ecr-scan-verifier 0.1.0 → 0.1.2

package/.claude/hooks/integ-docs-gate.sh

@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+# integ-docs-gate.sh
+#
+# PreToolUse hook. Blocks `gh pr create` and `gh pr merge` unless the
+# `integ-docs` markgate marker is fresh for the current content of
+# .claude/skills/integ-test/SKILL.md, test/integ/README.md, and
+# scripts/integ.sh (see .markgate.yml).
+#
+# To unblock: edit the offending files into consistency, then run the
+# /verify-integ-docs skill (which calls scripts/verify-integ-docs.sh
+# and, on pass, `markgate set integ-docs`).
+
+set -u
+
+# Resolve repo root from script location (.claude/hooks/integ-docs-gate.sh -> repo root).
+REPO="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+
+cmd=$(jq -r '.tool_input.command // ""' 2>/dev/null || echo "")
+
+# Only gate `gh pr create` and `gh pr merge` — any other Bash invocation
+# passes through.
+if ! printf '%s' "$cmd" | grep -qE '\bgh[[:space:]]+pr[[:space:]]+(create|merge)\b'; then
+  exit 0
+fi
+
+cd "$REPO" 2>/dev/null || exit 0
+
+# Prefer mise-pinned markgate (.mise.toml) so the schema version matches
+# what the rest of the repo expects. Fall back to PATH binary.
+if command -v mise >/dev/null 2>&1; then
+  markgate=(mise exec -- markgate)
+elif command -v markgate >/dev/null 2>&1; then
+  markgate=(markgate)
+else
+  cat >&2 <<EOF
+Blocked by integ-docs-gate: markgate is not installed.
+
+Install via mise (preferred — matches the version pinned in .mise.toml):
+  mise install
+
+Or install markgate via your packager (Homebrew, ubi, source).
+EOF
+  exit 2
+fi
+
+if "${markgate[@]}" verify integ-docs >/dev/null 2>&1; then
+  exit 0
+fi
+
+cat >&2 <<EOF
+Blocked by integ-docs-gate: \`integ-docs\` markgate marker is stale or missing.
+
+The skill (.claude/skills/integ-test/SKILL.md) and README
+(test/integ/README.md) document the same workflow for two different
+audiences (Claude / human). If they drift, a human following the README
+hits a different code path than Claude following the skill — and bugs in
+one don't surface in the other.
+
+To unblock:
+
+  1. Run the consistency check:
+       ./scripts/verify-integ-docs.sh
+
+  2. Fix any drift it reports.
+
+  3. Flip the marker:
+       mise exec -- markgate set integ-docs
+
+     (Or invoke the /verify-integ-docs skill, which does steps 1+3.)
+
+If you genuinely have an emergency PR that has nothing to do with the
+integ docs (and you confirmed they didn't drift), you can also just run
+\`markgate set integ-docs\` directly — the marker just records that the
+files agree with whatever set-time content they had.
+EOF
+exit 2

package/.claude/settings.json

@@ -0,0 +1,18 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": ".claude/hooks/integ-docs-gate.sh",
+            "if": "Bash(gh pr create*) or Bash(gh pr merge*)",
+            "timeout": 10,
+            "statusMessage": "Checking integ-docs marker..."
+          }
+        ]
+      }
+    ]
+  }
+}

package/.claude/skills/integ-test/SKILL.md

@@ -0,0 +1,500 @@
+---
+name: integ-test
+description: Orchestrate ecr-scan-verifier integ tests against real AWS. Handles Inspector enable/disable + propagation waits, scan-on-push toggling, image signing (Notation / Cosign KMS / Cosign Public Key / ECR Managed Signing), and cleanup. Use whenever the user wants to run anything under `test/integ/`.
+argument-hint: "<status|basic|enhanced|signature|signature-notation|signature-cosign-kms|signature-cosign-publickey|signature-ecr-signing|all|cleanup|cleanup-signature> [--snapshot-only] [--no-restore]"
+---
+
+# integ-test
+
+End-to-end orchestrator for `test/integ/` tests. Replaces the manual checklist in `test/integ/README.md`.
+
+Most AWS-mutating primitives live in [`scripts/integ.sh`](../../../scripts/integ.sh) as shell functions. This skill **always sources that file first** and composes the functions per mode — keep primitives there, keep orchestration here.
+
+```bash
+. scripts/integ.sh
+```
+
+After sourcing you have: `account_id`, `default_region`, `inspector_status`, `inspector_status_all`, `inspector_enable_all`, `inspector_disable_all`, `wait_inspector_status`, `wait_inspector_status_all`, `scan_on_push_set`, `wait_enhanced_engine_warmup`, `enhanced_run_with_retry`, `signer_profile_ensure`, `cosign_minimal_signing_config`, `cleanup_signature_artifacts`, `ecr_signing_setup`, `ecr_signing_teardown`.
+
+In a worktree (or any clone without `node_modules`), run `pnpm install --frozen-lockfile` first — the `pnpm integ:*` scripts call `tsc` directly and will fail with `sh: tsc: command not found` otherwise.
+
+## Integ suite layout
+
+| Directory   | Regions exercised               | Required state                                              |
+| ----------- | ------------------------------- | ----------------------------------------------------------- |
+| `basic/`    | `us-east-1 us-east-2 us-west-2` | Enhanced scanning (Inspector) **DISABLED** in all regions   |
+| `enhanced/` | `us-east-1 us-east-2 us-west-2` | Enhanced scanning (Inspector) **ENABLED** in all regions    |
+| `signature/`| default region only             | Pre-signed images + SSM/KMS prerequisites (state-agnostic)  |
+
+Signature modes are single-region (resolved from `aws configure get region`). `basic`/`enhanced` always operate on **all three** regions.
+
+## Default behavior: real deploy
+
+The skill **deploys to AWS by default**. The `pnpm integ:*` scripts wrap `integ-runner`; without `--update-on-failed`, integ-runner does a *snapshot template comparison only* and never touches AWS. With `--update-on-failed` (which the skill passes by default), it actually deploys.
+
+If you only want the cheap snapshot comparison, pass `--snapshot-only`. The skill then degenerates to a single `pnpm integ:<mode>` call and **skips every AWS-mutating step** (Inspector toggle, scan-on-push toggle, signing setup).
+
+## Arguments
+
+- `status` — only triage current AWS state, propose no changes
+- `basic` — switch Inspector if needed, run `pnpm integ:basic:update`, restore
+- `enhanced` — switch Inspector if needed, warm engine, run `pnpm integ:enhanced:update`, restore
+- `signature` — run all four signature sub-modes back-to-back
+- `signature-notation` — Notation (AWS Signer) sign + run `integ.notation`
+- `signature-cosign-kms` — Cosign with KMS sign + run `integ.cosign-kms`
+- `signature-cosign-publickey` — Cosign keypair sign + run `integ.cosign-publickey`
+- `signature-ecr-signing` — ECR Managed Signing setup + run `integ.ecr-signing`
+- `all` — run **everything** (enhanced → all signatures → basic), then auto-run `cleanup`
+- `cleanup` — full teardown: signature artifacts + ECR signing repo + scan-on-push reset. Inspector state left alone (flip via `basic` / `enhanced` if needed). Idempotent.
+- `cleanup-signature` — narrower: only signature artifacts (SSM params, KMS key deletion, local cosign keypair). Subset of `cleanup`.
+
+Flags:
+
+- `--snapshot-only` — skip every AWS-mutating step; just run `pnpm integ:<mode>` (template comparison only). Mutually exclusive with the orchestration in each mode below.
+- `--no-restore` — skip restoring Inspector state at the end (useful when running multiple modes back-to-back). **Ignored by `all`**, which always restores.
+
+### When invoked without arguments
+
+Use `AskUserQuestion` to elicit BOTH the mode and the snapshot flag:
+
+1. **Target**:
+   - `basic`
+   - `enhanced`
+   - `signature` (all four signature sub-modes)
+   - `all` (everything end-to-end with auto-cleanup)
+   - `status` (just triage, no test run)
+2. **Run mode**:
+   - **Deploy** (default) — real AWS deploy, refresh snapshots
+   - **Snapshot-only** — template comparison only, no AWS calls
+
+Skip both prompts if the user already gave the target. If they gave the target but not the run-mode, only ask the second question.
+
+## `--snapshot-only` (any mode)
+
+Single command, no helpers, no setup. The skill exits after this:
+
+```bash
+pnpm integ            # all directories
+pnpm integ:basic      # or one directory
+pnpm integ:enhanced
+pnpm integ:signature
+```
+
+For per-test signature snapshots:
+
+```bash
+pnpm integ:signature --language javascript --test-regex "integ.notation.js$"
+```
+
+Nothing else in this document applies when `--snapshot-only` is set.
+
+## Post-run cleanup (deploy runs only)
+
+After ANY deploy-mode invocation (single mode or `all`), the skill must:
+
+1. Confirm Inspector state has been restored as documented in the mode (or, with `--no-restore`, explicitly report what was left as-is).
+2. For `all` and any `signature-*` deploy run, finish with `cleanup_signature_artifacts` from `scripts/integ.sh`. Single `signature-*` runs leave SSM/KMS in place by default so the user can chain modes — call cleanup at the very end of the session.
+3. Print the full reporting summary (see [Reporting](#reporting)) — never end silently.
+
+## Common preamble (deploy runs)
+
+```bash
+. scripts/integ.sh
+ACCOUNT="$(account_id)"
+ORIGINAL_STATE_EAST1="$(inspector_status us-east-1)"
+ORIGINAL_STATE_EAST2="$(inspector_status us-east-2)"
+ORIGINAL_STATE_WEST2="$(inspector_status us-west-2)"
+```
+
+If the three states differ, surface it — that itself is worth flagging before running anything.
+
+Build the Lambda once up front (every `pnpm integ:*` script chains this, but doing it once avoids repeating across modes):
+
+```bash
+pnpm tsc -p tsconfig.dev.json
+(cd assets/lambda && pnpm install --frozen-lockfile && pnpm build)
+```
+
+## Mode: `status`
+
+```bash
+inspector_status_all
+```
+
+Then recommend:
+
+- All ENABLED → `enhanced/` is ready. `basic/` requires a disable cycle.
+- All DISABLED → `basic/` is ready. `enhanced/` requires an enable cycle.
+- Mixed → flag as anomaly; ask before proceeding.
+
+Exit without changing any state.
+
+## Mode: `basic` (deploy)
+
+`pnpm integ:basic:update` runs **all** basic tests including `integ.scan-on-push`, so scan-on-push must be on **before** the run.
+
+```bash
+inspector_disable_all
+wait_inspector_status_all DISABLED || exit 1
+scan_on_push_set true
+
+# Run, then ALWAYS restore scan-on-push (use a trap or explicit if/then)
+if pnpm integ:basic:update; then status=0; else status=$?; fi
+scan_on_push_set false
+[ "$status" -eq 0 ] || exit "$status"
+```
+
+### Restore Inspector (unless `--no-restore`)
+
+If any region's `ORIGINAL_STATE_*` was `ENABLED`, restore that region. Simplest correct approach when all three were originally identical: re-enable everywhere if any was originally ENABLED.
+
+```bash
+if [ "$ORIGINAL_STATE_EAST1" = "ENABLED" ] || \
+   [ "$ORIGINAL_STATE_EAST2" = "ENABLED" ] || \
+   [ "$ORIGINAL_STATE_WEST2" = "ENABLED" ]; then
+  inspector_enable_all
+  wait_inspector_status_all ENABLED || exit 1
+fi
+```
+
+## Mode: `enhanced` (deploy)
+
+```bash
+# Capture the "was DISABLED in any region" condition BEFORE we flip,
+# because wait_enhanced_engine_warmup needs to know whether a real
+# transition is happening (the engine only lags on fresh enable).
+TRANSITION="ENABLED"
+if [ "$ORIGINAL_STATE_EAST1" != "ENABLED" ] || \
+   [ "$ORIGINAL_STATE_EAST2" != "ENABLED" ] || \
+   [ "$ORIGINAL_STATE_WEST2" != "ENABLED" ]; then
+  TRANSITION="DISABLED"
+fi
+
+inspector_enable_all
+wait_inspector_status_all ENABLED || exit 1
+
+# Engine warmup: empirically 20-30 min on a fresh enable.
+wait_enhanced_engine_warmup "$TRANSITION" 1200
+
+# Up to 3 attempts × 10 min gap. Calibrated to the warmup tail —
+# NOT to flaky tests. If 3 fail, stop.
+MAX_ATTEMPTS=3 RETRY_GAP_SECS=600 \
+  enhanced_run_with_retry pnpm integ:enhanced:update || exit 1
+```
+
+### Restore (unless `--no-restore`)
+
+If all three `ORIGINAL_STATE_*` were `DISABLED`, disable in all regions and poll until DISABLED. Otherwise leave as-is.
+
+## Signature modes — shared preamble (deploy)
+
+```bash
+rm -rf cdk.out/    # avoid stale assets manifests from prior signature runs
+REGION="$(default_region)"
+REGISTRY="${ACCOUNT}.dkr.ecr.${REGION}.amazonaws.com"
+REPO="cdk-hnb659fds-container-assets-${ACCOUNT}-${REGION}"
+```
+
+`signature-ecr-signing` uses its own dedicated repo (set up via `ecr_signing_setup`).
+
+## Mode: `signature-notation` (deploy)
+
+**Profile reuse**: AWS Signer profiles cannot be deleted (only canceled), and a canceled profile cannot be reused. We intentionally keep `EcrScanVerifierTestProfile` `Active` across runs. **`put-signing-profile` is NOT actually idempotent** — calling it for an existing Active profile returns `ProfileAlreadyExists`. Use `signer_profile_ensure` from `scripts/integ.sh` (or check with `get-signing-profile` first). If you find it `Canceled`, use a new name (e.g. `EcrScanVerifierTestProfile2`) and substitute throughout.
+
+Pre-flight: `notation version` should succeed. If absent, install via the AWS Signer installer pkg (see `test/integ/README.md` → Notation install — do not improvise URLs).
+
+```bash
+# 1. Ensure profile exists (idempotent wrapper; raw put-signing-profile is NOT)
+PROFILE_ARN="$(signer_profile_ensure)" || exit 1
+
+# 2. Synth + publish only the Docker asset (no stack deploy yet)
+npx cdk synth --app 'node test/integ/signature/integ.notation.js' -o cdk.out
+npx cdk-assets -p cdk.out/NotationSignatureStack.assets.json publish
+
+# 3. Resolve the test fixture digest (NOT the Lambda function image)
+ASSET_HASH=$(cat cdk.out/NotationSignatureStack.assets.json | tr ',' '\n' | \
+  grep '"imageTag"' | head -1 | cut -d'"' -f4)
+DIGEST=$(aws ecr describe-images --repository-name "${REPO}" \
+  --image-ids imageTag="${ASSET_HASH}" \
+  --query 'imageDetails[0].imageDigest' --output text)
+
+# 4. Sign
+aws ecr get-login-password | notation login --username AWS --password-stdin "${REGISTRY}"
+notation sign \
+  --plugin com.amazonaws.signer.notation.plugin \
+  --id "${PROFILE_ARN}" \
+  "${REGISTRY}/${REPO}@${DIGEST}"
+
+# 5. Run
+pnpm integ:signature:update --language javascript --test-regex "integ.notation.js$"
+```
+
+**Immutable-tag recovery**: If `notation sign` fails with `tag invalid: ... already exists ... cannot be overwritten because the tag is immutable`, a previous attempt left a partial referrers index tag. The bootstrap repo uses immutable tags, so the leftover must be deleted before retrying:
+
+```bash
+REFERRER_TAG="sha256-${DIGEST#sha256:}"
+aws ecr batch-delete-image --repository-name "${REPO}" \
+  --image-ids imageTag="${REFERRER_TAG}"
+```
+
+Then retry the `notation sign` step.
+
+## Mode: `signature-cosign-kms` (deploy)
+
+**Rekor note**: the Lambda verifier always skips Rekor. Sign with the same skip so the test matches Lambda behavior — verification then works offline / inside VPC without internet.
+
+Pre-flight: `cosign version` and `jq --version` should both succeed. Do NOT auto-install via brew — the user may not use brew. If either is missing, abort and tell the user which package + suggested install commands (`brew install cosign jq`, `apt install jq`, sigstore release page for cosign, etc.).
+
+```bash
+command -v cosign >/dev/null || { echo "cosign not installed. See https://docs.sigstore.dev/cosign/installation/" >&2; exit 1; }
+command -v jq >/dev/null || { echo "jq not installed." >&2; exit 1; }
+
+KMS_KEY_ID=$(aws kms create-key \
+  --key-usage SIGN_VERIFY --key-spec ECC_NIST_P256 \
+  --query 'KeyMetadata.KeyId' --output text)
+aws ssm put-parameter \
+  --name /ecr-scan-verifier/cosign-kms-key-id \
+  --value "${KMS_KEY_ID}" --type String --overwrite
+KMS_KEY_ARN=$(aws kms describe-key --key-id "${KMS_KEY_ID}" \
+  --query 'KeyMetadata.Arn' --output text)
+
+npx cdk synth --app 'node test/integ/signature/integ.cosign-kms.js' -o cdk.out
+npx cdk-assets -p cdk.out/CosignKmsSignatureStack.assets.json publish
+
+ASSET_HASH=$(cat cdk.out/CosignKmsSignatureStack.assets.json | tr ',' '\n' | \
+  grep '"imageTag"' | head -1 | cut -d'"' -f4)
+DIGEST=$(aws ecr describe-images --repository-name "${REPO}" \
+  --image-ids imageTag="${ASSET_HASH}" \
+  --query 'imageDetails[0].imageDigest' --output text)
+
+aws ecr get-login-password --region "${REGION}" | cosign login --username AWS --password-stdin "${REGISTRY}"
+# cosign 3.x requires stripping rekor + oidc + ca + tsa from the signing-config
+# when using --key (keyful). Leaving any of them in causes a silent hang on
+# "Signing artifact...". `cosign_minimal_signing_config` does the strip.
+cosign_minimal_signing_config /tmp/signing-config.json
+cosign sign --signing-config /tmp/signing-config.json \
+  --key "awskms:///${KMS_KEY_ARN}" "${REGISTRY}/${REPO}@${DIGEST}"
+
+pnpm integ:signature:update --language javascript --test-regex "integ.cosign-kms.js$"
+```
+
+## Mode: `signature-cosign-publickey` (deploy)
+
+Same Rekor-skip rule. `COSIGN_PASSWORD=""` required on `generate-key-pair` and `sign` to avoid the interactive password prompt blocking unattended runs.
+
+Same pre-flight as `signature-cosign-kms`: check `cosign` and `jq`, abort with install hint if missing — do not auto-brew-install.
+
+```bash
+command -v cosign >/dev/null || { echo "cosign not installed. See https://docs.sigstore.dev/cosign/installation/" >&2; exit 1; }
+command -v jq >/dev/null || { echo "jq not installed." >&2; exit 1; }
+
+COSIGN_PASSWORD="" cosign generate-key-pair
+aws ssm put-parameter \
+  --name /ecr-scan-verifier/cosign-public-key \
+  --value "$(cat cosign.pub)" --type String --overwrite
+
+npx cdk synth --app 'node test/integ/signature/integ.cosign-publickey.js' -o cdk.out
+npx cdk-assets -p cdk.out/CosignPublicKeySignatureStack.assets.json publish
+
+ASSET_HASH=$(cat cdk.out/CosignPublicKeySignatureStack.assets.json | tr ',' '\n' | \
+  grep '"imageTag"' | head -1 | cut -d'"' -f4)
+DIGEST=$(aws ecr describe-images --repository-name "${REPO}" \
+  --image-ids imageTag="${ASSET_HASH}" \
+  --query 'imageDetails[0].imageDigest' --output text)
+
+aws ecr get-login-password --region "${REGION}" | cosign login --username AWS --password-stdin "${REGISTRY}"
+# cosign 3.x requires stripping rekor + oidc + ca + tsa from the signing-config
+# when using --key (keyful). Leaving any of them in causes a silent hang on
+# "Signing artifact...". `cosign_minimal_signing_config` does the strip.
+cosign_minimal_signing_config /tmp/signing-config.json
+COSIGN_PASSWORD="" cosign sign --signing-config /tmp/signing-config.json \
+  --key cosign.key "${REGISTRY}/${REPO}@${DIGEST}"
+
+pnpm integ:signature:update --language javascript --test-regex "integ.cosign-publickey.js$"
+```
+
+`cosign.key` / `cosign.pub` are git-ignored. Do NOT commit them, and remove them via `cleanup-signature`.
+
+## Mode: `signature-ecr-signing` (deploy)
+
+ECR Managed Signing auto-signs on push when a signing-configuration matches the repository. The integ uses `ECRDeployment` to copy a CDK asset into a signing-enabled repo so that the push triggers a signature.
+
+**Regional gotcha**: `aws ecr put-signing-configuration` is not available in every region. If the API call returns `UnknownOperationException` or similar, abort and report — do not silently fall back.
+
+**Permissions gotcha**: the caller needs `signer:*` including `signer:SignPayload`. Surface a friendly error on `AccessDenied`.
+
+```bash
+ecr_signing_setup
+
+if pnpm integ:signature:update --language javascript --test-regex "integ.ecr-signing.js$"; then
+  status=0
+else
+  status=$?
+fi
+ecr_signing_teardown
+exit "$status"
+```
+
+## Mode: `signature` (deploy)
+
+Runs all four signature sub-modes back-to-back. They are state-agnostic w.r.t. Inspector, but each mutates SSM/KMS/ECR and synths into the shared `cdk.out/`, so order matters.
+
+Failures in earlier modes do NOT short-circuit later ones — capture per-mode status and surface them all in the final report. Each mode's preamble (`rm -rf cdk.out/`, REGION/REGISTRY/REPO export) must run anew per iteration.
+
+```bash
+sig_status=()
+for mode in signature-notation signature-cosign-kms signature-cosign-publickey signature-ecr-signing; do
+  echo "=== Running mode: $mode ==="
+  if run_mode "$mode"; then
+    sig_status+=("$mode: PASS")
+  else
+    sig_status+=("$mode: FAIL")
+  fi
+done
+printf '%s\n' "${sig_status[@]}"
+```
+
+After the loop, finish with `cleanup_signature_artifacts`.
+
+## Mode: `all` (deploy)
+
+Runs **every** integ test end-to-end with optimal Inspector state transitions.
+
+State-transition strategy (minimizes Inspector flips, which each cost a ~5 min poll + the ~20 min engine warmup on enable):
+
+1. **Enable Inspector** (if not already) and absorb the engine warmup. Serves both `enhanced` AND positions us for `signature-*` (state-agnostic but cheaper to keep ENABLED across them).
+2. **Run `enhanced`** with the 3-attempt retry loop.
+3. **Run all four `signature-*` modes**.
+4. **Flip Inspector to DISABLED** + poll.
+5. **Run `basic`** (proactive scan-on-push enable + unconditional restore).
+6. **Restore Inspector to `ORIGINAL_STATE_*`** — `all` IGNORES `--no-restore` because a both-directions sequence has no obvious "as-found" target.
+7. **Run `cleanup_signature_artifacts`** unconditionally.
+
+Pseudocode:
+
+```bash
+. scripts/integ.sh
+ACCOUNT="$(account_id)"
+ORIGINAL_STATE_EAST1="$(inspector_status us-east-1)"
+ORIGINAL_STATE_EAST2="$(inspector_status us-east-2)"
+ORIGINAL_STATE_WEST2="$(inspector_status us-west-2)"
+
+pnpm tsc -p tsconfig.dev.json
+(cd assets/lambda && pnpm install --frozen-lockfile && pnpm build)
+
+# --- 1+2: enhanced ---
+TRANSITION="ENABLED"
+if [ "$ORIGINAL_STATE_EAST1" != "ENABLED" ] || \
+   [ "$ORIGINAL_STATE_EAST2" != "ENABLED" ] || \
+   [ "$ORIGINAL_STATE_WEST2" != "ENABLED" ]; then
+  TRANSITION="DISABLED"
+fi
+inspector_enable_all
+wait_inspector_status_all ENABLED || exit 1
+wait_enhanced_engine_warmup "$TRANSITION" 1200
+
+results=()
+if MAX_ATTEMPTS=3 RETRY_GAP_SECS=600 \
+   enhanced_run_with_retry pnpm integ:enhanced:update; then
+  results+=("enhanced: PASS")
+else
+  results+=("enhanced: FAIL")
+fi
+
+# --- 3: all signatures ---
+for mode in signature-notation signature-cosign-kms signature-cosign-publickey signature-ecr-signing; do
+  if run_signature_mode "$mode"; then
+    results+=("$mode: PASS")
+  else
+    results+=("$mode: FAIL")
+  fi
+done
+
+# --- 4+5: basic ---
+inspector_disable_all
+wait_inspector_status_all DISABLED || exit 1
+scan_on_push_set true
+if pnpm integ:basic:update; then
+  results+=("basic: PASS")
+else
+  results+=("basic: FAIL")
+fi
+scan_on_push_set false
+
+# --- 6: restore Inspector (always for `all`) ---
+if [ "$ORIGINAL_STATE_EAST1" = "ENABLED" ] || \
+   [ "$ORIGINAL_STATE_EAST2" = "ENABLED" ] || \
+   [ "$ORIGINAL_STATE_WEST2" = "ENABLED" ]; then
+  inspector_enable_all
+  wait_inspector_status_all ENABLED || exit 1
+fi
+
+# --- 7: cleanup (full) ---
+cleanup_signature_artifacts
+ecr_signing_teardown
+scan_on_push_set false
+
+printf '%s\n' "${results[@]}"
+```
+
+Wall-clock budget for a clean `all` run: roughly 45–80 minutes depending on Inspector warmup and signature retries. Plan accordingly.
+
+## Mode: `cleanup`
+
+Full teardown of everything this skill can leave behind. Idempotent — safe to run any number of times, even when nothing was set up. Used as the final step of `all`, and useful on its own when interrupting a partial signature run.
+
+What it touches:
+
+- Signature artifacts (delegates to `cleanup_signature_artifacts`): SSM params, KMS key 7-day deletion schedule, local cosign keypair
+- ECR signing dedicated repo + signing-configuration (delegates to `ecr_signing_teardown`)
+- Bootstrap-repo scan-on-push reset to `false` in all three regions
+
+What it does NOT touch:
+
+- Inspector enable/disable state (per-account decision; flip via `basic` / `enhanced` if needed)
+- `EcrScanVerifierTestProfile` AWS Signer profile (cancellation is permanent — left Active by design)
+- Pushed Docker / signature artifacts in the bootstrap repo (immutable, cannot be cleaned)
+
+```bash
+. scripts/integ.sh
+cleanup_signature_artifacts
+ecr_signing_teardown          # idempotent (|| true on each step)
+scan_on_push_set false
+```
+
+Report what was actually removed vs what was already absent.
+
+## Mode: `cleanup-signature`
+
+```bash
+cleanup_signature_artifacts
+```
+
+The function resolves the KMS key id from SSM before deleting the param. If SSM is already gone and the id can't be recovered, it prints a WARN and skips KMS deletion — ask the user for the key id rather than guess.
+
+## Reporting
+
+At the end of every run, print:
+
+- Mode invoked + whether `--snapshot-only` was set + duration
+- `ORIGINAL_STATE_*` per region and whether each was restored (or "n/a" for snapshot-only)
+- Test pass/fail counts (parse from `integ-runner` output)
+- Any leftover side effects (e.g. `EcrScanVerifierTestProfile` left Active intentionally; signing-configuration disabled; `cosign.key` removed)
+
+Never end with stale state silently. If a restore step was skipped or failed, say so explicitly.
+
+## Important
+
+- **Deploy is the default.** Snapshot-only is opt-in via `--snapshot-only`, which collapses every mode to a single `pnpm integ:<mode>` call with no AWS calls and no state changes.
+- **Always operate on all three regions** (`us-east-1 us-east-2 us-west-2`) when toggling Inspector — partial toggles cause hard-to-debug test failures.
+- **Poll with a bounded loop** (`wait_inspector_status` from `scripts/integ.sh`) — never use a bare `sleep` for state convergence.
+- **`enhanced` engine lag is long**: status flipping to `ENABLED` is not the same as the scanning engine being ready. On a fresh DISABLED→ENABLED transition, sleep 1200s (20 min) before the first test attempt, then allow up to 3 total attempts with 600s (10 min) gaps. This worst-case ~40 min budget matches observed warmup. If all 3 fail, the cause is not propagation lag — stop waiting and investigate.
+- **Always enable scan-on-push proactively for `basic`** — `pnpm integ:basic:update` runs the `integ.scan-on-push` test in the same suite, so toggling on after a failure is too late.
+- **Never cancel `EcrScanVerifierTestProfile`** — cancellation is permanent and blocks future runs under the same name.
+- **`cosign generate-key-pair` and `cosign sign` need `COSIGN_PASSWORD=""`** when run unattended — otherwise they hang on a password prompt.
+- **Never commit `cosign.key` / `cosign.pub`** — they're git-ignored, keep it that way.
+- **Bootstrap repo uses immutable tags** — leftover Notation referrer tags from a failed `notation sign` MUST be deleted before retrying; do not work around with a fresh tag.
+- **`signature-ecr-signing` teardown is not optional** — wrap the test runner so `ecr_signing_teardown` runs even on failure.
+- **`cosign sign` looks hung** — on success it emits only `Signing artifact...` to stderr and then goes silent until the OCI referrer push completes. Use `cosign sign -d` for verbose HTTP logging when debugging.
+- **worktrees need `pnpm install --frozen-lockfile` first** — the `pnpm integ:*` scripts call `tsc` directly (not via `npx tsc`); without local `node_modules` the script fails with `sh: tsc: command not found`.
+- When in doubt about which test to run, call `AskUserQuestion` rather than guess.

package/.claude/skills/verify-integ-docs/SKILL.md

@@ -0,0 +1,145 @@
+---
+name: verify-integ-docs
+description: Verify the integ-test skill, test/integ/README.md, and scripts/integ.sh stay consistent. Runs the mechanical script checks PLUS LLM-only semantic checks (mode-description agreement, code-example coherence, cross-reference resolution, depth parity, helper-arg correctness) that a regex can't catch. Sets the `integ-docs` markgate marker on full pass.
+---
+
+# verify-integ-docs
+
+The integ workflow is documented in three places that must agree:
+
+| Source                              | Audience               |
+| ----------------------------------- | ---------------------- |
+| `.claude/skills/integ-test/SKILL.md`| Claude Code (automated)|
+| `test/integ/README.md`              | humans (manual runs)   |
+| `scripts/integ.sh`                  | shared shell helpers   |
+
+Both docs are intentionally redundant — the skill drives Claude through the workflow, the README lets a human run the same workflow by hand. This skill keeps them in lockstep using **two layers**:
+
+1. **Mechanical** (`scripts/verify-integ-docs.sh`) — name parity, dead-helper detection, anti-pattern grep. Cheap, deterministic, runnable in CI.
+2. **Semantic** (this skill) — does each mode actually mean the same thing in both docs? Do code examples produce equivalent results? Are cross-references valid? Only an LLM that reads both docs side-by-side can answer these.
+
+Both layers must pass before the marker flips. If only the mechanical layer matters, use `markgate run integ-docs -- ./scripts/verify-integ-docs.sh` directly instead of this skill — but you'll miss the kinds of drift listed under "Semantic checks" below.
+
+## Layer 1: mechanical (script)
+
+`scripts/verify-integ-docs.sh` enforces:
+
+1. **All three source files exist** — deleting one without the other would leave stale references.
+2. **Mode parity** — every mode in the SKILL's `argument-hint:` frontmatter must appear in both the SKILL's `## Arguments` list AND the README's `### Modes` table.
+3. **Helper parity** — every function defined in `scripts/integ.sh` must be referenced from at least one of the two docs (catches dead helpers and rename drift).
+4. **Both docs source the helpers** — both must reference `scripts/integ.sh`.
+5. **No raw `aws signer put-signing-profile`** — it's NOT idempotent (returns `ProfileAlreadyExists` on existing Active profile). Must use `signer_profile_ensure`.
+6. **No insufficient cosign signing-config strip** — `del(.rekorTlogUrls)` alone causes cosign 3.x to silently hang on `--key` signing. Must use `cosign_minimal_signing_config` (also strips oidc / ca / tsa).
+7. **`signature-*` mode test sources exist** — every `signature-<name>` mode must have a corresponding `test/integ/signature/integ.<name>.ts`.
+
+```bash
+./scripts/verify-integ-docs.sh
+```
+
+If it fails, fix the reported drift first; do NOT proceed to layer 2 or set the marker.
+
+## Layer 2: semantic (this skill, LLM-only)
+
+Run these AFTER layer 1 passes. Each catches a class of drift the script cannot.
+
+### S1. Per-mode description agreement
+
+For each mode in `argument-hint:`, compare:
+
+- the SKILL's `## Arguments` line: `` - `mode` — <SKILL description> ``
+- the README's `### Modes` table row: `` | `mode` | <README description> | ``
+
+These are written for different audiences (LLM vs human), so they should NOT be byte-identical. They MUST claim the same behavior. Flag drift such as:
+
+- **Contradictory claims**: SKILL says "switch Inspector if needed, run …, restore" but README says "Run …; no Inspector toggle" → one is wrong.
+- **Coverage mismatch**: SKILL describes 3 sub-steps, README describes only 1 → README is misleading; either expand it or compress the SKILL.
+- **Out-of-date defaults**: SKILL says "deploys by default" but README says "snapshot-only by default" → polarity skew.
+
+### S2. Code-example coherence
+
+For each mode that has a code example in BOTH docs (notation, cosign-kms, cosign-publickey, ecr-signing), read the SKILL and README versions side-by-side and verify they would produce the same result:
+
+- Same commands in the same order (allow trivial reordering only when results are independent).
+- Same flags (e.g., `--region "${REGION}"` vs no region).
+- Same helper invocations (e.g., both use `signer_profile_ensure`, not one with `aws signer put-signing-profile`).
+- Same env vars (`COSIGN_PASSWORD=""` present in both, etc.).
+
+If they diverge, ask: which is right? Usually the SKILL (more recently audited) — port the change to the README, or vice versa.
+
+### S3. Cross-reference resolution
+
+Every markdown link of the form `[text](#anchor)` in SKILL.md or README.md must resolve to an actual heading in the same document. Common breaks:
+
+- Heading renamed but the anchor link not updated.
+- Anchor uses underscore where the heading slug uses hyphen.
+- Link refers to a section that exists in the OTHER doc (not the same one).
+
+Also check that `[text](../../scripts/integ.sh)` and similar relative paths actually resolve from the doc's location.
+
+### S4. Helper-argument correctness
+
+For each helper from `scripts/integ.sh` that appears in either doc, confirm the call sites use valid arguments:
+
+- `scan_on_push_set true|false` — not `enable` / `on` / `yes`.
+- `wait_inspector_status_all ENABLED|DISABLED` — uppercase string literals.
+- `wait_enhanced_engine_warmup ENABLED|DISABLED [secs]` — same.
+- `signer_profile_ensure` — no args.
+
+The script's helper-parity check (mechanical #3) only verifies the **name** is mentioned; it cannot check the **arguments**.
+
+### S5. Depth parity
+
+For each mode, neither doc's explanation should be more than ~3× the length of the other. The two are for different audiences, but a 1-line README row plus a 50-line SKILL section means the README is silently lying about how complex the mode is. Flag and either expand the shorter side or trim the longer.
+
+### S6. Drift in "Important" / gotcha lists
+
+Compare the bullet lists at the end of each doc ("Important", "Important Note", trailing tips). Any caveat present in one but missing from the other is a candidate for porting. Examples that have bitten us before:
+
+- "Bootstrap repo uses immutable tags — must delete leftover Notation referrer tag before retrying"
+- "cosign 3.x signing-config needs oidc/ca/tsa stripped, not just rekor"
+- "AWS Signer profile cancellation is permanent"
+
+If any of those appear in one doc but not the other, port them.
+
+## When to run
+
+- After editing any of `.claude/skills/integ-test/SKILL.md`, `test/integ/README.md`, or `scripts/integ.sh`.
+- The `integ-docs-gate.sh` PreToolUse hook blocks `gh pr create` / `gh pr merge` when the marker is stale, so a missed run surfaces at PR time.
+- The `.github/workflows/verify-integ-docs.yml` workflow runs the mechanical script on every PR. **It does NOT run the semantic checks above** — those still require this skill (an LLM). CI catches the cheap drift; the skill catches the expensive drift.
+
+## Setting the marker
+
+ONLY after both layer 1 (script) and layer 2 (S1–S6) pass:
+
+```bash
+if command -v mise >/dev/null 2>&1; then
+  mise exec -- markgate set integ-docs
+else
+  markgate set integ-docs
+fi
+```
+
+If layer 1 failed → fix mechanical drift, re-run. If any semantic check (S1–S6) flagged something → fix the underlying doc drift (or surface to the user when the right answer isn't obvious), THEN set the marker. Setting the marker on a failed run defeats the entire gate.
+
+## Recovery from drift
+
+The most common failures and their fixes:
+
+- **Mode missing from one doc** (mech #2): add it to the missing place. Don't remove it from the other.
+- **Helper not referenced** (mech #3): either reference it from the appropriate doc OR delete it from `scripts/integ.sh` if truly unused.
+- **Raw `put-signing-profile`** (mech #5): replace with `signer_profile_ensure`.
+- **Raw `del(.rekorTlogUrls)`** (mech #6): replace with `cosign_minimal_signing_config /tmp/signing-config.json`.
+- **Signature mode without matching test** (mech #7): either add the test (`test/integ/signature/integ.<name>.ts` + build), or remove the mode from the skill and README.
+- **Per-mode description disagreement** (sem S1): pick the audience-appropriate wording for each, but make sure they describe the same behavior. Don't silently delete claims to "fix" the diff.
+- **Code example divergence** (sem S2): identify which version was changed last (git blame) and port to the other.
+- **Broken cross-reference** (sem S3): fix the anchor or rename the heading consistently.
+- **Wrong helper arg** (sem S4): fix the call site — the helper's contract is authoritative, not the doc.
+- **Depth imbalance** (sem S5): usually expand the README (the human audience needs MORE detail, not less, even though the SKILL can be terse with LLM context).
+- **Caveat in one doc only** (sem S6): port it.
+
+## Important
+
+- **Layer 2 is the skill's reason to exist.** If you only run the script, prefer `markgate run integ-docs -- ./scripts/verify-integ-docs.sh` and skip this skill entirely. The skill's value is doing what `grep` can't.
+- **Never set the marker on a failed run.** The gate's whole point is that the marker is an audit trail saying "yes, these files agree, and I personally read them." Setting it to silence a failure is the worst possible move.
+- **Adding a new helper to `scripts/integ.sh`** requires using it from at least one doc in the same change (mechanical check), AND documenting its arg contract (semantic check S4).
+- **Adding a new integ test file** alone does NOT invalidate the marker (only SKILL.md / README.md / scripts/integ.sh do, per `.markgate.yml` scope). New tests typically come with README changes anyway, which trip the marker naturally.

package/.jsii

@@ -5622,6 +5622,6 @@
       "symbolId": "src/signature-verification:VerificationOptions"
     }
   },
-  "version": "0.1.0",
-  "fingerprint": "eE+K+wUfGqQqUmqRaujP3LCH4sXfZKAEUOqL6KzhSQw="
+  "version": "0.1.2",
+  "fingerprint": "EPuVTblfXSkiSlj9KwfRbHNKkJE9igTQ8Rr0HbSceZQ="
 }

package/.markgate.yml

@@ -0,0 +1,25 @@
+# markgate configuration — https://github.com/go-to-k/markgate
+#
+# Gates:
+#   integ-docs — keeps the three integ-workflow sources in lockstep:
+#                .claude/skills/integ-test/SKILL.md (automated),
+#                test/integ/README.md (manual),
+#                scripts/integ.sh (shared helpers).
+#                Set by the /verify-integ-docs skill after
+#                scripts/verify-integ-docs.sh passes. The PreToolUse
+#                hook .claude/hooks/integ-docs-gate.sh blocks
+#                `gh pr create` / `gh pr merge` when stale.
+#
+# Scope is intentionally narrow — only the three files above. Integ
+# test files under test/integ/{basic,enhanced,signature}/ are NOT in
+# scope: adding a new test typically comes with a README/SKILL update
+# anyway, which trips the marker naturally. Gating on test file edits
+# directly would force re-verification on every test snapshot refresh.
+
+gates:
+  integ-docs:
+    hash: files
+    include:
+      - ".claude/skills/integ-test/SKILL.md"
+      - "test/integ/README.md"
+      - "scripts/integ.sh"

package/.mise.toml

@@ -0,0 +1,9 @@
+# mise tool pinning — https://mise.jdx.dev/
+#
+# Pinning markgate via mise ensures every contributor uses the same
+# schema version. Mixing 0.3.0 and 0.3.1+ binaries silently invalidates
+# each other's markers (the schema bumped in 0.3.1), so Homebrew vs
+# mise drift would constantly trip the integ-docs gate for no reason.
+
+[tools]
+"ubi:go-to-k/markgate" = "0.3.3"

package/assets/lambda/Dockerfile

@@ -0,0 +1,49 @@
+FROM public.ecr.aws/amazonlinux/amazonlinux:2023 AS builder
+
+# Notation CLI + AWS Signer plugin
+RUN curl -sLo /tmp/signer.rpm \
+    "https://d2hvyiie56hcat.cloudfront.net/linux/arm64/installer/rpm/latest/aws-signer-notation-cli_arm64.rpm" \
+    && rpm -ivh /tmp/signer.rpm && rm /tmp/signer.rpm
+
+# Cosign for ARM64 (Sigstore)
+ARG COSIGN_VERSION=3.0.5
+RUN curl -sLo /tmp/cosign \
+    "https://github.com/sigstore/cosign/releases/download/v${COSIGN_VERSION}/cosign-linux-arm64" \
+    && chmod +x /tmp/cosign
+
+FROM public.ecr.aws/lambda/nodejs:24-arm64
+
+# Notation binary
+COPY --from=builder /usr/local/bin/notation /var/task/bin/notation
+
+# Notation plugin (must be at plugins/<plugin-name>/<binary>)
+COPY --from=builder \
+    /opt/com.amazonaws.signer.notation.installer.rpm/notation_libexec/notation-com.amazonaws.signer.notation.plugin \
+    /var/task/notation-config/plugins/com.amazonaws.signer.notation.plugin/notation-com.amazonaws.signer.notation.plugin
+
+# Notation trust store (must be at truststore/x509/signingAuthority/<store-name>/<certs>)
+# Commercial regions
+COPY --from=builder \
+    /opt/com.amazonaws.signer.notation.installer.rpm/notation_config/aws-signer-notation-root.crt \
+    /var/task/notation-config/truststore/x509/signingAuthority/aws-signer-ts/aws-signer-notation-root.crt
+# GovCloud regions
+COPY --from=builder \
+    /opt/com.amazonaws.signer.notation.installer.rpm/notation_config/aws-us-gov-signer-notation-root.crt \
+    /var/task/notation-config/truststore/x509/signingAuthority/aws-us-gov-signer-ts/aws-us-gov-signer-notation-root.crt
+
+# Fix permissions (RPM installs with root-only 700/600 permissions)
+# Lambda base image doesn't have 'find', so use chmod -R and then fix executables
+RUN chmod -R 755 /var/task/notation-config && \
+    chmod 644 /var/task/notation-config/truststore/x509/signingAuthority/aws-signer-ts/*.crt && \
+    chmod 644 /var/task/notation-config/truststore/x509/signingAuthority/aws-us-gov-signer-ts/*.crt && \
+    chmod +x /var/task/bin/notation && \
+    chmod +x /var/task/notation-config/plugins/com.amazonaws.signer.notation.plugin/notation-com.amazonaws.signer.notation.plugin
+
+# Cosign
+COPY --from=builder /tmp/cosign /var/task/bin/cosign
+RUN chmod +x /var/task/bin/cosign
+
+# Lambda handler
+COPY dist/index.js ${LAMBDA_TASK_ROOT}/index.js
+
+CMD ["index.handler"]

package/lib/ecr-scan-verifier.js

@@ -156,5 +156,5 @@ class EcrScanVerifier extends constructs_1.Construct {
 }
 exports.EcrScanVerifier = EcrScanVerifier;
 _a = JSII_RTTI_SYMBOL_1;
-EcrScanVerifier[_a] = { fqn: "ecr-scan-verifier.EcrScanVerifier", version: "0.1.0" };
+EcrScanVerifier[_a] = { fqn: "ecr-scan-verifier.EcrScanVerifier", version: "0.1.2" };
 //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZWNyLXNjYW4tdmVyaWZpZXIuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi9zcmMvZWNyLXNjYW4tdmVyaWZpZXIudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7QUFBQSwrQkFBNEI7QUFDNUIsNkNBQWdHO0FBRWhHLCtEQUFzRDtBQUN0RCxpREFBc0Q7QUFDdEQsdURBTWdDO0FBR2hDLG1FQUF3RDtBQUN4RCwyQ0FBbUQ7QUFLbkQsbUNBQW1DO0FBa0huQzs7OztHQUlHO0FBQ0gsTUFBYSxlQUFnQixTQUFRLHNCQUFTO0lBRzVDLFlBQVksS0FBZ0IsRUFBRSxFQUFVLEVBQUUsS0FBMkI7UUFDbkUsS0FBSyxDQUFDLEtBQUssRUFBRSxFQUFFLENBQUMsQ0FBQztRQUVqQixJQUFJLENBQUMsZUFBZSxHQUFHLEtBQUssQ0FBQyxlQUFlLENBQUM7UUFDN0MsTUFBTSxhQUFhLEdBQUcsNkNBQTZDLENBQUM7UUFFcEUsTUFBTSxvQkFBb0IsR0FBRyxJQUFJLDhCQUFpQixDQUFDLElBQUksRUFBRSxzQkFBc0IsRUFBRTtZQUMvRSxJQUFJLEVBQUUsc0NBQXNDO1lBQzVDLGFBQWE7WUFDYixPQUFPLEVBQUUsb0JBQU8sQ0FBQyxVQUFVO1lBQzNCLE9BQU8sRUFBRSxvQkFBTyxDQUFDLFVBQVU7WUFDM0IsSUFBSSxFQUFFLHNCQUFTLENBQUMsY0FBYyxDQUFDLElBQUEsV0FBSSxFQUFDLFNBQVMsRUFBRSxrQkFBa0IsQ0FBQyxFQUFFO2dCQUNsRSxRQUFRLEVBQUUseUJBQVEsQ0FBQyxXQUFXO2dCQUM5QixVQUFVLEVBQUUsd0JBQVUsQ0FBQyxNQUFNO2FBQzlCLENBQUM7WUFDRixZQUFZLEVBQUUseUJBQVksQ0FBQyxNQUFNO1lBQ2pDLE9BQU8sRUFBRSxzQkFBUSxDQUFDLE9BQU8sQ0FBQyxHQUFHLENBQUM7WUFDOUIsYUFBYSxFQUFFLENBQUM7WUFDaEIsUUFBUSxFQUFFLElBQUksQ0FBQyxlQUFlO1NBQy9CLENBQUMsQ0FBQztRQUVILE1BQU0sUUFBUSxHQUFHLEtBQUssQ0FBQyxRQUFRLElBQUksUUFBUSxDQUFDO1FBRTVDLE1BQU0sZ0JBQWdCLEdBQUcsS0FBSyxDQUFDLFVBQVUsQ0FBQyxJQUFJLEVBQUUsQ0FBQztRQUVqRCx5REFBeUQ7UUFDekQsSUFBSSxnQkFBZ0IsQ0FBQyxRQUFRLEtBQUssZ0JBQWdCLElBQUksQ0FBQyxLQUFLLENBQUMscUJBQXFCLEVBQUUsQ0FBQztZQUNuRixNQUFNLElBQUksS0FBSyxDQUFDLDRFQUE0RSxDQUFDLENBQUM7UUFDaEcsQ0FBQztRQUVELE1BQU0sYUFBYSxHQUFHLEtBQUssQ0FBQyxjQUFjLEVBQUUsSUFBSSxDQUFDLG9CQUFvQixDQUFDLENBQUM7UUFFdkUsc0NBQXNDO1FBQ3RDLE1BQU0sVUFBVSxHQUFHLGdCQUFnQixDQUFDLFVBQVUsRUFBRSxJQUFJLENBQUMsb0JBQW9CLENBQUMsQ0FBQztRQUUzRSx5QkFBeUI7UUFDekIsTUFBTSwyQkFBMkIsR0FBRyxLQUFLLENBQUMscUJBQXFCLEVBQUUsSUFBSSxDQUFDLG9CQUFvQixDQUFDLENBQUM7UUFFNUYsa0JBQWtCO1FBQ2xCLDREQUE0RDtRQUM1RCxnRUFBZ0U7UUFDaEUsTUFBTSxVQUFVLEdBQUcsQ0FBQyxvQkFBb0IsQ0FBQyxDQUFDO1FBQzFDLElBQUksZ0JBQWdCLENBQUMsUUFBUSxLQUFLLGdCQUFnQixFQUFFLENBQUM7WUFDbkQsVUFBVSxDQUFDLElBQUksQ0FBQywrQkFBK0IsQ0FBQyxDQUFDO1FBQ25ELENBQUM7UUFDRCxvQkFBb0IsQ0FBQyxlQUFlLENBQ2xDLElBQUkseUJBQWUsQ0FBQztZQUNsQixPQUFPLEVBQUUsVUFBVTtZQUNuQixTQUFTLEVBQUUsQ0FBQyxLQUFLLENBQUMsVUFBVSxDQUFDLGFBQWEsQ0FBQztTQUM1QyxDQUFDLENBQ0gsQ0FBQztRQUVGLElBQUksZ0JBQWdCLENBQUMsUUFBUSxLQUFLLFVBQVUsRUFBRSxDQUFDO1lBQzdDLG9CQUFvQixDQUFDLGVBQWUsQ0FDbEMsSUFBSSx5QkFBZSxDQUFDO2dCQUNsQixPQUFPLEVBQUUsQ0FBQyx5QkFBeUIsRUFBRSx5QkFBeUIsQ0FBQztnQkFDL0QsU0FBUyxFQUFFLENBQUMsR0FBRyxDQUFDO2FBQ2pCLENBQUMsQ0FDSCxDQUFDO1FBQ0osQ0FBQztRQUVELElBQUksZ0JBQWdCLENBQUMsU0FBUyxFQUFFLENBQUM7WUFDL0Isb0JBQW9CLENBQUMsZUFBZSxDQUNsQyxJQUFJLHlCQUFlLENBQUM7Z0JBQ2xCLE9BQU8sRUFBRSxDQUFDLG9CQUFvQixDQUFDO2dCQUMvQixTQUFTLEVBQUUsQ0FBQyxLQUFLLENBQUMsVUFBVSxDQUFDLGFBQWEsQ0FBQzthQUM1QyxDQUFDLENBQ0gsQ0FBQztRQUNKLENBQUM7UUFFRCxxQ0FBcUM7UUFDckMsSUFBSSwyQkFBMkIsRUFBRSxDQUFDO1lBQ2hDLG9CQUFvQixDQUFDLGVBQWUsQ0FDbEMsSUFBSSx5QkFBZSxDQUFDO2dCQUNsQixPQUFPLEVBQUUsQ0FBQywyQkFBMkIsQ0FBQztnQkFDdEMsU0FBUyxFQUFFLENBQUMsR0FBRyxDQUFDO2FBQ2pCLENBQUMsQ0FDSCxDQUFDO1lBQ0Ysb0JBQW9CLENBQUMsZUFBZSxDQUNsQyxJQUFJLHlCQUFlLENBQUM7Z0JBQ2xCLE9BQU8sRUFBRSxDQUFDLG1CQUFtQixFQUFFLDRCQUE0QixDQUFDO2dCQUM1RCxTQUFTLEVBQUUsQ0FBQyxLQUFLLENBQUMsVUFBVSxDQUFDLGFBQWEsQ0FBQzthQUM1QyxDQUFDLENBQ0gsQ0FBQztZQUVGLElBQUksMkJBQTJCLENBQUMsSUFBSSxLQUFLLFVBQVUsRUFBRSxDQUFDO2dCQUNwRCxvQkFBb0IsQ0FBQyxlQUFlLENBQ2xDLElBQUkseUJBQWUsQ0FBQztvQkFDbEIsT0FBTyxFQUFFLENBQUMsNEJBQTRCLENBQUM7b0JBQ3ZDLFNBQVMsRUFBRSxDQUFDLEdBQUcsQ0FBQztpQkFDakIsQ0FBQyxDQUNILENBQUM7WUFDSixDQUFDO1lBQ0QsOERBQThEO1FBQ2hFLENBQUM7UUFFRCx1REFBdUQ7UUFDdkQsSUFBSSxVQUFVLEVBQUUsQ0FBQztZQUNmLG9CQUFvQixDQUFDLGVBQWUsQ0FDbEMsSUFBSSx5QkFBZSxDQUFDO2dCQUNsQixPQUFPLEVBQUUsQ0FBQyw2QkFBNkIsRUFBRSwwQkFBMEIsQ0FBQztnQkFDcEUsU0FBUyxFQUFFLENBQUMsR0FBRyxDQUFDO2FBQ2pCLENBQUMsQ0FDSCxDQUFDO1FBQ0osQ0FBQztRQUVELElBQUksS0FBSyxDQUFDLHNCQUFzQixFQUFFLENBQUM7WUFDakMsS0FBSyxDQUFDLHNCQUFzQixDQUFDLFlBQVksQ0FBQyxvQkFBb0IsQ0FBQyxDQUFDO1FBQ2xFLENBQUM7UUFFRCxNQUFNLHVCQUF1QixHQUFHLEtBQUssQ0FBQyx1QkFBdUIsSUFBSSxJQUFJLENBQUM7UUFDdEUsSUFBSSx1QkFBdUIsRUFBRSxDQUFDO1lBQzVCLG9CQUFvQixDQUFDLGVBQWUsQ0FDbEMsSUFBSSx5QkFBZSxDQUFDO2dCQUNsQixPQUFPLEVBQUUsQ0FBQywrQkFBK0IsQ0FBQztnQkFDMUMsU0FBUyxFQUFFLENBQUMsbUJBQUssQ0FBQyxFQUFFLENBQUMsSUFBSSxDQUFDLENBQUMsT0FBTyxDQUFDO2FBQ3BDLENBQUMsQ0FDSCxDQUFDO1FBQ0osQ0FBQztRQUVELG9GQUFvRjtRQUNwRixxQkFBTyxDQUFDLEVBQUUsQ0FBQyxtQkFBSyxDQUFDLEVBQUUsQ0FBQyxJQUFJLENBQUMsQ0FBQyxDQUFDLEdBQUcsQ0FBQztZQUM3QixLQUFLLEVBQUUsQ0FBQyxJQUFJLEVBQUUsRUFBRTtnQkFDZCxJQUNFLElBQUksWUFBWSxlQUFlO29CQUMvQixJQUFJLENBQUMsZ0JBQWdCLEVBQUUsSUFBSSxDQUFDLElBQUksS0FBSyxJQUFJLENBQUMsZUFBZSxFQUFFLElBQUksQ0FBQyxJQUFJLEVBQ3BFLENBQUM7b0JBQ0QseUJBQVcsQ0FBQyxFQUFFLENBQUMsSUFBSSxDQUFDLENBQUMsWUFBWSxDQUMvQixtREFBbUQsRUFDbkQsZ0hBQWdILENBQ2pILENBQUM7Z0JBQ0osQ0FBQztZQUNILENBQUM7U0FDRixDQUFDLENBQUM7UUFFSCxNQUFNLGdCQUFnQixHQUFHLElBQUksMkJBQVEsQ0FBQyxJQUFJLEVBQUUsVUFBVSxFQUFFO1lBQ3RELGNBQWMsRUFBRSxvQkFBb0I7U0FDckMsQ0FBQyxDQUFDO1FBRUgsTUFBTSxrQkFBa0IsR0FBK0I7WUFDckQsSUFBSSxFQUFFLElBQUksQ0FBQyxJQUFJLENBQUMsSUFBSTtZQUNwQixjQUFjLEVBQUUsS0FBSyxDQUFDLFVBQVUsQ0FBQyxjQUFjO1lBQy9DLFFBQVE7WUFDUixRQUFRLEVBQUUsZ0JBQWdCLENBQUMsUUFBUTtZQUNuQyxTQUFTLEVBQUUsTUFBTSxDQUFDLGdCQUFnQixDQUFDLFNBQVMsQ0FBQztZQUM3QyxRQUFRLEVBQUUsS0FBSyxDQUFDLFFBQVEsSUFBSSxDQUFDLGdCQUFRLENBQUMsUUFBUSxDQUFDO1lBQy9DLG1CQUFtQixFQUFFLE1BQU0sQ0FBQyxLQUFLLENBQUMsbUJBQW1CLElBQUksSUFBSSxDQUFDO1lBQzlELGNBQWMsRUFBRSxLQUFLLENBQUMsY0FBYyxJQUFJLEVBQUU7WUFDMUMsTUFBTSxFQUFFLGFBQWE7WUFDckIsSUFBSSxFQUFFLFVBQVU7WUFDaEIscUJBQXFCLEVBQUUsMkJBQTJCO2dCQUNoRCxDQUFDLENBQUM7b0JBQ0UsSUFBSSxFQUFFLDJCQUEyQixDQUFDLElBQUk7b0JBQ3RDLGlCQUFpQixFQUFFLDJCQUEyQixDQUFDLGlCQUFpQjtvQkFDaEUsU0FBUyxFQUFFLDJCQUEyQixDQUFDLFNBQVM7b0JBQ2hELFNBQVMsRUFBRSwyQkFBMkIsQ0FBQyxTQUFTO29CQUNoRCxjQUFjLEVBQUUsTUFBTSxDQUFDLDJCQUEyQixDQUFDLGNBQWMsQ0FBQztpQkFDbkU7Z0JBQ0gsQ0FBQyxDQUFDLFNBQVM7WUFDYix1QkFBdUIsRUFBRSxNQUFNLENBQUMsdUJBQXVCLENBQUM7WUFDeEQsYUFBYSxFQUFFLEtBQUssQ0FBQyxzQkFBc0IsRUFBRSxRQUFRO1lBQ3JELG1CQUFtQixFQUNqQixJQUFJLENBQUMsZUFBZSxFQUFFLFlBQVksSUFBSSxlQUFlLG9CQUFvQixDQUFDLFlBQVksRUFBRTtTQUMzRixDQUFDO1FBRUYsSUFBSSw0QkFBYyxDQUFDLElBQUksRUFBRSxVQUFVLEVBQUU7WUFDbkMsWUFBWSxFQUFFLHlCQUF5QjtZQUN2QyxVQUFVLEVBQUUsa0JBQWtCO1lBQzlCLFlBQVksRUFBRSxnQkFBZ0IsQ0FBQyxZQUFZO1NBQzVDLENBQUMsQ0FBQztRQUVILEtBQUssQ0FBQyxlQUFlLEVBQUUsT0FBTyxDQUFDLENBQUMsU0FBUyxFQUFFLEVBQUU7WUFDM0MsU0FBUyxDQUFDLElBQUksQ0FBQyxhQUFhLENBQUMsSUFBSSxDQUFDLENBQUM7UUFDckMsQ0FBQyxDQUFDLENBQUM7SUFDTCxDQUFDO0lBRUQsZ0JBQWdCO0lBQ2hCLElBQUksZ0JBQWdCO1FBQ2xCLE9BQU8sSUFBSSxDQUFDLGVBQWUsQ0FBQztJQUM5QixDQUFDOztBQXRMSCwwQ0F1TEMiLCJzb3VyY2VzQ29udGVudCI6WyJpbXBvcnQgeyBqb2luIH0gZnJvbSAncGF0aCc7XG5pbXBvcnQgeyBBbm5vdGF0aW9ucywgQXNwZWN0cywgQ3VzdG9tUmVzb3VyY2UsIER1cmF0aW9uLCBJZ25vcmVNb2RlLCBTdGFjayB9IGZyb20gJ2F3cy1jZGstbGliJztcbmltcG9ydCB7IElSZXBvc2l0b3J5IH0gZnJvbSAnYXdzLWNkay1saWIvYXdzLWVjcic7XG5pbXBvcnQgeyBQbGF0Zm9ybSB9IGZyb20gJ2F3cy1jZGstbGliL2F3cy1lY3ItYXNzZXRzJztcbmltcG9ydCB7IFBvbGljeVN0YXRlbWVudCB9IGZyb20gJ2F3cy1jZGstbGliL2F3cy1pYW0nO1xuaW1wb3J0IHtcbiAgQXJjaGl0ZWN0dXJlLFxuICBBc3NldENvZGUsXG4gIEhhbmRsZXIsXG4gIFJ1bnRpbWUsXG4gIFNpbmdsZXRvbkZ1bmN0aW9uLFxufSBmcm9tICdhd3MtY2RrLWxpYi9hd3MtbGFtYmRhJztcbmltcG9ydCB7IElMb2dHcm91cCB9IGZyb20gJ2F3cy1jZGstbGliL2F3cy1sb2dzJztcbmltcG9ydCB7IElUb3BpYyB9IGZyb20gJ2F3cy1jZGstbGliL2F3cy1zbnMnO1xuaW1wb3J0IHsgUHJvdmlkZXIgfSBmcm9tICdhd3MtY2RrLWxpYi9jdXN0b20tcmVzb3VyY2VzJztcbmltcG9ydCB7IENvbnN0cnVjdCwgSUNvbnN0cnVjdCB9IGZyb20gJ2NvbnN0cnVjdHMnO1xuaW1wb3J0IHsgU2Nhbm5lckN1c3RvbVJlc291cmNlUHJvcHMgfSBmcm9tICcuL2N1c3RvbS1yZXNvdXJjZS1wcm9wcyc7XG5pbXBvcnQgeyBTY2FuQ29uZmlnIH0gZnJvbSAnLi9zY2FuLWNvbmZpZyc7XG5pbXBvcnQgeyBTY2FuTG9nc091dHB1dCB9IGZyb20gJy4vc2Nhbi1sb2dzLW91dHB1dCc7XG5pbXBvcnQgeyBTaWduYXR1cmVWZXJpZmljYXRpb24gfSBmcm9tICcuL3NpZ25hdHVyZS12ZXJpZmljYXRpb24nO1xuaW1wb3J0IHsgU2V2ZXJpdHkgfSBmcm9tICcuL3R5cGVzJztcblxuLyoqXG4gKiBQcm9wZXJ0aWVzIGZvciBFY3JTY2FuVmVyaWZpZXIgQ29uc3RydWN0LlxuICovXG5leHBvcnQgaW50ZXJmYWNlIEVjclNjYW5WZXJpZmllclByb3BzIHtcbiAgLyoqXG4gICAqIEVDUiBSZXBvc2l0b3J5IHRvIHNjYW4uXG4gICAqL1xuICByZWFkb25seSByZXBvc2l0b3J5OiBJUmVwb3NpdG9yeTtcblxuICAvKipcbiAgICogSW1hZ2UgdGFnIG9yIGRpZ2VzdCB0byBzY2FuLlxuICAgKlxuICAgKiBZb3UgY2FuIHNwZWNpZnkgYSB0YWcgKGUuZy4sICd2MS4wJywgJ2xhdGVzdCcpIG9yIGEgZGlnZXN0IChlLmcuLCAnc2hhMjU2OmFiYzEyMy4uLicpLlxuICAgKiBJZiB0aGUgdmFsdWUgc3RhcnRzIHdpdGggJ3NoYTI1NjonLCBpdCBpcyB0cmVhdGVkIGFzIGEgZGlnZXN0LlxuICAgKlxuICAgKiBAZGVmYXVsdCAnbGF0ZXN0J1xuICAgKi9cbiAgcmVhZG9ubHkgaW1hZ2VUYWc/OiBzdHJpbmc7XG5cbiAgLyoqXG4gICAqIFNjYW4gY29uZmlndXJhdGlvbiDigJQgY2hvb3NlIGJhc2VkIG9uIHlvdXIgRUNSIHJlcG9zaXRvcnkvYWNjb3VudCBzZXR0aW5nczpcbiAgICpcbiAgICogLSBgU2NhbkNvbmZpZy5iYXNpYygpYCAoZGVmYXVsdDogYHN0YXJ0U2NhbjogdHJ1ZWApIOKAlCBzdGFydHMgYSBzY2FuIHZpYSB0aGUgRUNSIEFQSS5cbiAgICogICBObyBhZGRpdGlvbmFsIEVDUiBjb25maWd1cmF0aW9uIHJlcXVpcmVkLlxuICAgKiAtIGBTY2FuQ29uZmlnLmJhc2ljKHsgc3RhcnRTY2FuOiBmYWxzZSB9KWAg4oCUIHBvbGxzIGZvciBleGlzdGluZyByZXN1bHRzLlxuICAgKiAgIFJlcXVpcmVzIEJhc2ljIHNjYW4tb24tcHVzaCB0byBiZSBlbmFibGVkIG9uIHRoZSByZXBvc2l0b3J5LlxuICAgKiAtIGBTY2FuQ29uZmlnLmVuaGFuY2VkKClgIOKAlCB1c2VzIEFtYXpvbiBJbnNwZWN0b3IgZW5oYW5jZWQgc2Nhbm5pbmcuXG4gICAqICAgUmVxdWlyZXMgRW5oYW5jZWQgc2Nhbm5pbmcgdG8gYmUgZW5hYmxlZCBvbiB0aGUgYWNjb3VudC5cbiAgICpcbiAgICogSWYgdGhlIHJlcXVpcmVkIHNjYW5uaW5nIGNvbmZpZ3VyYXRpb24gaXMgbm90IGluIHBsYWNlIGFuZCBubyBwcmlvciBzY2FuIHJlc3VsdHMgZXhpc3QsXG4gICAqIHRoZSBkZXBsb3ltZW50IHdpbGwgZmFpbC5cbiAgICovXG4gIHJlYWRvbmx5IHNjYW5Db25maWc6IFNjYW5Db25maWc7XG5cbiAgLyoqXG4gICAqIFNldmVyaXR5IHRocmVzaG9sZCBmb3IgdnVsbmVyYWJpbGl0eSBkZXRlY3Rpb24uXG4gICAqXG4gICAqIElmIHZ1bG5lcmFiaWxpdGllcyBhdCBvciBhYm92ZSBhbnkgb2YgdGhlIHNwZWNpZmllZCBzZXZlcml0eSBsZXZlbHMgYXJlIGZvdW5kLFxuICAgKiB0aGUgc2NhbiB3aWxsIGJlIGNvbnNpZGVyZWQgYXMgaGF2aW5nIGZvdW5kIHZ1bG5lcmFiaWxpdGllcy5cbiAgICpcbiAgICogQGRlZmF1bHQgW1NldmVyaXR5LkNSSVRJQ0FMXVxuICAgKi9cbiAgcmVhZG9ubHkgc2V2ZXJpdHk/OiBTZXZlcml0eVtdO1xuXG4gIC8qKlxuICAgKiBXaGV0aGVyIHRvIGZhaWwgdGhlIENsb3VkRm9ybWF0aW9uIGRlcGxveW1lbnQgaWYgdnVsbmVyYWJpbGl0aWVzIGFyZSBkZXRlY3RlZFxuICAgKiBhYm92ZSB0aGUgc2V2ZXJpdHkgdGhyZXNob2xkLlxuICAgKlxuICAgKiBAZGVmYXVsdCB0cnVlXG4gICAqL1xuICByZWFkb25seSBmYWlsT25WdWxuZXJhYmlsaXR5PzogYm9vbGVhbjtcblxuICAvKipcbiAgICogRmluZGluZyBJRHMgdG8gaWdub3JlIGR1cmluZyB2dWxuZXJhYmlsaXR5IGV2YWx1YXRpb24uXG4gICAqXG4gICAqIEZvciBiYXNpYyBzY2FubmluZzogQ1ZFIElEcyAoZS5nLiwgJ0NWRS0yMDIzLTM3OTIwJylcbiAgICogRm9yIGVuaGFuY2VkIHNjYW5uaW5nOiBmaW5kaW5nIEFSTnMgb3IgQ1ZFIElEc1xuICAgKlxuICAgKiBAZGVmYXVsdCAtIG5vIGZpbmRpbmdzIGlnbm9yZWRcbiAgICovXG4gIHJlYWRvbmx5IGlnbm9yZUZpbmRpbmdzPzogc3RyaW5nW107XG5cbiAgLyoqXG4gICAqIENvbmZpZ3VyYXRpb24gZm9yIHNjYW4gbG9ncyBvdXRwdXQuXG4gICAqXG4gICAqIEBkZWZhdWx0IC0gc2NhbiBsb2dzIG91dHB1dCB0byBkZWZhdWx0IGxvZyBncm91cCBjcmVhdGVkIGJ5IFNjYW5uZXIgTGFtYmRhLlxuICAgKi9cbiAgcmVhZG9ubHkgc2NhbkxvZ3NPdXRwdXQ/OiBTY2FuTG9nc091dHB1dDtcblxuICAvKipcbiAgICogU2lnbmF0dXJlIHZlcmlmaWNhdGlvbiBjb25maWd1cmF0aW9uIGZvciB0aGUgY29udGFpbmVyIGltYWdlLlxuICAgKlxuICAgKiBWZXJpZmllcyB0aGUgaW1hZ2Ugc2lnbmF0dXJlIGJlZm9yZSBzY2FubmluZyB1c2luZyBOb3RhdGlvbiAoQVdTIFNpZ25lcikgb3IgQ29zaWduIChTaWdzdG9yZSkuXG4gICAqXG4gICAqIEBkZWZhdWx0IC0gbm8gc2lnbmF0dXJlIHZlcmlmaWNhdGlvblxuICAgKi9cbiAgcmVhZG9ubHkgc2lnbmF0dXJlVmVyaWZpY2F0aW9uPzogU2lnbmF0dXJlVmVyaWZpY2F0aW9uO1xuXG4gIC8qKlxuICAgKiBUaGUgU2Nhbm5lciBMYW1iZGEgZnVuY3Rpb24ncyBkZWZhdWx0IGxvZyBncm91cC5cbiAgICpcbiAgICogSWYgeW91IHVzZSBFY3JTY2FuVmVyaWZpZXIgY29uc3RydWN0IG11bHRpcGxlIHRpbWVzIGluIHRoZSBzYW1lIHN0YWNrLFxuICAgKiB5b3UgbXVzdCBzcGVjaWZ5IHRoZSBzYW1lIGxvZyBncm91cCBmb3IgZWFjaCBjb25zdHJ1Y3QuXG4gICAqXG4gICAqIEBkZWZhdWx0IC0gU2Nhbm5lciBMYW1iZGEgY3JlYXRlcyB0aGUgZGVmYXVsdCBsb2cgZ3JvdXAuXG4gICAqL1xuICByZWFkb25seSBkZWZhdWx0TG9nR3JvdXA/OiBJTG9nR3JvdXA7XG5cbiAgLyoqXG4gICAqIFN1cHByZXNzIGVycm9ycyBkdXJpbmcgcm9sbGJhY2sgc2Nhbm5lciBMYW1iZGEgZXhlY3V0aW9uLlxuICAgKlxuICAgKiBAZGVmYXVsdCB0cnVlXG4gICAqL1xuICByZWFkb25seSBzdXBwcmVzc0Vycm9yT25Sb2xsYmFjaz86IGJvb2xlYW47XG5cbiAgLyoqXG4gICAqIFNOUyB0b3BpYyBmb3IgdnVsbmVyYWJpbGl0eSBub3RpZmljYXRpb24uXG4gICAqXG4gICAqIFN1cHBvcnRzIEFXUyBDaGF0Ym90IG1lc3NhZ2UgZm9ybWF0LlxuICAgKlxuICAgKiBAZGVmYXVsdCAtIG5vIG5vdGlmaWNhdGlvblxuICAgKi9cbiAgcmVhZG9ubHkgdnVsbnNOb3RpZmljYXRpb25Ub3BpYz86IElUb3BpYztcblxuICAvKipcbiAgICogQ29uc3RydWN0cyB0byBibG9jayBpZiB2dWxuZXJhYmlsaXRpZXMgYXJlIGRldGVjdGVkLlxuICAgKlxuICAgKiBAZGVmYXVsdCAtIG5vIGNvbnN0cnVjdHMgdG8gYmxvY2tcbiAgICovXG4gIHJlYWRvbmx5IGJsb2NrQ29uc3RydWN0cz86IElDb25zdHJ1Y3RbXTtcbn1cblxuLyoqXG4gKiBBIENvbnN0cnVjdCB0aGF0IHZlcmlmaWVzIGNvbnRhaW5lciBpbWFnZSBzY2FuIGZpbmRpbmdzIHdpdGggRUNSIGltYWdlIHNjYW5uaW5nLlxuICogSXQgdXNlcyBhIExhbWJkYSBmdW5jdGlvbiBhcyBhIEN1c3RvbSBSZXNvdXJjZSBwcm92aWRlciB0byBjYWxsIEVDUiBzY2FuIEFQSXNcbiAqIGFuZCBldmFsdWF0ZSBzY2FuIGZpbmRpbmdzLlxuICovXG5leHBvcnQgY2xhc3MgRWNyU2NhblZlcmlmaWVyIGV4dGVuZHMgQ29uc3RydWN0IHtcbiAgcHJpdmF0ZSByZWFkb25seSBkZWZhdWx0TG9nR3JvdXA/OiBJTG9nR3JvdXA7XG5cbiAgY29uc3RydWN0b3Ioc2NvcGU6IENvbnN0cnVjdCwgaWQ6IHN0cmluZywgcHJvcHM6IEVjclNjYW5WZXJpZmllclByb3BzKSB7XG4gICAgc3VwZXIoc2NvcGUsIGlkKTtcblxuICAgIHRoaXMuZGVmYXVsdExvZ0dyb3VwID0gcHJvcHMuZGVmYXVsdExvZ0dyb3VwO1xuICAgIGNvbnN0IGxhbWJkYVB1cnBvc2UgPSAnQ3VzdG9tOjpFY3JTY2FuVmVyaWZpZXJDdXN0b21SZXNvdXJjZUxhbWJkYSc7XG5cbiAgICBjb25zdCBjdXN0b21SZXNvdXJjZUxhbWJkYSA9IG5ldyBTaW5nbGV0b25GdW5jdGlvbih0aGlzLCAnQ3VzdG9tUmVzb3VyY2VMYW1iZGEnLCB7XG4gICAgICB1dWlkOiAnYzU2Y2VlNmItNjc3NS01NDFiLWQxNzktYzE1MzVkODhhMGM4JyxcbiAgICAgIGxhbWJkYVB1cnBvc2UsXG4gICAgICBydW50aW1lOiBSdW50aW1lLkZST01fSU1BR0UsXG4gICAgICBoYW5kbGVyOiBIYW5kbGVyLkZST01fSU1BR0UsXG4gICAgICBjb2RlOiBBc3NldENvZGUuZnJvbUFzc2V0SW1hZ2Uoam9pbihfX2Rpcm5hbWUsICcuLi9hc3NldHMvbGFtYmRhJyksIHtcbiAgICAgICAgcGxhdGZvcm06IFBsYXRmb3JtLkxJTlVYX0FSTTY0LFxuICAgICAgICBpZ25vcmVNb2RlOiBJZ25vcmVNb2RlLkRPQ0tFUixcbiAgICAgIH0pLFxuICAgICAgYXJjaGl0ZWN0dXJlOiBBcmNoaXRlY3R1cmUuQVJNXzY0LFxuICAgICAgdGltZW91dDogRHVyYXRpb24uc2Vjb25kcyg5MDApLFxuICAgICAgcmV0cnlBdHRlbXB0czogMCxcbiAgICAgIGxvZ0dyb3VwOiB0aGlzLmRlZmF1bHRMb2dHcm91cCxcbiAgICB9KTtcblxuICAgIGNvbnN0IGltYWdlVGFnID0gcHJvcHMuaW1hZ2VUYWcgPz8gJ2xhdGVzdCc7XG5cbiAgICBjb25zdCBzY2FuQ29uZmlnT3V0cHV0ID0gcHJvcHMuc2NhbkNvbmZpZy5iaW5kKCk7XG5cbiAgICAvLyBWYWxpZGF0ZTogc2lnbmF0dXJlT25seSByZXF1aXJlcyBzaWduYXR1cmVWZXJpZmljYXRpb25cbiAgICBpZiAoc2NhbkNvbmZpZ091dHB1dC5zY2FuVHlwZSA9PT0gJ1NJR05BVFVSRV9PTkxZJyAmJiAhcHJvcHMuc2lnbmF0dXJlVmVyaWZpY2F0aW9uKSB7XG4gICAgICB0aHJvdyBuZXcgRXJyb3IoJ1NjYW5Db25maWcuc2lnbmF0dXJlT25seSgpIHJlcXVpcmVzIHNpZ25hdHVyZVZlcmlmaWNhdGlvbiB0byBiZSBzcGVjaWZpZWQuJyk7XG4gICAgfVxuXG4gICAgY29uc3Qgb3V0cHV0T3B0aW9ucyA9IHByb3BzLnNjYW5Mb2dzT3V0cHV0Py5iaW5kKGN1c3RvbVJlc291cmNlTGFtYmRhKTtcblxuICAgIC8vIFNCT00gb3V0cHV0IChmcm9tIHNjYW5Db25maWdPdXRwdXQpXG4gICAgY29uc3Qgc2JvbUNvbmZpZyA9IHNjYW5Db25maWdPdXRwdXQuc2JvbU91dHB1dD8uYmluZChjdXN0b21SZXNvdXJjZUxhbWJkYSk7XG5cbiAgICAvLyBTaWduYXR1cmUgdmVyaWZpY2F0aW9uXG4gICAgY29uc3Qgc2lnbmF0dXJlVmVyaWZpY2F0aW9uQ29uZmlnID0gcHJvcHMuc2lnbmF0dXJlVmVyaWZpY2F0aW9uPy5iaW5kKGN1c3RvbVJlc291cmNlTGFtYmRhKTtcblxuICAgIC8vIEVDUiBwZXJtaXNzaW9uc1xuICAgIC8vIERlc2NyaWJlSW1hZ2VzIGlzIGFsd2F5cyByZXF1aXJlZCAoZm9yIGRpZ2VzdCByZXNvbHV0aW9uKVxuICAgIC8vIERlc2NyaWJlSW1hZ2VTY2FuRmluZGluZ3MgaXMgb25seSByZXF1aXJlZCBmb3Igc2Nhbm5pbmcgbW9kZXNcbiAgICBjb25zdCBlY3JBY3Rpb25zID0gWydlY3I6RGVzY3JpYmVJbWFnZXMnXTtcbiAgICBpZiAoc2NhbkNvbmZpZ091dHB1dC5zY2FuVHlwZSAhPT0gJ1NJR05BVFVSRV9PTkxZJykge1xuICAgICAgZWNyQWN0aW9ucy5wdXNoKCdlY3I6RGVzY3JpYmVJbWFnZVNjYW5GaW5kaW5ncycpO1xuICAgIH1cbiAgICBjdXN0b21SZXNvdXJjZUxhbWJkYS5hZGRUb1JvbGVQb2xpY3koXG4gICAgICBuZXcgUG9saWN5U3RhdGVtZW50KHtcbiAgICAgICAgYWN0aW9uczogZWNyQWN0aW9ucyxcbiAgICAgICAgcmVzb3VyY2VzOiBbcHJvcHMucmVwb3NpdG9yeS5yZXBvc2l0b3J5QXJuXSxcbiAgICAgIH0pLFxuICAgICk7XG5cbiAgICBpZiAoc2NhbkNvbmZpZ091dHB1dC5zY2FuVHlwZSA9PT0gJ0VOSEFOQ0VEJykge1xuICAgICAgY3VzdG9tUmVzb3VyY2VMYW1iZGEuYWRkVG9Sb2xlUG9saWN5KFxuICAgICAgICBuZXcgUG9saWN5U3RhdGVtZW50KHtcbiAgICAgICAgICBhY3Rpb25zOiBbJ2luc3BlY3RvcjI6TGlzdENvdmVyYWdlJywgJ2luc3BlY3RvcjI6TGlzdEZpbmRpbmdzJ10sXG4gICAgICAgICAgcmVzb3VyY2VzOiBbJyonXSxcbiAgICAgICAgfSksXG4gICAgICApO1xuICAgIH1cblxuICAgIGlmIChzY2FuQ29uZmlnT3V0cHV0LnN0YXJ0U2Nhbikge1xuICAgICAgY3VzdG9tUmVzb3VyY2VMYW1iZGEuYWRkVG9Sb2xlUG9saWN5KFxuICAgICAgICBuZXcgUG9saWN5U3RhdGVtZW50KHtcbiAgICAgICAgICBhY3Rpb25zOiBbJ2VjcjpTdGFydEltYWdlU2NhbiddLFxuICAgICAgICAgIHJlc291cmNlczogW3Byb3BzLnJlcG9zaXRvcnkucmVwb3NpdG9yeUFybl0sXG4gICAgICAgIH0pLFxuICAgICAgKTtcbiAgICB9XG5cbiAgICAvLyBTaWduYXR1cmUgdmVyaWZpY2F0aW9uIHBlcm1pc3Npb25zXG4gICAgaWYgKHNpZ25hdHVyZVZlcmlmaWNhdGlvbkNvbmZpZykge1xuICAgICAgY3VzdG9tUmVzb3VyY2VMYW1iZGEuYWRkVG9Sb2xlUG9saWN5KFxuICAgICAgICBuZXcgUG9saWN5U3RhdGVtZW50KHtcbiAgICAgICAgICBhY3Rpb25zOiBbJ2VjcjpHZXRBdXRob3JpemF0aW9uVG9rZW4nXSxcbiAgICAgICAgICByZXNvdXJjZXM6IFsnKiddLFxuICAgICAgICB9KSxcbiAgICAgICk7XG4gICAgICBjdXN0b21SZXNvdXJjZUxhbWJkYS5hZGRUb1JvbGVQb2xpY3koXG4gICAgICAgIG5ldyBQb2xpY3lTdGF0ZW1lbnQoe1xuICAgICAgICAgIGFjdGlvbnM6IFsnZWNyOkJhdGNoR2V0SW1hZ2UnLCAnZWNyOkdldERvd25sb2FkVXJsRm9yTGF5ZXInXSxcbiAgICAgICAgICByZXNvdXJjZXM6IFtwcm9wcy5yZXBvc2l0b3J5LnJlcG9zaXRvcnlBcm5dLFxuICAgICAgICB9KSxcbiAgICAgICk7XG5cbiAgICAgIGlmIChzaWduYXR1cmVWZXJpZmljYXRpb25Db25maWcudHlwZSA9PT0gJ05PVEFUSU9OJykge1xuICAgICAgICBjdXN0b21SZXNvdXJjZUxhbWJkYS5hZGRUb1JvbGVQb2xpY3koXG4gICAgICAgICAgbmV3IFBvbGljeVN0YXRlbWVudCh7XG4gICAgICAgICAgICBhY3Rpb25zOiBbJ3NpZ25lcjpHZXRSZXZvY2F0aW9uU3RhdHVzJ10sXG4gICAgICAgICAgICByZXNvdXJjZXM6IFsnKiddLFxuICAgICAgICAgIH0pLFxuICAgICAgICApO1xuICAgICAgfVxuICAgICAgLy8gQ29zaWduIEtNUyBwZXJtaXNzaW9ucyBhcmUgZ3JhbnRlZCBieSBrZXkuZ3JhbnQoKSBpbiBiaW5kKClcbiAgICB9XG5cbiAgICAvLyBTQk9NIGV4cG9ydCBwZXJtaXNzaW9ucyAoSW5zcGVjdG9yIENyZWF0ZVNib21FeHBvcnQpXG4gICAgaWYgKHNib21Db25maWcpIHtcbiAgICAgIGN1c3RvbVJlc291cmNlTGFtYmRhLmFkZFRvUm9sZVBvbGljeShcbiAgICAgICAgbmV3IFBvbGljeVN0YXRlbWVudCh7XG4gICAgICAgICAgYWN0aW9uczogWydpbnNwZWN0b3IyOkNyZWF0ZVNib21FeHBvcnQnLCAnaW5zcGVjdG9yMjpHZXRTYm9tRXhwb3J0J10sXG4gICAgICAgICAgcmVzb3VyY2VzOiBbJyonXSxcbiAgICAgICAgfSksXG4gICAgICApO1xuICAgIH1cblxuICAgIGlmIChwcm9wcy52dWxuc05vdGlmaWNhdGlvblRvcGljKSB7XG4gICAgICBwcm9wcy52dWxuc05vdGlmaWNhdGlvblRvcGljLmdyYW50UHVibGlzaChjdXN0b21SZXNvdXJjZUxhbWJkYSk7XG4gICAgfVxuXG4gICAgY29uc3Qgc3VwcHJlc3NFcnJvck9uUm9sbGJhY2sgPSBwcm9wcy5zdXBwcmVzc0Vycm9yT25Sb2xsYmFjayA/PyB0cnVlO1xuICAgIGlmIChzdXBwcmVzc0Vycm9yT25Sb2xsYmFjaykge1xuICAgICAgY3VzdG9tUmVzb3VyY2VMYW1iZGEuYWRkVG9Sb2xlUG9saWN5KFxuICAgICAgICBuZXcgUG9saWN5U3RhdGVtZW50KHtcbiAgICAgICAgICBhY3Rpb25zOiBbJ2Nsb3VkZm9ybWF0aW9uOkRlc2NyaWJlU3RhY2tzJ10sXG4gICAgICAgICAgcmVzb3VyY2VzOiBbU3RhY2sub2YodGhpcykuc3RhY2tJZF0sXG4gICAgICAgIH0pLFxuICAgICAgKTtcbiAgICB9XG5cbiAgICAvLyBDaGVjayBmb3IgZGVmYXVsdExvZ0dyb3VwIGNvbnNpc3RlbmN5IGFjcm9zcyBtdWx0aXBsZSBpbnN0YW5jZXMgaW4gdGhlIHNhbWUgc3RhY2tcbiAgICBBc3BlY3RzLm9mKFN0YWNrLm9mKHRoaXMpKS5hZGQoe1xuICAgICAgdmlzaXQ6IChub2RlKSA9PiB7XG4gICAgICAgIGlmIChcbiAgICAgICAgICBub2RlIGluc3RhbmNlb2YgRWNyU2NhblZlcmlmaWVyICYmXG4gICAgICAgICAgbm9kZS5fZGVmYXVsdExvZ0dyb3VwPy5ub2RlLnBhdGggIT09IHRoaXMuZGVmYXVsdExvZ0dyb3VwPy5ub2RlLnBhdGhcbiAgICAgICAgKSB7XG4gICAgICAgICAgQW5ub3RhdGlvbnMub2YodGhpcykuYWRkV2FybmluZ1YyKFxuICAgICAgICAgICAgJ0BlY3Itc2Nhbi12ZXJpZmllcjpkdXBsaWNhdGVMYW1iZGFEZWZhdWx0TG9nR3JvdXAnLFxuICAgICAgICAgICAgXCJZb3UgaGF2ZSB0byBzZXQgdGhlIHNhbWUgbG9nIGdyb3VwIGZvciAnZGVmYXVsdExvZ0dyb3VwJyBmb3IgZWFjaCBFY3JTY2FuVmVyaWZpZXIgY29uc3RydWN0IGluIHRoZSBzYW1lIHN0YWNrLlwiLFxuICAgICAgICAgICk7XG4gICAgICAgIH1cbiAgICAgIH0sXG4gICAgfSk7XG5cbiAgICBjb25zdCB2ZXJpZmllclByb3ZpZGVyID0gbmV3IFByb3ZpZGVyKHRoaXMsICdQcm92aWRlcicsIHtcbiAgICAgIG9uRXZlbnRIYW5kbGVyOiBjdXN0b21SZXNvdXJjZUxhbWJkYSxcbiAgICB9KTtcblxuICAgIGNvbnN0IHZlcmlmaWVyUHJvcGVydGllczogU2Nhbm5lckN1c3RvbVJlc291cmNlUHJvcHMgPSB7XG4gICAgICBhZGRyOiB0aGlzLm5vZGUuYWRkcixcbiAgICAgIHJlcG9zaXRvcnlOYW1lOiBwcm9wcy5yZXBvc2l0b3J5LnJlcG9zaXRvcnlOYW1lLFxuICAgICAgaW1hZ2VUYWcsXG4gICAgICBzY2FuVHlwZTogc2NhbkNvbmZpZ091dHB1dC5zY2FuVHlwZSxcbiAgICAgIHN0YXJ0U2NhbjogU3RyaW5nKHNjYW5Db25maWdPdXRwdXQuc3RhcnRTY2FuKSxcbiAgICAgIHNldmVyaXR5OiBwcm9wcy5zZXZlcml0eSA/PyBbU2V2ZXJpdHkuQ1JJVElDQUxdLFxuICAgICAgZmFpbE9uVnVsbmVyYWJpbGl0eTogU3RyaW5nKHByb3BzLmZhaWxPblZ1bG5lcmFiaWxpdHkgPz8gdHJ1ZSksXG4gICAgICBpZ25vcmVGaW5kaW5nczogcHJvcHMuaWdub3JlRmluZGluZ3MgPz8gW10sXG4gICAgICBvdXRwdXQ6IG91dHB1dE9wdGlvbnMsXG4gICAgICBzYm9tOiBzYm9tQ29uZmlnLFxuICAgICAgc2lnbmF0dXJlVmVyaWZpY2F0aW9uOiBzaWduYXR1cmVWZXJpZmljYXRpb25Db25maWdcbiAgICAgICAgPyB7XG4gICAgICAgICAgICB0eXBlOiBzaWduYXR1cmVWZXJpZmljYXRpb25Db25maWcudHlwZSxcbiAgICAgICAgICAgIHRydXN0ZWRJZGVudGl0aWVzOiBzaWduYXR1cmVWZXJpZmljYXRpb25Db25maWcudHJ1c3RlZElkZW50aXRpZXMsXG4gICAgICAgICAgICBwdWJsaWNLZXk6IHNpZ25hdHVyZVZlcmlmaWNhdGlvbkNvbmZpZy5wdWJsaWNLZXksXG4gICAgICAgICAgICBrbXNLZXlBcm46IHNpZ25hdHVyZVZlcmlmaWNhdGlvbkNvbmZpZy5rbXNLZXlBcm4sXG4gICAgICAgICAgICBmYWlsT25VbnNpZ25lZDogU3RyaW5nKHNpZ25hdHVyZVZlcmlmaWNhdGlvbkNvbmZpZy5mYWlsT25VbnNpZ25lZCksXG4gICAgICAgICAgfVxuICAgICAgICA6IHVuZGVmaW5lZCxcbiAgICAgIHN1cHByZXNzRXJyb3JPblJvbGxiYWNrOiBTdHJpbmcoc3VwcHJlc3NFcnJvck9uUm9sbGJhY2spLFxuICAgICAgdnVsbnNUb3BpY0FybjogcHJvcHMudnVsbnNOb3RpZmljYXRpb25Ub3BpYz8udG9waWNBcm4sXG4gICAgICBkZWZhdWx0TG9nR3JvdXBOYW1lOlxuICAgICAgICB0aGlzLmRlZmF1bHRMb2dHcm91cD8ubG9nR3JvdXBOYW1lID8/IGAvYXdzL2xhbWJkYS8ke2N1c3RvbVJlc291cmNlTGFtYmRhLmZ1bmN0aW9uTmFtZX1gLFxuICAgIH07XG5cbiAgICBuZXcgQ3VzdG9tUmVzb3VyY2UodGhpcywgJ1Jlc291cmNlJywge1xuICAgICAgcmVzb3VyY2VUeXBlOiAnQ3VzdG9tOjpFY3JTY2FuVmVyaWZpZXInLFxuICAgICAgcHJvcGVydGllczogdmVyaWZpZXJQcm9wZXJ0aWVzLFxuICAgICAgc2VydmljZVRva2VuOiB2ZXJpZmllclByb3ZpZGVyLnNlcnZpY2VUb2tlbixcbiAgICB9KTtcblxuICAgIHByb3BzLmJsb2NrQ29uc3RydWN0cz8uZm9yRWFjaCgoY29uc3RydWN0KSA9PiB7XG4gICAgICBjb25zdHJ1Y3Qubm9kZS5hZGREZXBlbmRlbmN5KHRoaXMpO1xuICAgIH0pO1xuICB9XG5cbiAgLyoqIEBpbnRlcm5hbCAqL1xuICBnZXQgX2RlZmF1bHRMb2dHcm91cCgpOiBJTG9nR3JvdXAgfCB1bmRlZmluZWQge1xuICAgIHJldHVybiB0aGlzLmRlZmF1bHRMb2dHcm91cDtcbiAgfVxufVxuIl19

package/lib/sbom-output.js

@@ -30,7 +30,7 @@ class SbomOutput {
 }
 exports.SbomOutput = SbomOutput;
 _a = JSII_RTTI_SYMBOL_1;
-SbomOutput[_a] = { fqn: "ecr-scan-verifier.SbomOutput", version: "0.1.0" };
+SbomOutput[_a] = { fqn: "ecr-scan-verifier.SbomOutput", version: "0.1.2" };
 class SbomOutputImpl extends SbomOutput {
     constructor(props, format) {
         super();

package/lib/scan-config.js

@@ -44,7 +44,7 @@ class ScanConfig {
 }
 exports.ScanConfig = ScanConfig;
 _a = JSII_RTTI_SYMBOL_1;
-ScanConfig[_a] = { fqn: "ecr-scan-verifier.ScanConfig", version: "0.1.0" };
+ScanConfig[_a] = { fqn: "ecr-scan-verifier.ScanConfig", version: "0.1.2" };
 class BasicScanConfig extends ScanConfig {
     constructor(options) {
         super();

package/lib/scan-logs-output.js

@@ -43,7 +43,7 @@ class ScanLogsOutput {
 }
 exports.ScanLogsOutput = ScanLogsOutput;
 _a = JSII_RTTI_SYMBOL_1;
-ScanLogsOutput[_a] = { fqn: "ecr-scan-verifier.ScanLogsOutput", version: "0.1.0" };
+ScanLogsOutput[_a] = { fqn: "ecr-scan-verifier.ScanLogsOutput", version: "0.1.2" };
 class CloudWatchLogsOutput extends ScanLogsOutput {
     constructor(options) {
         super();

package/lib/signature-verification.js

@@ -47,7 +47,7 @@ class SignatureVerification {
 }
 exports.SignatureVerification = SignatureVerification;
 _a = JSII_RTTI_SYMBOL_1;
-SignatureVerification[_a] = { fqn: "ecr-scan-verifier.SignatureVerification", version: "0.1.0" };
+SignatureVerification[_a] = { fqn: "ecr-scan-verifier.SignatureVerification", version: "0.1.2" };
 class NotationSignatureVerification extends SignatureVerification {
     constructor(options) {
         super();

package/package.json

@@ -60,7 +60,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "0.1.0",
+  "version": "0.1.2",
   "types": "lib/index.d.ts",
   "stability": "stable",
   "jsii": {

package/scripts/integ.sh

@@ -0,0 +1,221 @@
+#!/usr/bin/env bash
+# Shared helpers for ecr-scan-verifier integ test orchestration.
+#
+# Source this from a shell or from the /integ-test skill:
+#   . scripts/integ.sh
+#
+# Functions are intentionally small and idempotent so the skill can chain
+# them without re-deriving region lists, account ids, or polling loops.
+
+set -u
+
+REGIONS=(us-east-1 us-east-2 us-west-2)
+
+account_id() {
+  aws sts get-caller-identity --query Account --output text
+}
+
+default_region() {
+  aws configure get region
+}
+
+# --- Inspector (Enhanced scanning) ------------------------------------------
+
+inspector_status() {
+  local region="$1"
+  aws inspector2 batch-get-account-status \
+    --region "$region" \
+    --query 'accounts[0].resourceState.ecr.status' \
+    --output text
+}
+
+inspector_status_all() {
+  for region in "${REGIONS[@]}"; do
+    echo "$region: $(inspector_status "$region")"
+  done
+}
+
+inspector_enable_all() {
+  for region in "${REGIONS[@]}"; do
+    aws inspector2 enable --resource-types ECR --region "$region"
+  done
+}
+
+inspector_disable_all() {
+  for region in "${REGIONS[@]}"; do
+    aws inspector2 disable --resource-types ECR --region "$region"
+  done
+}
+
+# Poll one region until inspector status equals $target. Cap at 5 min so we
+# fail loudly on stuck transitions instead of hanging.
+wait_inspector_status() {
+  local region="$1" target="$2" i=0
+  while [ "$(inspector_status "$region")" != "$target" ]; do
+    i=$((i + 1))
+    if [ "$i" -ge 20 ]; then
+      echo "ERROR: $region did not reach $target after 5 min" >&2
+      return 1
+    fi
+    sleep 15
+  done
+}
+
+wait_inspector_status_all() {
+  local target="$1"
+  for region in "${REGIONS[@]}"; do
+    wait_inspector_status "$region" "$target" || return 1
+  done
+}
+
+# --- scan-on-push on the CDK bootstrap asset repo ---------------------------
+
+# Usage: scan_on_push_set true|false
+scan_on_push_set() {
+  local enabled="$1"
+  local account
+  account="$(account_id)"
+  for region in "${REGIONS[@]}"; do
+    aws ecr put-image-scanning-configuration \
+      --repository-name "cdk-hnb659fds-container-assets-${account}-${region}" \
+      --image-scanning-configuration "scanOnPush=${enabled}" \
+      --region "$region"
+  done
+}
+
+# --- Enhanced engine warmup (DISABLED -> ENABLED) ---------------------------
+#
+# `batch-get-account-status` flipping to ENABLED is not the same as the
+# scanning engine being ready — empirically the lag is often 20-30 min on
+# a fresh enable. wait_enhanced_engine_warmup absorbs that with a long
+# initial sleep; enhanced_run_with_retry then retries the test up to N
+# more times with a fixed gap between attempts.
+
+# Initial wait after a DISABLED -> ENABLED transition. Skip if already
+# enabled (no transition happened).
+# Args: $1 = ORIGINAL_STATE (ENABLED|DISABLED), $2 = seconds (default 1200)
+wait_enhanced_engine_warmup() {
+  local original_state="$1" secs="${2:-1200}"
+  if [ "$original_state" = "DISABLED" ]; then
+    echo "Inspector engine warmup: sleeping ${secs}s after fresh enable..."
+    sleep "$secs"
+  fi
+}
+
+# Run `$@` (the test command). On failure, sleep $RETRY_GAP_SECS and retry,
+# up to $MAX_ATTEMPTS total attempts. Defaults: 3 attempts, 600s gap.
+# Tuned for "Inspector engine still warming up" — NOT for catching flaky
+# tests. If real findings change, surface them; don't burn time retrying.
+enhanced_run_with_retry() {
+  local max="${MAX_ATTEMPTS:-3}" gap="${RETRY_GAP_SECS:-600}" attempt=1
+  while true; do
+    echo "Attempt ${attempt}/${max}: $*"
+    if "$@"; then
+      return 0
+    fi
+    if [ "$attempt" -ge "$max" ]; then
+      echo "ERROR: failed after ${max} attempts across ~$((max * gap / 60)) min of waits." >&2
+      echo "       Stop waiting — the cause is not propagation lag." >&2
+      return 1
+    fi
+    echo "Attempt ${attempt} failed. Sleeping ${gap}s before retry..."
+    sleep "$gap"
+    attempt=$((attempt + 1))
+  done
+}
+
+# --- Signature test cleanup -------------------------------------------------
+#
+# Cleans up shared signature-test artifacts. AWS Signer profile is left
+# Active on purpose (cancellation is permanent and would block future runs).
+
+cleanup_signature_artifacts() {
+  local key_id
+  key_id="$(aws ssm get-parameter --name /ecr-scan-verifier/cosign-kms-key-id \
+    --query 'Parameter.Value' --output text 2>/dev/null || true)"
+
+  aws ssm delete-parameter --name /ecr-scan-verifier/cosign-kms-key-id 2>/dev/null || true
+  aws ssm delete-parameter --name /ecr-scan-verifier/cosign-public-key 2>/dev/null || true
+
+  if [ -n "$key_id" ]; then
+    aws kms schedule-key-deletion --key-id "$key_id" --pending-window-in-days 7
+  else
+    echo "WARN: KMS key id not in SSM. Ask the user before scheduling deletion." >&2
+  fi
+
+  rm -f cosign.key cosign.pub
+}
+
+# --- signature-ecr-signing repo setup / teardown ----------------------------
+
+ECR_SIGNING_REPO_NAME="${ECR_SIGNING_REPO_NAME:-ecr-scan-verifier-integ-ecr-signing}"
+SIGNER_PROFILE_NAME="${SIGNER_PROFILE_NAME:-EcrScanVerifierTestProfile}"
+
+# Idempotent-ish wrapper. `put-signing-profile` is NOT actually idempotent
+# (returns ProfileAlreadyExists for an existing Active profile), so check
+# first and only create if missing. Echoes the ARN on stdout.
+# Returns non-zero if the profile cannot be ensured — callers using
+# `var=$(signer_profile_ensure)` should also check `[ -n "$var" ]` since
+# command substitution swallows the inner exit code by default.
+signer_profile_ensure() {
+  local arn
+  arn="$(aws signer get-signing-profile --profile-name "$SIGNER_PROFILE_NAME" \
+    --query 'arn' --output text 2>/dev/null || true)"
+  if [ -z "$arn" ] || [ "$arn" = "None" ]; then
+    aws signer put-signing-profile \
+      --profile-name "$SIGNER_PROFILE_NAME" \
+      --platform-id Notation-OCI-SHA384-ECDSA >&2 || return 1
+    arn="$(aws signer get-signing-profile --profile-name "$SIGNER_PROFILE_NAME" \
+      --query 'arn' --output text 2>/dev/null || true)"
+  fi
+  if [ -z "$arn" ] || [ "$arn" = "None" ]; then
+    echo "ERROR: signer_profile_ensure: could not resolve ARN for $SIGNER_PROFILE_NAME" >&2
+    return 1
+  fi
+  echo "$arn"
+}
+
+# Build the cosign signing-config the Lambda verifier expects: no rekor
+# (transparency log), no fulcio CA, no OIDC, no TSA. cosign 3.x will try
+# keyless flows even with --key if these fields are present, which manifests
+# as a hung "Signing artifact..." with no further output. Stripping them
+# lets a `--key`-based sign complete.
+cosign_minimal_signing_config() {
+  local out="${1:-/tmp/signing-config.json}"
+  curl -fsSL https://raw.githubusercontent.com/sigstore/root-signing/refs/heads/main/targets/signing_config.v0.2.json | \
+    jq 'del(.rekorTlogUrls, .oidcUrls, .caUrls, .tsaUrls)' > "$out"
+  echo "$out"
+}
+
+ecr_signing_setup() {
+  local region profile_arn
+  region="$(default_region)"
+  profile_arn="$(signer_profile_ensure)"
+  aws ecr create-repository --repository-name "$ECR_SIGNING_REPO_NAME" 2>/dev/null || true
+
+  local cfg=/tmp/ecr-scan-verifier-signing-config.json
+  cat > "$cfg" <<EOF
+{
+  "rules": [
+    {
+      "signingProfileArn": "${profile_arn}",
+      "repositoryFilters": [
+        { "filter": "${ECR_SIGNING_REPO_NAME}", "filterType": "WILDCARD_MATCH" }
+      ]
+    }
+  ]
+}
+EOF
+  aws ecr put-signing-configuration --region "$region" \
+    --signing-configuration "file://${cfg}"
+  aws ecr get-signing-configuration --region "$region"
+}
+
+ecr_signing_teardown() {
+  local region cfg=/tmp/ecr-scan-verifier-signing-config-empty.json
+  region="$(default_region)"
+  printf '{ "rules": [] }\n' > "$cfg"
+  aws ecr put-signing-configuration --region "$region" \
+    --signing-configuration "file://${cfg}" || true
+  aws ecr delete-repository --repository-name "$ECR_SIGNING_REPO_NAME" --force || true
+}

package/scripts/verify-integ-docs.sh

@@ -0,0 +1,129 @@
+#!/usr/bin/env bash
+# verify-integ-docs.sh
+#
+# Verifies that the three sources documenting the integ workflow stay in
+# sync with each other:
+#
+#   .claude/skills/integ-test/SKILL.md  — automated (Claude Code skill)
+#   test/integ/README.md                 — manual (human-readable docs)
+#   scripts/integ.sh                     — shell helpers shared by both
+#
+# Both docs must exist (skill = automated, README = manual; deleting one
+# would leave the other lying about its counterpart). Both must mention
+# every helper that lives in scripts/integ.sh, and both must agree on
+# the mode list.
+#
+# Run via the /verify-integ-docs skill, which flips the `integ-docs`
+# markgate marker after this passes.
+
+set -u
+
+SKILL=".claude/skills/integ-test/SKILL.md"
+README="test/integ/README.md"
+HELPERS="scripts/integ.sh"
+
+fails=0
+fail() { echo "FAIL: $*" >&2; fails=$((fails + 1)); }
+ok()   { echo "ok:   $*"; }
+
+# --- 1. Source files exist --------------------------------------------------
+
+for f in "$SKILL" "$README" "$HELPERS"; do
+  if [ ! -f "$f" ]; then
+    fail "missing source file: $f"
+  fi
+done
+[ "$fails" -eq 0 ] || { echo "Aborting; source files missing." >&2; exit 1; }
+ok "all three source files exist"
+
+# --- 2. Mode parity ---------------------------------------------------------
+# Every mode in the skill's argument-hint must appear in both:
+#   - the SKILL's `## Arguments` list (one `- \`mode\` — desc` line each)
+#   - the README's `### Modes` table (one `| \`mode\` |` row each)
+
+modes_line=$(grep -E '^argument-hint:' "$SKILL" | head -1)
+modes=$(printf '%s\n' "$modes_line" | grep -oE '<[^>]+>' | head -1 | tr -d '<>' | tr '|' '\n')
+
+if [ -z "$modes" ]; then
+  fail "could not parse modes from SKILL argument-hint"
+else
+  for mode in $modes; do
+    grep -qE "^- \`$mode\`" "$SKILL" \
+      || fail "mode '$mode' in argument-hint but missing from SKILL '## Arguments' list"
+    grep -qE "\| \`$mode\` \|" "$README" \
+      || fail "mode '$mode' in argument-hint but missing from README modes table"
+  done
+  [ "$fails" -gt 0 ] || ok "all argument-hint modes present in SKILL Arguments + README table"
+fi
+
+# --- 3. Helper function parity ---------------------------------------------
+# Every shell function defined in scripts/integ.sh should be referenced
+# from at least one of SKILL/README (catches dead helpers and rename drift).
+
+functions=$(grep -E '^[a-z_][a-z0-9_]*\(\)' "$HELPERS" | sed 's/().*//')
+if [ -z "$functions" ]; then
+  fail "could not parse any functions from $HELPERS"
+else
+  for fn in $functions; do
+    if ! grep -qw "$fn" "$SKILL" && ! grep -qw "$fn" "$README"; then
+      fail "helper '$fn' defined in $HELPERS but not referenced from SKILL or README"
+    fi
+  done
+  [ "$fails" -gt 0 ] || ok "every helper function is referenced from at least one doc"
+fi
+
+# --- 4. Both docs reference scripts/integ.sh -------------------------------
+
+for f in "$SKILL" "$README"; do
+  grep -q "scripts/integ.sh" "$f" \
+    || fail "$f does not reference scripts/integ.sh"
+done
+[ "$fails" -gt 0 ] || ok "both docs reference scripts/integ.sh"
+
+# --- 5. No raw `aws signer put-signing-profile` ----------------------------
+# Raw form is NOT idempotent (returns ProfileAlreadyExists on existing
+# Active profile). Use signer_profile_ensure instead.
+
+for f in "$SKILL" "$README"; do
+  if grep -nE "aws signer put-signing-profile" "$f" >/dev/null; then
+    fail "$f has raw 'aws signer put-signing-profile' — use signer_profile_ensure (raw form is NOT idempotent)"
+  fi
+done
+
+# --- 6. No insufficient signing-config jq strip ----------------------------
+# cosign 3.x silently hangs when --key is combined with a signing-config
+# that still has oidc/ca/tsa fields. The correct strip is rekor+oidc+ca+tsa,
+# which lives in cosign_minimal_signing_config.
+
+for f in "$SKILL" "$README"; do
+  # Match `jq 'del(.rekorTlogUrls)'` (the OLD broken strip) — but not
+  # `del(.rekorTlogUrls, .oidcUrls, .caUrls, .tsaUrls)` (the helper's correct strip).
+  if grep -E "del\(\\.rekorTlogUrls\)" "$f" >/dev/null; then
+    fail "$f has insufficient 'del(.rekorTlogUrls)' — use cosign_minimal_signing_config (also strips oidc/ca/tsa)"
+  fi
+done
+
+# --- 7. signature mode list matches integ.signature/integ.<name>.ts -------
+# For every signature-* mode, the referenced integ test source must exist.
+# Check .ts (the source) not .js (the build artifact) — a fresh clone
+# without `pnpm tsc` would otherwise false-fail.
+
+for mode in $(printf '%s\n' "$modes" | grep '^signature-'); do
+  # signature-notation -> test/integ/signature/integ.notation.ts
+  fname=$(printf '%s' "$mode" | sed 's/^signature-//')
+  testfile="test/integ/signature/integ.${fname}.ts"
+  if [ ! -f "$testfile" ]; then
+    fail "mode '$mode' references missing test source $testfile"
+  fi
+done
+
+# --- 8. Final report -------------------------------------------------------
+
+if [ "$fails" -gt 0 ]; then
+  echo "" >&2
+  echo "verify-integ-docs: $fails failure(s). Fix above before setting integ-docs marker." >&2
+  exit 1
+fi
+
+echo ""
+echo "verify-integ-docs: all consistency checks passed."