bootproof 0.1.0 → 0.3.0

@@ -0,0 +1,178 @@
1
+ # Repair Receipts
2
+
3
+ `bootproof fix` treats the normal BootProof verdict as an oracle. A signature-valid failed attestation is reused only when it identifies the exact current clean Git commit. Otherwise BootProof reproduces the failed run in a temporary copy. It applies one deterministic registered remediation there and reruns full verification.
4
+
5
+ No receipt is emitted unless both statements are signed evidence:
6
+
7
+ - before: the sandbox run failed with a classified failure
8
+ - after: the remediated sandbox run observed successful HTTP health
9
+
10
+ `bootproof fix` does not edit the original repository. A human may review the patch written under `.bootproof/` and explicitly invoke `bootproof apply-repair`.
11
+
12
+ ## Schema
13
+
14
+ ```text
15
+ bootproof/repair-receipt/v1
16
+ ```
17
+
18
+ ```json
19
+ {
20
+ "schema": "bootproof/repair-receipt/v1",
21
+ "tool": "bootproof@0.3.0",
22
+ "repo": {
23
+ "remote": null,
24
+ "commit": null,
25
+ "dirty": null
26
+ },
27
+ "environment": {
28
+ "os": "darwin 25.4.0",
29
+ "arch": "arm64",
30
+ "node": "v22.0.0"
31
+ },
32
+ "failure": {
33
+ "class": "service_port_allocated",
34
+ "beforeAttestationSha256": "..."
35
+ },
36
+ "repair": {
37
+ "id": "remap-conflicting-service-port",
38
+ "kind": "plan-step",
39
+ "description": "...",
40
+ "diff": null,
41
+ "filesChanged": [
42
+ "docker-compose.bootproof.override.yml"
43
+ ],
44
+ "fileChanges": [
45
+ {
46
+ "path": "docker-compose.bootproof.override.yml",
47
+ "beforeSha256": null,
48
+ "afterSha256": "...",
49
+ "beforeContent": null,
50
+ "afterContent": "..."
51
+ }
52
+ ],
53
+ "preconditions": [
54
+ {
55
+ "path": "docker-compose.yml",
56
+ "sha256": "..."
57
+ }
58
+ ],
59
+ "planDelta": "...",
60
+ "envDelta": null
61
+ },
62
+ "verification": {
63
+ "before": {
64
+ "booted": false,
65
+ "failureClass": "service_port_allocated",
66
+ "attestationSha256": "..."
67
+ },
68
+ "after": {
69
+ "booted": true,
70
+ "healthObservation": "HTTP 200 at http://localhost:4000/",
71
+ "attestationSha256": "..."
72
+ }
73
+ },
74
+ "startedAt": "...",
75
+ "finishedAt": "...",
76
+ "signer": {
77
+ "publicKey": "...",
78
+ "algorithm": "ed25519"
79
+ },
80
+ "signature": "..."
81
+ }
82
+ ```
83
+
84
+ The receipt uses the same Ed25519 canonical-body pattern as attestations: `signer` and `signature` are excluded from the signed body. Tampering with the repair, before result, or after result invalidates verification.
85
+
86
+ `beforeAttestationSha256` and both verification hashes are SHA-256 hashes of the corresponding attestation JSON objects.
87
+
88
+ `fileChanges` is a signed application manifest. It contains only allowlisted boot-plumbing files and binds the expected preimage and verified after-content to SHA-256 hashes. `preconditions` binds read-only source inputs, such as the repository Compose file from which a repaired copy was derived.
89
+
90
+ ## Result Interface
91
+
92
+ ```bash
93
+ bootproof fix . --json
94
+ ```
95
+
96
+ emits exactly one:
97
+
98
+ ```text
99
+ bootproof/repair-result/v1
100
+ ```
101
+
102
+ Exit `0` means a signed repair receipt was produced after observed HTTP health. Every unknown, inapplicable, failed, or unverified remediation exits `1`.
103
+
104
+ `bootproof fix . --dry-run` executes nothing, writes nothing, and produces no proof.
105
+
106
+ Local sandbox execution still requires:
107
+
108
+ ```bash
109
+ bootproof fix . --provider local --unsafe-local
110
+ ```
111
+
112
+ Remote repair accepts credential-free public HTTPS repositories from GitHub, GitLab, Bitbucket, and Codeberg and keeps all evidence in the retained clone:
113
+
114
+ ```bash
115
+ bootproof fix https://github.com/user/repo --provider local --unsafe-local
116
+ ```
117
+
118
+ Cloning is not execution consent. The existing local execution acknowledgement remains mandatory.
119
+
120
+ ## Explicit Application
121
+
122
+ Repair generation and repair application are separate operations:
123
+
124
+ ```bash
125
+ bootproof apply-repair .
126
+ ```
127
+
128
+ Application exits `0` only after all signed file changes are written and re-hashed. It writes nothing when:
129
+
130
+ - the receipt signature is invalid
131
+ - a path is outside the repair allowlist
132
+ - signed content hashes are inconsistent
133
+ - a signed read-only repair prerequisite changed
134
+ - the current file preimage differs from the verified preimage
135
+ - the receipt is environment-only or plan-only
136
+
137
+ `bootproof apply-repair . --dry-run` writes nothing. No repair is ever auto-applied by `bootproof fix`.
138
+
139
+ ## v0.3 Registry
140
+
141
+ | Failure class | Deterministic remediation |
142
+ |---|---|
143
+ | `service_port_allocated` | Remap a BootProof-generated Compose host port, or create a complete BootProof-owned repaired Compose copy beside the repository file without editing it. |
144
+ | `package_manager_version_mismatch` | Run the exact declared `corepack prepare <manager>@<version> --activate` command in the sandbox. |
145
+ | `migrations_missing` | Select one exact migration framework from repository markers plus preserved evidence: Prisma, Django, Rails, Knex, or Drizzle. Ambiguous matches refuse instead of guessing. |
146
+
147
+ There are no LLM calls in the repair registry.
148
+
149
+ Local host execution still requires `--unsafe-local`, and `fix` never auto-applies a repair. These are honesty boundaries. The separate application command exists so mutation is deliberate and independently verified.
150
+
151
+ ## Files
152
+
153
+ Successful repair output is kept in the original repository's BootProof output directory:
154
+
155
+ ```text
156
+ .bootproof/attestation.json
157
+ .bootproof/repair-receipt.json
158
+ .bootproof/repair-after-attestation.json
159
+ .bootproof/repair-<id>.patch
160
+ ```
161
+
162
+ The patch is present only when the repair produced a repository or repaired-Compose file change. Plan-only and environment-only repairs may have no patch.
163
+
164
+ The after attestation is retained so its signature and receipt hash can be inspected independently. Sandbox paths in that attestation describe where verification actually occurred.
165
+
166
+ ## Allowed Scope
167
+
168
+ Repair file changes are hard-limited to:
169
+
170
+ - `package.json`, and only its `engines` or `packageManager` keys
171
+ - lockfiles
172
+ - `*.bootproof.*` files
173
+ - `.env*.example` files
174
+ - Compose override files created by BootProof
175
+
176
+ Application source is outside repair scope. A remediation that attempts to edit it throws an honesty-contract violation.
177
+
178
+ Repository Compose repair files are complete copies invoked directly. They do not rely on the version-specific `!override` merge tag, and they are written beside the source Compose file so relative build contexts keep the same base directory.
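Review bot: The signing paragraph ("`signer` and `signature` are excluded from the signed body") never says which public key a verifier is supposed to trust. Because `signer.publicKey` travels inside the receipt and sits outside the signed body, checking the signature against the embedded key only shows the receipt is self-consistent, not that an expected signer produced it. Please document where the trusted key comes from when `bootproof apply-repair` validates a receipt (a pinned local key, a fingerprint comparison, or similar) and add an unexpected signer key to the list of conditions under which application writes nothing. Separately, the schema example shows `repo.commit` and `repo.dirty` as `null` while the opening paragraph requires an exact current clean Git commit for attestation reuse; a sentence on when these fields are `null` would remove the ambiguity.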
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "bootproof",
3
- "version": "0.1.0",
3
+ "version": "0.3.0",
4
4
  "description": "The honest run button for repos. Boots unfamiliar code when it safely can, tells the truth when it cannot, and signs proof of what happened.",
5
5
  "license": "Apache-2.0",
6
6
  "type": "module",
@@ -20,7 +20,7 @@
20
20
  "pack:check": "node scripts/pack-smoke.mjs",
21
21
  "release:check": "npm test && npm run build && npm run pack:check && npm publish --dry-run",
22
22
  "lint": "tsc -p tsconfig.json --noEmit",
23
- "test": "npm run build && node --test tests/*.test.mjs",
23
+ "test": "npm run build && node --test tests/unit.test.mjs tests/e2e.test.mjs",
24
24
  "ci": "npm run lint && npm run test"
25
25
  },
26
26
  "repository": {
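Review bot: Replacing the glob `tests/*.test.mjs` with the explicit list `tests/unit.test.mjs tests/e2e.test.mjs` in the `test` script means any other `*.test.mjs` file under `tests/` is silently skipped by `npm test`, and therefore by `ci` and `release:check`, which both call it. If a file is being excluded on purpose, say which one and why in the change description or move it out of `tests/`; otherwise keep the glob so that new test files for the repair and apply-repair paths run without anyone having to remember to edit this line.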
@@ -48,5 +48,8 @@
48
48
  "bugs": {
49
49
  "url": "https://github.com/rossbuckley1990-hash/bootproof/issues"
50
50
  },
51
- "homepage": "https://github.com/rossbuckley1990-hash/bootproof#readme"
51
+ "homepage": "https://github.com/rossbuckley1990-hash/bootproof#readme",
52
+ "dependencies": {
53
+ "yaml": "^2.9.0"
54
+ }
52
55
  }
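Review bot: `"yaml": "^2.9.0"` is a caret range on a runtime dependency, so an install of the published package can resolve to any later 2.x release rather than the version that was tested. For a tool that writes Compose files and signs evidence about the result, consider an exact version pin or shipping an `npm-shrinkwrap.json` with the package so the parser used at verification time is the one the release was tested against. The change description should also state what the YAML parser is used for, since nothing in this hunk says so.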