@intentsolutions/audit-harness 0.1.0 → 1.1.5

package/scripts/escape-scan.sh

@@ -19,14 +19,32 @@
 #   bash escape-scan.sh path/to/change.patch
 #   bash escape-scan.sh --staged          # git diff --cached
 #   bash escape-scan.sh --range HEAD~1..HEAD
+#   bash escape-scan.sh --staged --json   # machine-readable JSON to stdout
+#
+# JSON mode:
+#   stdout = single JSON object suitable for piping to `audit-harness emit-evidence`
+#   stderr = unchanged human-readable [SEVERITY] notes (preserves backward-compat)
+#   exit codes unchanged
 
 set -euo pipefail
 
 DIFF_SRC=""
 VERIFY_HASH=1
+JSON_OUT=0
 ROOT="${ROOT:-$(pwd)}"
 HASH_SCRIPT="$(dirname "$0")/harness-hash.sh"
 
+# First-pass arg parse: peel --json off the tail (any position) so primary
+# arg parsing below is unchanged.
+_filtered_args=()
+for arg in "$@"; do
+  case "$arg" in
+    --json) JSON_OUT=1 ;;
+    *) _filtered_args+=("$arg") ;;
+  esac
+done
+set -- "${_filtered_args[@]+"${_filtered_args[@]}"}"
+
 if [[ "$#" -eq 0 ]]; then
   echo "escape-scan: pass a diff source (- for stdin, --staged, --range, or a patch file)" >&2
   exit 2
@@ -34,11 +52,20 @@ fi
 
 case "$1" in
   -) DIFF_SRC="/dev/stdin" ;;
-  --staged) DIFF_SRC=$(mktemp); git diff --cached > "$DIFF_SRC" ;;
-  --range) DIFF_SRC=$(mktemp); git diff "$2" > "$DIFF_SRC"; shift ;;
+  --staged)
+    DIFF_SRC=$(mktemp)
+    trap 'rm -f "$DIFF_SRC"' EXIT
+    git diff --cached > "$DIFF_SRC"
+    ;;
+  --range)
+    DIFF_SRC=$(mktemp)
+    trap 'rm -f "$DIFF_SRC"' EXIT
+    git diff "$2" > "$DIFF_SRC"
+    shift
+    ;;
   --no-hash) VERIFY_HASH=0; shift; DIFF_SRC="$1" ;;
   --help|-h)
-    sed -n '2,22p' "$0"; exit 0 ;;
+    sed -n '2,26p' "$0"; exit 0 ;;
   *) DIFF_SRC="$1" ;;
 esac
 
@@ -159,7 +186,34 @@ if echo "$added_lines" | grep -Eq 'toBeDefined\(\)|\.is not None'; then
 fi
 
 # --- Summary & exit ---
-echo "escape-scan: REFUSE=$REFUSE CHALLENGE=$CHALLENGE FLAG=$FLAG"
+if [[ "$JSON_OUT" -eq 1 ]]; then
+  # Result mapping (per intent-eval-lab evidence-bundle SPEC § 5 R6):
+  #   any REFUSE → FAIL
+  #   any CHALLENGE (no REFUSE) → FAIL  (exit 1 = blocking, requires human)
+  #   only FLAG → ADVISORY (exit 0 — informational)
+  #   none → PASS
+  result="PASS"
+  if [[ "$REFUSE" -gt 0 || "$CHALLENGE" -gt 0 ]]; then
+    result="FAIL"
+  elif [[ "$FLAG" -gt 0 ]]; then
+    result="ADVISORY"
+  fi
+  input_hash=$(sha256sum "$DIFF_SRC" | awk '{print "sha256:"$1}')
+  policy_hash="sha256:0000000000000000000000000000000000000000000000000000000000000000"
+  if [[ -f "$TESTING_MD" ]]; then
+    policy_hash=$(sha256sum "$TESTING_MD" | awk '{print "sha256:"$1}')
+  fi
+  printf '{"gate_id":"audit-harness:%s:escape-scan","result":"%s","input_hash":"%s","policy_hash":"%s","metadata":{"refuse":%d,"challenge":%d,"flag":%d,"coverage_line_floor":%d,"coverage_branch_floor":%d,"mutation_floor":%d}' \
+    "${AUDIT_HARNESS_SIDE:-ci}" "$result" "$input_hash" "$policy_hash" "$REFUSE" "$CHALLENGE" "$FLAG" \
+    "$COVERAGE_LINE_FLOOR" "$COVERAGE_BRANCH_FLOOR" "$MUTATION_FLOOR"
+  if [[ "$result" == "ADVISORY" ]]; then
+    printf ',"advisory_severity":"info"'
+  fi
+  printf '}\n'
+  echo "escape-scan: REFUSE=$REFUSE CHALLENGE=$CHALLENGE FLAG=$FLAG" >&2
+else
+  echo "escape-scan: REFUSE=$REFUSE CHALLENGE=$CHALLENGE FLAG=$FLAG"
+fi
 if [[ "$REFUSE" -gt 0 ]]; then
   echo "escape-scan: pipeline halted (REFUSE)" >&2
   exit 2

package/scripts/gherkin-lint.sh

@@ -15,11 +15,13 @@ set -euo pipefail
 
 PATH_ARG="features/"
 STRICT=0
+JSON_OUT=0
 
 while [[ $# -gt 0 ]]; do
   case "$1" in
     --path) PATH_ARG="$2"; shift 2 ;;
     --strict) STRICT=1; shift ;;
+    --json) JSON_OUT=1; shift ;;
     --help|-h)
       sed -n '2,15p' "$0"; exit 0 ;;
     *) echo "gherkin-lint: unknown flag $1" >&2; exit 2 ;;
@@ -27,15 +29,40 @@ while [[ $# -gt 0 ]]; do
 done
 
 if [[ ! -d "$PATH_ARG" ]]; then
+  if [[ "$JSON_OUT" -eq 1 ]]; then
+    printf '{"gate_id":"audit-harness:%s:gherkin-lint","result":"NOT_APPLICABLE","input_hash":"sha256:0000000000000000000000000000000000000000000000000000000000000000","policy_hash":"sha256:0000000000000000000000000000000000000000000000000000000000000000","metadata":{"reason":"path not found","path":"%s"}}\n' \
+      "${AUDIT_HARNESS_SIDE:-ci}" "$PATH_ARG"
+  fi
   echo "gherkin-lint: path not found: $PATH_ARG" >&2
   exit 2
 fi
 
+INPUT_HASH=$(find "$PATH_ARG" -name "*.feature" -type f -exec sha256sum {} \; 2>/dev/null | sort | sha256sum | awk '{print "sha256:"$1}')
+
+if [[ "$JSON_OUT" -eq 1 ]]; then
+  exec 3>&1
+  exec 1>&2
+fi
+
 WARN_COUNT=0
 ERROR_COUNT=0
 
 warn() { echo "WARN  $1:$2 $3"; WARN_COUNT=$((WARN_COUNT + 1)); }
-err()  { echo "ERROR $1:$2 $3"; ERROR_COUNT=$((ERROR_COUNT + 1)); }
+
+# process_awk_output — funnel awk-printed WARN/ERROR lines through the bash
+# counters so the summary + exit code reflect awk-fallback findings (the
+# subprocesses below can't otherwise touch the parent-shell counters).
+# Single-pass awk counts both at once; no-match handled cleanly under
+# set -euo pipefail via the `+0` numeric coercions.
+process_awk_output() {
+  local out="$1"
+  [ -z "$out" ] && return 0
+  local w=0 e=0
+  read -r w e < <(awk '/^WARN /{w++} /^ERROR /{e++} END {print w+0, e+0}' <<< "$out")
+  WARN_COUNT=$((WARN_COUNT + w))
+  ERROR_COUNT=$((ERROR_COUNT + e))
+  printf '%s\n' "$out"
+}
 
 # 1. Prefer official gherkin-lint if available
 if command -v gherkin-lint >/dev/null 2>&1; then
@@ -48,7 +75,7 @@ else
 
   while IFS= read -r -d '' feature; do
     # Imperative verbs / CSS selectors in steps (declarative warning)
-    awk -v file="$feature" '
+    process_awk_output "$(awk -v file="$feature" '
       /^[[:space:]]*(Given|When|Then|And|But)/ {
         line = $0
         if (line ~ /click|type|fill[ _]in|press|select.*from[ _]dropdown/) {
@@ -58,10 +85,10 @@ else
           printf "WARN  %s:%d CSS selector / xpath in step (prefer business language)\n", file, NR
         }
       }
-    ' "$feature"
+    ' "$feature")"
 
     # Scenario length (> 10 steps)
-    awk -v file="$feature" '
+    process_awk_output "$(awk -v file="$feature" '
       /^[[:space:]]*Scenario/ { sc = NR; steps = 0; sn = $0; next }
       /^[[:space:]]*(Given|When|Then|And|But)/ { if (sc) steps++ }
       /^[[:space:]]*Scenario|^[[:space:]]*Feature|^$/ {
@@ -75,7 +102,7 @@ else
           printf "WARN  %s:%d scenario has %d steps (>10 is too long)\n", file, sc, steps
         }
       }
-    ' "$feature"
+    ' "$feature")"
 
     # Repeated Givens without Background (3+ identical Given lines)
     dupe=$(awk '/^[[:space:]]*Given/ { print }' "$feature" | sort | uniq -c | awk '$1 >= 3 { print }')
@@ -84,9 +111,7 @@ else
     fi
 
     # "And" at scenario start (grammar error)
-    awk -v file="$feature" '
-      prev_blank = 1
-      /^[[:space:]]*$/ { prev_blank = 1; next }
+    process_awk_output "$(awk -v file="$feature" '
       /^[[:space:]]*Scenario/ { in_scenario = 1; step_count = 0; next }
       /^[[:space:]]*(Given|When|Then|And|But)/ {
         if (in_scenario && step_count == 0 && /^[[:space:]]*And/) {
@@ -94,7 +119,7 @@ else
         }
         step_count++
       }
-    ' "$feature"
+    ' "$feature")"
 
   done < <(find "$PATH_ARG" -name "*.feature" -print0)
 fi
@@ -102,6 +127,25 @@ fi
 echo ""
 echo "gherkin-lint summary: $WARN_COUNT warning(s), $ERROR_COUNT error(s)"
 
+if [[ "$JSON_OUT" -eq 1 ]]; then
+  exec 1>&3 3>&-
+  result="PASS"
+  sev_block=""
+  if [[ "$ERROR_COUNT" -gt 0 ]]; then
+    result="FAIL"
+  elif [[ "$WARN_COUNT" -gt 0 ]]; then
+    if [[ "$STRICT" -eq 1 ]]; then
+      result="FAIL"
+    else
+      result="ADVISORY"
+      sev_block=',"advisory_severity":"warn"'
+    fi
+  fi
+  printf '{"gate_id":"audit-harness:%s:gherkin-lint","result":"%s"%s,"input_hash":"%s","policy_hash":"sha256:0000000000000000000000000000000000000000000000000000000000000000","metadata":{"warnings":%d,"errors":%d,"strict":%s,"path":"%s"}}\n' \
+    "${AUDIT_HARNESS_SIDE:-ci}" "$result" "$sev_block" "$INPUT_HASH" "$WARN_COUNT" "$ERROR_COUNT" \
+    "$([[ "$STRICT" -eq 1 ]] && echo true || echo false)" "$PATH_ARG"
+fi
+
 if [[ "$ERROR_COUNT" -gt 0 ]]; then
   exit 1
 fi

package/scripts/harness-hash.sh

@@ -6,19 +6,48 @@
 # causes escape-scan.sh to REFUSE the AI diff.
 #
 # Usage:
-#   bash harness-hash.sh --init      # write manifest (engineer-initiated)
-#   bash harness-hash.sh --verify    # compare current hashes to manifest
-#   bash harness-hash.sh --list      # show which files are pinned
+#   bash harness-hash.sh --init           # write manifest (engineer-initiated)
+#   bash harness-hash.sh --verify         # compare current hashes to manifest
+#   bash harness-hash.sh --verify --json  # machine-readable JSON to stdout (verify only)
+#   bash harness-hash.sh --list           # show which files are pinned
 #
 # Exit codes:
 #   0 — OK (pin matches, or init succeeded)
 #   2 — HARNESS_TAMPERED (hash mismatch)
 #   3 — no manifest found (--verify without --init)
+#
+# JSON mode:
+#   stdout = single JSON object suitable for piping to `audit-harness emit-evidence`
+#   stderr = unchanged human-readable summary (preserves backward-compat)
+#   exit codes unchanged
 
 set -euo pipefail
 
+# Cross-platform SHA-256: `sha256sum` ships with GNU coreutils (Linux);
+# macOS only has `shasum -a 256`. Both produce identical `<hash>  <file>`
+# output, so downstream awk parsing is unchanged.
+if command -v sha256sum >/dev/null 2>&1; then
+  SHA256_CMD=(sha256sum)
+elif command -v shasum >/dev/null 2>&1; then
+  SHA256_CMD=(shasum -a 256)
+else
+  echo "harness-hash: neither sha256sum nor shasum found in PATH" >&2
+  exit 2
+fi
+
 ROOT="${ROOT:-$(pwd)}"
 MANIFEST="${ROOT}/.harness-hash"
+JSON_OUT=0
+
+# Peel --json from anywhere in args (additive, doesn't disturb existing arg shape)
+_filtered_args=()
+for arg in "$@"; do
+  case "$arg" in
+    --json) JSON_OUT=1 ;;
+    *) _filtered_args+=("$arg") ;;
+  esac
+done
+set -- "${_filtered_args[@]+"${_filtered_args[@]}"}"
 
 PATTERNS=(
   # Wall 1: acceptance
@@ -42,6 +71,27 @@ PATTERNS=(
   "stryker.config.js"
 )
 
+# Optional per-repo extra patterns appended from .harness-hash-extra-patterns
+# at the repo root. Used by repos whose policy files don't match the default
+# canonical patterns above — e.g., the audit-harness repo itself pins its own
+# scripts (scripts/*.sh + scripts/*.py + bin/audit-harness.js), which are the
+# policy enforcement surface but aren't covered by the consumer-facing
+# defaults. Lines beginning with `#` are comments; blank lines are ignored.
+# This mechanism is additive — repos without the file get exactly the
+# default behavior, so consumer repos are not affected.
+EXTRA_PATTERNS_FILE="${ROOT}/.harness-hash-extra-patterns"
+if [[ -f "${EXTRA_PATTERNS_FILE}" ]]; then
+  while IFS= read -r line || [[ -n "${line}" ]]; do
+    # strip inline comments
+    line="${line%%#*}"
+    # trim leading + trailing whitespace
+    line="${line#"${line%%[![:space:]]*}"}"
+    line="${line%"${line##*[![:space:]]}"}"
+    [[ -z "${line}" ]] && continue
+    PATTERNS+=("${line}")
+  done < "${EXTRA_PATTERNS_FILE}"
+fi
+
 collect_files() {
   local out=()
   shopt -s nullglob globstar
@@ -61,7 +111,7 @@ hash_files() {
     return 0
   fi
   while IFS= read -r f; do
-    printf '%s  %s\n' "$(sha256sum "$f" | awk '{print $1}')" "$f"
+    printf '%s  %s\n' "$("${SHA256_CMD[@]}" "$f" | awk '{print $1}')" "$f"
   done <<< "$files"
 }
 
@@ -76,6 +126,10 @@ cmd_init() {
 cmd_verify() {
   cd "$ROOT"
   if [[ ! -f "$MANIFEST" ]]; then
+    if [[ "$JSON_OUT" -eq 1 ]]; then
+      printf '{"gate_id":"audit-harness:%s:harness-hash","result":"NOT_APPLICABLE","input_hash":"sha256:0000000000000000000000000000000000000000000000000000000000000000","policy_hash":"sha256:0000000000000000000000000000000000000000000000000000000000000000","metadata":{"reason":"no manifest at %s (run --init)"}}\n' \
+        "${AUDIT_HARNESS_SIDE:-ci}" "$MANIFEST"
+    fi
     echo "harness-hash: no manifest at $MANIFEST (run --init)" >&2
     exit 3
   fi
@@ -84,13 +138,32 @@ cmd_verify() {
   local expected
   expected=$(cat "$MANIFEST")
 
+  local manifest_hash
+  manifest_hash=$("${SHA256_CMD[@]}" "$MANIFEST" | awk '{print "sha256:"$1}')
+
+  local pinned_count
+  pinned_count=$(echo "$expected" | grep -c '^' || true)
+
   # Compare sorted manifests so order doesn't matter
   local diff_out
   diff_out=$(diff <(echo "$expected" | sort) <(echo "$current" | sort) || true)
   if [[ -z "$diff_out" ]]; then
-    echo "harness-hash: OK"
+    if [[ "$JSON_OUT" -eq 1 ]]; then
+      printf '{"gate_id":"audit-harness:%s:harness-hash","result":"PASS","input_hash":"%s","policy_hash":"%s","metadata":{"pinned_count":%d}}\n' \
+        "${AUDIT_HARNESS_SIDE:-ci}" "$manifest_hash" "$manifest_hash" "$pinned_count"
+      echo "harness-hash: OK" >&2
+    else
+      echo "harness-hash: OK"
+    fi
     exit 0
   fi
+  if [[ "$JSON_OUT" -eq 1 ]]; then
+    # diff output may contain quotes/newlines; encode as a single-line escaped string
+    local diff_escaped
+    diff_escaped=$(printf '%s' "$diff_out" | python3 -c 'import sys, json; print(json.dumps(sys.stdin.read()))')
+    printf '{"gate_id":"audit-harness:%s:harness-hash","result":"FAIL","failure_mode":"HARNESS_TAMPERED","input_hash":"%s","policy_hash":"%s","metadata":{"pinned_count":%d,"diff":%s}}\n' \
+      "${AUDIT_HARNESS_SIDE:-ci}" "$manifest_hash" "$manifest_hash" "$pinned_count" "$diff_escaped"
+  fi
   echo "HARNESS_TAMPERED: pinned artifact changed" >&2
   echo "$diff_out" >&2
   exit 2