codeharness 0.23.0 → 0.24.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeharness",
-  "version": "0.23.0",
+  "version": "0.24.0",
   "type": "module",
   "description": "CLI for codeharness — makes autonomous coding agents produce software that actually works",
   "bin": {
@@ -11,6 +11,8 @@
     "bin",
     "patches",
     "templates/Dockerfile.verify",
+    "templates/Dockerfile.verify.rust",
+    "templates/Dockerfile.verify.generic",
     "ralph/**/*.sh",
     "ralph/AGENTS.md"
   ],

package/patches/dev/enforcement.md

@@ -18,6 +18,8 @@ Before writing code, read the relevant `AGENTS.md` file for the module being cha
 
 ### Observability
 
+Run `semgrep scan --config patches/observability/` before committing and fix any gaps.
+
 After running tests, verify telemetry is flowing:
 - Query VictoriaLogs to confirm log events from test runs
 - If observability is configured, traces should be visible for CLI operations
@@ -41,3 +43,11 @@ Write code that can be verified from the outside. Ask yourself:
 - Would a verifier with NO source access be able to tell if this works?
 
 If the answer is "no", the feature has a testability gap — fix the CLI/docs, not the verification process.
+
+### Dockerfile Maintenance
+
+If this story adds a new runtime dependency, check whether the Dockerfile needs updating:
+- New system package required at runtime (e.g., `libssl`, `ffmpeg`) — add to `apt-get install` line
+- New binary expected on PATH — add install step to Dockerfile
+- New Python package needed — add to `pip install` or `requirements.txt` COPY
+- Verify the updated Dockerfile still passes `validateDockerfile()` with zero gaps

package/patches/infra/dockerfile-rules.md

@@ -0,0 +1,62 @@
+# Dockerfile Rules
+
+Required elements for verification Dockerfiles. The `validateDockerfile()` function checks all six categories below. Gaps are reported through the audit infrastructure dimension.
+
+## Required Elements
+
+### 1. Pinned FROM Image
+
+Base images must use a specific version tag or digest. Using `:latest` or omitting a tag results in non-reproducible builds.
+
+- **Pass:** `FROM node:22-slim`, `FROM python:3.12-slim`, `FROM node@sha256:abc123`
+- **Fail:** `FROM node:latest`, `FROM node`
+
+### 2. Project Binary on PATH
+
+The container must install the project binary so it is available on PATH. This prevents "container missing binary" failures.
+
+- **Patterns:** `npm install -g`, `pip install`, `COPY --from=builder`
+
+### 3. Verification Tools
+
+Containers must include tools needed for health checks and diagnostics: `curl`, `jq`.
+
+- **Install via:** `apt-get install -y curl jq` or `apk add --no-cache curl jq`
+
+### 4. No Source Code COPY
+
+Containers should use build artifacts, not raw source. Copying source directories inflates image size and leaks code.
+
+- **Fail patterns:** `COPY src/`, `COPY lib/`, `COPY test/`
+- **Pass:** `COPY --from=builder /app/dist /app/dist`, `COPY dist/ /app/dist/`
+
+### 5. Non-root USER
+
+Containers must not run as root. Include a `USER` instruction with a non-root user.
+
+- **Pass:** `USER node`, `USER appuser`, `USER 1001`
+- **Fail:** no `USER` instruction, or only `USER root`
+
+### 6. Cache Cleanup
+
+Package manager caches must be cleaned to reduce image size.
+
+- **Patterns:** `rm -rf /var/lib/apt/lists/*`, `npm cache clean --force`, `pip cache purge`
+
+## Project-Type-Specific Notes
+
+### Node.js
+
+- Use `npm install -g <package>` to put the binary on PATH
+- Use `npm cache clean --force` after install
+- Prefer `node:22-slim` or `node:22-alpine` base images
+
+### Python
+
+- Use `pip install --no-cache-dir <package>` or `pip cache purge`
+- Prefer `python:3.12-slim` base images
+
+### Plugin (Claude Code)
+
+- Plugin containers typically use Node.js base
+- Ensure `codeharness` binary is installed globally via `npm install -g`

package/patches/observability/AGENTS.md

@@ -4,20 +4,40 @@ Standalone Semgrep YAML rules for static analysis of observability gaps. Each `.
 
 ## Rules
 
+### JavaScript / TypeScript
+
 | File | Purpose | Severity |
 |------|---------|----------|
 | catch-without-logging.yaml | Detects catch blocks without error/warn logging | WARNING |
 | function-no-debug-log.yaml | Detects functions without debug/info logging | INFO |
 | error-path-no-log.yaml | Detects error paths (throw/return err) without preceding log | WARNING |
 
+### Rust
+
+| File | Purpose | Severity |
+|------|---------|----------|
+| rust-function-no-tracing.yaml | Detects Rust functions without tracing instrumentation | INFO |
+| rust-catch-without-tracing.yaml | Detects Rust error match arms without tracing | WARNING |
+| rust-error-path-no-tracing.yaml | Detects Rust error-path closures (map_err/unwrap_or_else) without tracing | WARNING |
+
 ## Test Fixtures
 
+### JavaScript / TypeScript
+
 | File | Purpose |
 |------|---------|
 | catch-without-logging.ts | Test cases for catch-without-logging rule (annotated with `// ruleid:` / `// ok:`) |
 | function-no-debug-log.ts | Test cases for function-no-debug-log rule |
 | error-path-no-log.ts | Test cases for error-path-no-log rule |
 
+### Rust
+
+| File | Purpose |
+|------|---------|
+| rust-function-no-tracing.rs | Test cases for rust-function-no-tracing rule |
+| rust-catch-without-tracing.rs | Test cases for rust-catch-without-tracing rule |
+| rust-error-path-no-tracing.rs | Test cases for rust-error-path-no-tracing rule |
+
 ## Testing
 
 Run `semgrep --test patches/observability/` to execute all test fixtures against their rules.

package/patches/observability/rust-catch-without-tracing.rs

@@ -0,0 +1,65 @@
+// Test cases for rust-catch-without-tracing Semgrep rule
+
+fn bad_match_no_logging(result: Result<i32, String>) {
+    match result {
+        Ok(val) => println!("{}", val),
+        // ruleid: rust-catch-without-tracing
+        Err(e) => {
+            cleanup();
+        }
+    }
+}
+
+fn bad_match_wildcard(result: Result<i32, String>) {
+    match result {
+        Ok(val) => println!("{}", val),
+        // ruleid: rust-catch-without-tracing
+        Err(_) => {
+            fallback();
+        }
+    }
+}
+
+fn good_match_with_tracing_error(result: Result<i32, String>) {
+    match result {
+        Ok(val) => println!("{}", val),
+        // ok: rust-catch-without-tracing
+        Err(e) => {
+            tracing::error!("operation failed: {}", e);
+            cleanup();
+        }
+    }
+}
+
+fn good_match_with_tracing_warn(result: Result<i32, String>) {
+    match result {
+        Ok(val) => println!("{}", val),
+        // ok: rust-catch-without-tracing
+        Err(e) => {
+            tracing::warn!("operation failed: {}", e);
+            cleanup();
+        }
+    }
+}
+
+fn good_match_with_bare_error(result: Result<i32, String>) {
+    match result {
+        Ok(val) => println!("{}", val),
+        // ok: rust-catch-without-tracing
+        Err(e) => {
+            error!("operation failed: {}", e);
+            cleanup();
+        }
+    }
+}
+
+fn good_match_with_bare_warn(result: Result<i32, String>) {
+    match result {
+        Ok(val) => println!("{}", val),
+        // ok: rust-catch-without-tracing
+        Err(e) => {
+            warn!("operation failed: {}", e);
+            cleanup();
+        }
+    }
+}

package/patches/observability/rust-catch-without-tracing.yaml

@@ -0,0 +1,19 @@
+rules:
+  - id: rust-catch-without-tracing
+    patterns:
+      - pattern: |
+          match $X { Err($E) => { ... } }
+      - pattern-not: |
+          match $X { Err($E) => { ... tracing::error!(...); ... } }
+      - pattern-not: |
+          match $X { Err($E) => { ... tracing::warn!(...); ... } }
+      - pattern-not: |
+          match $X { Err($E) => { ... error!(...); ... } }
+      - pattern-not: |
+          match $X { Err($E) => { ... warn!(...); ... } }
+    message: "Rust error match arm without tracing — observability gap"
+    languages: [rust]
+    severity: WARNING
+    metadata:
+      category: observability
+      cwe: "CWE-778: Insufficient Logging"

package/patches/observability/rust-error-path-no-tracing.rs

@@ -0,0 +1,79 @@
+// Test cases for rust-error-path-no-tracing Semgrep rule
+
+fn bad_map_err() {
+    // ruleid: rust-error-path-no-tracing
+    let result = some_operation().map_err(|e| {
+        CustomError::new(e)
+    });
+}
+
+fn bad_unwrap_or_else() {
+    // ruleid: rust-error-path-no-tracing
+    let value = some_operation().unwrap_or_else(|e| {
+        default_value()
+    });
+}
+
+fn good_map_err_with_tracing_error() {
+    // ok: rust-error-path-no-tracing
+    let result = some_operation().map_err(|e| {
+        tracing::error!("operation failed: {}", e);
+        CustomError::new(e)
+    });
+}
+
+fn good_map_err_with_tracing_warn() {
+    // ok: rust-error-path-no-tracing
+    let result = some_operation().map_err(|e| {
+        tracing::warn!("operation failed: {}", e);
+        CustomError::new(e)
+    });
+}
+
+fn good_map_err_with_bare_error() {
+    // ok: rust-error-path-no-tracing
+    let result = some_operation().map_err(|e| {
+        error!("operation failed: {}", e);
+        CustomError::new(e)
+    });
+}
+
+fn good_map_err_with_bare_warn() {
+    // ok: rust-error-path-no-tracing
+    let result = some_operation().map_err(|e| {
+        warn!("operation failed: {}", e);
+        CustomError::new(e)
+    });
+}
+
+fn good_unwrap_or_else_with_tracing_error() {
+    // ok: rust-error-path-no-tracing
+    let value = some_operation().unwrap_or_else(|e| {
+        tracing::error!("falling back: {}", e);
+        default_value()
+    });
+}
+
+fn good_unwrap_or_else_with_tracing_warn() {
+    // ok: rust-error-path-no-tracing
+    let value = some_operation().unwrap_or_else(|e| {
+        tracing::warn!("falling back: {}", e);
+        default_value()
+    });
+}
+
+fn good_unwrap_or_else_with_bare_error() {
+    // ok: rust-error-path-no-tracing
+    let value = some_operation().unwrap_or_else(|e| {
+        error!("falling back: {}", e);
+        default_value()
+    });
+}
+
+fn good_unwrap_or_else_with_bare_warn() {
+    // ok: rust-error-path-no-tracing
+    let value = some_operation().unwrap_or_else(|e| {
+        warn!("falling back: {}", e);
+        default_value()
+    });
+}

package/patches/observability/rust-error-path-no-tracing.yaml

@@ -0,0 +1,62 @@
+rules:
+  - id: rust-error-path-no-tracing
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $X.map_err(|$E| { ... })
+          - pattern: |
+              $X.unwrap_or_else(|$E| { ... })
+      - pattern-not: |
+          $X.map_err(|$E| {
+            ...
+            tracing::error!(...);
+            ...
+          })
+      - pattern-not: |
+          $X.map_err(|$E| {
+            ...
+            tracing::warn!(...);
+            ...
+          })
+      - pattern-not: |
+          $X.map_err(|$E| {
+            ...
+            error!(...);
+            ...
+          })
+      - pattern-not: |
+          $X.map_err(|$E| {
+            ...
+            warn!(...);
+            ...
+          })
+      - pattern-not: |
+          $X.unwrap_or_else(|$E| {
+            ...
+            tracing::error!(...);
+            ...
+          })
+      - pattern-not: |
+          $X.unwrap_or_else(|$E| {
+            ...
+            tracing::warn!(...);
+            ...
+          })
+      - pattern-not: |
+          $X.unwrap_or_else(|$E| {
+            ...
+            error!(...);
+            ...
+          })
+      - pattern-not: |
+          $X.unwrap_or_else(|$E| {
+            ...
+            warn!(...);
+            ...
+          })
+    message: "Rust error-path closure without tracing — observability gap"
+    languages: [rust]
+    severity: WARNING
+    metadata:
+      category: observability
+      cwe: "CWE-778: Insufficient Logging"

package/patches/observability/rust-function-no-tracing.rs

@@ -0,0 +1,119 @@
+// Test cases for rust-function-no-tracing Semgrep rule
+
+// ruleid: rust-function-no-tracing
+fn process_data(input: &str) -> String {
+    input.trim().to_string()
+}
+
+// ruleid: rust-function-no-tracing
+pub fn handle_request(req: Request) -> Response {
+    let result = compute(req);
+    result
+}
+
+// ruleid: rust-function-no-tracing
+async fn fetch_data(url: &str) -> Result<String, Error> {
+    let resp = client.get(url).send().await?;
+    resp.text().await
+}
+
+// ruleid: rust-function-no-tracing
+pub async fn serve(addr: &str) -> Result<(), Error> {
+    let listener = TcpListener::bind(addr).await?;
+    loop {
+        let (stream, _) = listener.accept().await?;
+        handle(stream).await;
+    }
+}
+
+// ok: rust-function-no-tracing
+fn process_with_debug(input: &str) -> String {
+    tracing::debug!("processing input");
+    input.trim().to_string()
+}
+
+// ok: rust-function-no-tracing
+pub fn handle_with_info(req: Request) -> Response {
+    tracing::info!("handling request");
+    let result = compute(req);
+    result
+}
+
+// ok: rust-function-no-tracing
+async fn fetch_with_warn(url: &str) -> Result<String, Error> {
+    tracing::warn!("fetching data from {}", url);
+    let resp = client.get(url).send().await?;
+    resp.text().await
+}
+
+// ok: rust-function-no-tracing
+pub async fn serve_with_error(addr: &str) -> Result<(), Error> {
+    tracing::error!("starting server on {}", addr);
+    let listener = TcpListener::bind(addr).await?;
+    loop {
+        let (stream, _) = listener.accept().await?;
+        handle(stream).await;
+    }
+}
+
+// ok: rust-function-no-tracing
+fn process_with_bare_debug(input: &str) -> String {
+    debug!("processing input");
+    input.trim().to_string()
+}
+
+// ok: rust-function-no-tracing
+pub fn handle_with_bare_info(req: Request) -> Response {
+    info!("handling request");
+    let result = compute(req);
+    result
+}
+
+// ok: rust-function-no-tracing
+async fn fetch_with_bare_error(url: &str) -> Result<String, Error> {
+    error!("fetching data from {}", url);
+    let resp = client.get(url).send().await?;
+    resp.text().await
+}
+
+// ok: rust-function-no-tracing
+fn traced_with_namespaced_trace(input: &str) -> String {
+    tracing::trace!("trace-level log");
+    input.trim().to_string()
+}
+
+// ok: rust-function-no-tracing
+fn traced_with_bare_trace(input: &str) -> String {
+    trace!("trace-level log");
+    input.trim().to_string()
+}
+
+// ok: rust-function-no-tracing
+#[tracing::instrument]
+fn instrumented_function(input: &str) -> String {
+    input.trim().to_string()
+}
+
+// ok: rust-function-no-tracing
+#[instrument]
+pub fn instrumented_pub_function(req: Request) -> Response {
+    let result = compute(req);
+    result
+}
+
+// ok: rust-function-no-tracing
+#[tracing::instrument]
+async fn instrumented_async(url: &str) -> Result<String, Error> {
+    let resp = client.get(url).send().await?;
+    resp.text().await
+}
+
+// ok: rust-function-no-tracing
+#[instrument]
+pub async fn instrumented_pub_async(addr: &str) -> Result<(), Error> {
+    let listener = TcpListener::bind(addr).await?;
+    loop {
+        let (stream, _) = listener.accept().await?;
+        handle(stream).await;
+    }
+}