npm - ecr-scan-verifier - Versions diffs - 0.1.1 → 0.1.2 - Mend

ecr-scan-verifier 0.1.1 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/.claude/hooks/integ-docs-gate.sh +76 -0
package/.claude/settings.json +18 -0
package/.claude/skills/integ-test/SKILL.md +500 -0
package/.claude/skills/verify-integ-docs/SKILL.md +145 -0
package/.jsii +2 -2
package/.markgate.yml +25 -0
package/.mise.toml +9 -0
package/lib/ecr-scan-verifier.js +1 -1
package/lib/sbom-output.js +1 -1
package/lib/scan-config.js +1 -1
package/lib/scan-logs-output.js +1 -1
package/lib/signature-verification.js +1 -1
package/package.json +1 -1
package/scripts/integ.sh +221 -0
package/scripts/verify-integ-docs.sh +129 -0

package/.claude/hooks/integ-docs-gate.sh ADDED Viewed

@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+# integ-docs-gate.sh
+#
+# PreToolUse hook. Blocks `gh pr create` and `gh pr merge` unless the
+# `integ-docs` markgate marker is fresh for the current content of
+# .claude/skills/integ-test/SKILL.md, test/integ/README.md, and
+# scripts/integ.sh (see .markgate.yml).
+#
+# To unblock: edit the offending files into consistency, then run the
+# /verify-integ-docs skill (which calls scripts/verify-integ-docs.sh
+# and, on pass, `markgate set integ-docs`).
+set -u
+# Resolve repo root from script location (.claude/hooks/integ-docs-gate.sh -> repo root).
+REPO="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+cmd=$(jq -r '.tool_input.command // ""' 2>/dev/null || echo "")
+# Only gate `gh pr create` and `gh pr merge` — any other Bash invocation
+# passes through.
+if ! printf '%s' "$cmd" | grep -qE '\bgh[[:space:]]+pr[[:space:]]+(create|merge)\b'; then
+  exit 0
+fi
+cd "$REPO" 2>/dev/null || exit 0
+# Prefer mise-pinned markgate (.mise.toml) so the schema version matches
+# what the rest of the repo expects. Fall back to PATH binary.
+if command -v mise >/dev/null 2>&1; then
+  markgate=(mise exec -- markgate)
+elif command -v markgate >/dev/null 2>&1; then
+  markgate=(markgate)
+else
+  cat >&2 <<EOF
+Blocked by integ-docs-gate: markgate is not installed.
+Install via mise (preferred — matches the version pinned in .mise.toml):
+  mise install
+Or install markgate via your packager (Homebrew, ubi, source).
+EOF
+  exit 2
+fi
+if "${markgate[@]}" verify integ-docs >/dev/null 2>&1; then
+  exit 0
+fi
+cat >&2 <<EOF
+Blocked by integ-docs-gate: \`integ-docs\` markgate marker is stale or missing.
+The skill (.claude/skills/integ-test/SKILL.md) and README
+(test/integ/README.md) document the same workflow for two different
+audiences (Claude / human). If they drift, a human following the README
+hits a different code path than Claude following the skill — and bugs in
+one don't surface in the other.
+To unblock:
+  1. Run the consistency check:
+       ./scripts/verify-integ-docs.sh
+  2. Fix any drift it reports.
+  3. Flip the marker:
+       mise exec -- markgate set integ-docs
+     (Or invoke the /verify-integ-docs skill, which does steps 1+3.)
+If you genuinely have an emergency PR that has nothing to do with the
+integ docs (and you confirmed they didn't drift), you can also just run
+\`markgate set integ-docs\` directly — the marker just records that the
+files agree with whatever set-time content they had.
+EOF
+exit 2

package/.claude/settings.json ADDED Viewed

@@ -0,0 +1,18 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": ".claude/hooks/integ-docs-gate.sh",
+            "if": "Bash(gh pr create*) or Bash(gh pr merge*)",
+            "timeout": 10,
+            "statusMessage": "Checking integ-docs marker..."
+          }
+        ]
+      }
+    ]
+  }
+}

package/.claude/skills/integ-test/SKILL.md ADDED Viewed

@@ -0,0 +1,500 @@
+---
+name: integ-test
+description: Orchestrate ecr-scan-verifier integ tests against real AWS. Handles Inspector enable/disable + propagation waits, scan-on-push toggling, image signing (Notation / Cosign KMS / Cosign Public Key / ECR Managed Signing), and cleanup. Use whenever the user wants to run anything under `test/integ/`.
+argument-hint: "<status|basic|enhanced|signature|signature-notation|signature-cosign-kms|signature-cosign-publickey|signature-ecr-signing|all|cleanup|cleanup-signature> [--snapshot-only] [--no-restore]"
+---
+# integ-test
+End-to-end orchestrator for `test/integ/` tests. Replaces the manual checklist in `test/integ/README.md`.
+Most AWS-mutating primitives live in [`scripts/integ.sh`](../../../scripts/integ.sh) as shell functions. This skill **always sources that file first** and composes the functions per mode — keep primitives there, keep orchestration here.
+```bash
+. scripts/integ.sh
+```
+After sourcing you have: `account_id`, `default_region`, `inspector_status`, `inspector_status_all`, `inspector_enable_all`, `inspector_disable_all`, `wait_inspector_status`, `wait_inspector_status_all`, `scan_on_push_set`, `wait_enhanced_engine_warmup`, `enhanced_run_with_retry`, `signer_profile_ensure`, `cosign_minimal_signing_config`, `cleanup_signature_artifacts`, `ecr_signing_setup`, `ecr_signing_teardown`.
+In a worktree (or any clone without `node_modules`), run `pnpm install --frozen-lockfile` first — the `pnpm integ:*` scripts call `tsc` directly and will fail with `sh: tsc: command not found` otherwise.
+## Integ suite layout
+| Directory   | Regions exercised               | Required state                                              |
+| ----------- | ------------------------------- | ----------------------------------------------------------- |
+| `basic/`    | `us-east-1 us-east-2 us-west-2` | Enhanced scanning (Inspector) **DISABLED** in all regions   |
+| `enhanced/` | `us-east-1 us-east-2 us-west-2` | Enhanced scanning (Inspector) **ENABLED** in all regions    |
+| `signature/`| default region only             | Pre-signed images + SSM/KMS prerequisites (state-agnostic)  |
+Signature modes are single-region (resolved from `aws configure get region`). `basic`/`enhanced` always operate on **all three** regions.
+## Default behavior: real deploy
+The skill **deploys to AWS by default**. The `pnpm integ:*` scripts wrap `integ-runner`; without `--update-on-failed`, integ-runner does a *snapshot template comparison only* and never touches AWS. With `--update-on-failed` (which the skill passes by default), it actually deploys.
+If you only want the cheap snapshot comparison, pass `--snapshot-only`. The skill then degenerates to a single `pnpm integ:<mode>` call and **skips every AWS-mutating step** (Inspector toggle, scan-on-push toggle, signing setup).
+## Arguments
+- `status` — only triage current AWS state, propose no changes
+- `basic` — switch Inspector if needed, run `pnpm integ:basic:update`, restore
+- `enhanced` — switch Inspector if needed, warm engine, run `pnpm integ:enhanced:update`, restore
+- `signature` — run all four signature sub-modes back-to-back
+- `signature-notation` — Notation (AWS Signer) sign + run `integ.notation`
+- `signature-cosign-kms` — Cosign with KMS sign + run `integ.cosign-kms`
+- `signature-cosign-publickey` — Cosign keypair sign + run `integ.cosign-publickey`
+- `signature-ecr-signing` — ECR Managed Signing setup + run `integ.ecr-signing`
+- `all` — run **everything** (enhanced → all signatures → basic), then auto-run `cleanup`
+- `cleanup` — full teardown: signature artifacts + ECR signing repo + scan-on-push reset. Inspector state left alone (flip via `basic` / `enhanced` if needed). Idempotent.
+- `cleanup-signature` — narrower: only signature artifacts (SSM params, KMS key deletion, local cosign keypair). Subset of `cleanup`.
+Flags:
+- `--snapshot-only` — skip every AWS-mutating step; just run `pnpm integ:<mode>` (template comparison only). Mutually exclusive with the orchestration in each mode below.
+- `--no-restore` — skip restoring Inspector state at the end (useful when running multiple modes back-to-back). **Ignored by `all`**, which always restores.
+### When invoked without arguments
+Use `AskUserQuestion` to elicit BOTH the mode and the snapshot flag:
+1. **Target**:
+   - `basic`
+   - `enhanced`
+   - `signature` (all four signature sub-modes)
+   - `all` (everything end-to-end with auto-cleanup)
+   - `status` (just triage, no test run)
+2. **Run mode**:
+   - **Deploy** (default) — real AWS deploy, refresh snapshots
+   - **Snapshot-only** — template comparison only, no AWS calls
+Skip both prompts if the user already gave the target. If they gave the target but not the run-mode, only ask the second question.
+## `--snapshot-only` (any mode)
+Single command, no helpers, no setup. The skill exits after this:
+```bash
+pnpm integ            # all directories
+pnpm integ:basic      # or one directory
+pnpm integ:enhanced
+pnpm integ:signature
+```
+For per-test signature snapshots:
+```bash
+pnpm integ:signature --language javascript --test-regex "integ.notation.js$"
+```
+Nothing else in this document applies when `--snapshot-only` is set.
+## Post-run cleanup (deploy runs only)
+After ANY deploy-mode invocation (single mode or `all`), the skill must:
+1. Confirm Inspector state has been restored as documented in the mode (or, with `--no-restore`, explicitly report what was left as-is).
+2. For `all` and any `signature-*` deploy run, finish with `cleanup_signature_artifacts` from `scripts/integ.sh`. Single `signature-*` runs leave SSM/KMS in place by default so the user can chain modes — call cleanup at the very end of the session.
+3. Print the full reporting summary (see [Reporting](#reporting)) — never end silently.
+## Common preamble (deploy runs)
+```bash
+. scripts/integ.sh
+ACCOUNT="$(account_id)"
+ORIGINAL_STATE_EAST1="$(inspector_status us-east-1)"
+ORIGINAL_STATE_EAST2="$(inspector_status us-east-2)"
+ORIGINAL_STATE_WEST2="$(inspector_status us-west-2)"
+```
+If the three states differ, surface it — that itself is worth flagging before running anything.
+Build the Lambda once up front (every `pnpm integ:*` script chains this, but doing it once avoids repeating across modes):
+```bash
+pnpm tsc -p tsconfig.dev.json
+(cd assets/lambda && pnpm install --frozen-lockfile && pnpm build)
+```
+## Mode: `status`
+```bash
+inspector_status_all
+```
+Then recommend:
+- All ENABLED → `enhanced/` is ready. `basic/` requires a disable cycle.
+- All DISABLED → `basic/` is ready. `enhanced/` requires an enable cycle.
+- Mixed → flag as anomaly; ask before proceeding.
+Exit without changing any state.
+## Mode: `basic` (deploy)
+`pnpm integ:basic:update` runs **all** basic tests including `integ.scan-on-push`, so scan-on-push must be on **before** the run.
+```bash
+inspector_disable_all
+wait_inspector_status_all DISABLED || exit 1
+scan_on_push_set true
+# Run, then ALWAYS restore scan-on-push (use a trap or explicit if/then)
+if pnpm integ:basic:update; then status=0; else status=$?; fi
+scan_on_push_set false
+[ "$status" -eq 0 ] || exit "$status"
+```
+### Restore Inspector (unless `--no-restore`)
+If any region's `ORIGINAL_STATE_*` was `ENABLED`, restore that region. Simplest correct approach when all three were originally identical: re-enable everywhere if any was originally ENABLED.
+```bash
+if [ "$ORIGINAL_STATE_EAST1" = "ENABLED" ] || \
+   [ "$ORIGINAL_STATE_EAST2" = "ENABLED" ] || \
+   [ "$ORIGINAL_STATE_WEST2" = "ENABLED" ]; then
+  inspector_enable_all
+  wait_inspector_status_all ENABLED || exit 1
+fi
+```
+## Mode: `enhanced` (deploy)
+```bash
+# Capture the "was DISABLED in any region" condition BEFORE we flip,
+# because wait_enhanced_engine_warmup needs to know whether a real
+# transition is happening (the engine only lags on fresh enable).
+TRANSITION="ENABLED"
+if [ "$ORIGINAL_STATE_EAST1" != "ENABLED" ] || \
+   [ "$ORIGINAL_STATE_EAST2" != "ENABLED" ] || \
+   [ "$ORIGINAL_STATE_WEST2" != "ENABLED" ]; then
+  TRANSITION="DISABLED"
+fi
+inspector_enable_all
+wait_inspector_status_all ENABLED || exit 1
+# Engine warmup: empirically 20-30 min on a fresh enable.
+wait_enhanced_engine_warmup "$TRANSITION" 1200
+# Up to 3 attempts × 10 min gap. Calibrated to the warmup tail —
+# NOT to flaky tests. If 3 fail, stop.
+MAX_ATTEMPTS=3 RETRY_GAP_SECS=600 \
+  enhanced_run_with_retry pnpm integ:enhanced:update || exit 1
+```
+### Restore (unless `--no-restore`)
+If all three `ORIGINAL_STATE_*` were `DISABLED`, disable in all regions and poll until DISABLED. Otherwise leave as-is.
+## Signature modes — shared preamble (deploy)
+```bash
+rm -rf cdk.out/    # avoid stale assets manifests from prior signature runs
+REGION="$(default_region)"
+REGISTRY="${ACCOUNT}.dkr.ecr.${REGION}.amazonaws.com"
+REPO="cdk-hnb659fds-container-assets-${ACCOUNT}-${REGION}"
+```
+`signature-ecr-signing` uses its own dedicated repo (set up via `ecr_signing_setup`).
+## Mode: `signature-notation` (deploy)
+**Profile reuse**: AWS Signer profiles cannot be deleted (only canceled), and a canceled profile cannot be reused. We intentionally keep `EcrScanVerifierTestProfile` `Active` across runs. **`put-signing-profile` is NOT actually idempotent** — calling it for an existing Active profile returns `ProfileAlreadyExists`. Use `signer_profile_ensure` from `scripts/integ.sh` (or check with `get-signing-profile` first). If you find it `Canceled`, use a new name (e.g. `EcrScanVerifierTestProfile2`) and substitute throughout.
+Pre-flight: `notation version` should succeed. If absent, install via the AWS Signer installer pkg (see `test/integ/README.md` → Notation install — do not improvise URLs).
+```bash
+# 1. Ensure profile exists (idempotent wrapper; raw put-signing-profile is NOT)
+PROFILE_ARN="$(signer_profile_ensure)" || exit 1
+# 2. Synth + publish only the Docker asset (no stack deploy yet)
+npx cdk synth --app 'node test/integ/signature/integ.notation.js' -o cdk.out
+npx cdk-assets -p cdk.out/NotationSignatureStack.assets.json publish
+# 3. Resolve the test fixture digest (NOT the Lambda function image)
+ASSET_HASH=$(cat cdk.out/NotationSignatureStack.assets.json | tr ',' '\n' | \
+  grep '"imageTag"' | head -1 | cut -d'"' -f4)
+DIGEST=$(aws ecr describe-images --repository-name "${REPO}" \
+  --image-ids imageTag="${ASSET_HASH}" \
+  --query 'imageDetails[0].imageDigest' --output text)
+# 4. Sign
+aws ecr get-login-password | notation login --username AWS --password-stdin "${REGISTRY}"
+notation sign \
+  --plugin com.amazonaws.signer.notation.plugin \
+  --id "${PROFILE_ARN}" \
+  "${REGISTRY}/${REPO}@${DIGEST}"
+# 5. Run
+pnpm integ:signature:update --language javascript --test-regex "integ.notation.js$"
+```
+**Immutable-tag recovery**: If `notation sign` fails with `tag invalid: ... already exists ... cannot be overwritten because the tag is immutable`, a previous attempt left a partial referrers index tag. The bootstrap repo uses immutable tags, so the leftover must be deleted before retrying:
+```bash
+REFERRER_TAG="sha256-${DIGEST#sha256:}"
+aws ecr batch-delete-image --repository-name "${REPO}" \
+  --image-ids imageTag="${REFERRER_TAG}"
+```
+Then retry the `notation sign` step.
+## Mode: `signature-cosign-kms` (deploy)
+**Rekor note**: the Lambda verifier always skips Rekor. Sign with the same skip so the test matches Lambda behavior — verification then works offline / inside VPC without internet.
+Pre-flight: `cosign version` and `jq --version` should both succeed. Do NOT auto-install via brew — the user may not use brew. If either is missing, abort and tell the user which package + suggested install commands (`brew install cosign jq`, `apt install jq`, sigstore release page for cosign, etc.).
+```bash
+command -v cosign >/dev/null || { echo "cosign not installed. See https://docs.sigstore.dev/cosign/installation/" >&2; exit 1; }
+command -v jq >/dev/null || { echo "jq not installed." >&2; exit 1; }
+KMS_KEY_ID=$(aws kms create-key \
+  --key-usage SIGN_VERIFY --key-spec ECC_NIST_P256 \
+  --query 'KeyMetadata.KeyId' --output text)
+aws ssm put-parameter \
+  --name /ecr-scan-verifier/cosign-kms-key-id \
+  --value "${KMS_KEY_ID}" --type String --overwrite
+KMS_KEY_ARN=$(aws kms describe-key --key-id "${KMS_KEY_ID}" \
+  --query 'KeyMetadata.Arn' --output text)
+npx cdk synth --app 'node test/integ/signature/integ.cosign-kms.js' -o cdk.out
+npx cdk-assets -p cdk.out/CosignKmsSignatureStack.assets.json publish
+ASSET_HASH=$(cat cdk.out/CosignKmsSignatureStack.assets.json | tr ',' '\n' | \
+  grep '"imageTag"' | head -1 | cut -d'"' -f4)
+DIGEST=$(aws ecr describe-images --repository-name "${REPO}" \
+  --image-ids imageTag="${ASSET_HASH}" \
+  --query 'imageDetails[0].imageDigest' --output text)
+aws ecr get-login-password --region "${REGION}" | cosign login --username AWS --password-stdin "${REGISTRY}"
+# cosign 3.x requires stripping rekor + oidc + ca + tsa from the signing-config
+# when using --key (keyful). Leaving any of them in causes a silent hang on
+# "Signing artifact...". `cosign_minimal_signing_config` does the strip.
+cosign_minimal_signing_config /tmp/signing-config.json
+cosign sign --signing-config /tmp/signing-config.json \
+  --key "awskms:///${KMS_KEY_ARN}" "${REGISTRY}/${REPO}@${DIGEST}"
+pnpm integ:signature:update --language javascript --test-regex "integ.cosign-kms.js$"
+```
+## Mode: `signature-cosign-publickey` (deploy)
+Same Rekor-skip rule. `COSIGN_PASSWORD=""` required on `generate-key-pair` and `sign` to avoid the interactive password prompt blocking unattended runs.
+Same pre-flight as `signature-cosign-kms`: check `cosign` and `jq`, abort with install hint if missing — do not auto-brew-install.
+```bash
+command -v cosign >/dev/null || { echo "cosign not installed. See https://docs.sigstore.dev/cosign/installation/" >&2; exit 1; }
+command -v jq >/dev/null || { echo "jq not installed." >&2; exit 1; }
+COSIGN_PASSWORD="" cosign generate-key-pair
+aws ssm put-parameter \
+  --name /ecr-scan-verifier/cosign-public-key \
+  --value "$(cat cosign.pub)" --type String --overwrite
+npx cdk synth --app 'node test/integ/signature/integ.cosign-publickey.js' -o cdk.out
+npx cdk-assets -p cdk.out/CosignPublicKeySignatureStack.assets.json publish
+ASSET_HASH=$(cat cdk.out/CosignPublicKeySignatureStack.assets.json | tr ',' '\n' | \
+  grep '"imageTag"' | head -1 | cut -d'"' -f4)
+DIGEST=$(aws ecr describe-images --repository-name "${REPO}" \
+  --image-ids imageTag="${ASSET_HASH}" \
+  --query 'imageDetails[0].imageDigest' --output text)
+aws ecr get-login-password --region "${REGION}" | cosign login --username AWS --password-stdin "${REGISTRY}"
+# cosign 3.x requires stripping rekor + oidc + ca + tsa from the signing-config
+# when using --key (keyful). Leaving any of them in causes a silent hang on
+# "Signing artifact...". `cosign_minimal_signing_config` does the strip.
+cosign_minimal_signing_config /tmp/signing-config.json
+COSIGN_PASSWORD="" cosign sign --signing-config /tmp/signing-config.json \
+  --key cosign.key "${REGISTRY}/${REPO}@${DIGEST}"
+pnpm integ:signature:update --language javascript --test-regex "integ.cosign-publickey.js$"
+```
+`cosign.key` / `cosign.pub` are git-ignored. Do NOT commit them, and remove them via `cleanup-signature`.
+## Mode: `signature-ecr-signing` (deploy)
+ECR Managed Signing auto-signs on push when a signing-configuration matches the repository. The integ uses `ECRDeployment` to copy a CDK asset into a signing-enabled repo so that the push triggers a signature.
+**Regional gotcha**: `aws ecr put-signing-configuration` is not available in every region. If the API call returns `UnknownOperationException` or similar, abort and report — do not silently fall back.
+**Permissions gotcha**: the caller needs `signer:*` including `signer:SignPayload`. Surface a friendly error on `AccessDenied`.
+```bash
+ecr_signing_setup
+if pnpm integ:signature:update --language javascript --test-regex "integ.ecr-signing.js$"; then
+  status=0
+else
+  status=$?
+fi
+ecr_signing_teardown
+exit "$status"
+```
+## Mode: `signature` (deploy)
+Runs all four signature sub-modes back-to-back. They are state-agnostic w.r.t. Inspector, but each mutates SSM/KMS/ECR and synths into the shared `cdk.out/`, so order matters.
+Failures in earlier modes do NOT short-circuit later ones — capture per-mode status and surface them all in the final report. Each mode's preamble (`rm -rf cdk.out/`, REGION/REGISTRY/REPO export) must run anew per iteration.
+```bash
+sig_status=()
+for mode in signature-notation signature-cosign-kms signature-cosign-publickey signature-ecr-signing; do
+  echo "=== Running mode: $mode ==="
+  if run_mode "$mode"; then
+    sig_status+=("$mode: PASS")
+  else
+    sig_status+=("$mode: FAIL")
+  fi
+done
+printf '%s\n' "${sig_status[@]}"
+```
+After the loop, finish with `cleanup_signature_artifacts`.
+## Mode: `all` (deploy)
+Runs **every** integ test end-to-end with optimal Inspector state transitions.
+State-transition strategy (minimizes Inspector flips, which each cost a ~5 min poll + the ~20 min engine warmup on enable):
+1. **Enable Inspector** (if not already) and absorb the engine warmup. Serves both `enhanced` AND positions us for `signature-*` (state-agnostic but cheaper to keep ENABLED across them).
+2. **Run `enhanced`** with the 3-attempt retry loop.
+3. **Run all four `signature-*` modes**.
+4. **Flip Inspector to DISABLED** + poll.
+5. **Run `basic`** (proactive scan-on-push enable + unconditional restore).
+6. **Restore Inspector to `ORIGINAL_STATE_*`** — `all` IGNORES `--no-restore` because a both-directions sequence has no obvious "as-found" target.
+7. **Run `cleanup_signature_artifacts`** unconditionally.
+Pseudocode:
+```bash
+. scripts/integ.sh
+ACCOUNT="$(account_id)"
+ORIGINAL_STATE_EAST1="$(inspector_status us-east-1)"
+ORIGINAL_STATE_EAST2="$(inspector_status us-east-2)"
+ORIGINAL_STATE_WEST2="$(inspector_status us-west-2)"
+pnpm tsc -p tsconfig.dev.json
+(cd assets/lambda && pnpm install --frozen-lockfile && pnpm build)
+# --- 1+2: enhanced ---
+TRANSITION="ENABLED"
+if [ "$ORIGINAL_STATE_EAST1" != "ENABLED" ] || \
+   [ "$ORIGINAL_STATE_EAST2" != "ENABLED" ] || \
+   [ "$ORIGINAL_STATE_WEST2" != "ENABLED" ]; then
+  TRANSITION="DISABLED"
+fi
+inspector_enable_all
+wait_inspector_status_all ENABLED || exit 1
+wait_enhanced_engine_warmup "$TRANSITION" 1200
+results=()
+if MAX_ATTEMPTS=3 RETRY_GAP_SECS=600 \
+   enhanced_run_with_retry pnpm integ:enhanced:update; then
+  results+=("enhanced: PASS")
+else
+  results+=("enhanced: FAIL")
+fi
+# --- 3: all signatures ---
+for mode in signature-notation signature-cosign-kms signature-cosign-publickey signature-ecr-signing; do
+  if run_signature_mode "$mode"; then
+    results+=("$mode: PASS")
+  else
+    results+=("$mode: FAIL")
+  fi
+done
+# --- 4+5: basic ---
+inspector_disable_all
+wait_inspector_status_all DISABLED || exit 1
+scan_on_push_set true
+if pnpm integ:basic:update; then
+  results+=("basic: PASS")
+else
+  results+=("basic: FAIL")
+fi
+scan_on_push_set false
+# --- 6: restore Inspector (always for `all`) ---
+if [ "$ORIGINAL_STATE_EAST1" = "ENABLED" ] || \
+   [ "$ORIGINAL_STATE_EAST2" = "ENABLED" ] || \
+   [ "$ORIGINAL_STATE_WEST2" = "ENABLED" ]; then
+  inspector_enable_all
+  wait_inspector_status_all ENABLED || exit 1
+fi
+# --- 7: cleanup (full) ---
+cleanup_signature_artifacts
+ecr_signing_teardown
+scan_on_push_set false
+printf '%s\n' "${results[@]}"
+```
+Wall-clock budget for a clean `all` run: roughly 45–80 minutes depending on Inspector warmup and signature retries. Plan accordingly.
+## Mode: `cleanup`
+Full teardown of everything this skill can leave behind. Idempotent — safe to run any number of times, even when nothing was set up. Used as the final step of `all`, and useful on its own when interrupting a partial signature run.
+What it touches:
+- Signature artifacts (delegates to `cleanup_signature_artifacts`): SSM params, KMS key 7-day deletion schedule, local cosign keypair
+- ECR signing dedicated repo + signing-configuration (delegates to `ecr_signing_teardown`)
+- Bootstrap-repo scan-on-push reset to `false` in all three regions
+What it does NOT touch:
+- Inspector enable/disable state (per-account decision; flip via `basic` / `enhanced` if needed)
+- `EcrScanVerifierTestProfile` AWS Signer profile (cancellation is permanent — left Active by design)
+- Pushed Docker / signature artifacts in the bootstrap repo (immutable, cannot be cleaned)
+```bash
+. scripts/integ.sh
+cleanup_signature_artifacts
+ecr_signing_teardown          # idempotent (|| true on each step)
+scan_on_push_set false
+```
+Report what was actually removed vs what was already absent.
+## Mode: `cleanup-signature`
+```bash
+cleanup_signature_artifacts
+```
+The function resolves the KMS key id from SSM before deleting the param. If SSM is already gone and the id can't be recovered, it prints a WARN and skips KMS deletion — ask the user for the key id rather than guess.
+## Reporting
+At the end of every run, print:
+- Mode invoked + whether `--snapshot-only` was set + duration
+- `ORIGINAL_STATE_*` per region and whether each was restored (or "n/a" for snapshot-only)
+- Test pass/fail counts (parse from `integ-runner` output)
+- Any leftover side effects (e.g. `EcrScanVerifierTestProfile` left Active intentionally; signing-configuration disabled; `cosign.key` removed)
+Never end with stale state silently. If a restore step was skipped or failed, say so explicitly.
+## Important
+- **Deploy is the default.** Snapshot-only is opt-in via `--snapshot-only`, which collapses every mode to a single `pnpm integ:<mode>` call with no AWS calls and no state changes.
+- **Always operate on all three regions** (`us-east-1 us-east-2 us-west-2`) when toggling Inspector — partial toggles cause hard-to-debug test failures.
+- **Poll with a bounded loop** (`wait_inspector_status` from `scripts/integ.sh`) — never use a bare `sleep` for state convergence.
+- **`enhanced` engine lag is long**: status flipping to `ENABLED` is not the same as the scanning engine being ready. On a fresh DISABLED→ENABLED transition, sleep 1200s (20 min) before the first test attempt, then allow up to 3 total attempts with 600s (10 min) gaps. This worst-case ~40 min budget matches observed warmup. If all 3 fail, the cause is not propagation lag — stop waiting and investigate.
+- **Always enable scan-on-push proactively for `basic`** — `pnpm integ:basic:update` runs the `integ.scan-on-push` test in the same suite, so toggling on after a failure is too late.
+- **Never cancel `EcrScanVerifierTestProfile`** — cancellation is permanent and blocks future runs under the same name.
+- **`cosign generate-key-pair` and `cosign sign` need `COSIGN_PASSWORD=""`** when run unattended — otherwise they hang on a password prompt.
+- **Never commit `cosign.key` / `cosign.pub`** — they're git-ignored, keep it that way.
+- **Bootstrap repo uses immutable tags** — leftover Notation referrer tags from a failed `notation sign` MUST be deleted before retrying; do not work around with a fresh tag.
+- **`signature-ecr-signing` teardown is not optional** — wrap the test runner so `ecr_signing_teardown` runs even on failure.
+- **`cosign sign` looks hung** — on success it emits only `Signing artifact...` to stderr and then goes silent until the OCI referrer push completes. Use `cosign sign -d` for verbose HTTP logging when debugging.
+- **worktrees need `pnpm install --frozen-lockfile` first** — the `pnpm integ:*` scripts call `tsc` directly (not via `npx tsc`); without local `node_modules` the script fails with `sh: tsc: command not found`.
+- When in doubt about which test to run, call `AskUserQuestion` rather than guess.

package/.claude/skills/verify-integ-docs/SKILL.md ADDED Viewed

@@ -0,0 +1,145 @@
+---
+name: verify-integ-docs
+description: Verify the integ-test skill, test/integ/README.md, and scripts/integ.sh stay consistent. Runs the mechanical script checks PLUS LLM-only semantic checks (mode-description agreement, code-example coherence, cross-reference resolution, depth parity, helper-arg correctness) that a regex can't catch. Sets the `integ-docs` markgate marker on full pass.
+---
+# verify-integ-docs
+The integ workflow is documented in three places that must agree:
+| Source                              | Audience               |
+| ----------------------------------- | ---------------------- |
+| `.claude/skills/integ-test/SKILL.md`| Claude Code (automated)|
+| `test/integ/README.md`              | humans (manual runs)   |
+| `scripts/integ.sh`                  | shared shell helpers   |
+Both docs are intentionally redundant — the skill drives Claude through the workflow, the README lets a human run the same workflow by hand. This skill keeps them in lockstep using **two layers**:
+1. **Mechanical** (`scripts/verify-integ-docs.sh`) — name parity, dead-helper detection, anti-pattern grep. Cheap, deterministic, runnable in CI.
+2. **Semantic** (this skill) — does each mode actually mean the same thing in both docs? Do code examples produce equivalent results? Are cross-references valid? Only an LLM that reads both docs side-by-side can answer these.
+Both layers must pass before the marker flips. If only the mechanical layer matters, use `markgate run integ-docs -- ./scripts/verify-integ-docs.sh` directly instead of this skill — but you'll miss the kinds of drift listed under "Semantic checks" below.
+## Layer 1: mechanical (script)
+`scripts/verify-integ-docs.sh` enforces:
+1. **All three source files exist** — deleting one without the other would leave stale references.
+2. **Mode parity** — every mode in the SKILL's `argument-hint:` frontmatter must appear in both the SKILL's `## Arguments` list AND the README's `### Modes` table.
+3. **Helper parity** — every function defined in `scripts/integ.sh` must be referenced from at least one of the two docs (catches dead helpers and rename drift).
+4. **Both docs source the helpers** — both must reference `scripts/integ.sh`.
+5. **No raw `aws signer put-signing-profile`** — it's NOT idempotent (returns `ProfileAlreadyExists` on existing Active profile). Must use `signer_profile_ensure`.
+6. **No insufficient cosign signing-config strip** — `del(.rekorTlogUrls)` alone causes cosign 3.x to silently hang on `--key` signing. Must use `cosign_minimal_signing_config` (also strips oidc / ca / tsa).
+7. **`signature-*` mode test sources exist** — every `signature-<name>` mode must have a corresponding `test/integ/signature/integ.<name>.ts`.
+```bash
+./scripts/verify-integ-docs.sh
+```
+If it fails, fix the reported drift first; do NOT proceed to layer 2 or set the marker.
+## Layer 2: semantic (this skill, LLM-only)
+Run these AFTER layer 1 passes. Each catches a class of drift the script cannot.
+### S1. Per-mode description agreement
+For each mode in `argument-hint:`, compare:
+- the SKILL's `## Arguments` line: `` - `mode` — <SKILL description> ``
+- the README's `### Modes` table row: `` | `mode` | <README description> | ``
+These are written for different audiences (LLM vs human), so they should NOT be byte-identical. They MUST claim the same behavior. Flag drift such as:
+- **Contradictory claims**: SKILL says "switch Inspector if needed, run …, restore" but README says "Run …; no Inspector toggle" → one is wrong.
+- **Coverage mismatch**: SKILL describes 3 sub-steps, README describes only 1 → README is misleading; either expand it or compress the SKILL.
+- **Out-of-date defaults**: SKILL says "deploys by default" but README says "snapshot-only by default" → polarity skew.
+### S2. Code-example coherence
+For each mode that has a code example in BOTH docs (notation, cosign-kms, cosign-publickey, ecr-signing), read the SKILL and README versions side-by-side and verify they would produce the same result:
+- Same commands in the same order (allow trivial reordering only when results are independent).
+- Same flags (e.g., `--region "${REGION}"` vs no region).
+- Same helper invocations (e.g., both use `signer_profile_ensure`, not one with `aws signer put-signing-profile`).
+- Same env vars (`COSIGN_PASSWORD=""` present in both, etc.).
+If they diverge, ask: which is right? Usually the SKILL (more recently audited) — port the change to the README, or vice versa.
+### S3. Cross-reference resolution
+Every markdown link of the form `[text](#anchor)` in SKILL.md or README.md must resolve to an actual heading in the same document. Common breaks:
+- Heading renamed but the anchor link not updated.
+- Anchor uses underscore where the heading slug uses hyphen.
+- Link refers to a section that exists in the OTHER doc (not the same one).
+Also check that `[text](../../scripts/integ.sh)` and similar relative paths actually resolve from the doc's location.
+### S4. Helper-argument correctness
+For each helper from `scripts/integ.sh` that appears in either doc, confirm the call sites use valid arguments:
+- `scan_on_push_set true|false` — not `enable` / `on` / `yes`.
+- `wait_inspector_status_all ENABLED|DISABLED` — uppercase string literals.
+- `wait_enhanced_engine_warmup ENABLED|DISABLED [secs]` — same.
+- `signer_profile_ensure` — no args.
+The script's helper-parity check (mechanical #3) only verifies the **name** is mentioned; it cannot check the **arguments**.
+### S5. Depth parity
+For each mode, neither doc's explanation should be more than ~3× the length of the other. The two are for different audiences, but a 1-line README row plus a 50-line SKILL section means the README is silently lying about how complex the mode is. Flag and either expand the shorter side or trim the longer.
+### S6. Drift in "Important" / gotcha lists
+Compare the bullet lists at the end of each doc ("Important", "Important Note", trailing tips). Any caveat present in one but missing from the other is a candidate for porting. Examples that have bitten us before:
+- "Bootstrap repo uses immutable tags — must delete leftover Notation referrer tag before retrying"
+- "cosign 3.x signing-config needs oidc/ca/tsa stripped, not just rekor"
+- "AWS Signer profile cancellation is permanent"
+If any of those appear in one doc but not the other, port them.
+## When to run
+- After editing any of `.claude/skills/integ-test/SKILL.md`, `test/integ/README.md`, or `scripts/integ.sh`.
+- The `integ-docs-gate.sh` PreToolUse hook blocks `gh pr create` / `gh pr merge` when the marker is stale, so a missed run surfaces at PR time.
+- The `.github/workflows/verify-integ-docs.yml` workflow runs the mechanical script on every PR. **It does NOT run the semantic checks above** — those still require this skill (an LLM). CI catches the cheap drift; the skill catches the expensive drift.
+## Setting the marker
+ONLY after both layer 1 (script) and layer 2 (S1–S6) pass:
+```bash
+if command -v mise >/dev/null 2>&1; then
+  mise exec -- markgate set integ-docs
+else
+  markgate set integ-docs
+fi
+```
+If layer 1 failed → fix mechanical drift, re-run. If any semantic check (S1–S6) flagged something → fix the underlying doc drift (or surface to the user when the right answer isn't obvious), THEN set the marker. Setting the marker on a failed run defeats the entire gate.
+## Recovery from drift
+The most common failures and their fixes:
+- **Mode missing from one doc** (mech #2): add it to the missing place. Don't remove it from the other.
+- **Helper not referenced** (mech #3): either reference it from the appropriate doc OR delete it from `scripts/integ.sh` if truly unused.
+- **Raw `put-signing-profile`** (mech #5): replace with `signer_profile_ensure`.
+- **Raw `del(.rekorTlogUrls)`** (mech #6): replace with `cosign_minimal_signing_config /tmp/signing-config.json`.
+- **Signature mode without matching test** (mech #7): either add the test (`test/integ/signature/integ.<name>.ts` + build), or remove the mode from the skill and README.
+- **Per-mode description disagreement** (sem S1): pick the audience-appropriate wording for each, but make sure they describe the same behavior. Don't silently delete claims to "fix" the diff.
+- **Code example divergence** (sem S2): identify which version was changed last (git blame) and port to the other.
+- **Broken cross-reference** (sem S3): fix the anchor or rename the heading consistently.
+- **Wrong helper arg** (sem S4): fix the call site — the helper's contract is authoritative, not the doc.
+- **Depth imbalance** (sem S5): usually expand the README (the human audience needs MORE detail, not less, even though the SKILL can be terse with LLM context).
+- **Caveat in one doc only** (sem S6): port it.
+## Important
+- **Layer 2 is the skill's reason to exist.** If you only run the script, prefer `markgate run integ-docs -- ./scripts/verify-integ-docs.sh` and skip this skill entirely. The skill's value is doing what `grep` can't.
+- **Never set the marker on a failed run.** The gate's whole point is that the marker is an audit trail saying "yes, these files agree, and I personally read them." Setting it to silence a failure is the worst possible move.
+- **Adding a new helper to `scripts/integ.sh`** requires using it from at least one doc in the same change (mechanical check), AND documenting its arg contract (semantic check S4).
+- **Adding a new integ test file** alone does NOT invalidate the marker (only SKILL.md / README.md / scripts/integ.sh do, per `.markgate.yml` scope). New tests typically come with README changes anyway, which trip the marker naturally.

package/.jsii CHANGED Viewed

@@ -5622,6 +5622,6 @@
       "symbolId": "src/signature-verification:VerificationOptions"
     }
   },
-  "version": "0.1.1",
-  "fingerprint": "6WYnUY67CfmrtryCWmZ/LFsrWjftPnD0AbNKSfJKXG8="
+  "version": "0.1.2",
+  "fingerprint": "EPuVTblfXSkiSlj9KwfRbHNKkJE9igTQ8Rr0HbSceZQ="
 }

package/.markgate.yml ADDED Viewed

@@ -0,0 +1,25 @@
+# markgate configuration — https://github.com/go-to-k/markgate
+#
+# Gates:
+#   integ-docs — keeps the three integ-workflow sources in lockstep:
+#                .claude/skills/integ-test/SKILL.md (automated),
+#                test/integ/README.md (manual),
+#                scripts/integ.sh (shared helpers).
+#                Set by the /verify-integ-docs skill after
+#                scripts/verify-integ-docs.sh passes. The PreToolUse
+#                hook .claude/hooks/integ-docs-gate.sh blocks
+#                `gh pr create` / `gh pr merge` when stale.
+#
+# Scope is intentionally narrow — only the three files above. Integ
+# test files under test/integ/{basic,enhanced,signature}/ are NOT in
+# scope: adding a new test typically comes with a README/SKILL update
+# anyway, which trips the marker naturally. Gating on test file edits
+# directly would force re-verification on every test snapshot refresh.
+gates:
+  integ-docs:
+    hash: files
+    include:
+      - ".claude/skills/integ-test/SKILL.md"
+      - "test/integ/README.md"
+      - "scripts/integ.sh"

package/.mise.toml ADDED Viewed

@@ -0,0 +1,9 @@
+# mise tool pinning — https://mise.jdx.dev/
+#
+# Pinning markgate via mise ensures every contributor uses the same
+# schema version. Mixing 0.3.0 and 0.3.1+ binaries silently invalidates
+# each other's markers (the schema bumped in 0.3.1), so Homebrew vs
+# mise drift would constantly trip the integ-docs gate for no reason.
+[tools]
+"ubi:go-to-k/markgate" = "0.3.3"

package/lib/ecr-scan-verifier.js CHANGED Viewed

@@ -156,5 +156,5 @@ class EcrScanVerifier extends constructs_1.Construct {
 }
 exports.EcrScanVerifier = EcrScanVerifier;
 _a = JSII_RTTI_SYMBOL_1;
-EcrScanVerifier[_a] = { fqn: "ecr-scan-verifier.EcrScanVerifier", version: "0.1.1" };
+EcrScanVerifier[_a] = { fqn: "ecr-scan-verifier.EcrScanVerifier", version: "0.1.2" };
 //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZWNyLXNjYW4tdmVyaWZpZXIuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi9zcmMvZWNyLXNjYW4tdmVyaWZpZXIudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7QUFBQSwrQkFBNEI7QUFDNUIsNkNBQWdHO0FBRWhHLCtEQUFzRDtBQUN0RCxpREFBc0Q7QUFDdEQsdURBTWdDO0FBR2hDLG1FQUF3RDtBQUN4RCwyQ0FBbUQ7QUFLbkQsbUNBQW1DO0FBa0huQzs7OztHQUlHO0FBQ0gsTUFBYSxlQUFnQixTQUFRLHNCQUFTO0lBRzVDLFlBQVksS0FBZ0IsRUFBRSxFQUFVLEVBQUUsS0FBMkI7UUFDbkUsS0FBSyxDQUFDLEtBQUssRUFBRSxFQUFFLENBQUMsQ0FBQztRQUVqQixJQUFJLENBQUMsZUFBZSxHQUFHLEtBQUssQ0FBQyxlQUFlLENBQUM7UUFDN0MsTUFBTSxhQUFhLEdBQUcsNkNBQTZDLENBQUM7UUFFcEUsTUFBTSxvQkFBb0IsR0FBRyxJQUFJLDhCQUFpQixDQUFDLElBQUksRUFBRSxzQkFBc0IsRUFBRTtZQUMvRSxJQUFJLEVBQUUsc0NBQXNDO1lBQzVDLGFBQWE7WUFDYixPQUFPLEVBQUUsb0JBQU8sQ0FBQyxVQUFVO1lBQzNCLE9BQU8sRUFBRSxvQkFBTyxDQUFDLFVBQVU7WUFDM0IsSUFBSSxFQUFFLHNCQUFTLENBQUMsY0FBYyxDQUFDLElBQUEsV0FBSSxFQUFDLFNBQVMsRUFBRSxrQkFBa0IsQ0FBQyxFQUFFO2dCQUNsRSxRQUFRLEVBQUUseUJBQVEsQ0FBQyxXQUFXO2dCQUM5QixVQUFVLEVBQUUsd0JBQVUsQ0FBQyxNQUFNO2FBQzlCLENBQUM7WUFDRixZQUFZLEVBQUUseUJBQVksQ0FBQyxNQUFNO1lBQ2pDLE9BQU8sRUFBRSxzQkFBUSxDQUFDLE9BQU8sQ0FBQyxHQUFHLENBQUM7WUFDOUIsYUFBYSxFQUFFLENBQUM7WUFDaEIsUUFBUSxFQUFFLElBQUksQ0FBQyxlQUFlO1NBQy9CLENBQUMsQ0FBQztRQUVILE1BQU0sUUFBUSxHQUFHLEtBQUssQ0FBQyxRQUFRLElBQUksUUFBUSxDQUFDO1FBRTVDLE1BQU0sZ0JBQWdCLEdBQUcsS0FBSyxDQUFDLFVBQVUsQ0FBQyxJQUFJLEVBQUUsQ0FBQztRQUVqRCx5REFBeUQ7UUFDekQsSUFBSSxnQkFBZ0IsQ0FBQyxRQUFRLEtBQUssZ0JBQWdCLElBQUksQ0FBQyxLQUFLLENBQUMscUJBQXFCLEVBQUUsQ0FBQztZQUNuRixNQUFNLElBQUksS0FBSyxDQUFDLDRFQUE0RSxDQUFDLENBQUM7UUFDaEcsQ0FBQztRQUVELE1BQU0sYUFBYSxHQUFHLEtBQUssQ0FBQyxjQUFjLEVBQUUsSUFBSSxDQUFDLG9CQUFvQixDQUFDLENBQUM7UUFFdkUsc0NBQXNDO1FBQ3RDLE1BQU0sVUFBVSxHQUFHLGdCQUFnQixDQUFDLFVBQVUsRUFBRSxJQUFJLENBQUMsb0JBQW9CLENBQUMsQ0FBQztRQUUzRSx5QkFBeUI7UUFDekIsTUFBTSwyQkFBMkIsR0FBRyxLQUFLLENBQUMscUJBQXFCLEVBQUUsSUFBSSxDQUFDLG9CQUFvQixDQUFDLENBQUM7UUFFNUYsa0JBQWtCO1FBQ2xCLDREQUE0RDtRQUM1RCxnRUFBZ0U7UUFDaEUsTUFBTSxVQUFVLEdBQUcsQ0FBQyxvQkFBb0IsQ0FBQyxDQUFDO1FBQzFDLElBQUksZ0JBQWdCLENBQUMsUUFBUSxLQUFLLGdCQUFnQixFQUFFLENBQUM7WUFDbkQsVUFBVSxDQUFDLElBQUksQ0FBQywrQkFBK0IsQ0FBQyxDQUFDO1FBQ25ELENBQUM7UUFDRCxvQkFBb0IsQ0FBQyxlQUFlLENBQ2xDLElBQUkseUJBQWUsQ0FBQztZQUNsQixPQUFPLEVBQUUsVUFBVTtZQUNuQixTQUFTLEVBQUUsQ0FBQyxLQUFLLENBQUMsVUFBVSxDQUFDLGFBQWEsQ0FBQztTQUM1QyxDQUFDLENBQ0gsQ0FBQztRQUVGLElBQUksZ0JBQWdCLENBQUMsUUFBUSxLQUFLLFVBQVUsRUFBRSxDQUFDO1lBQzdDLG9CQUFvQixDQUFDLGVBQWUsQ0FDbEMsSUFBSSx5QkFBZSxDQUFDO2dCQUNsQixPQUFPLEVBQUUsQ0FBQyx5QkFBeUIsRUFBRSx5QkFBeUIsQ0FBQztnQkFDL0QsU0FBUyxFQUFFLENBQUMsR0FBRyxDQUFDO2FBQ2pCLENBQUMsQ0FDSCxDQUFDO1FBQ0osQ0FBQztRQUVELElBQUksZ0JBQWdCLENBQUMsU0FBUyxFQUFFLENBQUM7WUFDL0Isb0JBQW9CLENBQUMsZUFBZSxDQUNsQyxJQUFJLHlCQUFlLENBQUM7Z0JBQ2xCLE9BQU8sRUFBRSxDQUFDLG9CQUFvQixDQUFDO2dCQUMvQixTQUFTLEVBQUUsQ0FBQyxLQUFLLENBQUMsVUFBVSxDQUFDLGFBQWEsQ0FBQzthQUM1QyxDQUFDLENBQ0gsQ0FBQztRQUNKLENBQUM7UUFFRCxxQ0FBcUM7UUFDckMsSUFBSSwyQkFBMkIsRUFBRSxDQUFDO1lBQ2hDLG9CQUFvQixDQUFDLGVBQWUsQ0FDbEMsSUFBSSx5QkFBZSxDQUFDO2dCQUNsQixPQUFPLEVBQUUsQ0FBQywyQkFBMkIsQ0FBQztnQkFDdEMsU0FBUyxFQUFFLENBQUMsR0FBRyxDQUFDO2FBQ2pCLENBQUMsQ0FDSCxDQUFDO1lBQ0Ysb0JBQW9CLENBQUMsZUFBZSxDQUNsQyxJQUFJLHlCQUFlLENBQUM7Z0JBQ2xCLE9BQU8sRUFBRSxDQUFDLG1CQUFtQixFQUFFLDRCQUE0QixDQUFDO2dCQUM1RCxTQUFTLEVBQUUsQ0FBQyxLQUFLLENBQUMsVUFBVSxDQUFDLGFBQWEsQ0FBQzthQUM1QyxDQUFDLENBQ0gsQ0FBQztZQUVGLElBQUksMkJBQTJCLENBQUMsSUFBSSxLQUFLLFVBQVUsRUFBRSxDQUFDO2dCQUNwRCxvQkFBb0IsQ0FBQyxlQUFlLENBQ2xDLElBQUkseUJBQWUsQ0FBQztvQkFDbEIsT0FBTyxFQUFFLENBQUMsNEJBQTRCLENBQUM7b0JBQ3ZDLFNBQVMsRUFBRSxDQUFDLEdBQUcsQ0FBQztpQkFDakIsQ0FBQyxDQUNILENBQUM7WUFDSixDQUFDO1lBQ0QsOERBQThEO1FBQ2hFLENBQUM7UUFFRCx1REFBdUQ7UUFDdkQsSUFBSSxVQUFVLEVBQUUsQ0FBQztZQUNmLG9CQUFvQixDQUFDLGVBQWUsQ0FDbEMsSUFBSSx5QkFBZSxDQUFDO2dCQUNsQixPQUFPLEVBQUUsQ0FBQyw2QkFBNkIsRUFBRSwwQkFBMEIsQ0FBQztnQkFDcEUsU0FBUyxFQUFFLENBQUMsR0FBRyxDQUFDO2FBQ2pCLENBQUMsQ0FDSCxDQUFDO1FBQ0osQ0FBQztRQUVELElBQUksS0FBSyxDQUFDLHNCQUFzQixFQUFFLENBQUM7WUFDakMsS0FBSyxDQUFDLHNCQUFzQixDQUFDLFlBQVksQ0FBQyxvQkFBb0IsQ0FBQyxDQUFDO1FBQ2xFLENBQUM7UUFFRCxNQUFNLHVCQUF1QixHQUFHLEtBQUssQ0FBQyx1QkFBdUIsSUFBSSxJQUFJLENBQUM7UUFDdEUsSUFBSSx1QkFBdUIsRUFBRSxDQUFDO1lBQzVCLG9CQUFvQixDQUFDLGVBQWUsQ0FDbEMsSUFBSSx5QkFBZSxDQUFDO2dCQUNsQixPQUFPLEVBQUUsQ0FBQywrQkFBK0IsQ0FBQztnQkFDMUMsU0FBUyxFQUFFLENBQUMsbUJBQUssQ0FBQyxFQUFFLENBQUMsSUFBSSxDQUFDLENBQUMsT0FBTyxDQUFDO2FBQ3BDLENBQUMsQ0FDSCxDQUFDO1FBQ0osQ0FBQztRQUVELG9GQUFvRjtRQUNwRixxQkFBTyxDQUFDLEVBQUUsQ0FBQyxtQkFBSyxDQUFDLEVBQUUsQ0FBQyxJQUFJLENBQUMsQ0FBQyxDQUFDLEdBQUcsQ0FBQztZQUM3QixLQUFLLEVBQUUsQ0FBQyxJQUFJLEVBQUUsRUFBRTtnQkFDZCxJQUNFLElBQUksWUFBWSxlQUFlO29CQUMvQixJQUFJLENBQUMsZ0JBQWdCLEVBQUUsSUFBSSxDQUFDLElBQUksS0FBSyxJQUFJLENBQUMsZUFBZSxFQUFFLElBQUksQ0FBQyxJQUFJLEVBQ3BFLENBQUM7b0JBQ0QseUJBQVcsQ0FBQyxFQUFFLENBQUMsSUFBSSxDQUFDLENBQUMsWUFBWSxDQUMvQixtREFBbUQsRUFDbkQsZ0hBQWdILENBQ2pILENBQUM7Z0JBQ0osQ0FBQztZQUNILENBQUM7U0FDRixDQUFDLENBQUM7UUFFSCxNQUFNLGdCQUFnQixHQUFHLElBQUksMkJBQVEsQ0FBQyxJQUFJLEVBQUUsVUFBVSxFQUFFO1lBQ3RELGNBQWMsRUFBRSxvQkFBb0I7U0FDckMsQ0FBQyxDQUFDO1FBRUgsTUFBTSxrQkFBa0IsR0FBK0I7WUFDckQsSUFBSSxFQUFFLElBQUksQ0FBQyxJQUFJLENBQUMsSUFBSTtZQUNwQixjQUFjLEVBQUUsS0FBSyxDQUFDLFVBQVUsQ0FBQyxjQUFjO1lBQy9DLFFBQVE7WUFDUixRQUFRLEVBQUUsZ0JBQWdCLENBQUMsUUFBUTtZQUNuQyxTQUFTLEVBQUUsTUFBTSxDQUFDLGdCQUFnQixDQUFDLFNBQVMsQ0FBQztZQUM3QyxRQUFRLEVBQUUsS0FBSyxDQUFDLFFBQVEsSUFBSSxDQUFDLGdCQUFRLENBQUMsUUFBUSxDQUFDO1lBQy9DLG1CQUFtQixFQUFFLE1BQU0sQ0FBQyxLQUFLLENBQUMsbUJBQW1CLElBQUksSUFBSSxDQUFDO1lBQzlELGNBQWMsRUFBRSxLQUFLLENBQUMsY0FBYyxJQUFJLEVBQUU7WUFDMUMsTUFBTSxFQUFFLGFBQWE7WUFDckIsSUFBSSxFQUFFLFVBQVU7WUFDaEIscUJBQXFCLEVBQUUsMkJBQTJCO2dCQUNoRCxDQUFDLENBQUM7b0JBQ0UsSUFBSSxFQUFFLDJCQUEyQixDQUFDLElBQUk7b0JBQ3RDLGlCQUFpQixFQUFFLDJCQUEyQixDQUFDLGlCQUFpQjtvQkFDaEUsU0FBUyxFQUFFLDJCQUEyQixDQUFDLFNBQVM7b0JBQ2hELFNBQVMsRUFBRSwyQkFBMkIsQ0FBQyxTQUFTO29CQUNoRCxjQUFjLEVBQUUsTUFBTSxDQUFDLDJCQUEyQixDQUFDLGNBQWMsQ0FBQztpQkFDbkU7Z0JBQ0gsQ0FBQyxDQUFDLFNBQVM7WUFDYix1QkFBdUIsRUFBRSxNQUFNLENBQUMsdUJBQXVCLENBQUM7WUFDeEQsYUFBYSxFQUFFLEtBQUssQ0FBQyxzQkFBc0IsRUFBRSxRQUFRO1lBQ3JELG1CQUFtQixFQUNqQixJQUFJLENBQUMsZUFBZSxFQUFFLFlBQVksSUFBSSxlQUFlLG9CQUFvQixDQUFDLFlBQVksRUFBRTtTQUMzRixDQUFDO1FBRUYsSUFBSSw0QkFBYyxDQUFDLElBQUksRUFBRSxVQUFVLEVBQUU7WUFDbkMsWUFBWSxFQUFFLHlCQUF5QjtZQUN2QyxVQUFVLEVBQUUsa0JBQWtCO1lBQzlCLFlBQVksRUFBRSxnQkFBZ0IsQ0FBQyxZQUFZO1NBQzVDLENBQUMsQ0FBQztRQUVILEtBQUssQ0FBQyxlQUFlLEVBQUUsT0FBTyxDQUFDLENBQUMsU0FBUyxFQUFFLEVBQUU7WUFDM0MsU0FBUyxDQUFDLElBQUksQ0FBQyxhQUFhLENBQUMsSUFBSSxDQUFDLENBQUM7UUFDckMsQ0FBQyxDQUFDLENBQUM7SUFDTCxDQUFDO0lBRUQsZ0JBQWdCO0lBQ2hCLElBQUksZ0JBQWdCO1FBQ2xCLE9BQU8sSUFBSSxDQUFDLGVBQWUsQ0FBQztJQUM5QixDQUFDOztBQXRMSCwwQ0F1TEMiLCJzb3VyY2VzQ29udGVudCI6WyJpbXBvcnQgeyBqb2luIH0gZnJvbSAncGF0aCc7XG5pbXBvcnQgeyBBbm5vdGF0aW9ucywgQXNwZWN0cywgQ3VzdG9tUmVzb3VyY2UsIER1cmF0aW9uLCBJZ25vcmVNb2RlLCBTdGFjayB9IGZyb20gJ2F3cy1jZGstbGliJztcbmltcG9ydCB7IElSZXBvc2l0b3J5IH0gZnJvbSAnYXdzLWNkay1saWIvYXdzLWVjcic7XG5pbXBvcnQgeyBQbGF0Zm9ybSB9IGZyb20gJ2F3cy1jZGstbGliL2F3cy1lY3ItYXNzZXRzJztcbmltcG9ydCB7IFBvbGljeVN0YXRlbWVudCB9IGZyb20gJ2F3cy1jZGstbGliL2F3cy1pYW0nO1xuaW1wb3J0IHtcbiAgQXJjaGl0ZWN0dXJlLFxuICBBc3NldENvZGUsXG4gIEhhbmRsZXIsXG4gIFJ1bnRpbWUsXG4gIFNpbmdsZXRvbkZ1bmN0aW9uLFxufSBmcm9tICdhd3MtY2RrLWxpYi9hd3MtbGFtYmRhJztcbmltcG9ydCB7IElMb2dHcm91cCB9IGZyb20gJ2F3cy1jZGstbGliL2F3cy1sb2dzJztcbmltcG9ydCB7IElUb3BpYyB9IGZyb20gJ2F3cy1jZGstbGliL2F3cy1zbnMnO1xuaW1wb3J0IHsgUHJvdmlkZXIgfSBmcm9tICdhd3MtY2RrLWxpYi9jdXN0b20tcmVzb3VyY2VzJztcbmltcG9ydCB7IENvbnN0cnVjdCwgSUNvbnN0cnVjdCB9IGZyb20gJ2NvbnN0cnVjdHMnO1xuaW1wb3J0IHsgU2Nhbm5lckN1c3RvbVJlc291cmNlUHJvcHMgfSBmcm9tICcuL2N1c3RvbS1yZXNvdXJjZS1wcm9wcyc7XG5pbXBvcnQgeyBTY2FuQ29uZmlnIH0gZnJvbSAnLi9zY2FuLWNvbmZpZyc7XG5pbXBvcnQgeyBTY2FuTG9nc091dHB1dCB9IGZyb20gJy4vc2Nhbi1sb2dzLW91dHB1dCc7XG5pbXBvcnQgeyBTaWduYXR1cmVWZXJpZmljYXRpb24gfSBmcm9tICcuL3NpZ25hdHVyZS12ZXJpZmljYXRpb24nO1xuaW1wb3J0IHsgU2V2ZXJpdHkgfSBmcm9tICcuL3R5cGVzJztcblxuLyoqXG4gKiBQcm9wZXJ0aWVzIGZvciBFY3JTY2FuVmVyaWZpZXIgQ29uc3RydWN0LlxuICovXG5leHBvcnQgaW50ZXJmYWNlIEVjclNjYW5WZXJpZmllclByb3BzIHtcbiAgLyoqXG4gICAqIEVDUiBSZXBvc2l0b3J5IHRvIHNjYW4uXG4gICAqL1xuICByZWFkb25seSByZXBvc2l0b3J5OiBJUmVwb3NpdG9yeTtcblxuICAvKipcbiAgICogSW1hZ2UgdGFnIG9yIGRpZ2VzdCB0byBzY2FuLlxuICAgKlxuICAgKiBZb3UgY2FuIHNwZWNpZnkgYSB0YWcgKGUuZy4sICd2MS4wJywgJ2xhdGVzdCcpIG9yIGEgZGlnZXN0IChlLmcuLCAnc2hhMjU2OmFiYzEyMy4uLicpLlxuICAgKiBJZiB0aGUgdmFsdWUgc3RhcnRzIHdpdGggJ3NoYTI1NjonLCBpdCBpcyB0cmVhdGVkIGFzIGEgZGlnZXN0LlxuICAgKlxuICAgKiBAZGVmYXVsdCAnbGF0ZXN0J1xuICAgKi9cbiAgcmVhZG9ubHkgaW1hZ2VUYWc/OiBzdHJpbmc7XG5cbiAgLyoqXG4gICAqIFNjYW4gY29uZmlndXJhdGlvbiDigJQgY2hvb3NlIGJhc2VkIG9uIHlvdXIgRUNSIHJlcG9zaXRvcnkvYWNjb3VudCBzZXR0aW5nczpcbiAgICpcbiAgICogLSBgU2NhbkNvbmZpZy5iYXNpYygpYCAoZGVmYXVsdDogYHN0YXJ0U2NhbjogdHJ1ZWApIOKAlCBzdGFydHMgYSBzY2FuIHZpYSB0aGUgRUNSIEFQSS5cbiAgICogICBObyBhZGRpdGlvbmFsIEVDUiBjb25maWd1cmF0aW9uIHJlcXVpcmVkLlxuICAgKiAtIGBTY2FuQ29uZmlnLmJhc2ljKHsgc3RhcnRTY2FuOiBmYWxzZSB9KWAg4oCUIHBvbGxzIGZvciBleGlzdGluZyByZXN1bHRzLlxuICAgKiAgIFJlcXVpcmVzIEJhc2ljIHNjYW4tb24tcHVzaCB0byBiZSBlbmFibGVkIG9uIHRoZSByZXBvc2l0b3J5LlxuICAgKiAtIGBTY2FuQ29uZmlnLmVuaGFuY2VkKClgIOKAlCB1c2VzIEFtYXpvbiBJbnNwZWN0b3IgZW5oYW5jZWQgc2Nhbm5pbmcuXG4gICAqICAgUmVxdWlyZXMgRW5oYW5jZWQgc2Nhbm5pbmcgdG8gYmUgZW5hYmxlZCBvbiB0aGUgYWNjb3VudC5cbiAgICpcbiAgICogSWYgdGhlIHJlcXVpcmVkIHNjYW5uaW5nIGNvbmZpZ3VyYXRpb24gaXMgbm90IGluIHBsYWNlIGFuZCBubyBwcmlvciBzY2FuIHJlc3VsdHMgZXhpc3QsXG4gICAqIHRoZSBkZXBsb3ltZW50IHdpbGwgZmFpbC5cbiAgICovXG4gIHJlYWRvbmx5IHNjYW5Db25maWc6IFNjYW5Db25maWc7XG5cbiAgLyoqXG4gICAqIFNldmVyaXR5IHRocmVzaG9sZCBmb3IgdnVsbmVyYWJpbGl0eSBkZXRlY3Rpb24uXG4gICAqXG4gICAqIElmIHZ1bG5lcmFiaWxpdGllcyBhdCBvciBhYm92ZSBhbnkgb2YgdGhlIHNwZWNpZmllZCBzZXZlcml0eSBsZXZlbHMgYXJlIGZvdW5kLFxuICAgKiB0aGUgc2NhbiB3aWxsIGJlIGNvbnNpZGVyZWQgYXMgaGF2aW5nIGZvdW5kIHZ1bG5lcmFiaWxpdGllcy5cbiAgICpcbiAgICogQGRlZmF1bHQgW1NldmVyaXR5LkNSSVRJQ0FMXVxuICAgKi9cbiAgcmVhZG9ubHkgc2V2ZXJpdHk/OiBTZXZlcml0eVtdO1xuXG4gIC8qKlxuICAgKiBXaGV0aGVyIHRvIGZhaWwgdGhlIENsb3VkRm9ybWF0aW9uIGRlcGxveW1lbnQgaWYgdnVsbmVyYWJpbGl0aWVzIGFyZSBkZXRlY3RlZFxuICAgKiBhYm92ZSB0aGUgc2V2ZXJpdHkgdGhyZXNob2xkLlxuICAgKlxuICAgKiBAZGVmYXVsdCB0cnVlXG4gICAqL1xuICByZWFkb25seSBmYWlsT25WdWxuZXJhYmlsaXR5PzogYm9vbGVhbjtcblxuICAvKipcbiAgICogRmluZGluZyBJRHMgdG8gaWdub3JlIGR1cmluZyB2dWxuZXJhYmlsaXR5IGV2YWx1YXRpb24uXG4gICAqXG4gICAqIEZvciBiYXNpYyBzY2FubmluZzogQ1ZFIElEcyAoZS5nLiwgJ0NWRS0yMDIzLTM3OTIwJylcbiAgICogRm9yIGVuaGFuY2VkIHNjYW5uaW5nOiBmaW5kaW5nIEFSTnMgb3IgQ1ZFIElEc1xuICAgKlxuICAgKiBAZGVmYXVsdCAtIG5vIGZpbmRpbmdzIGlnbm9yZWRcbiAgICovXG4gIHJlYWRvbmx5IGlnbm9yZUZpbmRpbmdzPzogc3RyaW5nW107XG5cbiAgLyoqXG4gICAqIENvbmZpZ3VyYXRpb24gZm9yIHNjYW4gbG9ncyBvdXRwdXQuXG4gICAqXG4gICAqIEBkZWZhdWx0IC0gc2NhbiBsb2dzIG91dHB1dCB0byBkZWZhdWx0IGxvZyBncm91cCBjcmVhdGVkIGJ5IFNjYW5uZXIgTGFtYmRhLlxuICAgKi9cbiAgcmVhZG9ubHkgc2NhbkxvZ3NPdXRwdXQ/OiBTY2FuTG9nc091dHB1dDtcblxuICAvKipcbiAgICogU2lnbmF0dXJlIHZlcmlmaWNhdGlvbiBjb25maWd1cmF0aW9uIGZvciB0aGUgY29udGFpbmVyIGltYWdlLlxuICAgKlxuICAgKiBWZXJpZmllcyB0aGUgaW1hZ2Ugc2lnbmF0dXJlIGJlZm9yZSBzY2FubmluZyB1c2luZyBOb3RhdGlvbiAoQVdTIFNpZ25lcikgb3IgQ29zaWduIChTaWdzdG9yZSkuXG4gICAqXG4gICAqIEBkZWZhdWx0IC0gbm8gc2lnbmF0dXJlIHZlcmlmaWNhdGlvblxuICAgKi9cbiAgcmVhZG9ubHkgc2lnbmF0dXJlVmVyaWZpY2F0aW9uPzogU2lnbmF0dXJlVmVyaWZpY2F0aW9uO1xuXG4gIC8qKlxuICAgKiBUaGUgU2Nhbm5lciBMYW1iZGEgZnVuY3Rpb24ncyBkZWZhdWx0IGxvZyBncm91cC5cbiAgICpcbiAgICogSWYgeW91IHVzZSBFY3JTY2FuVmVyaWZpZXIgY29uc3RydWN0IG11bHRpcGxlIHRpbWVzIGluIHRoZSBzYW1lIHN0YWNrLFxuICAgKiB5b3UgbXVzdCBzcGVjaWZ5IHRoZSBzYW1lIGxvZyBncm91cCBmb3IgZWFjaCBjb25zdHJ1Y3QuXG4gICAqXG4gICAqIEBkZWZhdWx0IC0gU2Nhbm5lciBMYW1iZGEgY3JlYXRlcyB0aGUgZGVmYXVsdCBsb2cgZ3JvdXAuXG4gICAqL1xuICByZWFkb25seSBkZWZhdWx0TG9nR3JvdXA/OiBJTG9nR3JvdXA7XG5cbiAgLyoqXG4gICAqIFN1cHByZXNzIGVycm9ycyBkdXJpbmcgcm9sbGJhY2sgc2Nhbm5lciBMYW1iZGEgZXhlY3V0aW9uLlxuICAgKlxuICAgKiBAZGVmYXVsdCB0cnVlXG4gICAqL1xuICByZWFkb25seSBzdXBwcmVzc0Vycm9yT25Sb2xsYmFjaz86IGJvb2xlYW47XG5cbiAgLyoqXG4gICAqIFNOUyB0b3BpYyBmb3IgdnVsbmVyYWJpbGl0eSBub3RpZmljYXRpb24uXG4gICAqXG4gICAqIFN1cHBvcnRzIEFXUyBDaGF0Ym90IG1lc3NhZ2UgZm9ybWF0LlxuICAgKlxuICAgKiBAZGVmYXVsdCAtIG5vIG5vdGlmaWNhdGlvblxuICAgKi9cbiAgcmVhZG9ubHkgdnVsbnNOb3RpZmljYXRpb25Ub3BpYz86IElUb3BpYztcblxuICAvKipcbiAgICogQ29uc3RydWN0cyB0byBibG9jayBpZiB2dWxuZXJhYmlsaXRpZXMgYXJlIGRldGVjdGVkLlxuICAgKlxuICAgKiBAZGVmYXVsdCAtIG5vIGNvbnN0cnVjdHMgdG8gYmxvY2tcbiAgICovXG4gIHJlYWRvbmx5IGJsb2NrQ29uc3RydWN0cz86IElDb25zdHJ1Y3RbXTtcbn1cblxuLyoqXG4gKiBBIENvbnN0cnVjdCB0aGF0IHZlcmlmaWVzIGNvbnRhaW5lciBpbWFnZSBzY2FuIGZpbmRpbmdzIHdpdGggRUNSIGltYWdlIHNjYW5uaW5nLlxuICogSXQgdXNlcyBhIExhbWJkYSBmdW5jdGlvbiBhcyBhIEN1c3RvbSBSZXNvdXJjZSBwcm92aWRlciB0byBjYWxsIEVDUiBzY2FuIEFQSXNcbiAqIGFuZCBldmFsdWF0ZSBzY2FuIGZpbmRpbmdzLlxuICovXG5leHBvcnQgY2xhc3MgRWNyU2NhblZlcmlmaWVyIGV4dGVuZHMgQ29uc3RydWN0IHtcbiAgcHJpdmF0ZSByZWFkb25seSBkZWZhdWx0TG9nR3JvdXA/OiBJTG9nR3JvdXA7XG5cbiAgY29uc3RydWN0b3Ioc2NvcGU6IENvbnN0cnVjdCwgaWQ6IHN0cmluZywgcHJvcHM6IEVjclNjYW5WZXJpZmllclByb3BzKSB7XG4gICAgc3VwZXIoc2NvcGUsIGlkKTtcblxuICAgIHRoaXMuZGVmYXVsdExvZ0dyb3VwID0gcHJvcHMuZGVmYXVsdExvZ0dyb3VwO1xuICAgIGNvbnN0IGxhbWJkYVB1cnBvc2UgPSAnQ3VzdG9tOjpFY3JTY2FuVmVyaWZpZXJDdXN0b21SZXNvdXJjZUxhbWJkYSc7XG5cbiAgICBjb25zdCBjdXN0b21SZXNvdXJjZUxhbWJkYSA9IG5ldyBTaW5nbGV0b25GdW5jdGlvbih0aGlzLCAnQ3VzdG9tUmVzb3VyY2VMYW1iZGEnLCB7XG4gICAgICB1dWlkOiAnYzU2Y2VlNmItNjc3NS01NDFiLWQxNzktYzE1MzVkODhhMGM4JyxcbiAgICAgIGxhbWJkYVB1cnBvc2UsXG4gICAgICBydW50aW1lOiBSdW50aW1lLkZST01fSU1BR0UsXG4gICAgICBoYW5kbGVyOiBIYW5kbGVyLkZST01fSU1BR0UsXG4gICAgICBjb2RlOiBBc3NldENvZGUuZnJvbUFzc2V0SW1hZ2Uoam9pbihfX2Rpcm5hbWUsICcuLi9hc3NldHMvbGFtYmRhJyksIHtcbiAgICAgICAgcGxhdGZvcm06IFBsYXRmb3JtLkxJTlVYX0FSTTY0LFxuICAgICAgICBpZ25vcmVNb2RlOiBJZ25vcmVNb2RlLkRPQ0tFUixcbiAgICAgIH0pLFxuICAgICAgYXJjaGl0ZWN0dXJlOiBBcmNoaXRlY3R1cmUuQVJNXzY0LFxuICAgICAgdGltZW91dDogRHVyYXRpb24uc2Vjb25kcyg5MDApLFxuICAgICAgcmV0cnlBdHRlbXB0czogMCxcbiAgICAgIGxvZ0dyb3VwOiB0aGlzLmRlZmF1bHRMb2dHcm91cCxcbiAgICB9KTtcblxuICAgIGNvbnN0IGltYWdlVGFnID0gcHJvcHMuaW1hZ2VUYWcgPz8gJ2xhdGVzdCc7XG5cbiAgICBjb25zdCBzY2FuQ29uZmlnT3V0cHV0ID0gcHJvcHMuc2NhbkNvbmZpZy5iaW5kKCk7XG5cbiAgICAvLyBWYWxpZGF0ZTogc2lnbmF0dXJlT25seSByZXF1aXJlcyBzaWduYXR1cmVWZXJpZmljYXRpb25cbiAgICBpZiAoc2NhbkNvbmZpZ091dHB1dC5zY2FuVHlwZSA9PT0gJ1NJR05BVFVSRV9PTkxZJyAmJiAhcHJvcHMuc2lnbmF0dXJlVmVyaWZpY2F0aW9uKSB7XG4gICAgICB0aHJvdyBuZXcgRXJyb3IoJ1NjYW5Db25maWcuc2lnbmF0dXJlT25seSgpIHJlcXVpcmVzIHNpZ25hdHVyZVZlcmlmaWNhdGlvbiB0byBiZSBzcGVjaWZpZWQuJyk7XG4gICAgfVxuXG4gICAgY29uc3Qgb3V0cHV0T3B0aW9ucyA9IHByb3BzLnNjYW5Mb2dzT3V0cHV0Py5iaW5kKGN1c3RvbVJlc291cmNlTGFtYmRhKTtcblxuICAgIC8vIFNCT00gb3V0cHV0IChmcm9tIHNjYW5Db25maWdPdXRwdXQpXG4gICAgY29uc3Qgc2JvbUNvbmZpZyA9IHNjYW5Db25maWdPdXRwdXQuc2JvbU91dHB1dD8uYmluZChjdXN0b21SZXNvdXJjZUxhbWJkYSk7XG5cbiAgICAvLyBTaWduYXR1cmUgdmVyaWZpY2F0aW9uXG4gICAgY29uc3Qgc2lnbmF0dXJlVmVyaWZpY2F0aW9uQ29uZmlnID0gcHJvcHMuc2lnbmF0dXJlVmVyaWZpY2F0aW9uPy5iaW5kKGN1c3RvbVJlc291cmNlTGFtYmRhKTtcblxuICAgIC8vIEVDUiBwZXJtaXNzaW9uc1xuICAgIC8vIERlc2NyaWJlSW1hZ2VzIGlzIGFsd2F5cyByZXF1aXJlZCAoZm9yIGRpZ2VzdCByZXNvbHV0aW9uKVxuICAgIC8vIERlc2NyaWJlSW1hZ2VTY2FuRmluZGluZ3MgaXMgb25seSByZXF1aXJlZCBmb3Igc2Nhbm5pbmcgbW9kZXNcbiAgICBjb25zdCBlY3JBY3Rpb25zID0gWydlY3I6RGVzY3JpYmVJbWFnZXMnXTtcbiAgICBpZiAoc2NhbkNvbmZpZ091dHB1dC5zY2FuVHlwZSAhPT0gJ1NJR05BVFVSRV9PTkxZJykge1xuICAgICAgZWNyQWN0aW9ucy5wdXNoKCdlY3I6RGVzY3JpYmVJbWFnZVNjYW5GaW5kaW5ncycpO1xuICAgIH1cbiAgICBjdXN0b21SZXNvdXJjZUxhbWJkYS5hZGRUb1JvbGVQb2xpY3koXG4gICAgICBuZXcgUG9saWN5U3RhdGVtZW50KHtcbiAgICAgICAgYWN0aW9uczogZWNyQWN0aW9ucyxcbiAgICAgICAgcmVzb3VyY2VzOiBbcHJvcHMucmVwb3NpdG9yeS5yZXBvc2l0b3J5QXJuXSxcbiAgICAgIH0pLFxuICAgICk7XG5cbiAgICBpZiAoc2NhbkNvbmZpZ091dHB1dC5zY2FuVHlwZSA9PT0gJ0VOSEFOQ0VEJykge1xuICAgICAgY3VzdG9tUmVzb3VyY2VMYW1iZGEuYWRkVG9Sb2xlUG9saWN5KFxuICAgICAgICBuZXcgUG9saWN5U3RhdGVtZW50KHtcbiAgICAgICAgICBhY3Rpb25zOiBbJ2luc3BlY3RvcjI6TGlzdENvdmVyYWdlJywgJ2luc3BlY3RvcjI6TGlzdEZpbmRpbmdzJ10sXG4gICAgICAgICAgcmVzb3VyY2VzOiBbJyonXSxcbiAgICAgICAgfSksXG4gICAgICApO1xuICAgIH1cblxuICAgIGlmIChzY2FuQ29uZmlnT3V0cHV0LnN0YXJ0U2Nhbikge1xuICAgICAgY3VzdG9tUmVzb3VyY2VMYW1iZGEuYWRkVG9Sb2xlUG9saWN5KFxuICAgICAgICBuZXcgUG9saWN5U3RhdGVtZW50KHtcbiAgICAgICAgICBhY3Rpb25zOiBbJ2VjcjpTdGFydEltYWdlU2NhbiddLFxuICAgICAgICAgIHJlc291cmNlczogW3Byb3BzLnJlcG9zaXRvcnkucmVwb3NpdG9yeUFybl0sXG4gICAgICAgIH0pLFxuICAgICAgKTtcbiAgICB9XG5cbiAgICAvLyBTaWduYXR1cmUgdmVyaWZpY2F0aW9uIHBlcm1pc3Npb25zXG4gICAgaWYgKHNpZ25hdHVyZVZlcmlmaWNhdGlvbkNvbmZpZykge1xuICAgICAgY3VzdG9tUmVzb3VyY2VMYW1iZGEuYWRkVG9Sb2xlUG9saWN5KFxuICAgICAgICBuZXcgUG9saWN5U3RhdGVtZW50KHtcbiAgICAgICAgICBhY3Rpb25zOiBbJ2VjcjpHZXRBdXRob3JpemF0aW9uVG9rZW4nXSxcbiAgICAgICAgICByZXNvdXJjZXM6IFsnKiddLFxuICAgICAgICB9KSxcbiAgICAgICk7XG4gICAgICBjdXN0b21SZXNvdXJjZUxhbWJkYS5hZGRUb1JvbGVQb2xpY3koXG4gICAgICAgIG5ldyBQb2xpY3lTdGF0ZW1lbnQoe1xuICAgICAgICAgIGFjdGlvbnM6IFsnZWNyOkJhdGNoR2V0SW1hZ2UnLCAnZWNyOkdldERvd25sb2FkVXJsRm9yTGF5ZXInXSxcbiAgICAgICAgICByZXNvdXJjZXM6IFtwcm9wcy5yZXBvc2l0b3J5LnJlcG9zaXRvcnlBcm5dLFxuICAgICAgICB9KSxcbiAgICAgICk7XG5cbiAgICAgIGlmIChzaWduYXR1cmVWZXJpZmljYXRpb25Db25maWcudHlwZSA9PT0gJ05PVEFUSU9OJykge1xuICAgICAgICBjdXN0b21SZXNvdXJjZUxhbWJkYS5hZGRUb1JvbGVQb2xpY3koXG4gICAgICAgICAgbmV3IFBvbGljeVN0YXRlbWVudCh7XG4gICAgICAgICAgICBhY3Rpb25zOiBbJ3NpZ25lcjpHZXRSZXZvY2F0aW9uU3RhdHVzJ10sXG4gICAgICAgICAgICByZXNvdXJjZXM6IFsnKiddLFxuICAgICAgICAgIH0pLFxuICAgICAgICApO1xuICAgICAgfVxuICAgICAgLy8gQ29zaWduIEtNUyBwZXJtaXNzaW9ucyBhcmUgZ3JhbnRlZCBieSBrZXkuZ3JhbnQoKSBpbiBiaW5kKClcbiAgICB9XG5cbiAgICAvLyBTQk9NIGV4cG9ydCBwZXJtaXNzaW9ucyAoSW5zcGVjdG9yIENyZWF0ZVNib21FeHBvcnQpXG4gICAgaWYgKHNib21Db25maWcpIHtcbiAgICAgIGN1c3RvbVJlc291cmNlTGFtYmRhLmFkZFRvUm9sZVBvbGljeShcbiAgICAgICAgbmV3IFBvbGljeVN0YXRlbWVudCh7XG4gICAgICAgICAgYWN0aW9uczogWydpbnNwZWN0b3IyOkNyZWF0ZVNib21FeHBvcnQnLCAnaW5zcGVjdG9yMjpHZXRTYm9tRXhwb3J0J10sXG4gICAgICAgICAgcmVzb3VyY2VzOiBbJyonXSxcbiAgICAgICAgfSksXG4gICAgICApO1xuICAgIH1cblxuICAgIGlmIChwcm9wcy52dWxuc05vdGlmaWNhdGlvblRvcGljKSB7XG4gICAgICBwcm9wcy52dWxuc05vdGlmaWNhdGlvblRvcGljLmdyYW50UHVibGlzaChjdXN0b21SZXNvdXJjZUxhbWJkYSk7XG4gICAgfVxuXG4gICAgY29uc3Qgc3VwcHJlc3NFcnJvck9uUm9sbGJhY2sgPSBwcm9wcy5zdXBwcmVzc0Vycm9yT25Sb2xsYmFjayA/PyB0cnVlO1xuICAgIGlmIChzdXBwcmVzc0Vycm9yT25Sb2xsYmFjaykge1xuICAgICAgY3VzdG9tUmVzb3VyY2VMYW1iZGEuYWRkVG9Sb2xlUG9saWN5KFxuICAgICAgICBuZXcgUG9saWN5U3RhdGVtZW50KHtcbiAgICAgICAgICBhY3Rpb25zOiBbJ2Nsb3VkZm9ybWF0aW9uOkRlc2NyaWJlU3RhY2tzJ10sXG4gICAgICAgICAgcmVzb3VyY2VzOiBbU3RhY2sub2YodGhpcykuc3RhY2tJZF0sXG4gICAgICAgIH0pLFxuICAgICAgKTtcbiAgICB9XG5cbiAgICAvLyBDaGVjayBmb3IgZGVmYXVsdExvZ0dyb3VwIGNvbnNpc3RlbmN5IGFjcm9zcyBtdWx0aXBsZSBpbnN0YW5jZXMgaW4gdGhlIHNhbWUgc3RhY2tcbiAgICBBc3BlY3RzLm9mKFN0YWNrLm9mKHRoaXMpKS5hZGQoe1xuICAgICAgdmlzaXQ6IChub2RlKSA9PiB7XG4gICAgICAgIGlmIChcbiAgICAgICAgICBub2RlIGluc3RhbmNlb2YgRWNyU2NhblZlcmlmaWVyICYmXG4gICAgICAgICAgbm9kZS5fZGVmYXVsdExvZ0dyb3VwPy5ub2RlLnBhdGggIT09IHRoaXMuZGVmYXVsdExvZ0dyb3VwPy5ub2RlLnBhdGhcbiAgICAgICAgKSB7XG4gICAgICAgICAgQW5ub3RhdGlvbnMub2YodGhpcykuYWRkV2FybmluZ1YyKFxuICAgICAgICAgICAgJ0BlY3Itc2Nhbi12ZXJpZmllcjpkdXBsaWNhdGVMYW1iZGFEZWZhdWx0TG9nR3JvdXAnLFxuICAgICAgICAgICAgXCJZb3UgaGF2ZSB0byBzZXQgdGhlIHNhbWUgbG9nIGdyb3VwIGZvciAnZGVmYXVsdExvZ0dyb3VwJyBmb3IgZWFjaCBFY3JTY2FuVmVyaWZpZXIgY29uc3RydWN0IGluIHRoZSBzYW1lIHN0YWNrLlwiLFxuICAgICAgICAgICk7XG4gICAgICAgIH1cbiAgICAgIH0sXG4gICAgfSk7XG5cbiAgICBjb25zdCB2ZXJpZmllclByb3ZpZGVyID0gbmV3IFByb3ZpZGVyKHRoaXMsICdQcm92aWRlcicsIHtcbiAgICAgIG9uRXZlbnRIYW5kbGVyOiBjdXN0b21SZXNvdXJjZUxhbWJkYSxcbiAgICB9KTtcblxuICAgIGNvbnN0IHZlcmlmaWVyUHJvcGVydGllczogU2Nhbm5lckN1c3RvbVJlc291cmNlUHJvcHMgPSB7XG4gICAgICBhZGRyOiB0aGlzLm5vZGUuYWRkcixcbiAgICAgIHJlcG9zaXRvcnlOYW1lOiBwcm9wcy5yZXBvc2l0b3J5LnJlcG9zaXRvcnlOYW1lLFxuICAgICAgaW1hZ2VUYWcsXG4gICAgICBzY2FuVHlwZTogc2NhbkNvbmZpZ091dHB1dC5zY2FuVHlwZSxcbiAgICAgIHN0YXJ0U2NhbjogU3RyaW5nKHNjYW5Db25maWdPdXRwdXQuc3RhcnRTY2FuKSxcbiAgICAgIHNldmVyaXR5OiBwcm9wcy5zZXZlcml0eSA/PyBbU2V2ZXJpdHkuQ1JJVElDQUxdLFxuICAgICAgZmFpbE9uVnVsbmVyYWJpbGl0eTogU3RyaW5nKHByb3BzLmZhaWxPblZ1bG5lcmFiaWxpdHkgPz8gdHJ1ZSksXG4gICAgICBpZ25vcmVGaW5kaW5nczogcHJvcHMuaWdub3JlRmluZGluZ3MgPz8gW10sXG4gICAgICBvdXRwdXQ6IG91dHB1dE9wdGlvbnMsXG4gICAgICBzYm9tOiBzYm9tQ29uZmlnLFxuICAgICAgc2lnbmF0dXJlVmVyaWZpY2F0aW9uOiBzaWduYXR1cmVWZXJpZmljYXRpb25Db25maWdcbiAgICAgICAgPyB7XG4gICAgICAgICAgICB0eXBlOiBzaWduYXR1cmVWZXJpZmljYXRpb25Db25maWcudHlwZSxcbiAgICAgICAgICAgIHRydXN0ZWRJZGVudGl0aWVzOiBzaWduYXR1cmVWZXJpZmljYXRpb25Db25maWcudHJ1c3RlZElkZW50aXRpZXMsXG4gICAgICAgICAgICBwdWJsaWNLZXk6IHNpZ25hdHVyZVZlcmlmaWNhdGlvbkNvbmZpZy5wdWJsaWNLZXksXG4gICAgICAgICAgICBrbXNLZXlBcm46IHNpZ25hdHVyZVZlcmlmaWNhdGlvbkNvbmZpZy5rbXNLZXlBcm4sXG4gICAgICAgICAgICBmYWlsT25VbnNpZ25lZDogU3RyaW5nKHNpZ25hdHVyZVZlcmlmaWNhdGlvbkNvbmZpZy5mYWlsT25VbnNpZ25lZCksXG4gICAgICAgICAgfVxuICAgICAgICA6IHVuZGVmaW5lZCxcbiAgICAgIHN1cHByZXNzRXJyb3JPblJvbGxiYWNrOiBTdHJpbmcoc3VwcHJlc3NFcnJvck9uUm9sbGJhY2spLFxuICAgICAgdnVsbnNUb3BpY0FybjogcHJvcHMudnVsbnNOb3RpZmljYXRpb25Ub3BpYz8udG9waWNBcm4sXG4gICAgICBkZWZhdWx0TG9nR3JvdXBOYW1lOlxuICAgICAgICB0aGlzLmRlZmF1bHRMb2dHcm91cD8ubG9nR3JvdXBOYW1lID8/IGAvYXdzL2xhbWJkYS8ke2N1c3RvbVJlc291cmNlTGFtYmRhLmZ1bmN0aW9uTmFtZX1gLFxuICAgIH07XG5cbiAgICBuZXcgQ3VzdG9tUmVzb3VyY2UodGhpcywgJ1Jlc291cmNlJywge1xuICAgICAgcmVzb3VyY2VUeXBlOiAnQ3VzdG9tOjpFY3JTY2FuVmVyaWZpZXInLFxuICAgICAgcHJvcGVydGllczogdmVyaWZpZXJQcm9wZXJ0aWVzLFxuICAgICAgc2VydmljZVRva2VuOiB2ZXJpZmllclByb3ZpZGVyLnNlcnZpY2VUb2tlbixcbiAgICB9KTtcblxuICAgIHByb3BzLmJsb2NrQ29uc3RydWN0cz8uZm9yRWFjaCgoY29uc3RydWN0KSA9PiB7XG4gICAgICBjb25zdHJ1Y3Qubm9kZS5hZGREZXBlbmRlbmN5KHRoaXMpO1xuICAgIH0pO1xuICB9XG5cbiAgLyoqIEBpbnRlcm5hbCAqL1xuICBnZXQgX2RlZmF1bHRMb2dHcm91cCgpOiBJTG9nR3JvdXAgfCB1bmRlZmluZWQge1xuICAgIHJldHVybiB0aGlzLmRlZmF1bHRMb2dHcm91cDtcbiAgfVxufVxuIl19

package/lib/sbom-output.js CHANGED Viewed

@@ -30,7 +30,7 @@ class SbomOutput {
 }
 exports.SbomOutput = SbomOutput;
 _a = JSII_RTTI_SYMBOL_1;
-SbomOutput[_a] = { fqn: "ecr-scan-verifier.SbomOutput", version: "0.1.1" };
+SbomOutput[_a] = { fqn: "ecr-scan-verifier.SbomOutput", version: "0.1.2" };
 class SbomOutputImpl extends SbomOutput {
     constructor(props, format) {
         super();

package/lib/scan-config.js CHANGED Viewed

@@ -44,7 +44,7 @@ class ScanConfig {
 }
 exports.ScanConfig = ScanConfig;
 _a = JSII_RTTI_SYMBOL_1;
-ScanConfig[_a] = { fqn: "ecr-scan-verifier.ScanConfig", version: "0.1.1" };
+ScanConfig[_a] = { fqn: "ecr-scan-verifier.ScanConfig", version: "0.1.2" };
 class BasicScanConfig extends ScanConfig {
     constructor(options) {
         super();

package/lib/scan-logs-output.js CHANGED Viewed

@@ -43,7 +43,7 @@ class ScanLogsOutput {
 }
 exports.ScanLogsOutput = ScanLogsOutput;
 _a = JSII_RTTI_SYMBOL_1;
-ScanLogsOutput[_a] = { fqn: "ecr-scan-verifier.ScanLogsOutput", version: "0.1.1" };
+ScanLogsOutput[_a] = { fqn: "ecr-scan-verifier.ScanLogsOutput", version: "0.1.2" };
 class CloudWatchLogsOutput extends ScanLogsOutput {
     constructor(options) {
         super();

package/lib/signature-verification.js CHANGED Viewed

@@ -47,7 +47,7 @@ class SignatureVerification {
 }
 exports.SignatureVerification = SignatureVerification;
 _a = JSII_RTTI_SYMBOL_1;
-SignatureVerification[_a] = { fqn: "ecr-scan-verifier.SignatureVerification", version: "0.1.1" };
+SignatureVerification[_a] = { fqn: "ecr-scan-verifier.SignatureVerification", version: "0.1.2" };
 class NotationSignatureVerification extends SignatureVerification {
     constructor(options) {
         super();

package/package.json CHANGED Viewed

@@ -60,7 +60,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "0.1.1",
+  "version": "0.1.2",
   "types": "lib/index.d.ts",
   "stability": "stable",
   "jsii": {

package/scripts/integ.sh ADDED Viewed

@@ -0,0 +1,221 @@
+#!/usr/bin/env bash
+# Shared helpers for ecr-scan-verifier integ test orchestration.
+#
+# Source this from a shell or from the /integ-test skill:
+#   . scripts/integ.sh
+#
+# Functions are intentionally small and idempotent so the skill can chain
+# them without re-deriving region lists, account ids, or polling loops.
+set -u
+REGIONS=(us-east-1 us-east-2 us-west-2)
+account_id() {
+  aws sts get-caller-identity --query Account --output text
+}
+default_region() {
+  aws configure get region
+}
+# --- Inspector (Enhanced scanning) ------------------------------------------
+inspector_status() {
+  local region="$1"
+  aws inspector2 batch-get-account-status \
+    --region "$region" \
+    --query 'accounts[0].resourceState.ecr.status' \
+    --output text
+}
+inspector_status_all() {
+  for region in "${REGIONS[@]}"; do
+    echo "$region: $(inspector_status "$region")"
+  done
+}
+inspector_enable_all() {
+  for region in "${REGIONS[@]}"; do
+    aws inspector2 enable --resource-types ECR --region "$region"
+  done
+}
+inspector_disable_all() {
+  for region in "${REGIONS[@]}"; do
+    aws inspector2 disable --resource-types ECR --region "$region"
+  done
+}
+# Poll one region until inspector status equals $target. Cap at 5 min so we
+# fail loudly on stuck transitions instead of hanging.
+wait_inspector_status() {
+  local region="$1" target="$2" i=0
+  while [ "$(inspector_status "$region")" != "$target" ]; do
+    i=$((i + 1))
+    if [ "$i" -ge 20 ]; then
+      echo "ERROR: $region did not reach $target after 5 min" >&2
+      return 1
+    fi
+    sleep 15
+  done
+}
+wait_inspector_status_all() {
+  local target="$1"
+  for region in "${REGIONS[@]}"; do
+    wait_inspector_status "$region" "$target" || return 1
+  done
+}
+# --- scan-on-push on the CDK bootstrap asset repo ---------------------------
+# Usage: scan_on_push_set true|false
+scan_on_push_set() {
+  local enabled="$1"
+  local account
+  account="$(account_id)"
+  for region in "${REGIONS[@]}"; do
+    aws ecr put-image-scanning-configuration \
+      --repository-name "cdk-hnb659fds-container-assets-${account}-${region}" \
+      --image-scanning-configuration "scanOnPush=${enabled}" \
+      --region "$region"
+  done
+}
+# --- Enhanced engine warmup (DISABLED -> ENABLED) ---------------------------
+#
+# `batch-get-account-status` flipping to ENABLED is not the same as the
+# scanning engine being ready — empirically the lag is often 20-30 min on
+# a fresh enable. wait_enhanced_engine_warmup absorbs that with a long
+# initial sleep; enhanced_run_with_retry then retries the test up to N
+# more times with a fixed gap between attempts.
+# Initial wait after a DISABLED -> ENABLED transition. Skip if already
+# enabled (no transition happened).
+# Args: $1 = ORIGINAL_STATE (ENABLED|DISABLED), $2 = seconds (default 1200)
+wait_enhanced_engine_warmup() {
+  local original_state="$1" secs="${2:-1200}"
+  if [ "$original_state" = "DISABLED" ]; then
+    echo "Inspector engine warmup: sleeping ${secs}s after fresh enable..."
+    sleep "$secs"
+  fi
+}
+# Run `$@` (the test command). On failure, sleep $RETRY_GAP_SECS and retry,
+# up to $MAX_ATTEMPTS total attempts. Defaults: 3 attempts, 600s gap.
+# Tuned for "Inspector engine still warming up" — NOT for catching flaky
+# tests. If real findings change, surface them; don't burn time retrying.
+enhanced_run_with_retry() {
+  local max="${MAX_ATTEMPTS:-3}" gap="${RETRY_GAP_SECS:-600}" attempt=1
+  while true; do
+    echo "Attempt ${attempt}/${max}: $*"
+    if "$@"; then
+      return 0
+    fi
+    if [ "$attempt" -ge "$max" ]; then
+      echo "ERROR: failed after ${max} attempts across ~$((max * gap / 60)) min of waits." >&2
+      echo "       Stop waiting — the cause is not propagation lag." >&2
+      return 1
+    fi
+    echo "Attempt ${attempt} failed. Sleeping ${gap}s before retry..."
+    sleep "$gap"
+    attempt=$((attempt + 1))
+  done
+}
+# --- Signature test cleanup -------------------------------------------------
+#
+# Cleans up shared signature-test artifacts. AWS Signer profile is left
+# Active on purpose (cancellation is permanent and would block future runs).
+cleanup_signature_artifacts() {
+  local key_id
+  key_id="$(aws ssm get-parameter --name /ecr-scan-verifier/cosign-kms-key-id \
+    --query 'Parameter.Value' --output text 2>/dev/null || true)"
+  aws ssm delete-parameter --name /ecr-scan-verifier/cosign-kms-key-id 2>/dev/null || true
+  aws ssm delete-parameter --name /ecr-scan-verifier/cosign-public-key 2>/dev/null || true
+  if [ -n "$key_id" ]; then
+    aws kms schedule-key-deletion --key-id "$key_id" --pending-window-in-days 7
+  else
+    echo "WARN: KMS key id not in SSM. Ask the user before scheduling deletion." >&2
+  fi
+  rm -f cosign.key cosign.pub
+}
+# --- signature-ecr-signing repo setup / teardown ----------------------------
+ECR_SIGNING_REPO_NAME="${ECR_SIGNING_REPO_NAME:-ecr-scan-verifier-integ-ecr-signing}"
+SIGNER_PROFILE_NAME="${SIGNER_PROFILE_NAME:-EcrScanVerifierTestProfile}"
+# Idempotent-ish wrapper. `put-signing-profile` is NOT actually idempotent
+# (returns ProfileAlreadyExists for an existing Active profile), so check
+# first and only create if missing. Echoes the ARN on stdout.
+# Returns non-zero if the profile cannot be ensured — callers using
+# `var=$(signer_profile_ensure)` should also check `[ -n "$var" ]` since
+# command substitution swallows the inner exit code by default.
+signer_profile_ensure() {
+  local arn
+  arn="$(aws signer get-signing-profile --profile-name "$SIGNER_PROFILE_NAME" \
+    --query 'arn' --output text 2>/dev/null || true)"
+  if [ -z "$arn" ] || [ "$arn" = "None" ]; then
+    aws signer put-signing-profile \
+      --profile-name "$SIGNER_PROFILE_NAME" \
+      --platform-id Notation-OCI-SHA384-ECDSA >&2 || return 1
+    arn="$(aws signer get-signing-profile --profile-name "$SIGNER_PROFILE_NAME" \
+      --query 'arn' --output text 2>/dev/null || true)"
+  fi
+  if [ -z "$arn" ] || [ "$arn" = "None" ]; then
+    echo "ERROR: signer_profile_ensure: could not resolve ARN for $SIGNER_PROFILE_NAME" >&2
+    return 1
+  fi
+  echo "$arn"
+}
+# Build the cosign signing-config the Lambda verifier expects: no rekor
+# (transparency log), no fulcio CA, no OIDC, no TSA. cosign 3.x will try
+# keyless flows even with --key if these fields are present, which manifests
+# as a hung "Signing artifact..." with no further output. Stripping them
+# lets a `--key`-based sign complete.
+cosign_minimal_signing_config() {
+  local out="${1:-/tmp/signing-config.json}"
+  curl -fsSL https://raw.githubusercontent.com/sigstore/root-signing/refs/heads/main/targets/signing_config.v0.2.json | \
+    jq 'del(.rekorTlogUrls, .oidcUrls, .caUrls, .tsaUrls)' > "$out"
+  echo "$out"
+}
+ecr_signing_setup() {
+  local region profile_arn
+  region="$(default_region)"
+  profile_arn="$(signer_profile_ensure)"
+  aws ecr create-repository --repository-name "$ECR_SIGNING_REPO_NAME" 2>/dev/null || true
+  local cfg=/tmp/ecr-scan-verifier-signing-config.json
+  cat > "$cfg" <<EOF
+{
+  "rules": [
+    {
+      "signingProfileArn": "${profile_arn}",
+      "repositoryFilters": [
+        { "filter": "${ECR_SIGNING_REPO_NAME}", "filterType": "WILDCARD_MATCH" }
+      ]
+    }
+  ]
+}
+EOF
+  aws ecr put-signing-configuration --region "$region" \
+    --signing-configuration "file://${cfg}"
+  aws ecr get-signing-configuration --region "$region"
+}
+ecr_signing_teardown() {
+  local region cfg=/tmp/ecr-scan-verifier-signing-config-empty.json
+  region="$(default_region)"
+  printf '{ "rules": [] }\n' > "$cfg"
+  aws ecr put-signing-configuration --region "$region" \
+    --signing-configuration "file://${cfg}" || true
+  aws ecr delete-repository --repository-name "$ECR_SIGNING_REPO_NAME" --force || true
+}

package/scripts/verify-integ-docs.sh ADDED Viewed

@@ -0,0 +1,129 @@
+#!/usr/bin/env bash
+# verify-integ-docs.sh
+#
+# Verifies that the three sources documenting the integ workflow stay in
+# sync with each other:
+#
+#   .claude/skills/integ-test/SKILL.md  — automated (Claude Code skill)
+#   test/integ/README.md                 — manual (human-readable docs)
+#   scripts/integ.sh                     — shell helpers shared by both
+#
+# Both docs must exist (skill = automated, README = manual; deleting one
+# would leave the other lying about its counterpart). Both must mention
+# every helper that lives in scripts/integ.sh, and both must agree on
+# the mode list.
+#
+# Run via the /verify-integ-docs skill, which flips the `integ-docs`
+# markgate marker after this passes.
+set -u
+SKILL=".claude/skills/integ-test/SKILL.md"
+README="test/integ/README.md"
+HELPERS="scripts/integ.sh"
+fails=0
+fail() { echo "FAIL: $*" >&2; fails=$((fails + 1)); }
+ok()   { echo "ok:   $*"; }
+# --- 1. Source files exist --------------------------------------------------
+for f in "$SKILL" "$README" "$HELPERS"; do
+  if [ ! -f "$f" ]; then
+    fail "missing source file: $f"
+  fi
+done
+[ "$fails" -eq 0 ] || { echo "Aborting; source files missing." >&2; exit 1; }
+ok "all three source files exist"
+# --- 2. Mode parity ---------------------------------------------------------
+# Every mode in the skill's argument-hint must appear in both:
+#   - the SKILL's `## Arguments` list (one `- \`mode\` — desc` line each)
+#   - the README's `### Modes` table (one `| \`mode\` |` row each)
+modes_line=$(grep -E '^argument-hint:' "$SKILL" | head -1)
+modes=$(printf '%s\n' "$modes_line" | grep -oE '<[^>]+>' | head -1 | tr -d '<>' | tr '|' '\n')
+if [ -z "$modes" ]; then
+  fail "could not parse modes from SKILL argument-hint"
+else
+  for mode in $modes; do
+    grep -qE "^- \`$mode\`" "$SKILL" \
+      || fail "mode '$mode' in argument-hint but missing from SKILL '## Arguments' list"
+    grep -qE "\| \`$mode\` \|" "$README" \
+      || fail "mode '$mode' in argument-hint but missing from README modes table"
+  done
+  [ "$fails" -gt 0 ] || ok "all argument-hint modes present in SKILL Arguments + README table"
+fi
+# --- 3. Helper function parity ---------------------------------------------
+# Every shell function defined in scripts/integ.sh should be referenced
+# from at least one of SKILL/README (catches dead helpers and rename drift).
+functions=$(grep -E '^[a-z_][a-z0-9_]*\(\)' "$HELPERS" | sed 's/().*//')
+if [ -z "$functions" ]; then
+  fail "could not parse any functions from $HELPERS"
+else
+  for fn in $functions; do
+    if ! grep -qw "$fn" "$SKILL" && ! grep -qw "$fn" "$README"; then
+      fail "helper '$fn' defined in $HELPERS but not referenced from SKILL or README"
+    fi
+  done
+  [ "$fails" -gt 0 ] || ok "every helper function is referenced from at least one doc"
+fi
+# --- 4. Both docs reference scripts/integ.sh -------------------------------
+for f in "$SKILL" "$README"; do
+  grep -q "scripts/integ.sh" "$f" \
+    || fail "$f does not reference scripts/integ.sh"
+done
+[ "$fails" -gt 0 ] || ok "both docs reference scripts/integ.sh"
+# --- 5. No raw `aws signer put-signing-profile` ----------------------------
+# Raw form is NOT idempotent (returns ProfileAlreadyExists on existing
+# Active profile). Use signer_profile_ensure instead.
+for f in "$SKILL" "$README"; do
+  if grep -nE "aws signer put-signing-profile" "$f" >/dev/null; then
+    fail "$f has raw 'aws signer put-signing-profile' — use signer_profile_ensure (raw form is NOT idempotent)"
+  fi
+done
+# --- 6. No insufficient signing-config jq strip ----------------------------
+# cosign 3.x silently hangs when --key is combined with a signing-config
+# that still has oidc/ca/tsa fields. The correct strip is rekor+oidc+ca+tsa,
+# which lives in cosign_minimal_signing_config.
+for f in "$SKILL" "$README"; do
+  # Match `jq 'del(.rekorTlogUrls)'` (the OLD broken strip) — but not
+  # `del(.rekorTlogUrls, .oidcUrls, .caUrls, .tsaUrls)` (the helper's correct strip).
+  if grep -E "del\(\\.rekorTlogUrls\)" "$f" >/dev/null; then
+    fail "$f has insufficient 'del(.rekorTlogUrls)' — use cosign_minimal_signing_config (also strips oidc/ca/tsa)"
+  fi
+done
+# --- 7. signature mode list matches integ.signature/integ.<name>.ts -------
+# For every signature-* mode, the referenced integ test source must exist.
+# Check .ts (the source) not .js (the build artifact) — a fresh clone
+# without `pnpm tsc` would otherwise false-fail.
+for mode in $(printf '%s\n' "$modes" | grep '^signature-'); do
+  # signature-notation -> test/integ/signature/integ.notation.ts
+  fname=$(printf '%s' "$mode" | sed 's/^signature-//')
+  testfile="test/integ/signature/integ.${fname}.ts"
+  if [ ! -f "$testfile" ]; then
+    fail "mode '$mode' references missing test source $testfile"
+  fi
+done
+# --- 8. Final report -------------------------------------------------------
+if [ "$fails" -gt 0 ]; then
+  echo "" >&2
+  echo "verify-integ-docs: $fails failure(s). Fix above before setting integ-docs marker." >&2
+  exit 1
+fi
+echo ""
+echo "verify-integ-docs: all consistency checks passed."