patchdrill 0.1.0

package/.patchdrill.yml

@@ -0,0 +1,33 @@
+failOn: critical
+maxRisk: 100
+
+ignoredPaths:
+  - node_modules/**
+  - dist/**
+  - coverage/**
+  - .patchdrill/**
+
+requiredCommands:
+  - id: full-quality-gate
+    label: Full quality gate
+    command: npm run check
+    reason: PatchDrill must typecheck and pass its deterministic test suite before release.
+
+optionalCommands:
+  - id: package-dry-run
+    label: Package dry run
+    command: npm pack --dry-run
+    reason: Confirms the npm tarball contains the expected CLI, docs, action, and examples.
+
+rules:
+  - id: risk-engine-review
+    title: Risk engine changed
+    severity: medium
+    path:
+      - src/risk.ts
+      - src/policy.ts
+    detail: Risk or policy logic changed, so reviewers should inspect false-positive and false-negative behavior.
+    remediation: Add targeted tests for every new scoring rule or policy behavior.
+    tags:
+      - risk-model
+      - review

package/CHANGELOG.md

@@ -0,0 +1,150 @@
+# Changelog
+
+## 0.1.0
+
+- Initial CLI with diff scanning, project detection, risk findings, verification planning, optional command execution, Markdown reports, JSON reports, and GitHub workflow generation.
+- Added `.patchdrill.yml` policy-as-code support.
+- Added SARIF output for GitHub code scanning.
+- Added diff-content detection for secret-looking values and prompt-injection instructions.
+- Added agent-control, MCP configuration, GitHub Actions privilege, and destructive agent-instruction rules.
+- Added SARIF partial fingerprints, CodeQL, OpenSSF Scorecard, and Dependabot configuration.
+- Split CI gating into explicit `--fail-on` severity and `--max-risk` score thresholds.
+- Added Node workspace affected-package targeting and release workflow for npm provenance.
+- Added package.json dependency diff summaries to Markdown and JSON reports.
+- Added pull request comment upsert mode to the GitHub Action and generated workflow.
+- Added JSON Schemas for policy, report, evidence, doctor, and release-check contracts with `patchdrill schema`.
+- Added downstream workspace dependency graph expansion for Node monorepos.
+- Added npm `package-lock.json` dependency diff summaries.
+- Added CODEOWNERS owner hints for changed files.
+- Added baseline comparison against previous JSON reports.
+- Added `--max-risk-delta` gating for baseline regressions.
+- Added `patchdrill init --policy` starter policy generation.
+- Added npm package metadata for repository discovery.
+- Updated architecture docs and action examples for the public package path.
+- Strengthened CI dogfooding with PatchDrill SARIF and report artifacts.
+- Refreshed the example report to cover current Markdown sections.
+- Added GitHub issue forms and a pull request template for contributor intake.
+- Added `schemaVersion` to JSON and Markdown reports.
+- Added `pyproject.toml` PEP 621 and Poetry dependency diff summaries.
+- Added `pnpm-lock.yaml` dependency diff summaries.
+- Added `yarn.lock` dependency diff summaries.
+- Added `go.mod` and `go.sum` dependency diff summaries.
+- Added `Cargo.toml` and `Cargo.lock` dependency diff summaries.
+- Added Maven `pom.xml` dependency diff summaries.
+- Added Gradle `build.gradle` and `build.gradle.kts` dependency diff summaries.
+- Added Gradle `libs.versions.toml` version catalog dependency diff summaries.
+- Added `requirements.txt` dependency diff summaries.
+- Added `poetry.lock` dependency diff summaries.
+- Added `uv.lock` dependency diff summaries.
+- Added `Pipfile.lock` dependency diff summaries.
+- Added `bun.lock` dependency diff summaries.
+- Hardened GitHub Action input handling with environment-backed bash argument arrays.
+- Added configurable command-output retention with visible truncation markers.
+- Updated `patchdrill init` to generate workflows that use the hardened composite Action.
+- Added fail-fast validation for malformed PatchDrill policy files.
+- Fixed the example report confidence score and added a documentation consistency test.
+- Added `Gemfile.lock` and `composer.lock` dependency diff summaries.
+- Reduced high-impact-area false positives for test file paths.
+- Added optional per-command timeout handling for verification runs.
+- Added native Turborepo and Nx task-runner planning for affected Node workspaces.
+- Added migration guidance when legacy binary `bun.lockb` lockfiles change.
+- Added `Gemfile` dependency diff summaries.
+- Added `composer.json` dependency diff summaries.
+- Added built-in `regulated` and `agentic` policy packs for `patchdrill init`.
+- Added Cargo workspace task planning for affected crates and downstream dependents.
+- Added Go workspace task planning for affected modules and downstream dependents.
+- Added packaged stack fixtures and a fixture harness for planner regression coverage.
+- Added native Pants changed-target task planning.
+- Expanded stack fixtures with Next.js, Rails, PHP/Composer, and Terraform examples.
+- Added language-aware source-to-test matching for missing-test risk findings.
+- Added self-contained static HTML dashboards through `scan --html` and `patchdrill dashboard --json`.
+- Added `report-html` output support to the composite GitHub Action and generated workflow.
+- Added Kubernetes and Helm project detection with manifest dry-run, Kustomize render, and Helm lint plans.
+- Expanded stack fixtures with Kustomize, Java/Gradle, and .NET service examples.
+- Added Bazel and Buck2 workspace detection with graph-wide test and build plans.
+- Added Swift Package Manager detection with `swift test` and `swift build` plans.
+- Added Xcode project/workspace detection with shared-scheme `xcodebuild test` and `xcodebuild build` plans.
+- Added Python framework metadata for Django/FastAPI and Django-specific `manage.py` verification plans.
+- Added Spring Boot framework detection, Gradle fallback commands, and `bootJar` packaging plans.
+- Added Android Gradle detection with debug unit test, assemble, and lint verification plans.
+- Added ASP.NET Core detection with .NET build and publish verification plans.
+- Added FastAPI app entrypoint detection with import-smoke verification plans.
+- Added FastAPI changed router/dependency module import-smoke planning.
+- Added GitHub Actions supply-chain findings for unpinned actions, remote script pipes, and untrusted PR metadata interpolation.
+- Added Bazel and Buck2 changed-package target narrowing with graph-wide fallback for root metadata changes.
+- Added Bazel `rdeps` and Buck2 `uquery rdeps` downstream discovery commands for narrowed target plans.
+- Added .NET project-aware test, build, and ASP.NET Core publish plans using `ProjectReference` relationships.
+- Added Android Gradle variant-aware test, assemble, and lint planning from changed source sets.
+- Added Android product-flavor source set parsing so flavor-only changes plan matching debug variant tasks.
+- Added context-aware GitHub Actions finding for `pull_request_target` workflows that check out pull request head code.
+- Added Python/FastAPI changed-test targeting for matching pytest files with whole-suite fallback.
+- Added whole-file GitHub Actions context so privileged PR-head checkout findings work when only one side of the dangerous pattern is newly added.
+- Added NuGet PackageReference and central PackageVersion dependency change summaries.
+- Added context-aware GitHub Actions findings for reusable workflows that inherit all caller secrets, including mutable remote reusable workflow refs.
+- Added workflow trust-boundary findings for `pull_request_target` OIDC token minting, environment-scoped OIDC jobs, and remote reusable workflows receiving caller OIDC permissions.
+- Added .NET solution filter (`.slnf`) detection and filtered `dotnet test`/`dotnet build` plans for large solutions.
+- Added FastAPI dependency override test targeting for changed dependency helper functions.
+- Added .NET solution-filter selection for changed projects when multiple overlapping `.slnf` files exist.
+- Added Xcode `.xctestplan` detection from shared schemes and `xcodebuild test -testPlan` planning.
+- Added Android generated-source variant detection and `variantFilter` disabled-variant avoidance.
+- Added nested local reusable workflow loading so changed workflows expose downstream reusable workflow secret and OIDC trust-boundary findings.
+- Added cloud OIDC credential exchange findings for AWS, Azure, GCP, and Vault auth jobs without GitHub environment protection.
+- Added `patchdrill demo` and committed synchronized sample Markdown, JSON, SARIF, and HTML artifacts.
+- Added GitHub Actions annotation output for findings through `--github-annotations` and the composite Action, with dedicated documentation.
+- Updated generated workflows to make annotations and step summaries explicit.
+- Added compact Markdown summaries for GitHub step summaries and PR comments.
+- Added first-party Maven and Spring Boot Maven stack fixtures.
+- Added audit evidence manifests with report, artifact, and command-output digests.
+- Added evidence manifest verification against generated artifact hashes.
+- Added evidence manifest regeneration for finalized artifacts and CI verification before upload.
+- Added a `risky-agent-pr` demo scenario for showing fail-state agentic PR evidence without a live repository.
+- Made PR comment upserts fork-safe by warning instead of failing when GitHub token permissions prevent commenting.
+- Added compact PR comment preview files to demo artifacts.
+- Updated generated PR workflows to run required verification commands with a per-command timeout.
+- Added package automation script risk findings for lifecycle hooks, removed verification scripts, no-op checks, and remote shell pipes.
+- Added structured package script change summaries to JSON, Markdown, and HTML reports.
+- Expanded `patchdrill explain` with a clearer AI-reviewer boundary, deterministic guarantees, and first-run commands.
+- Ignored all default generated PatchDrill report artifacts to prevent accidental report commits after local scans.
+- Added mutable `docker://` GitHub Action image findings while allowing sha256 digest-pinned references.
+- Added missing-evidence risk findings when required verification commands are planned but not run.
+- Added dependency proof-gap findings for manifest-only dependency changes and lockfile-only resolution drift.
+- Added nested Python package-root detection with scoped pytest, compile, and optional static-analysis plans.
+- Added nested Cargo workspace detection with manifest-path crate and downstream-dependent verification plans.
+- Added nested Go module and workspace detection with scoped `go test` and `go vet` plans.
+- Added `patchdrill doctor` for first-run repository readiness diagnosis.
+- Added `patchdrill release-check` for local npm and GitHub Action release readiness checks.
+- Added JSON output for `patchdrill doctor --format json` and `patchdrill release-check --format json`.
+- Added JSON Schemas for `patchdrill doctor --format json` and `patchdrill release-check --format json`.
+- Added readiness summaries to doctor/release JSON and dogfooded release-check in CI and release workflows.
+- Added local Markdown link verification to release readiness and documentation tests.
+- Added package file allowlist and launch keyword checks to release readiness.
+- Hardened release readiness so shipped schemas must parse, expose matching `$id` values, and appear in README/SCHEMAS documentation.
+- Added release Proof Pack smoke generation plus evidence verification before npm packaging, and taught release readiness to check CI/action/release evidence verification.
+- Strengthened the release Proof Pack smoke so it runs required PatchDrill commands before verifying evidence.
+- Added launch case studies and a fixture-backed stack coverage matrix.
+- Added named dependency analyzer registry and planner ecosystem introspection for coverage and architecture reporting.
+- Added structured verification status to JSON reports so automation consumers do not have to join command plans and results manually.
+- Hardened evidence verification to reject JSON reports whose structured verification status is missing or drifts from command plans and command results.
+- Hardened `patchdrill evidence --json` so it rejects saved JSON reports that fail the report contract before writing a manifest.
+- Hardened `patchdrill dashboard --json` so stale saved reports must pass the report contract before rendering.
+- Required `scan --evidence` to include `--json` so evidence verification can always check the report contract.
+- Hardened release readiness so CI, Action, and release Proof Pack evidence checks must include JSON report artifacts.
+- Added separate fast and integration test scripts while keeping `npm test` and `npm run check` as the full confidence gates.
+- Added an ESLint flat config with type-aware correctness rules, a `typecheck` step that also covers tests, coverage tooling, `.editorconfig`, and `.gitattributes`; `npm run check` now runs build, typecheck, lint, and tests.
+- Fixed an OpenAI-key detector false positive that flagged ordinary kebab-case slugs and CSS class names (e.g. `sk-button-primary`) as critical secrets.
+- Fixed root-level .NET project detection so a repo-root `.csproj` no longer claims every changed path and triggers spurious builds and tests.
+- Fixed renamed-file churn reporting so `git mv` plus edits report real additions and deletions instead of zero.
+- Hardened evidence verification to reject a manifest that records no JSON report artifact, closing a tamper bypass.
+- Hardened Markdown rendering against fenced-code-block breakout and inline-HTML injection from untrusted command output and finding text.
+- Rejected unknown CLI flags and missing flag values, and required `--max-risk-delta` to be paired with `--baseline`.
+- Made the risk score reconstructable from the displayed findings, excluded declaration files from the missing-test signal, and caught the reversed `rm -fr` form.
+- Counted timed-out verification commands once so the verification summary buckets partition the runs.
+- Anchored CODEOWNERS directory patterns and ecosystem/manifest matching by path segment to remove false positives and false negatives.
+- Replaced prefix-only workspace glob matching with real glob matching, and made single-result project detection deterministic regardless of filesystem order.
+- Stopped treating Cargo `*.metadata.*` tables, basename look-alike manifests, and dropped Gradle `enforcedPlatform`/version-catalog entries as phantom dependency changes; captured Gemfile git/source refs.
+- Aligned `patchdrill doctor` script detection with the planner's exact task aliases.
+- Rejected negative and empty policy rule values that could lower or broaden the risk gate, and added `minimum: 0` to the policy schema weight.
+- Allowed reproducible report timestamps via `SOURCE_DATE_EPOCH` for byte-identical Proof Packs.
+- Corrected demo Proof Pack rule IDs to match the engine and rule catalog.
+- Added a Node version matrix (20, 22, 24), workflow concurrency cancellation, and per-job timeouts to CI.
+- Added localized human-facing reports (English, Korean, Japanese, Simplified Chinese) for the console summary, Markdown summary, Markdown report, and HTML dashboard via a deterministic translation catalog. `scan` auto-detects the system locale (`LC_ALL`/`LANG`) and `--locale` overrides it; JSON, SARIF, and the evidence manifest stay English for machine consumers, and English output remains byte-identical.

package/CONTRIBUTING.md

@@ -0,0 +1,59 @@
+# Contributing
+
+PatchDrill is intentionally small and deterministic. Contributions should keep the default path fast to understand and easy to review.
+
+## Development
+
+```bash
+npm install
+npm run check
+```
+
+`npm run check` is the full confidence gate. It runs, in order, `build`
+(emitting and type-checking `src/`), `typecheck` (type-checking `src/` **and**
+`tests/` with no emit via `tsconfig.eslint.json`), `lint` (ESLint with
+type-aware rules), and the test suite, which intentionally includes git-backed
+integration fixtures. For a faster local edit loop, use `npm run test:fast`; use
+`npm run test:integration` when changing scan orchestration, dependency diffing,
+stack fixtures, or git-backed behavior.
+
+The linter (`eslint.config.js`) enforces type-aware correctness rules such as
+`no-floating-promises` and `no-unnecessary-condition`. Run `npm run lint:fix` to
+auto-apply safe fixes. `.editorconfig` and `.gitattributes` keep formatting and
+line endings consistent, which protects the byte-identical fixtures.
+
+## Useful Commands
+
+```bash
+npm run build
+npm run typecheck
+npm run lint
+npm run lint:fix
+npm run test:fast
+npm test
+npm run test:integration
+npm run test:coverage
+node dist/cli.js scan
+```
+
+## Adding Rules
+
+Risk rules live in `src/risk.ts`. Command inference lives in `src/planner.ts`. Project detection lives in `src/project.ts`.
+Policy loading lives in `src/policy.ts`. SARIF and Markdown rendering live in `src/report.ts`.
+
+When adding a rule:
+
+1. Add a fixture-style test that demonstrates the behavior.
+2. Keep findings explainable.
+3. Prefer a specific path pattern over a broad one.
+4. Avoid network calls in deterministic scan mode.
+5. Do not include secret-like literal values in fixtures unless they are deliberately synthetic and covered by tests that ensure reports do not echo them.
+
+## Pull Request Checklist
+
+- The change is covered by tests or fixture evidence.
+- `npm run check` passes.
+- `npm pack --dry-run` passes for packaging, docs, action, or release changes.
+- README or docs are updated when behavior changes.
+- New commands are conservative and do not mutate the checkout.
+- The pull request template includes verification evidence and compatibility notes.

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 PatchDrill contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.