bootproof 0.1.0 → 0.3.0
- package/README.md +84 -8
- package/dist/cli.js +230 -16
- package/dist/diagnosis.js +13 -1
- package/dist/exec.js +21 -4
- package/dist/infer.js +281 -32
- package/dist/plan.d.ts +2 -0
- package/dist/plan.js +47 -7
- package/dist/proof.d.ts +1 -1
- package/dist/proof.js +2 -2
- package/dist/remote.d.ts +12 -1
- package/dist/remote.js +62 -18
- package/dist/repair.d.ts +110 -0
- package/dist/repair.js +857 -0
- package/dist/run.d.ts +3 -1
- package/dist/run.js +182 -20
- package/dist/taxonomy.d.ts +1 -0
- package/dist/taxonomy.js +28 -4
- package/dist/types.d.ts +18 -2
- package/docs/CI_ACTION.md +4 -3
- package/docs/FAILURE_TAXONOMY.md +3 -1
- package/docs/HONESTY_CONTRACT.md +30 -1
- package/docs/REAL_REPO_EVIDENCE.md +77 -0
- package/docs/RELEASE_CHECKLIST.md +9 -1
- package/docs/REPAIR_RECEIPT.md +178 -0
- package/package.json +6 -3
|
@@ -0,0 +1,178 @@
|
|
|
1
|
+
# Repair Receipts
|
|
2
|
+
|
|
3
|
+
`bootproof fix` treats the normal BootProof verdict as an oracle. A signature-valid failed attestation is reused only when it identifies the exact current clean Git commit. Otherwise BootProof reproduces the failed run in a temporary copy. It applies one deterministic registered remediation there and reruns full verification.
|
|
4
|
+
|
|
5
|
+
No receipt is emitted unless both statements are signed evidence:
|
|
6
|
+
|
|
7
|
+
- before: the sandbox run failed with a classified failure
|
|
8
|
+
- after: the remediated sandbox run observed successful HTTP health
|
|
9
|
+
|
|
10
|
+
`bootproof fix` does not edit the original repository. A human may review the patch written under `.bootproof/` and explicitly invoke `bootproof apply-repair`.
|
|
11
|
+
|
|
12
|
+
## Schema
|
|
13
|
+
|
|
14
|
+
```text
|
|
15
|
+
bootproof/repair-receipt/v1
|
|
16
|
+
```
|
|
17
|
+
|
|
18
|
+
```json
|
|
19
|
+
{
|
|
20
|
+
"schema": "bootproof/repair-receipt/v1",
|
|
21
|
+
"tool": "bootproof@0.3.0",
|
|
22
|
+
"repo": {
|
|
23
|
+
"remote": null,
|
|
24
|
+
"commit": null,
|
|
25
|
+
"dirty": null
|
|
26
|
+
},
|
|
27
|
+
"environment": {
|
|
28
|
+
"os": "darwin 25.4.0",
|
|
29
|
+
"arch": "arm64",
|
|
30
|
+
"node": "v22.0.0"
|
|
31
|
+
},
|
|
32
|
+
"failure": {
|
|
33
|
+
"class": "service_port_allocated",
|
|
34
|
+
"beforeAttestationSha256": "..."
|
|
35
|
+
},
|
|
36
|
+
"repair": {
|
|
37
|
+
"id": "remap-conflicting-service-port",
|
|
38
|
+
"kind": "plan-step",
|
|
39
|
+
"description": "...",
|
|
40
|
+
"diff": null,
|
|
41
|
+
"filesChanged": [
|
|
42
|
+
"docker-compose.bootproof.override.yml"
|
|
43
|
+
],
|
|
44
|
+
"fileChanges": [
|
|
45
|
+
{
|
|
46
|
+
"path": "docker-compose.bootproof.override.yml",
|
|
47
|
+
"beforeSha256": null,
|
|
48
|
+
"afterSha256": "...",
|
|
49
|
+
"beforeContent": null,
|
|
50
|
+
"afterContent": "..."
|
|
51
|
+
}
|
|
52
|
+
],
|
|
53
|
+
"preconditions": [
|
|
54
|
+
{
|
|
55
|
+
"path": "docker-compose.yml",
|
|
56
|
+
"sha256": "..."
|
|
57
|
+
}
|
|
58
|
+
],
|
|
59
|
+
"planDelta": "...",
|
|
60
|
+
"envDelta": null
|
|
61
|
+
},
|
|
62
|
+
"verification": {
|
|
63
|
+
"before": {
|
|
64
|
+
"booted": false,
|
|
65
|
+
"failureClass": "service_port_allocated",
|
|
66
|
+
"attestationSha256": "..."
|
|
67
|
+
},
|
|
68
|
+
"after": {
|
|
69
|
+
"booted": true,
|
|
70
|
+
"healthObservation": "HTTP 200 at http://localhost:4000/",
|
|
71
|
+
"attestationSha256": "..."
|
|
72
|
+
}
|
|
73
|
+
},
|
|
74
|
+
"startedAt": "...",
|
|
75
|
+
"finishedAt": "...",
|
|
76
|
+
"signer": {
|
|
77
|
+
"publicKey": "...",
|
|
78
|
+
"algorithm": "ed25519"
|
|
79
|
+
},
|
|
80
|
+
"signature": "..."
|
|
81
|
+
}
|
|
82
|
+
```
|
|
83
|
+
|
|
84
|
+
The receipt uses the same Ed25519 canonical-body pattern as attestations: `signer` and `signature` are excluded from the signed body. Tampering with the repair, before result, or after result invalidates verification.
|
|
85
|
+
|
|
86
|
+
`beforeAttestationSha256` and both verification hashes are SHA-256 hashes of the corresponding attestation JSON objects.
|
|
87
|
+
|
|
88
|
+
`fileChanges` is a signed application manifest. It contains only allowlisted boot-plumbing files and binds the expected preimage and verified after-content to SHA-256 hashes. `preconditions` binds read-only source inputs, such as the repository Compose file from which a repaired copy was derived.
|
|
89
|
+
|
|
90
|
+
## Result Interface
|
|
91
|
+
|
|
92
|
+
```bash
|
|
93
|
+
bootproof fix . --json
|
|
94
|
+
```
|
|
95
|
+
|
|
96
|
+
emits exactly one:
|
|
97
|
+
|
|
98
|
+
```text
|
|
99
|
+
bootproof/repair-result/v1
|
|
100
|
+
```
|
|
101
|
+
|
|
102
|
+
Exit `0` means a signed repair receipt was produced after observed HTTP health. Every unknown, inapplicable, failed, or unverified remediation exits `1`.
|
|
103
|
+
|
|
104
|
+
`bootproof fix . --dry-run` executes nothing, writes nothing, and produces no proof.
|
|
105
|
+
|
|
106
|
+
Local sandbox execution still requires:
|
|
107
|
+
|
|
108
|
+
```bash
|
|
109
|
+
bootproof fix . --provider local --unsafe-local
|
|
110
|
+
```
|
|
111
|
+
|
|
112
|
+
Remote repair accepts credential-free public HTTPS repositories from GitHub, GitLab, Bitbucket, and Codeberg and keeps all evidence in the retained clone:
|
|
113
|
+
|
|
114
|
+
```bash
|
|
115
|
+
bootproof fix https://github.com/user/repo --provider local --unsafe-local
|
|
116
|
+
```
|
|
117
|
+
|
|
118
|
+
Cloning is not execution consent. The existing local execution acknowledgement remains mandatory.
|
|
119
|
+
|
|
120
|
+
## Explicit Application
|
|
121
|
+
|
|
122
|
+
Repair generation and repair application are separate operations:
|
|
123
|
+
|
|
124
|
+
```bash
|
|
125
|
+
bootproof apply-repair .
|
|
126
|
+
```
|
|
127
|
+
|
|
128
|
+
Application exits `0` only after all signed file changes are written and re-hashed. It writes nothing when:
|
|
129
|
+
|
|
130
|
+
- the receipt signature is invalid
|
|
131
|
+
- a path is outside the repair allowlist
|
|
132
|
+
- signed content hashes are inconsistent
|
|
133
|
+
- a signed read-only repair prerequisite changed
|
|
134
|
+
- the current file preimage differs from the verified preimage
|
|
135
|
+
- the receipt is environment-only or plan-only
|
|
136
|
+
|
|
137
|
+
`bootproof apply-repair . --dry-run` writes nothing. No repair is ever auto-applied by `bootproof fix`.
|
|
138
|
+
|
|
139
|
+
## v0.3 Registry
|
|
140
|
+
|
|
141
|
+
| Failure class | Deterministic remediation |
|
|
142
|
+
|---|---|
|
|
143
|
+
| `service_port_allocated` | Remap a BootProof-generated Compose host port, or create a complete BootProof-owned repaired Compose copy beside the repository file without editing it. |
|
|
144
|
+
| `package_manager_version_mismatch` | Run the exact declared `corepack prepare <manager>@<version> --activate` command in the sandbox. |
|
|
145
|
+
| `migrations_missing` | Select one exact migration framework from repository markers plus preserved evidence: Prisma, Django, Rails, Knex, or Drizzle. Ambiguous matches refuse instead of guessing. |
|
|
146
|
+
|
|
147
|
+
There are no LLM calls in the repair registry.
|
|
148
|
+
|
|
149
|
+
Local host execution still requires `--unsafe-local`, and `fix` never auto-applies a repair. These are honesty boundaries. The separate application command exists so mutation is deliberate and independently verified.
|
|
150
|
+
|
|
151
|
+
## Files
|
|
152
|
+
|
|
153
|
+
Successful repair output is kept in the original repository's BootProof output directory:
|
|
154
|
+
|
|
155
|
+
```text
|
|
156
|
+
.bootproof/attestation.json
|
|
157
|
+
.bootproof/repair-receipt.json
|
|
158
|
+
.bootproof/repair-after-attestation.json
|
|
159
|
+
.bootproof/repair-<id>.patch
|
|
160
|
+
```
|
|
161
|
+
|
|
162
|
+
The patch is present only when the repair produced a repository or repaired-Compose file change. Plan-only and environment-only repairs may have no patch.
|
|
163
|
+
|
|
164
|
+
The after attestation is retained so its signature and receipt hash can be inspected independently. Sandbox paths in that attestation describe where verification actually occurred.
|
|
165
|
+
|
|
166
|
+
## Allowed Scope
|
|
167
|
+
|
|
168
|
+
Repair file changes are hard-limited to:
|
|
169
|
+
|
|
170
|
+
- `package.json`, and only its `engines` or `packageManager` keys
|
|
171
|
+
- lockfiles
|
|
172
|
+
- `*.bootproof.*` files
|
|
173
|
+
- `.env*.example` files
|
|
174
|
+
- Compose override files created by BootProof
|
|
175
|
+
|
|
176
|
+
Application source is outside repair scope. A remediation that attempts to edit it throws an honesty-contract violation.
|
|
177
|
+
|
|
178
|
+
Repository Compose repair files are complete copies invoked directly. They do not rely on the version-specific `!override` merge tag, and they are written beside the source Compose file so relative build contexts keep the same base directory.
|
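Review bot: the signature paragraph at new line 84 says `signer` and `signature` are excluded from the signed body, but the document never states where a verifier obtains the public key it trusts. If `apply-repair` checks the signature against the `signer.publicKey` carried in the same receipt, then a receipt whose `fileChanges` were rewritten and re-signed under a different key would still verify, and the "receipt signature is invalid" refusal at line 130 would not fire. Please document the trust anchor (a pinned key, or one established outside the receipt) and state whether `signer.algorithm`, which also sits outside the signed body, is ever used to choose the verification algorithm. Separately, line 86 defines the three hashes as SHA-256 "of the corresponding attestation JSON objects" without saying which byte serialisation is hashed or whether the attestation's own `signer` and `signature` fields are included; an independent verifier needs that spelled out to reproduce the values.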
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "bootproof",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.3.0",
|
|
4
4
|
"description": "The honest run button for repos. Boots unfamiliar code when it safely can, tells the truth when it cannot, and signs proof of what happened.",
|
|
5
5
|
"license": "Apache-2.0",
|
|
6
6
|
"type": "module",
|
|
@@ -20,7 +20,7 @@
|
|
|
20
20
|
"pack:check": "node scripts/pack-smoke.mjs",
|
|
21
21
|
"release:check": "npm test && npm run build && npm run pack:check && npm publish --dry-run",
|
|
22
22
|
"lint": "tsc -p tsconfig.json --noEmit",
|
|
23
|
-
"test": "npm run build && node --test tests
|
|
23
|
+
"test": "npm run build && node --test tests/unit.test.mjs tests/e2e.test.mjs",
|
|
24
24
|
"ci": "npm run lint && npm run test"
|
|
25
25
|
},
|
|
26
26
|
"repository": {
|
|
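Review bot: the `test` script at line 23 now names `tests/unit.test.mjs` and `tests/e2e.test.mjs` explicitly, so any other file placed under `tests/` is silently skipped by `npm test`, and with it by `ci` (line 24) and `release:check` (line 21). Since this release adds `dist/repair.js` and the `apply-repair` command, either confirm both are exercised from those two files or let the runner discover test files so a new one cannot be left out of the release gate.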
@@ -48,5 +48,8 @@
|
|
|
48
48
|
"bugs": {
|
|
49
49
|
"url": "https://github.com/rossbuckley1990-hash/bootproof/issues"
|
|
50
50
|
},
|
|
51
|
-
"homepage": "https://github.com/rossbuckley1990-hash/bootproof#readme"
|
|
51
|
+
"homepage": "https://github.com/rossbuckley1990-hash/bootproof#readme",
|
|
52
|
+
"dependencies": {
|
|
53
|
+
"yaml": "^2.9.0"
|
|
54
|
+
}
|
|
52
55
|
}
|
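Review bot: the new `dependencies` block at lines 52-54 adds `yaml` with a caret range (`^2.9.0`), so each install of the CLI may resolve a different parser release than the one the maintainers tested; a published package's `package-lock.json` is not honoured for consumers. For a tool whose output is signed evidence, consider pinning the exact version or publishing an `npm-shrinkwrap.json` so the parser behind a given receipt is reproducible.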