@oddessentials/repo-standards 4.4.0 → 5.0.0

package/dist/config/standards.rust.json

@@ -1,6 +1,72 @@
 {
   "checklist": {
     "core": [
+      {
+        "ciHints": {
+          "azure-devops": {
+            "notes": "Run CRLF detection early in pipeline before other checks.",
+            "stage": "quality"
+          },
+          "github-actions": {
+            "job": "ci",
+            "notes": "Add .gitattributes check as first step in CI job."
+          }
+        },
+        "description": "Enforce line endings at the Git layer using .gitattributes. Mark text files with appropriate EOL handling (eol=lf for shell scripts, eol=auto for most files) and binary files as binary to prevent corruption. This prevents 'works locally, fails in CI' issues caused by CRLF/LF mismatches.",
+        "id": "gitattributes-eol",
+        "label": "Git Attributes (Line Endings)",
+        "stack": {
+          "exampleConfigFiles": [
+            ".gitattributes",
+            ".editorconfig"
+          ],
+          "exampleTools": [
+            "git"
+          ],
+          "machineCheck": {
+            "command": "git ls-files --eol | grep -E 'w/crlf.*\\.sh$' && exit 1 || exit 0",
+            "description": "Verify no CRLF in shell scripts",
+            "expectExitCode": 0
+          },
+          "notes": "Mark *.rs, *.toml as text with auto EOL handling. Mark shell scripts as eol=lf. Binary files (*.exe, *.dll) should be marked as binary.",
+          "optionalFiles": [
+            ".editorconfig"
+          ],
+          "requiredFiles": [
+            ".gitattributes"
+          ],
+          "verification": "Run 'git ls-files --eol' to verify EOL consistency."
+        }
+      },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "notes": "Run CRLF detection as the first quality check before linting or testing.",
+            "stage": "quality"
+          },
+          "github-actions": {
+            "job": "ci",
+            "notes": "Add CRLF detection step before main CI steps."
+          }
+        },
+        "description": "Fail CI early for Linux-executed files containing CRLF line endings. Shell scripts, Python files, and other interpreted files fail silently or with cryptic errors when they contain \\r characters. Detect this before running deeper CI steps.",
+        "id": "crlf-detection",
+        "label": "CRLF Detection in CI",
+        "stack": {
+          "exampleConfigFiles": [],
+          "exampleTools": [
+            "file",
+            "grep"
+          ],
+          "machineCheck": {
+            "command": "git ls-files --eol | grep -E 'w/crlf.*\\.(sh|bash)$' && exit 1 || exit 0",
+            "description": "Detect CRLF in shell scripts",
+            "expectExitCode": 0
+          },
+          "notes": "Rust build scripts (build.rs) and shell scripts must not have CRLF. Cargo tolerates CRLF in .rs files but shell invocations fail.",
+          "verification": "Run CRLF detection on shell and build scripts."
+        }
+      },
       {
         "ciHints": {
           "azure-devops": {
@@ -195,6 +261,31 @@
           "verification": "Trigger the release pipeline and confirm all artifacts share the same version number and tag."
         }
       },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "notes": "Set HUSKY=0 or equivalent in release pipeline to disable hooks.",
+            "stage": "release"
+          },
+          "github-actions": {
+            "job": "release",
+            "notes": "Set HUSKY=0 or equivalent in release job to disable hooks."
+          }
+        },
+        "description": "Release automation must bypass local developer hooks (HUSKY=0, --no-verify) and rely solely on CI gates for validation. This ensures idempotent, reproducible releases that don't fail due to hook environment differences.",
+        "id": "release-hook-bypass",
+        "label": "Release Hook Bypass",
+        "stack": {
+          "exampleConfigFiles": [
+            ".github/workflows/release.yml"
+          ],
+          "exampleTools": [
+            "cargo-release"
+          ],
+          "notes": "Use --no-verify with git commands in release scripts. If using pre-commit, set SKIP=all.",
+          "verification": "Check release workflow for hook bypass."
+        }
+      },
       {
         "ciHints": {
           "azure-devops": {
@@ -323,13 +414,15 @@
       {
         "ciHints": {
           "azure-devops": {
+            "notes": "Hooks and CI must invoke identical verification commands. Use npm run verify or equivalent.",
             "stage": "quality"
           },
           "github-actions": {
-            "job": "ci"
+            "job": "ci",
+            "notes": "Hooks and CI must invoke identical verification commands. Use npm run verify or equivalent."
           }
         },
-        "description": "Use git hooks to run linting, formatting, tests, and commit linting before changes are committed.",
+        "description": "Use git hooks to run linting, formatting, and commit linting before changes are committed. Hooks should CHECK by default (not auto-fix), be fast, and scope to changed files only. Use a single entry hook mechanism (e.g., Husky as entry point calling pre-commit or lint-staged).",
         "id": "pre-commit-hooks",
         "label": "Pre-Commit Hooks",
         "stack": {
@@ -340,8 +433,61 @@
             "pre-commit",
             "cargo-husky"
           ],
-          "notes": "Use pre-commit with rust hooks for cargo fmt and cargo clippy on staged files. cargo-husky is an alternative.",
-          "verification": "Inspect .pre-commit-config.yaml and confirm that hooks run cargo fmt --check and cargo clippy before commits."
+          "notes": "Use pre-commit with rust hooks for 'cargo fmt --check' and 'cargo clippy' on staged files. Pin rust-toolchain.toml for determinism across environments.",
+          "verification": "Confirm hooks run cargo fmt --check (not cargo fmt) and cargo clippy before commits."
+        }
+      },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "notes": "CI should call the same verify script that hooks use locally.",
+            "stage": "quality"
+          },
+          "github-actions": {
+            "job": "ci",
+            "notes": "CI should call the same verify script that hooks use locally."
+          }
+        },
+        "description": "Local hooks and CI must invoke identical verification commands to prevent 'works locally, fails in CI' issues. Use a single canonical verify entrypoint (e.g., npm run verify) that both hooks and CI call.",
+        "id": "hook-ci-parity",
+        "label": "Hook/CI Parity",
+        "stack": {
+          "exampleConfigFiles": [
+            "Makefile",
+            "Cargo.toml"
+          ],
+          "exampleTools": [
+            "cargo",
+            "make"
+          ],
+          "notes": "Define a verify target (make verify or cargo make verify) that runs fmt --check, clippy, and test. Both hooks and CI should use this target.",
+          "verification": "Compare hook commands with CI commands and confirm they invoke the same cargo commands."
+        }
+      },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "notes": "Also run secret scanning in CI as a safety net for commits that bypassed hooks.",
+            "stage": "quality"
+          },
+          "github-actions": {
+            "job": "ci",
+            "notes": "Enable GitHub secret scanning and also run gitleaks in CI."
+          }
+        },
+        "description": "Scan staged diffs for credentials, API keys, and secrets before they reach the remote repository. Catch secrets at commit time rather than after they're pushed.",
+        "id": "secret-scanning-precommit",
+        "label": "Pre-commit Secret Scanning",
+        "stack": {
+          "exampleConfigFiles": [
+            ".gitleaks.toml",
+            ".pre-commit-config.yaml"
+          ],
+          "exampleTools": [
+            "gitleaks"
+          ],
+          "notes": "Add gitleaks to pre-commit hooks. Configure Rust-specific patterns if needed.",
+          "verification": "Run 'gitleaks protect --staged' and verify it catches test secrets."
         }
       },
       {
@@ -589,6 +735,87 @@
           ],
           "verification": "LICENSE file is present; CODE_OF_CONDUCT.md and CONTRIBUTING.md provide contribution guidance."
         }
+      },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "notes": "CI should call the canonical verify command, not duplicate check logic.",
+            "stage": "quality"
+          },
+          "github-actions": {
+            "job": "ci",
+            "notes": "CI should call the canonical verify command, not duplicate check logic."
+          }
+        },
+        "description": "Provide one canonical 'verify' command per repository/stack that all stages call with appropriate flags. This prevents duplication, drift, and ensures consistency between local development and CI.",
+        "id": "canonical-verify",
+        "label": "Canonical Verify Entrypoint",
+        "stack": {
+          "exampleConfigFiles": [
+            "Makefile",
+            "Makefile.toml"
+          ],
+          "exampleTools": [
+            "cargo",
+            "make",
+            "cargo-make"
+          ],
+          "notes": "Define 'make verify' or 'cargo make verify' that runs fmt --check, clippy, and test. Both hooks and CI use this entrypoint.",
+          "verification": "Makefile or Makefile.toml contains a 'verify' task."
+        }
+      },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "notes": "Ensure CI reads from authoritative configs, not duplicated settings.",
+            "stage": "quality"
+          },
+          "github-actions": {
+            "job": "ci",
+            "notes": "Ensure CI reads from authoritative configs, not duplicated settings."
+          }
+        },
+        "description": "Each configuration rule must live in exactly one authoritative config file. Avoid duplication across .editorconfig, linter configs, and CI definitions. Document which file is authoritative for each concern.",
+        "id": "config-authority",
+        "label": "Config File Authority Rules",
+        "stack": {
+          "exampleConfigFiles": [
+            ".gitattributes",
+            "Cargo.toml",
+            "rustfmt.toml",
+            "clippy.toml"
+          ],
+          "exampleTools": [],
+          "notes": "Authority mapping: .gitattributes for EOL, Cargo.toml for project config, rustfmt.toml for formatting, clippy.toml for linting. Each concern has one file.",
+          "verification": "Review configs and confirm no rules are duplicated across files."
+        }
+      },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "notes": "CI should read skip paths from config files, not hardcode them in pipeline.",
+            "stage": "quality"
+          },
+          "github-actions": {
+            "job": "ci",
+            "notes": "CI should read skip paths from config files, not hardcode them in pipeline."
+          }
+        },
+        "description": "Encode path exclusions and skip rules deterministically in config files, not through ad-hoc human judgment. Make it clear which paths are excluded from checks and why.",
+        "id": "explicit-skip-paths",
+        "label": "Explicit Skip Paths",
+        "stack": {
+          "exampleConfigFiles": [
+            "rustfmt.toml",
+            ".clippy.toml"
+          ],
+          "exampleTools": [
+            "rustfmt",
+            "clippy"
+          ],
+          "notes": "Use #[rustfmt::skip] or #[allow(clippy::*)] sparingly and document why. For directory-level exclusions, use Cargo.toml workspace exclude.",
+          "verification": "Search for skip annotations and confirm each is documented."
+        }
       }
     ],
     "optionalEnhancements": [
@@ -817,6 +1044,137 @@
           "verification": "For web-facing Rust apps, run accessibility audits against key routes using axe or pa11y."
         }
       },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "notes": "Run AI drift detection in a scheduled nightly pipeline separate from main CI.",
+            "stage": "nightly"
+          },
+          "github-actions": {
+            "job": "nightly",
+            "notes": "Use scheduled workflow (cron) to run AI drift detection nightly."
+          }
+        },
+        "description": "Run nightly or scheduled checks comparing AI-generated outputs against pinned baselines to detect model drift, prompt drift, or code changes affecting AI behavior. Attribute regressions to code changes vs model updates vs prompt changes.",
+        "id": "ai-drift-detection",
+        "label": "AI Drift Detection",
+        "stack": {
+          "exampleConfigFiles": [
+            "snapshots/",
+            "ai-baselines/"
+          ],
+          "exampleTools": [
+            "insta",
+            "custom baseline tests"
+          ],
+          "notes": "Use insta for snapshot testing of AI outputs. Pin model versions and prompt templates. Run nightly to detect drift.",
+          "verification": "Run 'cargo insta test' and confirm AI outputs match baselines."
+        }
+      },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "notes": "Run schema validation tests as part of quality gates.",
+            "stage": "quality"
+          },
+          "github-actions": {
+            "job": "ci",
+            "notes": "Include AI output schema validation in CI test suite."
+          }
+        },
+        "description": "Validate all AI-generated outputs against strict JSON schemas or type definitions at system boundaries. Reject invalid outputs early rather than letting malformed data propagate through the system.",
+        "id": "ai-schema-enforcement",
+        "label": "AI Output Schema Enforcement",
+        "stack": {
+          "exampleConfigFiles": [
+            "src/schemas/"
+          ],
+          "exampleTools": [
+            "serde",
+            "jsonschema",
+            "validator"
+          ],
+          "notes": "Use serde with #[serde(deny_unknown_fields)] for strict deserialization of AI outputs. Add validator derives for business rule validation.",
+          "verification": "Review AI integration code and confirm strict deserialization is enforced."
+        }
+      },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "notes": "Run AI golden tests as part of the test stage.",
+            "stage": "test"
+          },
+          "github-actions": {
+            "job": "ci",
+            "notes": "Include AI golden contract tests in CI test suite."
+          }
+        },
+        "description": "Validate AI tool-generated patches, configs, and code against exact expected formats. Test that AI outputs respect forbidden paths, file patterns, and format constraints through golden contract tests.",
+        "id": "ai-golden-tests",
+        "label": "AI Golden Contract Tests",
+        "stack": {
+          "exampleConfigFiles": [
+            "snapshots/"
+          ],
+          "exampleTools": [
+            "insta"
+          ],
+          "notes": "Use insta for snapshot testing AI-generated code and configs. Test format compliance and forbidden path restrictions.",
+          "verification": "Run 'cargo insta test' and confirm AI outputs match snapshots."
+        }
+      },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "notes": "Run AI safety tests as part of security stage on main branch.",
+            "stage": "security"
+          },
+          "github-actions": {
+            "job": "security",
+            "notes": "Run AI safety checks on main branch merges."
+          }
+        },
+        "description": "Test AI integrations for prompt injection resistance, input sanitization, output filtering, and data exfiltration prevention. Include adversarial test cases that attempt to manipulate AI behavior.",
+        "id": "ai-safety-checks",
+        "label": "AI Adversarial & Safety Testing",
+        "stack": {
+          "exampleConfigFiles": [
+            "tests/ai_safety/"
+          ],
+          "exampleTools": [
+            "proptest",
+            "custom tests"
+          ],
+          "notes": "Use proptest for property-based testing of AI input validation. Test that malicious inputs don't escape sandboxing.",
+          "verification": "Run AI safety tests with adversarial inputs."
+        }
+      },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "notes": "Verify AI provenance logging is implemented in quality checks.",
+            "stage": "quality"
+          },
+          "github-actions": {
+            "job": "ci",
+            "notes": "Check AI provenance logging implementation in CI."
+          }
+        },
+        "description": "Log AI provider, model version, prompt template version, parameters, and tool versions for all AI operations. Enable attribution of outputs to specific model+prompt combinations for debugging and compliance.",
+        "id": "ai-provenance-tracking",
+        "label": "AI Provenance & Audit Logging",
+        "stack": {
+          "exampleConfigFiles": [
+            "src/ai/provenance.rs"
+          ],
+          "exampleTools": [
+            "tracing",
+            "OpenTelemetry"
+          ],
+          "notes": "Use tracing spans to capture AI call provenance. Include model version, prompt hash, and parameters as span attributes.",
+          "verification": "Review AI integration and confirm provenance is logged."
+        }
+      },
       {
         "ciHints": {
           "azure-devops": {
@@ -898,27 +1256,41 @@
     },
     "migrationGuide": [
       {
-        "description": "Start by adding pre-commit hooks and core formatting/linting so developers get fast feedback without touching CI.",
+        "description": "Configure .gitattributes for cross-platform line ending correctness and establish the canonical verify entrypoint before adding any checks. This prevents 'works locally, fails in CI' issues from day one.",
+        "focusIds": [
+          "gitattributes-eol",
+          "canonical-verify",
+          "hook-ci-parity",
+          "config-authority"
+        ],
+        "notes": "Start here to avoid debugging cryptic CRLF failures later. Use .gitattributes as the authority for EOL (not .editorconfig). Run 'git add --renormalize .' after adding .gitattributes to fix existing files.",
+        "step": 0,
+        "title": "Foundation: Line Endings and Hook Entry Point"
+      },
+      {
+        "description": "Add pre-commit hooks with secret scanning, formatting, and linting. Hooks should CHECK (not auto-fix) and scope to changed files only for speed.",
         "focusIds": [
           "pre-commit-hooks",
+          "secret-scanning-precommit",
           "linting",
           "code-formatter"
         ],
-        "notes": "Keep hooks fast and focused on changed files to avoid slowing down day-to-day work.",
+        "notes": "Keep hooks fast by scoping to staged files. Use Husky as entry point calling lint-staged or pre-commit. Hooks should check, not fix, to keep developers aware of issues.",
         "step": 1,
         "title": "Establish Local Safety Nets First"
       },
       {
-        "description": "Introduce CI quality gates that mirror local checks, but treat existing violations as warnings wherever possible.",
+        "description": "Introduce CI quality gates that mirror local hooks exactly. Add CRLF detection early in pipeline. Treat existing violations as warnings where possible.",
         "focusIds": [
+          "crlf-detection",
           "ci-quality-gates",
           "linting",
           "code-formatter",
           "commit-linting"
         ],
-        "notes": "Use diff-based tools or baselines so only new violations break builds; legacy issues remain visible but non-blocking.",
+        "notes": "CI must call the same verify scripts that hooks use. Add CRLF detection before other checks to fail fast on line ending issues. Use diff-based tools so only new violations break builds.",
         "step": 2,
-        "title": "Mirror Local Checks in CI (Soft-Fail on Legacy)"
+        "title": "Mirror Local Checks in CI with CRLF Detection"
       },
       {
         "description": "Enable type-checking, coverage thresholds, and dependency/vulnerability scanning with gradual enforcement.",
@@ -943,9 +1315,22 @@
           "complexity-analysis",
           "accessibility-auditing"
         ],
-        "notes": "Tackle recommended items in order of business value; backend-only repos can skip web-focused checks like accessibility. For AI/ML-heavy Python teams, consider extending containerization with data versioning (DVC) and unit tests with data quality checks (e.g., Great Expectations) as part of this step.",
+        "notes": "Tackle recommended items in order of business value; backend-only repos can skip web-focused checks like accessibility.",
         "step": 4,
         "title": "Layer in Docs, Governance, and Recommended Checks"
+      },
+      {
+        "description": "For repos using or building with generative AI, add drift detection, schema enforcement, golden contract tests, safety testing, and provenance tracking.",
+        "focusIds": [
+          "ai-drift-detection",
+          "ai-schema-enforcement",
+          "ai-golden-tests",
+          "ai-safety-checks",
+          "ai-provenance-tracking"
+        ],
+        "notes": "Skip this step if your repo has no AI/ML components. For AI-heavy repos: add nightly drift detection to catch model changes, enforce strict schemas at AI output boundaries, and log provenance for debugging 'why did AI do X?'",
+        "step": 5,
+        "title": "AI/ML Governance (If Applicable)"
       }
     ],
     "qualityGatePolicy": {

package/dist/config/standards.schema.json

@@ -164,6 +164,10 @@
           "$ref": "#/$defs/Enforcement",
           "description": "Enforcement level. Defaults: core=required, recommended=recommended, optionalEnhancements=optional."
         },
+        "executionStage": {
+          "$ref": "#/$defs/ExecutionStage",
+          "description": "When this check should execute in the development lifecycle."
+        },
         "id": {
           "description": "Unique identifier for the checklist item.",
           "pattern": "^[a-z][a-z0-9-]*$",
@@ -172,6 +176,10 @@
         "label": {
           "type": "string"
         },
+        "scopeToChangedFiles": {
+          "description": "Whether this check can/should be scoped to changed files only for faster execution.",
+          "type": "boolean"
+        },
         "severity": {
           "$ref": "#/$defs/Severity",
           "description": "Violation severity. Defaults: core=error, recommended=warn, optionalEnhancements=info."
@@ -202,7 +210,8 @@
         "id",
         "label",
         "description",
-        "appliesTo"
+        "appliesTo",
+        "executionStage"
       ],
       "type": "object"
     },
@@ -238,6 +247,18 @@
       ],
       "type": "string"
     },
+    "ExecutionStage": {
+      "description": "Development lifecycle stage when a check should execute.",
+      "enum": [
+        "pre-commit",
+        "pre-push",
+        "ci-pr",
+        "ci-main",
+        "release",
+        "nightly"
+      ],
+      "type": "string"
+    },
     "ExecutorHints": {
       "additionalProperties": false,
       "description": "Advisory execution substrate hints. Bazel is the first supported executor; future monorepo executors may follow the same pattern.",
@@ -324,7 +345,8 @@
           "type": "string"
         },
         "step": {
-          "minimum": 1,
+          "description": "Step number in migration sequence. Step 0 is foundation/prerequisites.",
+          "minimum": 0,
           "type": "integer"
         },
         "title": {