@intentsolutions/audit-harness 1.1.6 → 1.1.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +40 -0
- package/bin/audit-harness.js +6 -5
- package/package.json +8 -1
- package/schemas/currency/pins.v1.json +164 -22
- package/scripts/arch-check.sh +20 -2
- package/scripts/bias-count.sh +18 -1
- package/scripts/caa-check.sh +143 -0
- package/scripts/crap-score.py +57 -6
- package/scripts/currency.py +70 -25
- package/scripts/dnssec-check.sh +158 -0
- package/scripts/emit-evidence.sh +79 -9
- package/scripts/escape-scan.sh +28 -3
- package/scripts/gherkin-lint.sh +5 -0
- package/scripts/harness-hash.sh +5 -0
- package/scripts/kernel-shadow-check.sh +132 -0
|
@@ -0,0 +1,132 @@
|
|
|
1
|
+
#!/usr/bin/env bash
|
|
2
|
+
# kernel-shadow-check.sh — flag local re-declarations of kernel-owned contracts.
|
|
3
|
+
#
|
|
4
|
+
# The kernel @intentsolutions/core is the single source of truth for the
|
|
5
|
+
# canonical platform contracts: the gate-result/v1 predicate shape and the
|
|
6
|
+
# evidence-bundle payload shape (and, downstream, the authoring/v1 artifact
|
|
7
|
+
# schemas). This repo (audit-harness) is a CONSUMER of those contracts — it
|
|
8
|
+
# emits gate-result rows and EvidenceBundles, it must NOT re-define their
|
|
9
|
+
# shapes. A local re-declaration ("shadow") is supply-chain drift: the harness
|
|
10
|
+
# would validate against its own stale copy instead of the kernel the dashboard
|
|
11
|
+
# verifies with.
|
|
12
|
+
#
|
|
13
|
+
# This detector greps for files that re-DECLARE a kernel-owned schema shape,
|
|
14
|
+
# as opposed to REFERENCING the kernel (importing from @intentsolutions/core,
|
|
15
|
+
# or naming the predicate URI in a gate_id string — both legitimate).
|
|
16
|
+
#
|
|
17
|
+
# A SHADOW is:
|
|
18
|
+
# * a JSON Schema document whose "$id" claims a kernel-owned canonical id
|
|
19
|
+
# (evals.intentsolutions.io/gate-result/... or .../evidence-bundle/...), OR
|
|
20
|
+
# * a TS/Python source file that DEFINES (not imports) a GateResultV1 /
|
|
21
|
+
# EvidenceBundle / EvidenceBundlePayload type/interface/class.
|
|
22
|
+
#
|
|
23
|
+
# NOT a shadow (allowlisted):
|
|
24
|
+
# * tests/fixtures/** — a frozen offline copy of the kernel schema, pinned
|
|
25
|
+
# deliberately so the regression suite runs without a
|
|
26
|
+
# network fetch. This is a test pin, not a contract.
|
|
27
|
+
# * ci/** — the CI-only emitter; it IMPORTS the kernel validators
|
|
28
|
+
# (@intentsolutions/core/validators/v1/*) and only
|
|
29
|
+
# declares emitter-internal plumbing types.
|
|
30
|
+
# * schemas/conform/** — the harness's OWN deterministic structural floor for
|
|
31
|
+
# authoring artifacts, namespaced under conform/v1.
|
|
32
|
+
# This is a separate, shallower contract from the
|
|
33
|
+
# kernel authoring/v1 validity SSoT — intentionally
|
|
34
|
+
# different, not a re-declaration.
|
|
35
|
+
#
|
|
36
|
+
# Background: iah-E02 (the architecture question — peerDep-only vs full TS port
|
|
37
|
+
# vs second-emitter — that historically blocked a standing kernel-shadow check)
|
|
38
|
+
# is now CLOSED, so this detector ships.
|
|
39
|
+
#
|
|
40
|
+
# Exit codes:
|
|
41
|
+
# 0 — no shadows found (or shadows found in advisory/default mode)
|
|
42
|
+
# 1 — shadows found AND --strict was passed (gate)
|
|
43
|
+
#
|
|
44
|
+
# Default mode is ADVISORY (exit 0, annotate). Pass --strict to make a shadow
|
|
45
|
+
# a hard failure. CI runs the advisory mode so the lane is green while still
|
|
46
|
+
# surfacing any shadow as a GitHub annotation.
|
|
47
|
+
|
|
48
|
+
set -euo pipefail
|
|
49
|
+
|
|
50
|
+
# Bash version floor: these gates rely on bash 4+ features. Refuse early with a
|
|
51
|
+
# clear message on bash 3.x (e.g. macOS system bash) instead of failing later
|
|
52
|
+
# with a cryptic syntax error (jcgw).
|
|
53
|
+
[ "${BASH_VERSINFO:-0}" -ge 4 ] || { echo 'audit-harness requires bash >= 4' >&2; exit 3; }
|
|
54
|
+
|
|
55
|
+
STRICT=0
|
|
56
|
+
ROOT="."
|
|
57
|
+
while [[ $# -gt 0 ]]; do
|
|
58
|
+
case "$1" in
|
|
59
|
+
--strict) STRICT=1; shift ;;
|
|
60
|
+
--root) ROOT="${2:-.}"; shift 2 ;;
|
|
61
|
+
--help|-h)
|
|
62
|
+
echo "Usage: kernel-shadow-check.sh [--strict] [--root DIR]"
|
|
63
|
+
echo " Flags local re-declarations of kernel-owned gate-result/evidence-bundle contracts."
|
|
64
|
+
echo " Default: advisory (exit 0). --strict: exit 1 on any shadow."
|
|
65
|
+
exit 0 ;;
|
|
66
|
+
*) echo "kernel-shadow-check: unknown arg '$1'" >&2; exit 2 ;;
|
|
67
|
+
esac
|
|
68
|
+
done
|
|
69
|
+
|
|
70
|
+
cd "$ROOT"
|
|
71
|
+
|
|
72
|
+
# Paths that are allowed to carry a kernel-shaped artifact (see header).
|
|
73
|
+
# A match is a shadow only if it is OUTSIDE all of these.
|
|
74
|
+
is_allowlisted() {
|
|
75
|
+
case "$1" in
|
|
76
|
+
tests/fixtures/*) return 0 ;;
|
|
77
|
+
ci/*) return 0 ;;
|
|
78
|
+
schemas/conform/*) return 0 ;;
|
|
79
|
+
node_modules/*) return 0 ;;
|
|
80
|
+
.git/*) return 0 ;;
|
|
81
|
+
*) return 1 ;;
|
|
82
|
+
esac
|
|
83
|
+
}
|
|
84
|
+
|
|
85
|
+
shadows=()
|
|
86
|
+
|
|
87
|
+
# 1. JSON Schema documents claiming a kernel-owned canonical $id.
|
|
88
|
+
# The kernel owns gate-result/<ver> and evidence-bundle/<ver> ids under
|
|
89
|
+
# evals.intentsolutions.io. conform/v1 ids are the harness's own (allowlisted
|
|
90
|
+
# structurally by the schemas/conform/ path skip below).
|
|
91
|
+
# shellcheck disable=SC2016 # the grep pattern's $id is a literal, not a shell var
|
|
92
|
+
while IFS= read -r f; do
|
|
93
|
+
[[ -z "$f" ]] && continue
|
|
94
|
+
rel="${f#./}"
|
|
95
|
+
is_allowlisted "$rel" && continue
|
|
96
|
+
shadows+=("$rel (re-declares a kernel-owned JSON Schema \$id)")
|
|
97
|
+
done < <(grep -rIlE '"\$id"[[:space:]]*:[[:space:]]*"https://evals\.intentsolutions\.io/(gate-result|evidence-bundle)/' \
|
|
98
|
+
--include='*.json' --exclude-dir=node_modules --exclude-dir=.git . 2>/dev/null || true)
|
|
99
|
+
|
|
100
|
+
# 2. TS/Python source DEFINING (not importing) a kernel-owned type/class.
|
|
101
|
+
# Definitions look like `interface GateResultV1`, `class EvidenceBundle`,
|
|
102
|
+
# `type EvidenceBundlePayload = ...`. Imports (`import { GateResultV1Schema }
|
|
103
|
+
# from '@intentsolutions/core/...'`) are NOT matched by these anchors.
|
|
104
|
+
while IFS= read -r f; do
|
|
105
|
+
[[ -z "$f" ]] && continue
|
|
106
|
+
rel="${f#./}"
|
|
107
|
+
is_allowlisted "$rel" && continue
|
|
108
|
+
shadows+=("$rel (defines a kernel-owned type — should import from @intentsolutions/core)")
|
|
109
|
+
done < <(grep -rIlE \
|
|
110
|
+
'(^|[[:space:]])(export[[:space:]]+)?(interface|class|type)[[:space:]]+(GateResultV1|EvidenceBundle|EvidenceBundlePayload)\b' \
|
|
111
|
+
--include='*.ts' --include='*.py' --exclude-dir=node_modules --exclude-dir=.git . 2>/dev/null || true)
|
|
112
|
+
|
|
113
|
+
if [[ ${#shadows[@]} -eq 0 ]]; then
|
|
114
|
+
echo "kernel-shadow-check: clean — no local re-declarations of kernel-owned contracts."
|
|
115
|
+
exit 0
|
|
116
|
+
fi
|
|
117
|
+
|
|
118
|
+
echo "kernel-shadow-check: found ${#shadows[@]} potential kernel shadow(s):" >&2
|
|
119
|
+
for s in "${shadows[@]}"; do
|
|
120
|
+
echo " - $s" >&2
|
|
121
|
+
# GitHub Actions annotation (surfaces in the PR even in advisory mode).
|
|
122
|
+
file_only="${s%% *}"
|
|
123
|
+
echo "::warning file=${file_only}::kernel shadow — this file re-declares a kernel-owned contract; reference @intentsolutions/core instead"
|
|
124
|
+
done
|
|
125
|
+
|
|
126
|
+
if [[ "$STRICT" -eq 1 ]]; then
|
|
127
|
+
echo "kernel-shadow-check: --strict — failing the build." >&2
|
|
128
|
+
exit 1
|
|
129
|
+
fi
|
|
130
|
+
|
|
131
|
+
echo "kernel-shadow-check: advisory mode — not failing the build (pass --strict to gate)." >&2
|
|
132
|
+
exit 0
|