codeharness 0.23.0 → 0.24.0

package/patches/observability/rust-function-no-tracing.yaml

@@ -0,0 +1,282 @@
+rules:
+  - id: rust-function-no-tracing
+    patterns:
+      - pattern-either:
+          - pattern: |
+              fn $FUNC(...) { ... }
+          - pattern: |
+              pub fn $FUNC(...) { ... }
+          - pattern: |
+              async fn $FUNC(...) { ... }
+          - pattern: |
+              pub async fn $FUNC(...) { ... }
+      - pattern-not: |
+          #[tracing::instrument]
+          fn $FUNC(...) { ... }
+      - pattern-not: |
+          #[tracing::instrument]
+          pub fn $FUNC(...) { ... }
+      - pattern-not: |
+          #[tracing::instrument]
+          async fn $FUNC(...) { ... }
+      - pattern-not: |
+          #[tracing::instrument]
+          pub async fn $FUNC(...) { ... }
+      - pattern-not: |
+          #[instrument]
+          fn $FUNC(...) { ... }
+      - pattern-not: |
+          #[instrument]
+          pub fn $FUNC(...) { ... }
+      - pattern-not: |
+          #[instrument]
+          async fn $FUNC(...) { ... }
+      - pattern-not: |
+          #[instrument]
+          pub async fn $FUNC(...) { ... }
+      - pattern-not: |
+          fn $FUNC(...) {
+            ...
+            tracing::debug!(...);
+            ...
+          }
+      - pattern-not: |
+          fn $FUNC(...) {
+            ...
+            tracing::info!(...);
+            ...
+          }
+      - pattern-not: |
+          fn $FUNC(...) {
+            ...
+            tracing::warn!(...);
+            ...
+          }
+      - pattern-not: |
+          fn $FUNC(...) {
+            ...
+            tracing::error!(...);
+            ...
+          }
+      - pattern-not: |
+          fn $FUNC(...) {
+            ...
+            tracing::trace!(...);
+            ...
+          }
+      - pattern-not: |
+          fn $FUNC(...) {
+            ...
+            debug!(...);
+            ...
+          }
+      - pattern-not: |
+          fn $FUNC(...) {
+            ...
+            info!(...);
+            ...
+          }
+      - pattern-not: |
+          fn $FUNC(...) {
+            ...
+            warn!(...);
+            ...
+          }
+      - pattern-not: |
+          fn $FUNC(...) {
+            ...
+            error!(...);
+            ...
+          }
+      - pattern-not: |
+          fn $FUNC(...) {
+            ...
+            trace!(...);
+            ...
+          }
+      - pattern-not: |
+          pub fn $FUNC(...) {
+            ...
+            tracing::debug!(...);
+            ...
+          }
+      - pattern-not: |
+          pub fn $FUNC(...) {
+            ...
+            tracing::info!(...);
+            ...
+          }
+      - pattern-not: |
+          pub fn $FUNC(...) {
+            ...
+            tracing::warn!(...);
+            ...
+          }
+      - pattern-not: |
+          pub fn $FUNC(...) {
+            ...
+            tracing::error!(...);
+            ...
+          }
+      - pattern-not: |
+          pub fn $FUNC(...) {
+            ...
+            tracing::trace!(...);
+            ...
+          }
+      - pattern-not: |
+          pub fn $FUNC(...) {
+            ...
+            debug!(...);
+            ...
+          }
+      - pattern-not: |
+          pub fn $FUNC(...) {
+            ...
+            info!(...);
+            ...
+          }
+      - pattern-not: |
+          pub fn $FUNC(...) {
+            ...
+            warn!(...);
+            ...
+          }
+      - pattern-not: |
+          pub fn $FUNC(...) {
+            ...
+            error!(...);
+            ...
+          }
+      - pattern-not: |
+          pub fn $FUNC(...) {
+            ...
+            trace!(...);
+            ...
+          }
+      - pattern-not: |
+          async fn $FUNC(...) {
+            ...
+            tracing::debug!(...);
+            ...
+          }
+      - pattern-not: |
+          async fn $FUNC(...) {
+            ...
+            tracing::info!(...);
+            ...
+          }
+      - pattern-not: |
+          async fn $FUNC(...) {
+            ...
+            tracing::warn!(...);
+            ...
+          }
+      - pattern-not: |
+          async fn $FUNC(...) {
+            ...
+            tracing::error!(...);
+            ...
+          }
+      - pattern-not: |
+          async fn $FUNC(...) {
+            ...
+            tracing::trace!(...);
+            ...
+          }
+      - pattern-not: |
+          async fn $FUNC(...) {
+            ...
+            debug!(...);
+            ...
+          }
+      - pattern-not: |
+          async fn $FUNC(...) {
+            ...
+            info!(...);
+            ...
+          }
+      - pattern-not: |
+          async fn $FUNC(...) {
+            ...
+            warn!(...);
+            ...
+          }
+      - pattern-not: |
+          async fn $FUNC(...) {
+            ...
+            error!(...);
+            ...
+          }
+      - pattern-not: |
+          async fn $FUNC(...) {
+            ...
+            trace!(...);
+            ...
+          }
+      - pattern-not: |
+          pub async fn $FUNC(...) {
+            ...
+            tracing::debug!(...);
+            ...
+          }
+      - pattern-not: |
+          pub async fn $FUNC(...) {
+            ...
+            tracing::info!(...);
+            ...
+          }
+      - pattern-not: |
+          pub async fn $FUNC(...) {
+            ...
+            tracing::warn!(...);
+            ...
+          }
+      - pattern-not: |
+          pub async fn $FUNC(...) {
+            ...
+            tracing::error!(...);
+            ...
+          }
+      - pattern-not: |
+          pub async fn $FUNC(...) {
+            ...
+            tracing::trace!(...);
+            ...
+          }
+      - pattern-not: |
+          pub async fn $FUNC(...) {
+            ...
+            debug!(...);
+            ...
+          }
+      - pattern-not: |
+          pub async fn $FUNC(...) {
+            ...
+            info!(...);
+            ...
+          }
+      - pattern-not: |
+          pub async fn $FUNC(...) {
+            ...
+            warn!(...);
+            ...
+          }
+      - pattern-not: |
+          pub async fn $FUNC(...) {
+            ...
+            error!(...);
+            ...
+          }
+      - pattern-not: |
+          pub async fn $FUNC(...) {
+            ...
+            trace!(...);
+            ...
+          }
+    message: "Rust function without tracing instrumentation — observability gap"
+    languages: [rust]
+    severity: INFO
+    metadata:
+      category: observability
+      cwe: "CWE-778: Insufficient Logging"

package/patches/review/enforcement.md

@@ -25,6 +25,15 @@ The proof must pass black-box enforcement:
 - `[FAIL]` verdicts outside code blocks cause the proof to fail
 - `[ESCALATE]` is acceptable only when all automated approaches are exhausted
 
+### Observability
+
+Run `semgrep scan --config patches/observability/ --json` against changed files and report gaps.
+
+- For each gap found, list it as a review issue: file path, line number, and description (e.g., "src/lib/docker.ts:42 — catch block without logging")
+- Semgrep JSON output fields to extract: `check_id`, `path`, `start.line`, `extra.message`
+- If zero observability gaps are found, this check passes silently — do not emit warnings
+- If Semgrep is not installed, report "static analysis skipped — install semgrep" as a warning and do NOT fail the review
+
 ### Code Quality
 
 - Coverage delta reported (before vs after)

package/patches/verify/story-verification.md

@@ -27,6 +27,29 @@ For each AC, append a tag indicating verification approach:
 
 **Do not over-tag.** Workflows, sprint planning, user sessions, slash commands, and agent behavior are all verifiable via `docker exec ... claude --print`. Only tag `integration-required` when there is genuinely no automated path.
 
+### Observability Evidence
+
+After each `docker exec` command, query the observability backend for log events from the last 30 seconds.
+Use the configured VictoriaLogs endpoint (default: `http://localhost:9428`):
+
+```bash
+curl 'http://localhost:9428/select/logsql/query?query=_stream_id:*&start=-30s&limit=100'
+```
+
+- If log entries are returned, note the count in the AC section as runtime observability evidence.
+- If **zero events** are returned, include `[OBSERVABILITY GAP]` in the AC section:
+  `[OBSERVABILITY GAP] No log events detected for this user interaction`
+- Every AC should produce at least one log entry when exercised. Gaps indicate silent code paths.
+- If the observability backend is **not reachable** (connection refused, timeout), report
+  "observability check skipped — backend not reachable" as a warning and do NOT fail the verification.
+  The functional verification result stands on its own.
+
+This ensures proof documents include both functional evidence (`docker exec` output) and
+observability evidence (log query results or `[OBSERVABILITY GAP]` tags) for each AC.
+
+The VictoriaLogs query pattern matches `verify-prompt.ts` Step 3.5 — see that template for
+the full observability check instructions used by the automated verifier agent.
+
 ### Testing Requirements
 
 - Unit tests for all new/changed code

package/templates/Dockerfile.verify.generic

@@ -0,0 +1,27 @@
+# Generic black-box verification environment
+# Minimal image with basic tools for projects with unrecognized stacks.
+# NO source code enters the image — only project metadata and basic utilities.
+FROM node:20-slim
+
+# System utilities for generic verification
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    bash \
+    curl \
+    jq \
+    git \
+  && rm -rf /var/lib/apt/lists/*
+
+# Verification tools + Claude Code CLI
+RUN npm install -g showboat @anthropic-ai/claude-code
+
+# OTEL environment pointing to host observability stack
+ENV OTEL_EXPORTER_OTLP_ENDPOINT=http://host.docker.internal:4318
+ENV OTEL_SERVICE_NAME=codeharness-verify
+ENV OTEL_TRACES_EXPORTER=otlp
+ENV OTEL_METRICS_EXPORTER=otlp
+ENV OTEL_LOGS_EXPORTER=otlp
+
+WORKDIR /workspace
+
+# Copy any build context files into the workspace
+COPY . /workspace/

package/templates/Dockerfile.verify.rust

@@ -0,0 +1,39 @@
+# Rust black-box verification environment
+# Provides Rust tooling, Semgrep, showboat, and cargo-tarpaulin for automated verification.
+# NO project source enters the image — the project is mounted at runtime.
+FROM rust:1.82-slim
+
+# System utilities + Python for Semgrep
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    python3 \
+    python3-pip \
+    python3-venv \
+    pipx \
+    curl \
+    jq \
+    git \
+  && rm -rf /var/lib/apt/lists/*
+
+# Semgrep for static analysis verification
+RUN pipx install semgrep && pipx ensurepath
+ENV PATH="/root/.local/bin:${PATH}"
+
+# Node.js 20 LTS (needed for showboat and claude-code npm packages)
+RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - && \
+    apt-get install -y nodejs && \
+    rm -rf /var/lib/apt/lists/*
+
+# Verification tools + Claude Code CLI
+RUN npm install -g showboat @anthropic-ai/claude-code
+
+# Rust coverage tool
+RUN cargo install cargo-tarpaulin
+
+# OTEL environment pointing to host observability stack
+ENV OTEL_EXPORTER_OTLP_ENDPOINT=http://host.docker.internal:4318
+ENV OTEL_SERVICE_NAME=codeharness-verify
+ENV OTEL_TRACES_EXPORTER=otlp
+ENV OTEL_METRICS_EXPORTER=otlp
+ENV OTEL_LOGS_EXPORTER=otlp
+
+WORKDIR /workspace