="$HOME/.local/bin/gitleaks"
|
|
17
|
+
fi
|
|
18
|
+
|
|
19
|
+
if [ -n "$GITLEAKS_CMD" ]; then
|
|
20
|
+
GITLEAKS_CONFIG=""
|
|
21
|
+
if [ -f ".gitleaks.toml" ]; then
|
|
22
|
+
GITLEAKS_CONFIG="--config=.gitleaks.toml"
|
|
23
|
+
fi
|
|
24
|
+
|
|
25
|
+
# Run gitleaks on staged changes only (pre-commit mode for speed)
|
|
26
|
+
GITLEAKS_OUTPUT=$($GITLEAKS_CMD git --pre-commit --redact --no-banner $GITLEAKS_CONFIG --report-format=json --report-path=/tmp/gitleaks-report.json 2>&1)
|
|
27
|
+
GITLEAKS_EXIT=$?
|
|
28
|
+
|
|
29
|
+
if [ "$GITLEAKS_EXIT" -eq 0 ]; then
|
|
30
|
+
echo " ✅ PASSED - No secrets detected."
|
|
31
|
+
GATE_8_STATUS="PASS"
|
|
32
|
+
elif [ "$GITLEAKS_EXIT" -eq 1 ]; then
|
|
33
|
+
# Secrets found — output details
|
|
34
|
+
echo "$GITLEAKS_OUTPUT"
|
|
35
|
+
echo ""
|
|
36
|
+
echo "❌ BLOCKED - Secrets detected in staged files."
|
|
37
|
+
echo ""
|
|
38
|
+
echo "Remediation options:"
|
|
39
|
+
echo " 1. Remove the secret and use environment variables instead"
|
|
40
|
+
echo " 2. Add a false positive to .gitleaks.toml allowlist"
|
|
41
|
+
echo " 3. Use git secret or vault for sensitive data"
|
|
42
|
+
echo ""
|
|
43
|
+
echo "See: https://github.com/gitleaks/gitleaks"
|
|
44
|
+
exit 1
|
|
45
|
+
else
|
|
46
|
+
echo " ⚠️ gitleaks exited with code $GITLEAKS_EXIT - skipping gate"
|
|
47
|
+
echo " ✅ Secret Scanning (SKIP, gitleaks error)"
|
|
48
|
+
GATE_8_STATUS="SKIP"
|
|
49
|
+
fi
|
|
50
|
+
else
|
|
51
|
+
echo " ℹ️ gitleaks not installed — secret scanning unavailable"
|
|
52
|
+
echo " Install: brew install gitleaks (macOS) | winget install gitleaks (Windows) | scripts/install-gitleaks.sh (Linux)"
|
|
53
|
+
echo " ⏭️ SKIPPED - Secret scanning (gitleaks not installed)"
|
|
54
|
+
GATE_8_STATUS="SKIP"
|
|
55
|
+
fi
|
|
56
|
+
record_gate_audit "gate-8" "secret-scanning" "$GATE_8_STATUS" "0" "$GATE_8_START"
|
package/gate-9.sh
ADDED
|
@@ -0,0 +1,130 @@
|
|
|
1
|
+
# ============================================================================
|
|
2
|
+
# GATE 9: Semgrep SAST Security Scan
|
|
3
|
+
# Detects security vulnerabilities (SQL injection, XSS, etc.) in staged files
|
|
4
|
+
# Tool: semgrep -- https://semgrep.dev
|
|
5
|
+
# ============================================================================
|
|
6
|
+
|
|
7
|
+
2>&1 echo ""
|
|
8
|
+
2>&1 echo "→ Gate 9: Semgrep SAST Security Scan..."
|
|
9
|
+
GATE_9_START=$(gate_start_ms)
|
|
10
|
+
|
|
11
|
+
GATE_9_STATUS=""
|
|
12
|
+
|
|
13
|
+
# Semgrep availability check
|
|
14
|
+
SEMGREP_CMD=""
|
|
15
|
+
if command -v semgrep >/dev/null 2>&1; then
|
|
16
|
+
SEMGREP_CMD="semgrep"
|
|
17
|
+
elif [ -f "$HOME/.local/bin/semgrep" ]; then
|
|
18
|
+
SEMGREP_CMD="$HOME/.local/bin/semgrep"
|
|
19
|
+
fi
|
|
20
|
+
|
|
21
|
+
if [ -z "$SEMGREP_CMD" ]; then
|
|
22
|
+
echo " ⚠️ WARN - semgrep not installed — SAST scanning unavailable"
|
|
23
|
+
echo " Install: brew install semgrep (macOS) | pip install semgrep (Linux) | pip install semgrep (Windows)"
|
|
24
|
+
echo " Pre-cache rules: semgrep --config=p/security-audit"
|
|
25
|
+
echo " Gate 9: SAST Security (WARN, semgrep not installed)"
|
|
26
|
+
GATE_9_STATUS="WARN"
|
|
27
|
+
else
|
|
28
|
+
# Get staged files filtered to Semgrep-supported languages
|
|
29
|
+
SEMGREP_FILES=$(git diff --cached --name-only --diff-filter=ACM 2>/dev/null | grep -E '\.(ts|tsx|js|jsx|py|go|java|c|cpp|cs|rb|php|scala|swift)$' || true)
|
|
30
|
+
|
|
31
|
+
if [ -z "$SEMGREP_FILES" ]; then
|
|
32
|
+
echo " ⏭️ SKIPPED - SAST (no supported language files changed)"
|
|
33
|
+
GATE_9_STATUS="SKIP"
|
|
34
|
+
else
|
|
35
|
+
# Run semgrep with JSON output
|
|
36
|
+
# --config=p/security-audit: explicit security ruleset
|
|
37
|
+
# --json: machine-readable output
|
|
38
|
+
# --disable-version-check: skip network call
|
|
39
|
+
SEMGREP_OUTPUT=$($SEMGREP_CMD scan --config=p/security-audit --json --disable-version-check $SEMGREP_FILES 2>&1)
|
|
40
|
+
SEMGREP_EXIT=$?
|
|
41
|
+
|
|
42
|
+
if [ "$SEMGREP_EXIT" -eq 0 ]; then
|
|
43
|
+
echo " ✅ PASSED - No security vulnerabilities found."
|
|
44
|
+
GATE_9_STATUS="PASS"
|
|
45
|
+
elif [ "$SEMGREP_EXIT" -eq 1 ]; then
|
|
46
|
+
# Findings detected - parse JSON to categorize
|
|
47
|
+
CRITICAL_HIGH=$(echo "$SEMGREP_OUTPUT" | python3 -c "
|
|
48
|
+
import sys, json
|
|
49
|
+
try:
|
|
50
|
+
data = json.load(sys.stdin)
|
|
51
|
+
results = data.get('results', [])
|
|
52
|
+
count = 0
|
|
53
|
+
for r in results:
|
|
54
|
+
extra = r.get('extra', {})
|
|
55
|
+
severity = extra.get('severity', '').upper()
|
|
56
|
+
if severity in ('CRITICAL', 'HIGH'):
|
|
57
|
+
count += 1
|
|
58
|
+
print(count)
|
|
59
|
+
except:
|
|
60
|
+
print('0')
|
|
61
|
+
" 2>/dev/null || echo "0")
|
|
62
|
+
|
|
63
|
+
MEDIUM_LOW=$(echo "$SEMGREP_OUTPUT" | python3 -c "
|
|
64
|
+
import sys, json
|
|
65
|
+
try:
|
|
66
|
+
data = json.load(sys.stdin)
|
|
67
|
+
results = data.get('results', [])
|
|
68
|
+
count = 0
|
|
69
|
+
for r in results:
|
|
70
|
+
extra = r.get('extra', {})
|
|
71
|
+
severity = extra.get('severity', '').upper()
|
|
72
|
+
if severity in ('MEDIUM', 'LOW'):
|
|
73
|
+
count += 1
|
|
74
|
+
print(count)
|
|
75
|
+
except:
|
|
76
|
+
print('0')
|
|
77
|
+
" 2>/dev/null || echo "0")
|
|
78
|
+
|
|
79
|
+
# Extract top finding details
|
|
80
|
+
FINDING_DETAILS=$(echo "$SEMGREP_OUTPUT" | python3 -c "
|
|
81
|
+
import sys, json
|
|
82
|
+
try:
|
|
83
|
+
data = json.load(sys.stdin)
|
|
84
|
+
results = data.get('results', [])
|
|
85
|
+
for r in results[:5]: # Show top 5
|
|
86
|
+
extra = r.get('extra', {})
|
|
87
|
+
severity = extra.get('severity', 'UNKNOWN').upper()
|
|
88
|
+
rule_id = r.get('check_id', 'unknown')
|
|
89
|
+
path = r.get('path', 'unknown')
|
|
90
|
+
start_line = r.get('start', {}).get('line', '?')
|
|
91
|
+
message = extra.get('message', '')[:80]
|
|
92
|
+
print(f' [{severity}] {rule_id}')
|
|
93
|
+
print(f' {path}:{start_line} → {message}')
|
|
94
|
+
print()
|
|
95
|
+
except:
|
|
96
|
+
print(' (Failed to parse semgrep output)')
|
|
97
|
+
" 2>/dev/null || echo " (Failed to parse semgrep output)")
|
|
98
|
+
|
|
99
|
+
if [ "$CRITICAL_HIGH" -gt 0 ]; then
|
|
100
|
+
echo ""
|
|
101
|
+
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
|
|
102
|
+
echo " GATE 9: Semgrep Security Gate"
|
|
103
|
+
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
|
|
104
|
+
echo " CRITICAL/HIGH: ${CRITICAL_HIGH} ❌ BLOCKED"
|
|
105
|
+
echo " MEDIUM/LOW: ${MEDIUM_LOW} ⚠️ warning"
|
|
106
|
+
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
|
|
107
|
+
echo " ❌ BLOCKED — Critical/High vulnerability found"
|
|
108
|
+
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
|
|
109
|
+
echo "$FINDING_DETAILS"
|
|
110
|
+
echo " Run 'semgrep scan --config=p/security-audit' to review all findings."
|
|
111
|
+
GATE_9_STATUS="FAIL"
|
|
112
|
+
exit 1
|
|
113
|
+
else
|
|
114
|
+
echo ""
|
|
115
|
+
echo " ✅ PASSED - No critical/high vulnerabilities"
|
|
116
|
+
if [ "$MEDIUM_LOW" -gt 0 ]; then
|
|
117
|
+
echo " ⚠️ ${MEDIUM_LOW} medium/low findings (warnings only)"
|
|
118
|
+
echo "$FINDING_DETAILS"
|
|
119
|
+
fi
|
|
120
|
+
GATE_9_STATUS="PASS"
|
|
121
|
+
fi
|
|
122
|
+
else
|
|
123
|
+
# semgrep runtime error (timeout, config error, etc.)
|
|
124
|
+
echo " ⚠️ semgrep exited with code ${SEMGREP_EXIT} — skipping gate"
|
|
125
|
+
echo " ⏭️ SKIPPED - SAST (semgrep runtime error)"
|
|
126
|
+
GATE_9_STATUS="SKIP"
|
|
127
|
+
fi
|
|
128
|
+
fi
|
|
129
|
+
fi
|
|
130
|
+
record_gate_audit "gate-9" "sast-security" "$GATE_9_STATUS" "0" "$GATE_9_START"
|
package/mock-policy/AGENTS.md
CHANGED
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
# SRC/MOCK-POLICY KNOWLEDGE BASE
|
|
2
2
|
|
|
3
3
|
**Generated:** 2026-07-01
|
|
4
|
-
**Commit:**
|
|
4
|
+
**Commit:** 58ec6df
|
|
5
5
|
**Branch:** main
|
|
6
|
-
**Version:** 0.12.
|
|
6
|
+
**Version:** 0.12.2.0
|
|
7
7
|
|
|
8
8
|
## OVERVIEW
|
|
9
9
|
Mock layering policy enforcement — Gate M3 of pre-push hook. Ensures integration tests use real implementations for internal dependencies, mock external dependencies, and annotate pending mocks with removal plans. Combines project scope scanning, mock decision engine, and per-file validation into a single pipeline.
|
package/mutation/AGENTS.md
CHANGED
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
# SRC/MUTATION KNOWLEDGE BASE
|
|
2
2
|
|
|
3
3
|
**Generated:** 2026-07-01
|
|
4
|
-
**Commit:**
|
|
4
|
+
**Commit:** 58ec6df
|
|
5
5
|
**Branch:** main
|
|
6
|
-
**Version:** 0.12.
|
|
6
|
+
**Version:** 0.12.2.0
|
|
7
7
|
|
|
8
8
|
## OVERVIEW
|
|
9
9
|
**Gate M** (incremental mutation testing) + **Gate M2** helpers (test-layer detection used by `src/mock-policy/`). Pre-push quality gate. TypeScript-only; uses Stryker.
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@boyingliu01/xp-gate",
|
|
3
|
-
"version": "0.12.
|
|
3
|
+
"version": "0.12.2",
|
|
4
4
|
"description": "AI-driven development workflow: 6 quality gates + Delphi review + Sprint Flow",
|
|
5
5
|
"bin": {
|
|
6
6
|
"xp-gate": "./bin/xp-gate.js"
|
|
@@ -16,7 +16,12 @@
|
|
|
16
16
|
"principles/",
|
|
17
17
|
"mutation/",
|
|
18
18
|
"mock-policy/",
|
|
19
|
-
"build-integrity/"
|
|
19
|
+
"build-integrity/",
|
|
20
|
+
"gate-3.sh",
|
|
21
|
+
"gate-4.sh",
|
|
22
|
+
"gate-7.sh",
|
|
23
|
+
"gate-8.sh",
|
|
24
|
+
"gate-9.sh"
|
|
20
25
|
],
|
|
21
26
|
"exports": {
|
|
22
27
|
"./tui": "./plugins/opencode/tui-plugin.ts"
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "xp-gate",
|
|
3
|
-
"version": "0.12.
|
|
3
|
+
"version": "0.12.2",
|
|
4
4
|
"displayName": "XP-Gate",
|
|
5
5
|
"description": "Extreme Programming quality gates + AI workflow skills for Claude Code. Includes 10 quality gates (Gate 0-9), Sprint Flow (11 phases), and Delphi multi-expert review (>=90% consensus).",
|
|
6
6
|
"author": {
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
# SKILLS/DELPHI-REVIEW KNOWLEDGE BASE
|
|
2
2
|
|
|
3
3
|
**Generated:** 2026-07-01
|
|
4
|
-
**Commit:**
|
|
4
|
+
**Commit:** 58ec6df
|
|
5
5
|
**Branch:** main
|
|
6
|
-
**Version:** 0.12.
|
|
6
|
+
**Version:** 0.12.2.0
|
|
7
7
|
|
|
8
8
|
## OVERVIEW
|
|
9
9
|
Delphi Consensus Review — multi-round anonymous expert review (≥90% threshold, 3 experts from ≥2 providers, domestic models only). Supports design + code-walkthrough modes.
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
# SKILLS/SPRINT-FLOW KNOWLEDGE BASE
|
|
2
2
|
|
|
3
3
|
**Generated:** 2026-07-01
|
|
4
|
-
**Commit:**
|
|
4
|
+
**Commit:** 58ec6df
|
|
5
5
|
**Branch:** main
|
|
6
|
-
**Version:** 0.12.
|
|
6
|
+
**Version:** 0.12.2.0
|
|
7
7
|
|
|
8
8
|
## OVERVIEW
|
|
9
9
|
**11-phase** development pipeline: ISOLATE → AUTO-ESTIMATE → THINK → PLAN → BUILD → REVIEW → SHIP → LAND → USER ACCEPTANCE → FEEDBACK → CLEANUP. Phase 2 default build mode is **ralph-loop** (REQ-level iteration, 40-67% token savings vs parallel). HARD-GATE in Phase 1: design must pass Delphi review (≥90% consensus) before any coding.
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
# SKILLS/TEST-SPECIFICATION-ALIGNMENT KNOWLEDGE BASE
|
|
2
2
|
|
|
3
3
|
**Generated:** 2026-07-01
|
|
4
|
-
**Commit:**
|
|
4
|
+
**Commit:** 58ec6df
|
|
5
5
|
**Branch:** main
|
|
6
|
-
**Version:** 0.12.
|
|
6
|
+
**Version:** 0.12.2.0
|
|
7
7
|
|
|
8
8
|
## OVERVIEW
|
|
9
9
|
Test-Specification Alignment Engine — two-stage validation ensuring tests accurately reflect requirements and design specs.
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
# SKILLS/DELPHI-REVIEW KNOWLEDGE BASE
|
|
2
2
|
|
|
3
3
|
**Generated:** 2026-07-01
|
|
4
|
-
**Commit:**
|
|
4
|
+
**Commit:** 58ec6df
|
|
5
5
|
**Branch:** main
|
|
6
|
-
**Version:** 0.12.
|
|
6
|
+
**Version:** 0.12.2.0
|
|
7
7
|
|
|
8
8
|
## OVERVIEW
|
|
9
9
|
Delphi Consensus Review — multi-round anonymous expert review (≥90% threshold, 3 experts from ≥2 providers, domestic models only). Supports design + code-walkthrough modes.
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
# SKILLS/SPRINT-FLOW KNOWLEDGE BASE
|
|
2
2
|
|
|
3
3
|
**Generated:** 2026-07-01
|
|
4
|
-
**Commit:**
|
|
4
|
+
**Commit:** 58ec6df
|
|
5
5
|
**Branch:** main
|
|
6
|
-
**Version:** 0.12.
|
|
6
|
+
**Version:** 0.12.2.0
|
|
7
7
|
|
|
8
8
|
## OVERVIEW
|
|
9
9
|
**11-phase** development pipeline: ISOLATE → AUTO-ESTIMATE → THINK → PLAN → BUILD → REVIEW → SHIP → LAND → USER ACCEPTANCE → FEEDBACK → CLEANUP. Phase 2 default build mode is **ralph-loop** (REQ-level iteration, 40-67% token savings vs parallel). HARD-GATE in Phase 1: design must pass Delphi review (≥90% consensus) before any coding.
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
# SKILLS/TEST-SPECIFICATION-ALIGNMENT KNOWLEDGE BASE
|
|
2
2
|
|
|
3
3
|
**Generated:** 2026-07-01
|
|
4
|
-
**Commit:**
|
|
4
|
+
**Commit:** 58ec6df
|
|
5
5
|
**Branch:** main
|
|
6
|
-
**Version:** 0.12.
|
|
6
|
+
**Version:** 0.12.2.0
|
|
7
7
|
|
|
8
8
|
## OVERVIEW
|
|
9
9
|
Test-Specification Alignment Engine — two-stage validation ensuring tests accurately reflect requirements and design specs.
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "xp-gate",
|
|
3
|
-
"version": "0.12.
|
|
3
|
+
"version": "0.12.2",
|
|
4
4
|
"displayName": "XP-Gate",
|
|
5
5
|
"description": "Extreme Programming quality gates + AI workflow skills for Qoder. Includes 10 quality gates (Gate 0-9), Sprint Flow (11 phases), and Delphi multi-expert review (>=90% consensus).",
|
|
6
6
|
"author": {
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
# SKILLS/DELPHI-REVIEW KNOWLEDGE BASE
|
|
2
2
|
|
|
3
3
|
**Generated:** 2026-07-01
|
|
4
|
-
**Commit:**
|
|
4
|
+
**Commit:** 58ec6df
|
|
5
5
|
**Branch:** main
|
|
6
|
-
**Version:** 0.12.
|
|
6
|
+
**Version:** 0.12.2.0
|
|
7
7
|
|
|
8
8
|
## OVERVIEW
|
|
9
9
|
Delphi Consensus Review — multi-round anonymous expert review (≥90% threshold, 3 experts from ≥2 providers, domestic models only). Supports design + code-walkthrough modes.
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
# SKILLS/SPRINT-FLOW KNOWLEDGE BASE
|
|
2
2
|
|
|
3
3
|
**Generated:** 2026-07-01
|
|
4
|
-
**Commit:**
|
|
4
|
+
**Commit:** 58ec6df
|
|
5
5
|
**Branch:** main
|
|
6
|
-
**Version:** 0.12.
|
|
6
|
+
**Version:** 0.12.2.0
|
|
7
7
|
|
|
8
8
|
## OVERVIEW
|
|
9
9
|
**11-phase** development pipeline: ISOLATE → AUTO-ESTIMATE → THINK → PLAN → BUILD → REVIEW → USER ACCEPTANCE → FEEDBACK → SHIP → LAND → CLEANUP. Phase 2 default build mode is **ralph-loop** (REQ-level iteration, 40-67% token savings vs parallel). HARD-GATE in Phase 1: design must pass Delphi review (≥90% consensus) before any coding.
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
# SKILLS/TEST-SPECIFICATION-ALIGNMENT KNOWLEDGE BASE
|
|
2
2
|
|
|
3
3
|
**Generated:** 2026-07-01
|
|
4
|
-
**Commit:**
|
|
4
|
+
**Commit:** 58ec6df
|
|
5
5
|
**Branch:** main
|
|
6
|
-
**Version:** 0.12.
|
|
6
|
+
**Version:** 0.12.2.0
|
|
7
7
|
|
|
8
8
|
## OVERVIEW
|
|
9
9
|
Test-Specification Alignment Engine — two-stage validation ensuring tests accurately reflect requirements and design specs.
|
package/principles/AGENTS.md
CHANGED
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
# PRINCIPLES CHECKER MODULE
|
|
2
2
|
|
|
3
3
|
**Generated:** 2026-07-01
|
|
4
|
-
**Commit:**
|
|
4
|
+
**Commit:** 58ec6df
|
|
5
5
|
**Branch:** main
|
|
6
|
-
**Version:** 0.12.
|
|
6
|
+
**Version:** 0.12.2.0
|
|
7
7
|
|
|
8
8
|
## OVERVIEW
|
|
9
9
|
Clean Code & SOLID principles checker — **Gate 4** of pre-commit. 14 rules × 9 language adapters, SARIF 2.1.0 output. Houses the **Boy Scout Rule** enforcement engine (Gate 6) and warning-baseline storage.
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
# SKILLS/DELPHI-REVIEW KNOWLEDGE BASE
|
|
2
2
|
|
|
3
3
|
**Generated:** 2026-07-01
|
|
4
|
-
**Commit:**
|
|
4
|
+
**Commit:** 58ec6df
|
|
5
5
|
**Branch:** main
|
|
6
|
-
**Version:** 0.12.
|
|
6
|
+
**Version:** 0.12.2.0
|
|
7
7
|
|
|
8
8
|
## OVERVIEW
|
|
9
9
|
Delphi Consensus Review — multi-round anonymous expert review (≥90% threshold, 3 experts from ≥2 providers, domestic models only). Supports design + code-walkthrough modes.
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
# SKILLS/SPRINT-FLOW KNOWLEDGE BASE
|
|
2
2
|
|
|
3
3
|
**Generated:** 2026-07-01
|
|
4
|
-
**Commit:**
|
|
4
|
+
**Commit:** 58ec6df
|
|
5
5
|
**Branch:** main
|
|
6
|
-
**Version:** 0.12.
|
|
6
|
+
**Version:** 0.12.2.0
|
|
7
7
|
|
|
8
8
|
## OVERVIEW
|
|
9
9
|
**11-phase** development pipeline: ISOLATE → AUTO-ESTIMATE → THINK → PLAN → BUILD → REVIEW → SHIP → LAND → USER ACCEPTANCE → FEEDBACK → CLEANUP. Phase 2 default build mode is **ralph-loop** (REQ-level iteration, 40-67% token savings vs parallel). HARD-GATE in Phase 1: design must pass Delphi review (≥90% consensus) before any coding.
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
# SKILLS/TEST-SPECIFICATION-ALIGNMENT KNOWLEDGE BASE
|
|
2
2
|
|
|
3
3
|
**Generated:** 2026-07-01
|
|
4
|
-
**Commit:**
|
|
4
|
+
**Commit:** 58ec6df
|
|
5
5
|
**Branch:** main
|
|
6
|
-
**Version:** 0.12.
|
|
6
|
+
**Version:** 0.12.2.0
|
|
7
7
|
|
|
8
8
|
## OVERVIEW
|
|
9
9
|
Test-Specification Alignment Engine — two-stage validation ensuring tests accurately reflect requirements and design specs.
|