@opengsd/gsd-core 1.2.0-rc.1
- package/LICENSE +21 -0
- package/README.ja-JP.md +870 -0
- package/README.ko-KR.md +861 -0
- package/README.md +301 -0
- package/README.pt-BR.md +492 -0
- package/README.zh-CN.md +842 -0
- package/agents/gsd-advisor-researcher.md +127 -0
- package/agents/gsd-ai-researcher.md +133 -0
- package/agents/gsd-assumptions-analyzer.md +105 -0
- package/agents/gsd-code-fixer.md +668 -0
- package/agents/gsd-code-reviewer.md +387 -0
- package/agents/gsd-codebase-mapper.md +853 -0
- package/agents/gsd-debug-session-manager.md +314 -0
- package/agents/gsd-debugger.md +1452 -0
- package/agents/gsd-doc-classifier.md +168 -0
- package/agents/gsd-doc-synthesizer.md +204 -0
- package/agents/gsd-doc-verifier.md +217 -0
- package/agents/gsd-doc-writer.md +615 -0
- package/agents/gsd-domain-researcher.md +153 -0
- package/agents/gsd-eval-auditor.md +191 -0
- package/agents/gsd-eval-planner.md +154 -0
- package/agents/gsd-executor.md +772 -0
- package/agents/gsd-framework-selector.md +160 -0
- package/agents/gsd-integration-checker.md +470 -0
- package/agents/gsd-intel-updater.md +342 -0
- package/agents/gsd-nyquist-auditor.md +203 -0
- package/agents/gsd-pattern-mapper.md +335 -0
- package/agents/gsd-phase-researcher.md +928 -0
- package/agents/gsd-plan-checker.md +978 -0
- package/agents/gsd-planner.md +1218 -0
- package/agents/gsd-project-researcher.md +677 -0
- package/agents/gsd-research-synthesizer.md +255 -0
- package/agents/gsd-roadmapper.md +688 -0
- package/agents/gsd-security-auditor.md +155 -0
- package/agents/gsd-ui-auditor.md +495 -0
- package/agents/gsd-ui-checker.md +309 -0
- package/agents/gsd-ui-researcher.md +380 -0
- package/agents/gsd-user-profiler.md +171 -0
- package/agents/gsd-verifier.md +917 -0
- package/bin/install.js +10936 -0
- package/bin/lib/ui-safety-gate.cjs +107 -0
- package/commands/gsd/add-tests.md +42 -0
- package/commands/gsd/ai-integration-phase.md +37 -0
- package/commands/gsd/audit-fix.md +34 -0
- package/commands/gsd/audit-milestone.md +37 -0
- package/commands/gsd/audit-uat.md +24 -0
- package/commands/gsd/autonomous.md +46 -0
- package/commands/gsd/capture.md +62 -0
- package/commands/gsd/cleanup.md +24 -0
- package/commands/gsd/code-review.md +59 -0
- package/commands/gsd/complete-milestone.md +143 -0
- package/commands/gsd/config.md +56 -0
- package/commands/gsd/debug.md +52 -0
- package/commands/gsd/discuss-phase.md +76 -0
- package/commands/gsd/docs-update.md +49 -0
- package/commands/gsd/eval-review.md +33 -0
- package/commands/gsd/execute-phase.md +64 -0
- package/commands/gsd/explore.md +27 -0
- package/commands/gsd/extract-learnings.md +23 -0
- package/commands/gsd/fast.md +31 -0
- package/commands/gsd/forensics.md +57 -0
- package/commands/gsd/graphify.md +199 -0
- package/commands/gsd/health.md +31 -0
- package/commands/gsd/help.md +28 -0
- package/commands/gsd/import.md +41 -0
- package/commands/gsd/inbox.md +39 -0
- package/commands/gsd/ingest-docs.md +42 -0
- package/commands/gsd/manager.md +45 -0
- package/commands/gsd/map-codebase.md +83 -0
- package/commands/gsd/milestone-summary.md +51 -0
- package/commands/gsd/mvp-phase.md +45 -0
- package/commands/gsd/new-milestone.md +45 -0
- package/commands/gsd/new-project.md +47 -0
- package/commands/gsd/ns-context.md +23 -0
- package/commands/gsd/ns-ideate.md +24 -0
- package/commands/gsd/ns-manage.md +29 -0
- package/commands/gsd/ns-project.md +22 -0
- package/commands/gsd/ns-review.md +26 -0
- package/commands/gsd/ns-workflow.md +28 -0
- package/commands/gsd/pause-work.md +43 -0
- package/commands/gsd/phase.md +56 -0
- package/commands/gsd/plan-phase.md +62 -0
- package/commands/gsd/plan-review-convergence.md +59 -0
- package/commands/gsd/pr-branch.md +26 -0
- package/commands/gsd/profile-user.md +46 -0
- package/commands/gsd/progress.md +47 -0
- package/commands/gsd/quick.md +174 -0
- package/commands/gsd/resume-work.md +30 -0
- package/commands/gsd/review-backlog.md +63 -0
- package/commands/gsd/review.md +41 -0
- package/commands/gsd/secure-phase.md +36 -0
- package/commands/gsd/settings.md +29 -0
- package/commands/gsd/ship.md +24 -0
- package/commands/gsd/sketch.md +60 -0
- package/commands/gsd/spec-phase.md +63 -0
- package/commands/gsd/spike.md +57 -0
- package/commands/gsd/stats.md +19 -0
- package/commands/gsd/surface.md +155 -0
- package/commands/gsd/thread.md +24 -0
- package/commands/gsd/ui-phase.md +35 -0
- package/commands/gsd/ui-review.md +33 -0
- package/commands/gsd/ultraplan-phase.md +34 -0
- package/commands/gsd/undo.md +35 -0
- package/commands/gsd/update.md +48 -0
- package/commands/gsd/validate-phase.md +36 -0
- package/commands/gsd/verify-work.md +39 -0
- package/commands/gsd/workspace.md +52 -0
- package/commands/gsd/workstreams.md +70 -0
- package/get-shit-done/bin/check-latest-version.cjs +106 -0
- package/get-shit-done/bin/gsd-tools.cjs +1676 -0
- package/get-shit-done/bin/lib/active-workstream-store.cjs +302 -0
- package/get-shit-done/bin/lib/adr-parser.cjs +394 -0
- package/get-shit-done/bin/lib/agent-command-router.cjs +65 -0
- package/get-shit-done/bin/lib/artifacts.cjs +53 -0
- package/get-shit-done/bin/lib/audit.cjs +755 -0
- package/get-shit-done/bin/lib/check-command-router.cjs +333 -0
- package/get-shit-done/bin/lib/cjs-command-router-adapter.cjs +118 -0
- package/get-shit-done/bin/lib/clock.cjs +96 -0
- package/get-shit-done/bin/lib/clusters.cjs +135 -0
- package/get-shit-done/bin/lib/code-review-flags.cjs +74 -0
- package/get-shit-done/bin/lib/command-aliases.cjs +815 -0
- package/get-shit-done/bin/lib/command-arg-projection.cjs +62 -0
- package/get-shit-done/bin/lib/command-routing-hub.cjs +388 -0
- package/get-shit-done/bin/lib/commands.cjs +1188 -0
- package/get-shit-done/bin/lib/config-schema.cjs +31 -0
- package/get-shit-done/bin/lib/config.cjs +728 -0
- package/get-shit-done/bin/lib/configuration.cjs +248 -0
- package/get-shit-done/bin/lib/context-utilization.cjs +47 -0
- package/get-shit-done/bin/lib/core.cjs +2121 -0
- package/get-shit-done/bin/lib/decisions.cjs +116 -0
- package/get-shit-done/bin/lib/docs.cjs +270 -0
- package/get-shit-done/bin/lib/drift.cjs +388 -0
- package/get-shit-done/bin/lib/fallow-runner.cjs +109 -0
- package/get-shit-done/bin/lib/frontmatter.cjs +389 -0
- package/get-shit-done/bin/lib/gap-checker.cjs +205 -0
- package/get-shit-done/bin/lib/graphify.cjs +592 -0
- package/get-shit-done/bin/lib/gsd2-import.cjs +514 -0
- package/get-shit-done/bin/lib/init-command-router.cjs +58 -0
- package/get-shit-done/bin/lib/init.cjs +2112 -0
- package/get-shit-done/bin/lib/install-profiles.cjs +603 -0
- package/get-shit-done/bin/lib/installer-migration-authoring.cjs +117 -0
- package/get-shit-done/bin/lib/installer-migration-report.cjs +354 -0
- package/get-shit-done/bin/lib/installer-migrations/000-first-time-baseline.cjs +220 -0
- package/get-shit-done/bin/lib/installer-migrations/001-legacy-orphan-files.cjs +41 -0
- package/get-shit-done/bin/lib/installer-migrations/002-codex-legacy-hooks-json.cjs +80 -0
- package/get-shit-done/bin/lib/installer-migrations.cjs +778 -0
- package/get-shit-done/bin/lib/intel.cjs +708 -0
- package/get-shit-done/bin/lib/learnings.cjs +421 -0
- package/get-shit-done/bin/lib/milestone.cjs +314 -0
- package/get-shit-done/bin/lib/model-catalog.cjs +212 -0
- package/get-shit-done/bin/lib/model-profiles.cjs +31 -0
- package/get-shit-done/bin/lib/observability/event.cjs +82 -0
- package/get-shit-done/bin/lib/observability/logger.cjs +174 -0
- package/get-shit-done/bin/lib/observability/redaction.cjs +50 -0
- package/get-shit-done/bin/lib/package-identity.cjs +31 -0
- package/get-shit-done/bin/lib/phase-command-router.cjs +191 -0
- package/get-shit-done/bin/lib/phase-lifecycle.cjs +80 -0
- package/get-shit-done/bin/lib/phase.cjs +1607 -0
- package/get-shit-done/bin/lib/phases-command-router.cjs +39 -0
- package/get-shit-done/bin/lib/plan-scan.cjs +97 -0
- package/get-shit-done/bin/lib/planning-workspace.cjs +238 -0
- package/get-shit-done/bin/lib/profile-output.cjs +1141 -0
- package/get-shit-done/bin/lib/profile-pipeline.cjs +539 -0
- package/get-shit-done/bin/lib/project-root.cjs +112 -0
- package/get-shit-done/bin/lib/prompt-budget.cjs +399 -0
- package/get-shit-done/bin/lib/review-reviewer-selection.cjs +125 -0
- package/get-shit-done/bin/lib/roadmap-command-router.cjs +28 -0
- package/get-shit-done/bin/lib/roadmap.cjs +650 -0
- package/get-shit-done/bin/lib/runtime-artifact-layout.cjs +301 -0
- package/get-shit-done/bin/lib/runtime-homes.cjs +222 -0
- package/get-shit-done/bin/lib/runtime-name-policy.cjs +83 -0
- package/get-shit-done/bin/lib/runtime-slash.cjs +112 -0
- package/get-shit-done/bin/lib/schema-detect.cjs +165 -0
- package/get-shit-done/bin/lib/secrets.cjs +32 -0
- package/get-shit-done/bin/lib/security.cjs +600 -0
- package/get-shit-done/bin/lib/semver-compare.cjs +35 -0
- package/get-shit-done/bin/lib/shell-command-projection.cjs +500 -0
- package/get-shit-done/bin/lib/state-command-router.cjs +252 -0
- package/get-shit-done/bin/lib/state-document.cjs +263 -0
- package/get-shit-done/bin/lib/state.cjs +2038 -0
- package/get-shit-done/bin/lib/surface.cjs +470 -0
- package/get-shit-done/bin/lib/task-command-router.cjs +81 -0
- package/get-shit-done/bin/lib/template.cjs +228 -0
- package/get-shit-done/bin/lib/uat.cjs +289 -0
- package/get-shit-done/bin/lib/update-context.cjs +209 -0
- package/get-shit-done/bin/lib/validate-command-router.cjs +83 -0
- package/get-shit-done/bin/lib/validate.cjs +92 -0
- package/get-shit-done/bin/lib/verify-command-router.cjs +40 -0
- package/get-shit-done/bin/lib/verify.cjs +1511 -0
- package/get-shit-done/bin/lib/workstream-inventory-builder.cjs +74 -0
- package/get-shit-done/bin/lib/workstream-inventory.cjs +146 -0
- package/get-shit-done/bin/lib/workstream-name-policy.cjs +94 -0
- package/get-shit-done/bin/lib/workstream.cjs +389 -0
- package/get-shit-done/bin/lib/worktree-safety.cjs +985 -0
- package/get-shit-done/bin/shared/config-defaults.manifest.json +97 -0
- package/get-shit-done/bin/shared/config-schema.manifest.json +175 -0
- package/get-shit-done/bin/shared/model-catalog.json +122 -0
- package/get-shit-done/bin/shared/runtime-aliases.manifest.json +75 -0
- package/get-shit-done/bin/verify-reapply-patches.cjs +352 -0
- package/get-shit-done/contexts/dev.md +21 -0
- package/get-shit-done/contexts/research.md +22 -0
- package/get-shit-done/contexts/review.md +23 -0
- package/get-shit-done/references/agent-contracts.md +79 -0
- package/get-shit-done/references/ai-evals.md +156 -0
- package/get-shit-done/references/ai-frameworks.md +186 -0
- package/get-shit-done/references/artifact-types.md +131 -0
- package/get-shit-done/references/autonomous-smart-discuss.md +277 -0
- package/get-shit-done/references/checkpoints.md +814 -0
- package/get-shit-done/references/common-bug-patterns.md +114 -0
- package/get-shit-done/references/context-budget.md +85 -0
- package/get-shit-done/references/continuation-format.md +253 -0
- package/get-shit-done/references/debugger-philosophy.md +76 -0
- package/get-shit-done/references/decimal-phase-calculation.md +64 -0
- package/get-shit-done/references/doc-conflict-engine.md +91 -0
- package/get-shit-done/references/domain-probes.md +125 -0
- package/get-shit-done/references/execute-mvp-tdd.md +81 -0
- package/get-shit-done/references/executor-examples.md +110 -0
- package/get-shit-done/references/few-shot-examples/plan-checker.md +73 -0
- package/get-shit-done/references/few-shot-examples/verifier.md +109 -0
- package/get-shit-done/references/gate-prompts.md +100 -0
- package/get-shit-done/references/gates.md +70 -0
- package/get-shit-done/references/git-integration.md +298 -0
- package/get-shit-done/references/git-planning-commit.md +40 -0
- package/get-shit-done/references/ios-scaffold.md +123 -0
- package/get-shit-done/references/mandatory-initial-read.md +2 -0
- package/get-shit-done/references/model-profile-resolution.md +38 -0
- package/get-shit-done/references/model-profiles.md +245 -0
- package/get-shit-done/references/mvp-concepts.md +49 -0
- package/get-shit-done/references/phase-argument-parsing.md +61 -0
- package/get-shit-done/references/planner-antipatterns.md +89 -0
- package/get-shit-done/references/planner-chunked.md +49 -0
- package/get-shit-done/references/planner-gap-closure.md +62 -0
- package/get-shit-done/references/planner-graphify-auto-update.md +67 -0
- package/get-shit-done/references/planner-human-verify-mode.md +57 -0
- package/get-shit-done/references/planner-interface-context.md +62 -0
- package/get-shit-done/references/planner-mvp-mode.md +53 -0
- package/get-shit-done/references/planner-reviews.md +39 -0
- package/get-shit-done/references/planner-revision.md +87 -0
- package/get-shit-done/references/planner-source-audit.md +73 -0
- package/get-shit-done/references/planning-config.md +471 -0
- package/get-shit-done/references/project-skills-discovery.md +19 -0
- package/get-shit-done/references/questioning.md +162 -0
- package/get-shit-done/references/revision-loop.md +97 -0
- package/get-shit-done/references/scout-codebase.md +51 -0
- package/get-shit-done/references/skeleton-template.md +48 -0
- package/get-shit-done/references/sketch-interactivity.md +41 -0
- package/get-shit-done/references/sketch-theme-system.md +94 -0
- package/get-shit-done/references/sketch-tooling.md +45 -0
- package/get-shit-done/references/sketch-variant-patterns.md +81 -0
- package/get-shit-done/references/spidr-splitting.md +69 -0
- package/get-shit-done/references/tdd.md +330 -0
- package/get-shit-done/references/thinking-models-debug.md +44 -0
- package/get-shit-done/references/thinking-models-execution.md +50 -0
- package/get-shit-done/references/thinking-models-planning.md +62 -0
- package/get-shit-done/references/thinking-models-research.md +50 -0
- package/get-shit-done/references/thinking-models-verification.md +55 -0
- package/get-shit-done/references/thinking-partner.md +96 -0
- package/get-shit-done/references/ui-brand.md +160 -0
- package/get-shit-done/references/universal-anti-patterns.md +63 -0
- package/get-shit-done/references/user-profiling.md +681 -0
- package/get-shit-done/references/user-story-template.md +58 -0
- package/get-shit-done/references/verification-overrides.md +227 -0
- package/get-shit-done/references/verification-patterns.md +612 -0
- package/get-shit-done/references/verify-mvp-mode.md +85 -0
- package/get-shit-done/references/workstream-flag.md +111 -0
- package/get-shit-done/references/worktree-path-safety.md +89 -0
- package/get-shit-done/templates/AI-SPEC.md +246 -0
- package/get-shit-done/templates/DEBUG.md +169 -0
- package/get-shit-done/templates/README.md +77 -0
- package/get-shit-done/templates/SECURITY.md +61 -0
- package/get-shit-done/templates/UAT.md +265 -0
- package/get-shit-done/templates/UI-SPEC.md +100 -0
- package/get-shit-done/templates/VALIDATION.md +76 -0
- package/get-shit-done/templates/claude-md.md +145 -0
- package/get-shit-done/templates/codebase/architecture.md +255 -0
- package/get-shit-done/templates/codebase/concerns.md +310 -0
- package/get-shit-done/templates/codebase/conventions.md +307 -0
- package/get-shit-done/templates/codebase/integrations.md +280 -0
- package/get-shit-done/templates/codebase/stack.md +186 -0
- package/get-shit-done/templates/codebase/structure.md +285 -0
- package/get-shit-done/templates/codebase/testing.md +480 -0
- package/get-shit-done/templates/config.json +62 -0
- package/get-shit-done/templates/context.md +352 -0
- package/get-shit-done/templates/continue-here.md +78 -0
- package/get-shit-done/templates/copilot-instructions.md +7 -0
- package/get-shit-done/templates/debug-subagent-prompt.md +91 -0
- package/get-shit-done/templates/dev-preferences.md +21 -0
- package/get-shit-done/templates/discovery.md +146 -0
- package/get-shit-done/templates/discussion-log.md +63 -0
- package/get-shit-done/templates/milestone-archive.md +123 -0
- package/get-shit-done/templates/milestone.md +115 -0
- package/get-shit-done/templates/phase-prompt.md +610 -0
- package/get-shit-done/templates/planner-subagent-prompt.md +117 -0
- package/get-shit-done/templates/project.md +186 -0
- package/get-shit-done/templates/requirements.md +231 -0
- package/get-shit-done/templates/research-project/ARCHITECTURE.md +204 -0
- package/get-shit-done/templates/research-project/FEATURES.md +147 -0
- package/get-shit-done/templates/research-project/PITFALLS.md +200 -0
- package/get-shit-done/templates/research-project/STACK.md +120 -0
- package/get-shit-done/templates/research-project/SUMMARY.md +170 -0
- package/get-shit-done/templates/research.md +592 -0
- package/get-shit-done/templates/retrospective.md +54 -0
- package/get-shit-done/templates/roadmap.md +202 -0
- package/get-shit-done/templates/spec.md +307 -0
- package/get-shit-done/templates/state.md +195 -0
- package/get-shit-done/templates/summary-complex.md +59 -0
- package/get-shit-done/templates/summary-minimal.md +41 -0
- package/get-shit-done/templates/summary-standard.md +48 -0
- package/get-shit-done/templates/summary.md +248 -0
- package/get-shit-done/templates/user-profile.md +146 -0
- package/get-shit-done/templates/user-setup.md +311 -0
- package/get-shit-done/templates/verification-report.md +322 -0
- package/get-shit-done/workflows/_runtime-launcher.snippet.sh +1 -0
- package/get-shit-done/workflows/add-backlog.md +91 -0
- package/get-shit-done/workflows/add-phase.md +113 -0
- package/get-shit-done/workflows/add-tests.md +355 -0
- package/get-shit-done/workflows/add-todo.md +161 -0
- package/get-shit-done/workflows/ai-integration-phase.md +295 -0
- package/get-shit-done/workflows/analyze-dependencies.md +96 -0
- package/get-shit-done/workflows/audit-fix.md +178 -0
- package/get-shit-done/workflows/audit-milestone.md +358 -0
- package/get-shit-done/workflows/audit-uat.md +110 -0
- package/get-shit-done/workflows/autonomous.md +795 -0
- package/get-shit-done/workflows/check-todos.md +180 -0
- package/get-shit-done/workflows/cleanup.md +155 -0
- package/get-shit-done/workflows/code-review-fix.md +502 -0
- package/get-shit-done/workflows/code-review.md +656 -0
- package/get-shit-done/workflows/complete-milestone.md +855 -0
- package/get-shit-done/workflows/debug.md +232 -0
- package/get-shit-done/workflows/diagnose-issues.md +241 -0
- package/get-shit-done/workflows/discovery-phase.md +291 -0
- package/get-shit-done/workflows/discuss-phase/modes/advisor.md +176 -0
- package/get-shit-done/workflows/discuss-phase/modes/all.md +28 -0
- package/get-shit-done/workflows/discuss-phase/modes/analyze.md +44 -0
- package/get-shit-done/workflows/discuss-phase/modes/auto.md +57 -0
- package/get-shit-done/workflows/discuss-phase/modes/batch.md +52 -0
- package/get-shit-done/workflows/discuss-phase/modes/chain.md +98 -0
- package/get-shit-done/workflows/discuss-phase/modes/default.md +141 -0
- package/get-shit-done/workflows/discuss-phase/modes/power.md +44 -0
- package/get-shit-done/workflows/discuss-phase/modes/text.md +55 -0
- package/get-shit-done/workflows/discuss-phase/templates/checkpoint.json +18 -0
- package/get-shit-done/workflows/discuss-phase/templates/context.md +136 -0
- package/get-shit-done/workflows/discuss-phase/templates/discussion-log.md +50 -0
- package/get-shit-done/workflows/discuss-phase-assumptions.md +675 -0
- package/get-shit-done/workflows/discuss-phase-power.md +291 -0
- package/get-shit-done/workflows/discuss-phase.md +499 -0
- package/get-shit-done/workflows/do.md +111 -0
- package/get-shit-done/workflows/docs-update.md +1162 -0
- package/get-shit-done/workflows/edit-phase.md +295 -0
- package/get-shit-done/workflows/eval-review.md +156 -0
- package/get-shit-done/workflows/execute-phase/steps/codebase-drift-gate.md +82 -0
- package/get-shit-done/workflows/execute-phase/steps/per-plan-worktree-gate.md +94 -0
- package/get-shit-done/workflows/execute-phase/steps/post-merge-gate.md +117 -0
- package/get-shit-done/workflows/execute-phase.md +1709 -0
- package/get-shit-done/workflows/execute-plan.md +526 -0
- package/get-shit-done/workflows/explore.md +144 -0
- package/get-shit-done/workflows/extract-learnings.md +243 -0
- package/get-shit-done/workflows/fast.md +124 -0
- package/get-shit-done/workflows/forensics.md +279 -0
- package/get-shit-done/workflows/graduation.md +196 -0
- package/get-shit-done/workflows/health.md +224 -0
- package/get-shit-done/workflows/help/modes/brief.md +22 -0
- package/get-shit-done/workflows/help/modes/default.md +50 -0
- package/get-shit-done/workflows/help/modes/full.md +784 -0
- package/get-shit-done/workflows/help/modes/topic.md +74 -0
- package/get-shit-done/workflows/help.md +24 -0
- package/get-shit-done/workflows/import.md +254 -0
- package/get-shit-done/workflows/inbox.md +387 -0
- package/get-shit-done/workflows/ingest-docs.md +339 -0
- package/get-shit-done/workflows/insert-phase.md +152 -0
- package/get-shit-done/workflows/list-phase-assumptions.md +178 -0
- package/get-shit-done/workflows/list-workspaces.md +57 -0
- package/get-shit-done/workflows/manager.md +393 -0
- package/get-shit-done/workflows/map-codebase.md +444 -0
- package/get-shit-done/workflows/milestone-summary.md +224 -0
- package/get-shit-done/workflows/mvp-phase.md +222 -0
- package/get-shit-done/workflows/new-milestone.md +635 -0
- package/get-shit-done/workflows/new-project.md +1555 -0
- package/get-shit-done/workflows/new-workspace.md +240 -0
- package/get-shit-done/workflows/next.md +299 -0
- package/get-shit-done/workflows/node-repair.md +92 -0
- package/get-shit-done/workflows/note.md +158 -0
- package/get-shit-done/workflows/pause-work.md +244 -0
- package/get-shit-done/workflows/plan-milestone-gaps.md +281 -0
- package/get-shit-done/workflows/plan-phase.md +1809 -0
- package/get-shit-done/workflows/plan-review-convergence.md +346 -0
- package/get-shit-done/workflows/plant-seed.md +230 -0
- package/get-shit-done/workflows/pr-branch.md +157 -0
- package/get-shit-done/workflows/profile-user.md +453 -0
- package/get-shit-done/workflows/progress.md +699 -0
- package/get-shit-done/workflows/quick.md +1039 -0
- package/get-shit-done/workflows/reapply-patches.md +426 -0
- package/get-shit-done/workflows/remove-phase.md +156 -0
- package/get-shit-done/workflows/remove-workspace.md +108 -0
- package/get-shit-done/workflows/resume-project.md +332 -0
- package/get-shit-done/workflows/review.md +623 -0
- package/get-shit-done/workflows/scan.md +105 -0
- package/get-shit-done/workflows/secure-phase.md +180 -0
- package/get-shit-done/workflows/session-report.md +146 -0
- package/get-shit-done/workflows/settings-advanced.md +620 -0
- package/get-shit-done/workflows/settings-integrations.md +312 -0
- package/get-shit-done/workflows/settings.md +552 -0
- package/get-shit-done/workflows/ship.md +356 -0
- package/get-shit-done/workflows/sketch-wrap-up.md +286 -0
- package/get-shit-done/workflows/sketch.md +361 -0
- package/get-shit-done/workflows/spec-phase.md +262 -0
- package/get-shit-done/workflows/spike-wrap-up.md +307 -0
- package/get-shit-done/workflows/spike.md +453 -0
- package/get-shit-done/workflows/stats.md +80 -0
- package/get-shit-done/workflows/sync-skills.md +182 -0
- package/get-shit-done/workflows/thread.md +222 -0
- package/get-shit-done/workflows/transition.md +694 -0
- package/get-shit-done/workflows/ui-phase.md +328 -0
- package/get-shit-done/workflows/ui-review.md +193 -0
- package/get-shit-done/workflows/ultraplan-phase.md +199 -0
- package/get-shit-done/workflows/undo.md +314 -0
- package/get-shit-done/workflows/update.md +443 -0
- package/get-shit-done/workflows/validate-phase.md +179 -0
- package/get-shit-done/workflows/verify-phase.md +544 -0
- package/get-shit-done/workflows/verify-work.md +781 -0
- package/hooks/dist/gsd-check-update-worker.js +95 -0
- package/hooks/dist/gsd-check-update.js +64 -0
- package/hooks/dist/gsd-context-monitor.js +195 -0
- package/hooks/dist/gsd-graphify-update.sh +158 -0
- package/hooks/dist/gsd-phase-boundary.sh +47 -0
- package/hooks/dist/gsd-prompt-guard.js +97 -0
- package/hooks/dist/gsd-read-guard.js +101 -0
- package/hooks/dist/gsd-read-injection-scanner.js +203 -0
- package/hooks/dist/gsd-session-state.sh +59 -0
- package/hooks/dist/gsd-statusline.js +548 -0
- package/hooks/dist/gsd-update-banner.js +134 -0
- package/hooks/dist/gsd-validate-commit.sh +57 -0
- package/hooks/dist/gsd-workflow-guard.js +166 -0
- package/hooks/dist/lib/git-cmd.js +150 -0
- package/hooks/dist/lib/gsd-graphify-rebuild.sh +65 -0
- package/hooks/gsd-check-update-worker.js +95 -0
- package/hooks/gsd-check-update.js +64 -0
- package/hooks/gsd-context-monitor.js +195 -0
- package/hooks/gsd-graphify-update.sh +158 -0
- package/hooks/gsd-phase-boundary.sh +47 -0
- package/hooks/gsd-prompt-guard.js +97 -0
- package/hooks/gsd-read-guard.js +101 -0
- package/hooks/gsd-read-injection-scanner.js +203 -0
- package/hooks/gsd-session-state.sh +59 -0
- package/hooks/gsd-statusline.js +548 -0
- package/hooks/gsd-update-banner.js +134 -0
- package/hooks/gsd-validate-commit.sh +57 -0
- package/hooks/gsd-workflow-guard.js +166 -0
- package/hooks/lib/git-cmd.js +150 -0
- package/hooks/lib/gsd-graphify-rebuild.sh +65 -0
- package/hooks/managed-hooks-registry.cjs +34 -0
- package/package.json +102 -0
- package/scripts/affected-tests-lib.cjs +541 -0
- package/scripts/audit-workflow-script-paths.cjs +73 -0
- package/scripts/base64-scan.sh +339 -0
- package/scripts/build-hooks.js +236 -0
- package/scripts/changeset/README.md +129 -0
- package/scripts/changeset/cli.cjs +392 -0
- package/scripts/changeset/github-release-notes.cjs +199 -0
- package/scripts/changeset/lint.cjs +110 -0
- package/scripts/changeset/new.cjs +137 -0
- package/scripts/changeset/parse.cjs +114 -0
- package/scripts/changeset/render.cjs +34 -0
- package/scripts/changeset/serialize.cjs +130 -0
- package/scripts/check-alias-drift.cjs +108 -0
- package/scripts/check-env.cjs +302 -0
- package/scripts/check-npm-integrity.cjs +209 -0
- package/scripts/ci-guard-runner.cjs +16 -0
- package/scripts/ci-prepare-test-scope.cjs +46 -0
- package/scripts/ci-rebase-check.cjs +85 -0
- package/scripts/ci-test-scope.cjs +302 -0
- package/scripts/command-contract-helpers.cjs +64 -0
- package/scripts/diff-touches-shipped-paths.cjs +147 -0
- package/scripts/fix-slash-commands.cjs +147 -0
- package/scripts/gen-inventory-manifest.cjs +109 -0
- package/scripts/generate-package-identity.cjs +104 -0
- package/scripts/lint-command-contract.cjs +108 -0
- package/scripts/lint-descriptions.cjs +83 -0
- package/scripts/lint-docs-required.cjs +222 -0
- package/scripts/lint-no-source-grep-extras.cjs +81 -0
- package/scripts/lint-no-source-grep.cjs +174 -0
- package/scripts/lint-package-identity-drift.cjs +141 -0
- package/scripts/lint-pr-check-project-dir.cjs +98 -0
- package/scripts/lint-shared-module-handsync.cjs +388 -0
- package/scripts/lint-shell-command-projection-drift.cjs +57 -0
- package/scripts/lint-skill-deps.cjs +180 -0
- package/scripts/lint-test-file-count.allowlist.json +36 -0
- package/scripts/lint-test-file-count.cjs +190 -0
- package/scripts/pr-template-policy.cjs +268 -0
- package/scripts/prompt-injection-scan.sh +203 -0
- package/scripts/release-tarball-smoke.cjs +627 -0
- package/scripts/run-affected-tests.cjs +6 -0
- package/scripts/run-cross-platform-tests.cjs +63 -0
- package/scripts/run-tests.cjs +282 -0
- package/scripts/secret-scan-lint.sh +231 -0
- package/scripts/secret-scan.sh +358 -0
- package/scripts/setup-branch-protection.sh +236 -0
- package/scripts/shared-module-handsync-allowlist.json +183 -0
- package/scripts/strip-prose-atrefs.cjs +106 -0
- package/scripts/sync-rulesets.sh +34 -0
- package/scripts/sync-runtime-launcher.cjs +402 -0
- package/scripts/test-failure-reasons.cjs +34 -0
- package/scripts/workflow-policy.cjs +450 -0
|
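--- a/package/scripts/secret-scan.sh
+++ b/package/scripts/secret-scan.sh
@@ -0,0 +1,358 @@
+#!/usr/bin/env bash
+# secret-scan.sh — Check files for accidentally committed secrets/credentials
+#
+# Usage:
+# scripts/secret-scan.sh --diff origin/main # CI mode: scan changed files
+# scripts/secret-scan.sh --file path/to/file # Scan a single file
+# scripts/secret-scan.sh --dir agents/ # Scan all files in a directory
+# scripts/secret-scan.sh --diff origin/main --strict # Strict/release mode
+#
+# Flags:
+# --strict Reduced-exclusion mode for release and security-audit CI lanes.
+# Under --strict:
+# - Grandfathered (un-annotated) .secretscanignore entries are
+# treated as FAILURES rather than silently honoured.
+# - Exclusions whose 'expires' date is in the past are ignored
+# (the file IS scanned, not skipped).
+# This flag does not change secret-detection logic — only which
+# exclusions are applied.
+#
+# Exit codes:
+# 0 = clean
+# 1 = findings detected
+# 2 = usage error
+#
+# Annotation format for .secretscanignore (required for --strict compliance):
+# # allow: <pattern> reason="..." owner="..." expires="YYYY-MM-DD" [rule-id="..."]
+# <pattern>
+#
+# Design references:
+# - GitGuardian exclusion annotation convention:
+# https://docs.gitguardian.com/internal-repositories-monitoring/integrations/cli/secrets
+# - CNCF Security TAG threat-model exception lifecycle:
+# https://github.com/cncf/tag-security/blob/main/community/working-groups/threat-modeling/templates/threats.md
+#
+# Periodic reduced-exclusion scan procedure:
+# Run this script with --strict on every release branch and during scheduled
+# security reviews. This mode intentionally skips grandfathered entries and
+# expired exclusions so that accumulated technical debt in the ignore-list
+# cannot permanently hide secrets. See SECURITY.md for the audit runbook.
+set -euo pipefail
+
+# ─── Global mode flag ─────────────────────────────────────────────────────────
+STRICT_MODE=false
+
+# ─── Secret Patterns ─────────────────────────────────────────────────────────
+# Format: "LABEL:::REGEX"
+# Each entry is a human label paired with a POSIX extended regex.
+
+SECRET_PATTERNS=(
+# AWS
+"AWS Access Key:::AKIA[0-9A-Z]{16}"
+"AWS Secret Key:::aws_secret_access_key[[:space:]]*=[[:space:]]*[A-Za-z0-9/+=]{40}"
+
+# OpenAI / Anthropic / AI providers
+"OpenAI API Key:::sk-[A-Za-z0-9]{20,}"
+"Anthropic API Key:::sk-ant-[A-Za-z0-9_-]{20,}"
+
+# GitHub
+"GitHub PAT:::ghp_[A-Za-z0-9]{36}"
+"GitHub OAuth:::gho_[A-Za-z0-9]{36}"
+"GitHub App Token:::ghs_[A-Za-z0-9]{36}"
+"GitHub Fine-grained PAT:::github_pat_[A-Za-z0-9_]{20,}"
+
+# Stripe
+"Stripe Secret Key:::sk_live_[A-Za-z0-9]{24,}"
+"Stripe Publishable Key:::pk_live_[A-Za-z0-9]{24,}"
+
+# Generic patterns
+"Private Key Header:::-----BEGIN[[:space:]]+(RSA|EC|DSA|OPENSSH)?[[:space:]]*PRIVATE[[:space:]]+KEY-----"
+"Generic API Key Assignment:::api[_-]?key[[:space:]]*[:=][[:space:]]*['\"][A-Za-z0-9_-]{20,}['\"]"
+"Generic Secret Assignment:::secret[[:space:]]*[:=][[:space:]]*['\"][A-Za-z0-9_-]{20,}['\"]"
+"Generic Token Assignment:::token[[:space:]]*[:=][[:space:]]*['\"][A-Za-z0-9_-]{20,}['\"]"
+"Generic Password Assignment:::password[[:space:]]*[:=][[:space:]]*['\"][^'\"]{8,}['\"]"
+
+# Slack
+"Slack Bot Token:::xoxb-[0-9]{10,}-[A-Za-z0-9]{20,}"
+"Slack Webhook:::hooks\.slack\.com/services/T[A-Z0-9]{8,}/B[A-Z0-9]{8,}/[A-Za-z0-9]{24}"
+
+# Google
+"Google API Key:::AIza[A-Za-z0-9_-]{35}"
+
+# NPM
+"NPM Token:::npm_[A-Za-z0-9]{36}"
+
+# .env file content (key=value with sensitive-looking keys)
+"Env Variable Leak:::(DATABASE_URL|DB_PASSWORD|REDIS_URL|MONGO_URI|JWT_SECRET|SESSION_SECRET|ENCRYPTION_KEY)[[:space:]]*=[[:space:]]*[^[:space:]]{8,}"
+)
+
+# ─── Ignorelist ──────────────────────────────────────────────────────────────
+#
+# Entries in IGNORED_FILES are loaded from .secretscanignore.
+# In --strict mode, only fully-annotated entries with a future 'expires' date
+# are loaded. Grandfathered entries and expired entries are skipped (the
+# corresponding files ARE scanned, not excluded).
+#
+# Annotation format (structured comment must immediately precede the path):
+# # allow: <pattern> reason="..." owner="..." expires="YYYY-MM-DD" [rule-id="..."]
+# <pattern>
+#
+# Entries without a structured annotation are grandfathered:
+# - Default mode: accepted (file excluded), deprecation warning emitted
+# - Strict mode: rejected (file scanned, no exclusion applied)
+
+IGNOREFILE=".secretscanignore"
+IGNORED_FILES=()
+
+# Returns value of key="value" annotation pair from a string
+_extract_annotation_key() {
+local str="$1"
+local key="$2"
+echo "$str" | grep -oE "${key}=['\"][^'\"]+['\"]" | head -1 | sed "s/${key}=['\"]//;s/['\"]$//" || true
+}
+
+# Returns today as YYYY-MM-DD
+_today() {
+date +%Y-%m-%d
+}
+
+# Returns 0 (true) if a date string YYYY-MM-DD is strictly in the past
+_date_is_past() {
+local d="$1"
+[[ "$d" < "$(_today)" ]]
+}
+
+load_ignorelist() {
+if [[ ! -f "$IGNOREFILE" ]]; then
+return
+fi
+
+local prev_comment=""
+
+while IFS= read -r line || [[ -n "$line" ]]; do
+# Empty line resets context
+if [[ -z "${line// }" ]]; then
+prev_comment=""
+continue
+fi
+
+# Accumulate comment
+if [[ "$line" =~ ^[[:space:]]*# ]]; then
+prev_comment="$line"
+continue
+fi
+
+# This is a path entry
+local pattern="$line"
+
+# Determine if preceding comment is a structured annotation
+local is_structured=false
+if [[ "$prev_comment" =~ ^#[[:space:]]+allow:[[:space:]] ]]; then
+is_structured=true
+fi
+
+if [[ "$is_structured" == true ]]; then
+# Parse structured annotation
+local expires
+expires=$(_extract_annotation_key "$prev_comment" "expires")
+
+if [[ -n "$expires" ]] && _date_is_past "$expires"; then
+# Expired exclusion — never apply, regardless of mode
+echo "secret-scan: WARNING: exclusion '$pattern' has expired (expires=$expires) — entry ignored" >&2
+prev_comment=""
+continue
+fi
+
+# Valid structured annotation — always apply
+IGNORED_FILES+=("$pattern")
+
+else
+# Grandfathered (plain comment or no comment)
+if [[ "$STRICT_MODE" == true ]]; then
+# Strict mode: do NOT apply grandfathered exclusion
+echo "secret-scan: WARNING (--strict): grandfathered exclusion '$pattern' not applied" >&2
+else
+# Default mode: apply but warn
+echo "secret-scan: DEPRECATION WARNING: '$pattern' has no structured annotation — grandfather applied" >&2
+echo " Migrate to: # allow: $pattern reason=\"...\" owner=\"...\" expires=\"YYYY-MM-DD\"" >&2
+IGNORED_FILES+=("$pattern")
+fi
+fi
+
+prev_comment=""
+done < "$IGNOREFILE"
+}
+
+is_ignored() {
+local file="$1"
+if [[ ${#IGNORED_FILES[@]} -eq 0 ]]; then
+return 1
+fi
+for pattern in "${IGNORED_FILES[@]}"; do
+# Support glob-style matching
+# shellcheck disable=SC2254
+case "$file" in
+$pattern) return 0 ;;
+esac
+done
+return 1
+}
+
+# ─── Skip Rules ──────────────────────────────────────────────────────────────
+
+should_skip_file() {
+local file="$1"
+# Skip binary files
+case "$file" in
+*.png|*.jpg|*.jpeg|*.gif|*.ico|*.woff|*.woff2|*.ttf|*.eot|*.otf) return 0 ;;
+*.zip|*.tar|*.gz|*.bz2|*.xz|*.7z) return 0 ;;
+*.pdf|*.doc|*.docx|*.xls|*.xlsx) return 0 ;;
+esac
+# Skip lockfiles and node_modules
+case "$file" in
+*/node_modules/*) return 0 ;;
+*/package-lock.json) return 0 ;;
+*/yarn.lock) return 0 ;;
+*/pnpm-lock.yaml) return 0 ;;
+esac
+# Skip the scan scripts themselves and test files
+case "$file" in
+*/secret-scan.sh) return 0 ;;
+*/secret-scan-lint.test.cjs) return 0 ;;
+*/security-scan.test.cjs) return 0 ;;
+*/security-prompt-injection.test.cjs) return 0 ;;
+tests/fixtures/adversarial/security/*|*/tests/fixtures/adversarial/security/*) return 0 ;;
+esac
+return 1
+}
+
+# ─── File Collection ─────────────────────────────────────────────────────────
+
+collect_files() {
+local mode="$1"
+shift
+
+case "$mode" in
+--diff)
+local base="${1:-origin/main}"
+git diff --name-only --diff-filter=ACMR "$base"...HEAD 2>/dev/null \
+| grep -vE '\.(png|jpg|jpeg|gif|ico|woff|woff2|ttf|eot|otf|zip|tar|gz|pdf)$' || true
+;;
+--file)
+if [[ -f "$1" ]]; then
+echo "$1"
+else
+echo "Error: file not found: $1" >&2
+exit 2
+fi
+;;
+--dir)
+local dir="$1"
+if [[ ! -d "$dir" ]]; then
+echo "Error: directory not found: $dir" >&2
+exit 2
+fi
+find "$dir" -type f ! -path '*/node_modules/*' ! -path '*/.git/*' ! -path '*/dist/*' \
+! -name '*.png' ! -name '*.jpg' ! -name '*.gif' ! -name '*.woff*' 2>/dev/null || true
+;;
+--stdin)
+cat
+;;
+*)
+echo "Usage: $0 --diff [base] | --file <path> | --dir <path> | --stdin" >&2
+exit 2
+;;
+esac
+}
+
+# ─── Scanner ─────────────────────────────────────────────────────────────────
+
+scan_file() {
+local file="$1"
+local found=0
+
+if is_ignored "$file"; then
+return 0
+fi
+
+for entry in "${SECRET_PATTERNS[@]}"; do
+local label="${entry%%:::*}"
+local pattern="${entry#*:::}"
+
+local matches
+matches=$(grep -nE -e "$pattern" "$file" 2>/dev/null || true)
+if [[ -n "$matches" ]]; then
+if [[ $found -eq 0 ]]; then
+echo "FAIL: $file"
+found=1
+fi
+echo "$matches" | while IFS= read -r line; do
+echo " [$label] $line"
+done
+fi
+done
+
+return $found
+}
+
+# ─── Main ────────────────────────────────────────────────────────────────────
+
+main() {
+if [[ $# -eq 0 ]]; then
+echo "Usage: $0 --diff [base] | --file <path> | --dir <path> [--strict]" >&2
+exit 2
+fi
+
+# Parse --strict flag first (may appear anywhere in argv)
+local remaining_args=()
+for arg in "$@"; do
+if [[ "$arg" == "--strict" ]]; then
+STRICT_MODE=true
+else
+remaining_args+=("$arg")
+fi
+done
+set -- "${remaining_args[@]}"
+
+if [[ $# -eq 0 ]]; then
+echo "Usage: $0 --diff [base] | --file <path> | --dir <path> [--strict]" >&2
+exit 2
+fi
+
+load_ignorelist
+
+local mode="$1"
+shift
+
+local files
+files=$(collect_files "$mode" "$@")
+
+if [[ -z "$files" ]]; then
+echo "secret-scan: no files to scan"
+exit 0
+fi
+
+local total=0
+local failed=0
+
+while IFS= read -r file; do
+[[ -z "$file" ]] && continue
+if should_skip_file "$file"; then
+continue
+fi
+total=$((total + 1))
+if ! scan_file "$file"; then
+failed=$((failed + 1))
+fi
+done <<< "$files"
+
+echo ""
+echo "secret-scan: scanned $total files, $failed with findings"
+
+if [[ $failed -gt 0 ]]; then
+exit 1
+fi
+exit 0
+}
+
+main "$@"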
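Review bot: In load_ignorelist a `# allow:` annotation becomes a permanent exclusion whenever `expires` is absent or is not a YYYY-MM-DD value (e.g. `expires="never"`), because the only gate is `[[ -n "$expires" ]] && _date_is_past "$expires"` and `_date_is_past` is a plain lexical string comparison; this contradicts the header's promise that --strict loads only entries with a future expiry, so one careless or malicious ignore-list line can hide a file indefinitely even on the release lane. Validate the date format before accepting the entry and, under --strict, treat a missing or malformed `expires` the same way as a grandfathered entry (warn, do not apply); `reason` and `owner` could be required with the same `_extract_annotation_key` check. Separately, scan_file prints the whole matching line (`echo " [$label] $line"`), which copies the candidate secret into CI logs and artifacts — reporting only the line number, `echo " [$label] line ${line%%:*}"`, keeps the finding actionable without re-disclosing it. Also, in --diff mode a git failure (for instance an unfetched `origin/main` in a shallow CI clone) is masked by `2>/dev/null … || true`, so the run prints "no files to scan" and exits 0, i.e. fails open; a `git rev-parse --verify "$base" >/dev/null 2>&1 || { echo "Error: unknown base ref: $base" >&2; exit 2; }` before the diff makes that path fail closed.
```shell
expires=$(_extract_annotation_key "$prev_comment" "expires")

# Only a real YYYY-MM-DD value is a time-boxed exception; a missing or
# free-form 'expires' must never turn into a permanent exclusion.
if [[ ! "$expires" =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}$ ]]; then
  if [[ "$STRICT_MODE" == true ]]; then
    echo "secret-scan: WARNING (--strict): exclusion '$pattern' has missing/malformed expires=\"$expires\" — not applied" >&2
    prev_comment=""
    continue
  fi
  echo "secret-scan: DEPRECATION WARNING: exclusion '$pattern' has missing/malformed expires=\"$expires\" — applied in default mode only" >&2
fi
# … unchanged: expired-entry check, IGNORED_FILES+=("$pattern") …
```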
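--- a/package/scripts/setup-branch-protection.sh
+++ b/package/scripts/setup-branch-protection.sh
@@ -0,0 +1,236 @@
+#!/usr/bin/env bash
+# setup-branch-protection.sh
+#
+# Apply branch protection rules to `main` and `next` for the GSD repo.
+# Idempotent — run as many times as you like. Re-running brings the live
+# rules back to what this script declares, so the script IS the source of
+# truth for branch protection.
+#
+# Usage:
+# bash scripts/setup-branch-protection.sh # apply both
+# bash scripts/setup-branch-protection.sh main # apply only main
+# bash scripts/setup-branch-protection.sh next # apply only next
+# DRY_RUN=1 bash scripts/setup-branch-protection.sh # show payloads, don't apply
+#
+# Requirements:
+# - gh CLI authenticated against open-gsd/gsd-core with admin scope
+# - jq installed
+#
+# What it sets:
+#
+# main (strict — production):
+# - 2 required approving reviews
+# - dismiss stale reviews on push
+# - require code-owner review when CODEOWNERS applies
+# - all required status checks must pass (defined in REQUIRED_CHECKS_MAIN below)
+# - require branches to be up to date before merging (ON — `main` is production)
+# - require linear history (OFF — release back-merges use merge commits)
+# - require conversation resolution
+# - require signed commits
+# - block force-push and deletion
+# - admins included
+#
+# next (loose — integration):
+# - 1 required approving review
+# - dismiss stale reviews on push
+# - require code-owner review when CODEOWNERS applies
+# - all required status checks must pass (defined in REQUIRED_CHECKS_NEXT below)
+# - require branches to be up to date before merging (OFF — this is the whole point)
+# - require linear history (OFF — auto-backmerge from main needs merge commits
+# to preserve the link from next's history to main's release tags;
+# feature PRs still squash-merge by repo merge-strategy setting)
+# - require conversation resolution
+# - require signed commits (OFF on next — easier for contributors)
+# - block force-push and deletion
+# - admins included
+#
+# See: docs/adr/XXXX-introduce-next-integration-branch.md
+# See: docs/branching.md
+
+set -euo pipefail
+
+REPO="${REPO:-open-gsd/gsd-core}"
+DRY_RUN="${DRY_RUN:-0}"
+
+# Required status checks. Adjust as your CI suite evolves.
+# The names must match the JOB NAME (not the workflow name) that GitHub
+# records — check existing PRs to confirm.
+REQUIRED_CHECKS_MAIN=(
+"test"
+"install-smoke"
+"security-scan"
+"Changeset Required / changeset-lint"
+"Docs Required / docs-lint"
+"PR Gate / size-check"
+"Validate Branch Name / check-branch"
+)
+
+REQUIRED_CHECKS_NEXT=(
+"test"
+"PR Gate / size-check"
+"Validate Branch Name / check-branch"
+"Changeset Required / changeset-lint"
+"Docs Required / docs-lint"
+"PR Target Validator / validate-target"
+)
+
+require_cmd() {
+command -v "$1" >/dev/null 2>&1 || {
+echo "ERROR: missing required command: $1" >&2
+exit 1
+}
+}
+
+require_cmd gh
+require_cmd jq
+
+verify_auth() {
+if ! gh auth status >/dev/null 2>&1; then
+echo "ERROR: gh CLI is not authenticated. Run 'gh auth login' first." >&2
+exit 1
+fi
+}
+
+build_payload() {
+local branch="$1"
+shift
+local checks_array=("$@")
+
+# Branch-specific knobs.
+local approvals require_up_to_date linear_history signed_commits
+case "$branch" in
+main)
+approvals=2
+require_up_to_date=true
+linear_history=false
+signed_commits=true
+;;
+next)
+approvals=1
+require_up_to_date=false
+# linear_history=false: auto-backmerge from main needs merge commits to
+# preserve the link to release tags. Feature PRs still produce one
+# commit each via repo-level "squash and merge" default — that gives
+# us a clean log without enforcing linearity at the protection layer.
+linear_history=false
+signed_commits=false
+;;
+*)
+echo "ERROR: unknown branch '$branch'" >&2
+exit 1
+;;
+esac
+
+# Build the contexts array via jq for safe quoting.
+local contexts_json
+contexts_json=$(printf '%s\n' "${checks_array[@]}" | jq -R . | jq -s .)
+
+jq -n \
+--argjson contexts "$contexts_json" \
+--argjson approvals "$approvals" \
+--argjson require_up_to_date "$require_up_to_date" \
+--argjson linear_history "$linear_history" \
+--argjson signed_commits "$signed_commits" \
+'{
+required_status_checks: {
+strict: $require_up_to_date,
+contexts: $contexts
+},
+enforce_admins: true,
+required_pull_request_reviews: {
+dismiss_stale_reviews: true,
+require_code_owner_reviews: true,
+required_approving_review_count: $approvals,
+require_last_push_approval: false
+},
+restrictions: null,
+required_linear_history: $linear_history,
+allow_force_pushes: false,
+allow_deletions: false,
+required_conversation_resolution: true,
+required_signatures: $signed_commits,
+lock_branch: false,
+allow_fork_syncing: true
+}'
+}
+
+apply_protection() {
+local branch="$1"
+local checks_var_name
+if [ "$branch" = "main" ]; then
+checks_var_name="REQUIRED_CHECKS_MAIN"
+else
+checks_var_name="REQUIRED_CHECKS_NEXT"
+fi
+
+# Expand the array indirectly (bash 3 compatible — macOS default).
+eval "local checks=(\"\${${checks_var_name}[@]}\")"
+
+local payload
+payload=$(build_payload "$branch" "${checks[@]}")
+
+echo "──────────────────────────────────────────"
+echo "Branch: $branch"
+echo "Required checks (${#checks[@]}):"
+printf ' - %s\n' "${checks[@]}"
+echo "──────────────────────────────────────────"
+
+if [ "$DRY_RUN" = "1" ]; then
+echo "[DRY RUN] Would PUT to /repos/${REPO}/branches/${branch}/protection:"
+echo "$payload" | jq .
+return 0
+fi
+
+echo "Applying branch protection..."
+echo "$payload" | gh api \
+-X PUT \
+-H "Accept: application/vnd.github+json" \
+-H "X-GitHub-Api-Version: 2022-11-28" \
+--input - \
+"/repos/${REPO}/branches/${branch}/protection" \
+>/dev/null
+echo "✓ Protection rules applied to $branch."
+}
+
+ensure_branch_exists() {
+local branch="$1"
+if ! gh api "/repos/${REPO}/branches/${branch}" >/dev/null 2>&1; then
+echo "ERROR: branch '$branch' does not exist in $REPO." >&2
+if [ "$branch" = "next" ]; then
+cat <<EOF >&2
+
+Create the next branch first:
+git checkout main && git pull --ff-only
+git checkout -b next && git push -u origin next
+
+Then re-run this script.
+EOF
+fi
+exit 1
+fi
+}
+
+main() {
+verify_auth
+
+local targets=()
+if [ $# -eq 0 ]; then
+targets=(main next)
+else
+targets=("$@")
+fi
+
+for branch in "${targets[@]}"; do
+if [ "$branch" != "main" ] && [ "$branch" != "next" ]; then
+echo "ERROR: unsupported branch '$branch'. Use 'main' or 'next'." >&2
+exit 1
+fi
+ensure_branch_exists "$branch"
+apply_protection "$branch"
+done
+
+echo ""
+echo "Done. To verify: gh api /repos/${REPO}/branches/<branch>/protection | jq ."
+}
+
+main "$@"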
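Review bot: build_payload submits the required checks as bare `contexts`, which GitHub matches by name only, so any commit status or check run called "security-scan" or "test" — posted by a different app, or by a write-access user via the statuses API — satisfies the gate without the workflow ever running; for a branch whose header calls it "strict — production" that is the weakest link in the whole policy. The REST API's `contexts` field is deprecated in favour of `checks`, whose entries can be pinned to the producing app: `contexts_json=$(printf '%s\n' "${checks_array[@]}" | jq -R '{context: ., app_id: 15368}' | jq -s .)` together with `required_status_checks: { strict: $require_up_to_date, checks: $contexts }` (15368 is the GitHub Actions app id at the time of writing — confirm with `gh api /apps/github-actions --jq .id` before relying on it). Relatedly, `require_last_push_approval: false` on `main` lets a collaborator who pushes the final commit to someone else's PR also supply an approval that counts, which `dismiss_stale_reviews` does not prevent; `true` for main would close that gap. Since `REPO` is taken from the environment and the PUT replaces the entire protection object, printing the resolved `$REPO` and requiring an explicit confirmation (or a `--yes` flag) before the non-dry-run PUT is a cheap guard against re-targeting another repository the token can administer.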