patchdrill 0.1.0

package/examples/demo/patchdrill-demo.json

@@ -0,0 +1,355 @@
+{
+  "schemaVersion": "1",
+  "generatedAt": "2026-06-01T00:00:00.000Z",
+  "root": "/demo/checkout",
+  "base": "origin/main",
+  "head": "feature/auth-session-hardening",
+  "summary": {
+    "status": "warn",
+    "riskScore": 58,
+    "confidenceScore": 82,
+    "changedFileCount": 5,
+    "additions": 186,
+    "deletions": 42,
+    "requiredCommandCount": 3,
+    "failedCommandCount": 0
+  },
+  "changedFiles": [
+    {
+      "path": "apps/api/src/auth/session.ts",
+      "status": "modified",
+      "additions": 54,
+      "deletions": 16,
+      "binary": false,
+      "owners": [
+        "@acme/security"
+      ]
+    },
+    {
+      "path": "apps/api/src/auth/session.test.ts",
+      "status": "modified",
+      "additions": 48,
+      "deletions": 4,
+      "binary": false,
+      "owners": [
+        "@acme/security"
+      ]
+    },
+    {
+      "path": "packages/db/migrations/20260601090000_add_session_rotation.sql",
+      "status": "added",
+      "additions": 38,
+      "deletions": 0,
+      "binary": false,
+      "owners": [
+        "@acme/data"
+      ]
+    },
+    {
+      "path": ".github/workflows/deploy.yml",
+      "status": "modified",
+      "additions": 22,
+      "deletions": 12,
+      "binary": false,
+      "owners": [
+        "@acme/platform"
+      ]
+    },
+    {
+      "path": "package-lock.json",
+      "status": "modified",
+      "additions": 24,
+      "deletions": 10,
+      "binary": false
+    }
+  ],
+  "addedLines": 186,
+  "projectSignals": [
+    {
+      "ecosystem": "node",
+      "manifestPath": "package.json",
+      "packageManager": "pnpm",
+      "taskRunner": "turbo",
+      "scripts": {
+        "typecheck": "turbo run typecheck",
+        "test": "turbo run test",
+        "build": "turbo run build",
+        "test:e2e": "playwright test"
+      },
+      "workspacePackages": [
+        {
+          "name": "@acme/api",
+          "projectName": "api",
+          "path": "apps/api",
+          "scripts": {
+            "typecheck": "tsc --noEmit",
+            "test": "vitest run",
+            "build": "tsup"
+          },
+          "targets": [
+            "typecheck",
+            "test",
+            "build"
+          ],
+          "dependencies": [
+            "@acme/db"
+          ]
+        },
+        {
+          "name": "@acme/db",
+          "projectName": "db",
+          "path": "packages/db",
+          "scripts": {
+            "test": "vitest run"
+          },
+          "targets": [
+            "test"
+          ]
+        }
+      ]
+    },
+    {
+      "ecosystem": "github-actions",
+      "manifestPath": ".github/workflows/deploy.yml"
+    }
+  ],
+  "affectedPackages": [
+    {
+      "name": "@acme/api",
+      "projectName": "api",
+      "path": "apps/api",
+      "scripts": {
+        "typecheck": "tsc --noEmit",
+        "test": "vitest run",
+        "build": "tsup"
+      },
+      "targets": [
+        "typecheck",
+        "test",
+        "build"
+      ],
+      "dependencies": [
+        "@acme/db"
+      ]
+    }
+  ],
+  "dependencyChanges": [
+    {
+      "file": "package-lock.json",
+      "packageName": "@acme/session-store",
+      "packagePath": "node_modules/@acme/session-store",
+      "dependencyType": "lockfile",
+      "changeType": "updated",
+      "before": "1.8.2",
+      "after": "1.9.0"
+    }
+  ],
+  "packageScriptChanges": [],
+  "policy": {
+    "path": ".patchdrill.yml",
+    "ignoredPaths": [
+      "dist/**",
+      "coverage/**"
+    ],
+    "failOn": "high",
+    "maxRisk": 69,
+    "ruleCount": 2,
+    "requiredCommandCount": 1,
+    "optionalCommandCount": 1
+  },
+  "codeOwners": {
+    "path": ".github/CODEOWNERS",
+    "ruleCount": 3
+  },
+  "baseline": {
+    "path": "previous-patchdrill-report.json",
+    "previousStatus": "warn",
+    "currentStatus": "warn",
+    "previousRiskScore": 44,
+    "currentRiskScore": 58,
+    "riskDelta": 14,
+    "newFindingCount": 2,
+    "resolvedFindingCount": 1,
+    "unchangedFindingCount": 3
+  },
+  "findings": [
+    {
+      "ruleId": "file.high-impact-area",
+      "severity": "high",
+      "title": "High-impact product area changed",
+      "detail": "Authentication/session code changed and needs strong proof before merge.",
+      "file": "apps/api/src/auth/session.ts",
+      "remediation": "Require owner review and targeted session regression evidence.",
+      "tags": [
+        "security",
+        "auth"
+      ]
+    },
+    {
+      "ruleId": "file.high-impact-area",
+      "severity": "high",
+      "title": "Data migration review required",
+      "detail": "A database migration can alter production session state.",
+      "file": "packages/db/migrations/20260601090000_add_session_rotation.sql",
+      "remediation": "Attach dry-run, rollback, and data-owner approval notes.",
+      "tags": [
+        "data",
+        "migration"
+      ]
+    },
+    {
+      "ruleId": "workflow.environment-oidc-token",
+      "severity": "medium",
+      "title": "OIDC deployment job should use a protected environment",
+      "detail": "A deployment workflow can mint cloud credentials without an explicit GitHub environment gate.",
+      "file": ".github/workflows/deploy.yml",
+      "line": 34,
+      "remediation": "Attach a protected environment or document why this job cannot deploy.",
+      "tags": [
+        "ci",
+        "oidc",
+        "supply-chain"
+      ]
+    },
+    {
+      "ruleId": "file.lockfile",
+      "severity": "low",
+      "title": "Dependency lockfile changed",
+      "detail": "@acme/session-store changed from 1.8.2 to 1.9.0.",
+      "file": "package-lock.json",
+      "remediation": "Review release notes and verify transitive dependency impact.",
+      "tags": [
+        "dependencies"
+      ]
+    }
+  ],
+  "commandPlan": [
+    {
+      "id": "node-turbo-api-typecheck",
+      "label": "Typecheck affected API package",
+      "command": "pnpm exec turbo run typecheck --filter=@acme/api",
+      "reason": "Auth source changed in @acme/api.",
+      "ecosystem": "node",
+      "required": true,
+      "packageName": "@acme/api",
+      "packagePath": "apps/api"
+    },
+    {
+      "id": "node-turbo-api-test",
+      "label": "Test affected API package",
+      "command": "pnpm exec turbo run test --filter=@acme/api",
+      "reason": "Session behavior changed and matching tests exist.",
+      "ecosystem": "node",
+      "required": true,
+      "packageName": "@acme/api",
+      "packagePath": "apps/api"
+    },
+    {
+      "id": "policy-contract-tests",
+      "label": "Contract tests",
+      "command": "pnpm run test:contracts",
+      "reason": "Repository policy requires contract tests for auth/session changes.",
+      "ecosystem": "general",
+      "required": true
+    },
+    {
+      "id": "node-e2e",
+      "label": "Browser e2e",
+      "command": "pnpm run test:e2e",
+      "reason": "Optional browser coverage is available for session rotation flows.",
+      "ecosystem": "node",
+      "required": false
+    }
+  ],
+  "commandResults": [
+    {
+      "id": "node-turbo-api-typecheck",
+      "command": "pnpm exec turbo run typecheck --filter=@acme/api",
+      "exitCode": 0,
+      "durationMs": 8421,
+      "stdout": "@acme/api:typecheck: cache miss, executing\n@acme/api:typecheck: ok\n",
+      "stderr": ""
+    },
+    {
+      "id": "node-turbo-api-test",
+      "command": "pnpm exec turbo run test --filter=@acme/api",
+      "exitCode": 0,
+      "durationMs": 12544,
+      "stdout": "@acme/api:test: 42 tests passed\n",
+      "stderr": ""
+    },
+    {
+      "id": "policy-contract-tests",
+      "command": "pnpm run test:contracts",
+      "exitCode": 0,
+      "durationMs": 15038,
+      "stdout": "contract auth-session passed\ncontract deployment-claims passed\n",
+      "stderr": ""
+    }
+  ],
+  "verification": {
+    "summary": {
+      "plannedRequired": 3,
+      "plannedOptional": 1,
+      "run": 3,
+      "passed": 3,
+      "failed": 0,
+      "timedOut": 0,
+      "missingRequired": 0,
+      "skippedOptional": 1,
+      "unplannedResults": 0
+    },
+    "commands": [
+      {
+        "id": "node-turbo-api-typecheck",
+        "label": "Typecheck affected API package",
+        "command": "pnpm exec turbo run typecheck --filter=@acme/api",
+        "reason": "Auth source changed in @acme/api.",
+        "ecosystem": "node",
+        "required": true,
+        "planned": true,
+        "status": "passed",
+        "packageName": "@acme/api",
+        "packagePath": "apps/api",
+        "exitCode": 0,
+        "durationMs": 8421
+      },
+      {
+        "id": "node-turbo-api-test",
+        "label": "Test affected API package",
+        "command": "pnpm exec turbo run test --filter=@acme/api",
+        "reason": "Session behavior changed and matching tests exist.",
+        "ecosystem": "node",
+        "required": true,
+        "planned": true,
+        "status": "passed",
+        "packageName": "@acme/api",
+        "packagePath": "apps/api",
+        "exitCode": 0,
+        "durationMs": 12544
+      },
+      {
+        "id": "policy-contract-tests",
+        "label": "Contract tests",
+        "command": "pnpm run test:contracts",
+        "reason": "Repository policy requires contract tests for auth/session changes.",
+        "ecosystem": "general",
+        "required": true,
+        "planned": true,
+        "status": "passed",
+        "exitCode": 0,
+        "durationMs": 15038
+      },
+      {
+        "id": "node-e2e",
+        "label": "Browser e2e",
+        "command": "pnpm run test:e2e",
+        "reason": "Optional browser coverage is available for session rotation flows.",
+        "ecosystem": "node",
+        "required": false,
+        "planned": true,
+        "status": "skipped-optional"
+      }
+    ]
+  }
+}

package/examples/demo/patchdrill-demo.md

@@ -0,0 +1,120 @@
+# PatchDrill Report
+
+Status: **WARN**
+Risk score: **58/100**
+Confidence score: **82/100**
+Generated: 2026-06-01T00:00:00.000Z
+Schema version: 1
+
+## Summary
+
+- Changed files: 5
+- Additions / deletions: +186 / -42
+- Required verification commands: 3
+- Failed verification commands: 0
+- Verification evidence: 3 run, 3 passed, 0 failed, 0 timed out, 0 missing required, 1 optional skipped
+- Added lines inspected: 186
+
+## Policy
+
+- Config: .patchdrill.yml
+- Ignored path patterns: 2
+- Fail-on severity: high
+- Max risk: 69
+- Policy rules: 2
+- Policy commands: 1 required, 1 optional
+
+## Code Owners
+
+- Config: .github/CODEOWNERS
+- Rules: 3
+
+## Baseline
+
+- Baseline report: previous-patchdrill-report.json
+- Status: warn -> warn
+- Risk: 44/100 -> 58/100 (+14)
+- Findings: 2 new, 1 resolved, 3 unchanged
+
+## Project Signals
+
+| Ecosystem | Framework | Entrypoint | Manifest | Package manager | Task runner |
+| --- | --- | --- | --- | --- | --- |
+| node |  |  | package.json | pnpm | turbo |
+| github-actions |  |  | .github/workflows/deploy.yml |  |  |
+
+## Affected Workspace Packages
+
+| Package | Path |
+| --- | --- |
+| @acme/api | apps/api |
+
+## Dependency Changes
+
+| File | Type | Package | Path | Change | Before | After |
+| --- | --- | --- | --- | --- | --- | --- |
+| package-lock.json | lockfile | @acme/session-store | node_modules/@acme/session-store | updated | 1.8.2 | 1.9.0 |
+
+## Changed Files
+
+| File | Status | +/- | Owners |
+| --- | --- | --- | --- |
+| apps/api/src/auth/session.ts | modified | +54 / -16 | @acme/security |
+| apps/api/src/auth/session.test.ts | modified | +48 / -4 | @acme/security |
+| packages/db/migrations/20260601090000_add_session_rotation.sql | added | +38 / -0 | @acme/data |
+| .github/workflows/deploy.yml | modified | +22 / -12 | @acme/platform |
+| package-lock.json | modified | +24 / -10 |  |
+
+## Findings
+
+| Severity | Rule | Finding | Location | Remediation |
+| --- | --- | --- | --- | --- |
+| high | file.high-impact-area | High-impact product area changed: Authentication/session code changed and needs strong proof before merge. | apps/api/src/auth/session.ts | Require owner review and targeted session regression evidence. |
+| high | file.high-impact-area | Data migration review required: A database migration can alter production session state. | packages/db/migrations/20260601090000_add_session_rotation.sql | Attach dry-run, rollback, and data-owner approval notes. |
+| medium | workflow.environment-oidc-token | OIDC deployment job should use a protected environment: A deployment workflow can mint cloud credentials without an explicit GitHub environment gate. | .github/workflows/deploy.yml:34 | Attach a protected environment or document why this job cannot deploy. |
+| low | file.lockfile | Dependency lockfile changed: @acme/session-store changed from 1.8.2 to 1.9.0. | package-lock.json | Review release notes and verify transitive dependency impact. |
+
+## Verification Plan
+
+| Required | Package | Command | Result | Reason |
+| --- | --- | --- | --- | --- |
+| yes | @acme/api | `pnpm exec turbo run typecheck --filter=@acme/api` | passed | Auth source changed in @acme/api. |
+| yes | @acme/api | `pnpm exec turbo run test --filter=@acme/api` | passed | Session behavior changed and matching tests exist. |
+| yes |  | `pnpm run test:contracts` | passed | Repository policy requires contract tests for auth/session changes. |
+| no |  | `pnpm run test:e2e` | skipped optional | Optional browser coverage is available for session rotation flows. |
+
+## Command Results
+
+### `pnpm exec turbo run typecheck --filter=@acme/api`
+
+- Exit code: 0
+- Duration: 8421ms
+
+```text
+@acme/api:typecheck: cache miss, executing
+@acme/api:typecheck: ok
+```
+
+### `pnpm exec turbo run test --filter=@acme/api`
+
+- Exit code: 0
+- Duration: 12544ms
+
+```text
+@acme/api:test: 42 tests passed
+```
+
+### `pnpm run test:contracts`
+
+- Exit code: 0
+- Duration: 15038ms
+
+```text
+contract auth-session passed
+contract deployment-claims passed
+```
+
+## Reviewer Notes
+
+- Treat this report as triage evidence, not a replacement for review.
+- High-impact areas still need human sign-off even when automated commands pass.

package/examples/demo/patchdrill-demo.sarif

@@ -0,0 +1,195 @@
+{
+  "version": "2.1.0",
+  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "PatchDrill",
+          "informationUri": "https://github.com/seungdori/patchdrill",
+          "rules": [
+            {
+              "id": "file.high-impact-area",
+              "name": "Data migration review required",
+              "shortDescription": {
+                "text": "Data migration review required"
+              },
+              "help": {
+                "text": "Attach dry-run, rollback, and data-owner approval notes."
+              },
+              "properties": {
+                "severity": "high",
+                "tags": [
+                  "data",
+                  "migration"
+                ]
+              }
+            },
+            {
+              "id": "workflow.environment-oidc-token",
+              "name": "OIDC deployment job should use a protected environment",
+              "shortDescription": {
+                "text": "OIDC deployment job should use a protected environment"
+              },
+              "help": {
+                "text": "Attach a protected environment or document why this job cannot deploy."
+              },
+              "properties": {
+                "severity": "medium",
+                "tags": [
+                  "ci",
+                  "oidc",
+                  "supply-chain"
+                ]
+              }
+            },
+            {
+              "id": "file.lockfile",
+              "name": "Dependency lockfile changed",
+              "shortDescription": {
+                "text": "Dependency lockfile changed"
+              },
+              "help": {
+                "text": "Review release notes and verify transitive dependency impact."
+              },
+              "properties": {
+                "severity": "low",
+                "tags": [
+                  "dependencies"
+                ]
+              }
+            }
+          ]
+        }
+      },
+      "invocations": [
+        {
+          "executionSuccessful": true,
+          "properties": {
+            "status": "warn",
+            "riskScore": 58,
+            "confidenceScore": 82
+          }
+        }
+      ],
+      "results": [
+        {
+          "ruleId": "file.high-impact-area",
+          "level": "error",
+          "message": {
+            "text": "High-impact product area changed: Authentication/session code changed and needs strong proof before merge. Remediation: Require owner review and targeted session regression evidence."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "apps/api/src/auth/session.ts"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ],
+          "properties": {
+            "severity": "high",
+            "tags": [
+              "security",
+              "auth"
+            ]
+          },
+          "partialFingerprints": {
+            "patchdrillFinding": "1c19812835c3b6a32febeb8bc84e02b7e9a6bd1f08faa2620792e86cfdb43c77"
+          }
+        },
+        {
+          "ruleId": "file.high-impact-area",
+          "level": "error",
+          "message": {
+            "text": "Data migration review required: A database migration can alter production session state. Remediation: Attach dry-run, rollback, and data-owner approval notes."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "packages/db/migrations/20260601090000_add_session_rotation.sql"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ],
+          "properties": {
+            "severity": "high",
+            "tags": [
+              "data",
+              "migration"
+            ]
+          },
+          "partialFingerprints": {
+            "patchdrillFinding": "09f68fa17d892e6441ec1ee58e0db1531675121edf5db634e1ff31a238635e28"
+          }
+        },
+        {
+          "ruleId": "workflow.environment-oidc-token",
+          "level": "warning",
+          "message": {
+            "text": "OIDC deployment job should use a protected environment: A deployment workflow can mint cloud credentials without an explicit GitHub environment gate. Remediation: Attach a protected environment or document why this job cannot deploy."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": ".github/workflows/deploy.yml"
+                },
+                "region": {
+                  "startLine": 34
+                }
+              }
+            }
+          ],
+          "properties": {
+            "severity": "medium",
+            "tags": [
+              "ci",
+              "oidc",
+              "supply-chain"
+            ]
+          },
+          "partialFingerprints": {
+            "patchdrillFinding": "d1195d6fb484dff935b2007c8f47ba3b37baa26a9952e27293505ab1923f34b2"
+          }
+        },
+        {
+          "ruleId": "file.lockfile",
+          "level": "note",
+          "message": {
+            "text": "Dependency lockfile changed: @acme/session-store changed from 1.8.2 to 1.9.0. Remediation: Review release notes and verify transitive dependency impact."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "package-lock.json"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ],
+          "properties": {
+            "severity": "low",
+            "tags": [
+              "dependencies"
+            ]
+          },
+          "partialFingerprints": {
+            "patchdrillFinding": "5cdefc8ce238a88cde78ab92957d8d0b3f84483f99a431e5dd9af6c80012c92d"
+          }
+        }
+      ]
+    }
+  ]
+}