patchdrill 0.1.0

package/examples/risky-agent-pr/patchdrill-demo.html

@@ -0,0 +1,681 @@
+<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <link rel="icon" href="data:,">
+  <title>PatchDrill Dashboard</title>
+  <style>
+    :root {
+      color-scheme: light;
+      --bg: #f6f7f9;
+      --panel: #ffffff;
+      --text: #15181e;
+      --muted: #5c6470;
+      --border: #d9dee7;
+      --code-bg: #f0f3f7;
+      --pass: #0b6b43;
+      --pass-bg: #e5f5ed;
+      --warn: #9a5b00;
+      --warn-bg: #fff0d6;
+      --fail: #a12828;
+      --fail-bg: #fde7e7;
+      --info: #285da1;
+      --info-bg: #e7f0fb;
+      --shadow: 0 1px 2px rgb(16 24 40 / 8%);
+      font-family: Inter, ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+    }
+
+    * {
+      box-sizing: border-box;
+    }
+
+    body {
+      margin: 0;
+      background: var(--bg);
+      color: var(--text);
+      line-height: 1.5;
+    }
+
+    main {
+      width: min(1180px, calc(100% - 32px));
+      margin: 0 auto;
+      padding: 32px 0 48px;
+    }
+
+    header {
+      display: grid;
+      gap: 18px;
+      margin-bottom: 22px;
+    }
+
+    h1,
+    h2,
+    h3,
+    p {
+      margin: 0;
+    }
+
+    h1 {
+      font-size: 32px;
+      line-height: 1.15;
+      letter-spacing: 0;
+    }
+
+    h2 {
+      font-size: 19px;
+      line-height: 1.25;
+      letter-spacing: 0;
+    }
+
+    h3 {
+      font-size: 15px;
+      line-height: 1.3;
+      letter-spacing: 0;
+    }
+
+    .eyebrow {
+      color: var(--muted);
+      font-size: 13px;
+      font-weight: 700;
+      letter-spacing: .08em;
+      text-transform: uppercase;
+    }
+
+    .header-row,
+    .section-heading,
+    .finding-head,
+    summary {
+      align-items: center;
+      display: flex;
+      gap: 12px;
+      justify-content: space-between;
+    }
+
+    .context {
+      color: var(--muted);
+      display: flex;
+      flex-wrap: wrap;
+      font-size: 13px;
+      gap: 8px 16px;
+    }
+
+    .grid {
+      display: grid;
+      gap: 12px;
+    }
+
+    .metrics {
+      grid-template-columns: repeat(5, minmax(0, 1fr));
+    }
+
+    .two-column {
+      grid-template-columns: repeat(2, minmax(0, 1fr));
+    }
+
+    .metric,
+    .finding,
+    .table-wrap,
+    details {
+      background: var(--panel);
+      border: 1px solid var(--border);
+      border-radius: 8px;
+      box-shadow: var(--shadow);
+    }
+
+    section {
+      display: grid;
+      gap: 14px;
+      margin-top: 24px;
+      padding: 0;
+    }
+
+    .metric {
+      min-width: 0;
+      padding: 14px;
+    }
+
+    .metric-label {
+      color: var(--muted);
+      font-size: 12px;
+      font-weight: 700;
+      text-transform: uppercase;
+    }
+
+    .metric-value {
+      font-size: 24px;
+      font-weight: 760;
+      line-height: 1.2;
+      margin-top: 6px;
+      overflow-wrap: anywhere;
+    }
+
+    .metric-detail {
+      color: var(--muted);
+      font-size: 12px;
+      margin-top: 4px;
+      overflow-wrap: anywhere;
+    }
+
+    .bar {
+      background: #e7ebf1;
+      border-radius: 999px;
+      height: 8px;
+      margin-top: 10px;
+      overflow: hidden;
+    }
+
+    .bar span {
+      display: block;
+      height: 100%;
+    }
+
+    .bar .pass {
+      background: var(--pass);
+    }
+
+    .bar .warn {
+      background: var(--warn);
+    }
+
+    .bar .fail {
+      background: var(--fail);
+    }
+
+    .trend-table td,
+    .trend-table th {
+      white-space: nowrap;
+    }
+
+    .trend-risk {
+      align-items: center;
+      display: grid;
+      gap: 8px;
+      grid-template-columns: 54px minmax(120px, 1fr);
+    }
+
+    .pill {
+      border-radius: 999px;
+      display: inline-flex;
+      font-size: 12px;
+      font-weight: 760;
+      gap: 6px;
+      line-height: 1;
+      padding: 7px 9px;
+      text-transform: uppercase;
+      white-space: nowrap;
+    }
+
+    .pass {
+      background: var(--pass-bg);
+      color: var(--pass);
+    }
+
+    .warn {
+      background: var(--warn-bg);
+      color: var(--warn);
+    }
+
+    .fail,
+    .critical,
+    .high {
+      background: var(--fail-bg);
+      color: var(--fail);
+    }
+
+    .medium {
+      background: var(--warn-bg);
+      color: var(--warn);
+    }
+
+    .low,
+    .info {
+      background: var(--info-bg);
+      color: var(--info);
+    }
+
+    .muted,
+    .empty {
+      color: var(--muted);
+    }
+
+    .table-wrap {
+      overflow-x: auto;
+      border-radius: 8px;
+      box-shadow: var(--shadow);
+    }
+
+    table {
+      border-collapse: collapse;
+      font-size: 13px;
+      min-width: 720px;
+      width: 100%;
+    }
+
+    th,
+    td {
+      border-bottom: 1px solid var(--border);
+      padding: 10px;
+      text-align: left;
+      vertical-align: top;
+    }
+
+    th {
+      color: var(--muted);
+      font-size: 12px;
+      text-transform: uppercase;
+    }
+
+    tr:last-child td {
+      border-bottom: 0;
+    }
+
+    code,
+    pre {
+      background: var(--code-bg);
+      border-radius: 6px;
+      font-family: "SFMono-Regular", Consolas, "Liberation Mono", monospace;
+      font-size: 12px;
+    }
+
+    code {
+      padding: 2px 5px;
+    }
+
+    pre {
+      margin: 10px 0 0;
+      max-height: 360px;
+      overflow: auto;
+      padding: 12px;
+      white-space: pre-wrap;
+      word-break: break-word;
+    }
+
+    .finding-list {
+      display: grid;
+      gap: 10px;
+    }
+
+    .finding {
+      display: grid;
+      gap: 8px;
+      padding: 14px;
+    }
+
+    .finding-title {
+      font-weight: 760;
+      overflow-wrap: anywhere;
+    }
+
+    .detail-list {
+      display: grid;
+      gap: 8px;
+      grid-template-columns: repeat(2, minmax(0, 1fr));
+    }
+
+    .detail-item {
+      border: 1px solid var(--border);
+      border-radius: 8px;
+      padding: 12px;
+    }
+
+    .detail-label {
+      color: var(--muted);
+      font-size: 12px;
+      font-weight: 700;
+      text-transform: uppercase;
+    }
+
+    .detail-value {
+      margin-top: 4px;
+      overflow-wrap: anywhere;
+    }
+
+    details {
+      padding: 0;
+    }
+
+    summary {
+      cursor: pointer;
+      font-weight: 700;
+      list-style: none;
+      padding: 14px;
+    }
+
+    summary::-webkit-details-marker {
+      display: none;
+    }
+
+    .command-body {
+      border-top: 1px solid var(--border);
+      padding: 0 14px 14px;
+    }
+
+    @media (max-width: 900px) {
+      .metrics,
+      .two-column,
+      .detail-list {
+        grid-template-columns: 1fr;
+      }
+
+      .header-row,
+      .section-heading,
+      .finding-head,
+      summary {
+        align-items: flex-start;
+        flex-direction: column;
+      }
+
+      main {
+        width: min(100% - 20px, 1180px);
+        padding-top: 20px;
+      }
+    }
+  </style>
+</head>
+<body>
+  <main>
+    <header>
+      <div class="header-row">
+        <div>
+          <p class="eyebrow">PatchDrill</p>
+          <h1>Verification Dashboard</h1>
+        </div>
+        <span class="pill fail">FAIL</span>
+      </div>
+      <div class="context"><span>Base: origin/main</span><span>Head: agent/refactor-release-flow</span><span>Generated: 2026-06-01T00:00:00.000Z</span><span>Schema: 1</span></div>
+    </header>
+
+    <div class="grid metrics">
+      <div class="metric">
+        <div class="metric-label">Risk score</div>
+        <div class="metric-value">94/100</div>
+        <div class="metric-detail">Higher means more review proof is needed.</div>
+        <div class="bar" aria-hidden="true"><span class="fail" style="width: 94%;"></span></div>
+      </div>
+      <div class="metric">
+        <div class="metric-label">Confidence</div>
+        <div class="metric-value">21/100</div>
+        <div class="metric-detail">Higher means stronger verification evidence.</div>
+        <div class="bar" aria-hidden="true"><span class="pass" style="width: 21%;"></span></div>
+      </div>
+      <div class="metric">
+        <div class="metric-label">Changed files</div>
+        <div class="metric-value">8</div>
+        <div class="metric-detail">+326 / -78</div>
+      </div>
+      <div class="metric">
+        <div class="metric-label">Required checks</div>
+        <div class="metric-value">4</div>
+        <div class="metric-detail">2 passed, 1 failed, 1 missing</div>
+      </div>
+      <div class="metric">
+        <div class="metric-label">Added lines</div>
+        <div class="metric-value">326</div>
+        <div class="metric-detail">Diff lines scanned for risky content.</div>
+      </div>
+    </div>
+
+
+
+    <section>
+      <div class="section-heading">
+        <h2>Findings</h2>
+        <span class="pill fail">8 total</span>
+      </div>
+      <div class="finding-list">
+        <article class="finding">
+          <div class="finding-head">
+            <div>
+              <div class="finding-title">Privileged workflow checks out pull request code</div>
+              <div class="metric-detail">.github/workflows/release.yml:19</div>
+            </div>
+            <span class="pill critical">critical</span>
+          </div>
+          <p>A pull_request_target workflow can run untrusted pull request code while write tokens or repository secrets are available.</p>
+          <p class="muted">Remediation: Use pull_request for untrusted code, remove PR-head checkout, or split the privileged publishing step behind an environment gate.</p>
+          <p class="muted">Rule: <code>workflow.pull-request-target-head-checkout</code></p>
+          <p class="muted">Tags: ci, supply-chain, github-actions</p>
+        </article><article class="finding">
+          <div class="finding-head">
+            <div>
+              <div class="finding-title">Secret-looking value added</div>
+              <div class="metric-detail">.env.example:8</div>
+            </div>
+            <span class="pill critical">critical</span>
+          </div>
+          <p>A newly added environment example contains a value with a live-key shape. The demo redacts the actual token body.</p>
+          <p class="muted">Remediation: Remove the value, rotate the credential if it was real, and use a non-secret placeholder such as &lt;redacted&gt;.</p>
+          <p class="muted">Rule: <code>secret.generic-assignment</code></p>
+          <p class="muted">Tags: secret, credentials</p>
+        </article><article class="finding">
+          <div class="finding-head">
+            <div>
+              <div class="finding-title">Agent instructions changed</div>
+              <div class="metric-detail">AGENTS.md</div>
+            </div>
+            <span class="pill high">high</span>
+          </div>
+          <p>Repository-level coding-agent instructions changed in the same patch as release and billing code.</p>
+          <p class="muted">Remediation: Review instruction changes separately and require maintainer approval before agent-visible rules change.</p>
+          <p class="muted">Rule: <code>agent.control-file</code></p>
+          <p class="muted">Tags: agentic-coding, review</p>
+        </article><article class="finding">
+          <div class="finding-head">
+            <div>
+              <div class="finding-title">High-impact product area changed</div>
+              <div class="metric-detail">apps/web/src/billing/checkout.ts</div>
+            </div>
+            <span class="pill high">high</span>
+          </div>
+          <p>Billing checkout and webhook code changed, which can affect payment capture, refunds, and entitlement state.</p>
+          <p class="muted">Remediation: Attach targeted billing regression tests and owner approval.</p>
+          <p class="muted">Rule: <code>file.high-impact-area</code></p>
+          <p class="muted">Tags: billing, payments</p>
+        </article><article class="finding">
+          <div class="finding-head">
+            <div>
+              <div class="finding-title">Verification script disabled: test</div>
+              <div class="metric-detail">package.json</div>
+            </div>
+            <span class="pill high">high</span>
+          </div>
+          <p>package.json verification script &quot;test&quot; now appears to exit successfully without running meaningful checks.</p>
+          <p class="muted">Remediation: Restore the real verification command or explain why this repository no longer has that check.</p>
+          <p class="muted">Rule: <code>package-script.disabled-verification</code></p>
+          <p class="muted">Tags: testing, ci, package-script</p>
+        </article><article class="finding">
+          <div class="finding-head">
+            <div>
+              <div class="finding-title">Package lifecycle script changed: postinstall</div>
+              <div class="metric-detail">package.json</div>
+            </div>
+            <span class="pill high">high</span>
+          </div>
+          <p>package.json lifecycle script &quot;postinstall&quot; was added, creating code that can run during install, prepare, pack, or publish flows.</p>
+          <p class="muted">Remediation: Review the script as executable supply-chain surface. Prefer explicit CI steps or documented commands over implicit install-time behavior.</p>
+          <p class="muted">Rule: <code>package-script.lifecycle</code></p>
+          <p class="muted">Tags: dependencies, supply-chain, package-script</p>
+        </article><article class="finding">
+          <div class="finding-head">
+            <div>
+              <div class="finding-title">Source changed without matching test changes</div>
+              <div class="metric-detail">apps/web/src/billing/checkout.ts</div>
+            </div>
+            <span class="pill medium">medium</span>
+          </div>
+          <p>Billing source files changed, but no matching checkout or webhook test files changed.</p>
+          <p class="muted">Remediation: Add or update tests covering signed webhook verification, failed payment paths, and entitlement updates.</p>
+          <p class="muted">Rule: <code>test.source-without-test-change</code></p>
+          <p class="muted">Tags: tests</p>
+        </article><article class="finding">
+          <div class="finding-head">
+            <div>
+              <div class="finding-title">Dependency lockfile changed</div>
+              <div class="metric-detail">package-lock.json</div>
+            </div>
+            <span class="pill low">low</span>
+          </div>
+          <p>@acme/payments changed from 4.2.0 to 4.3.0.</p>
+          <p class="muted">Remediation: Review release notes and verify transitive dependency impact.</p>
+          <p class="muted">Rule: <code>file.lockfile</code></p>
+          <p class="muted">Tags: dependencies</p>
+        </article>
+      </div>
+    </section>
+
+    <section>
+      <div class="section-heading">
+        <h2>Verification Plan</h2>
+        <span class="pill info">4 required, 1 optional</span>
+      </div>
+      <div class="table-wrap">
+        <table>
+          <thead>
+            <tr><th>Required</th><th>Package</th><th>Command</th><th>Result</th><th>Reason</th></tr>
+          </thead>
+          <tbody>
+            <tr><td><span class="pill warn">yes</span></td><td>@acme/web</td><td><code>npm run lint --workspace @acme/web</code></td><td><span class="pill pass">passed</span></td><td>Billing and release-adjacent source files changed.</td></tr><tr><td><span class="pill warn">yes</span></td><td>@acme/web</td><td><code>npm test --workspace @acme/web</code></td><td><span class="pill fail">failed (1)</span></td><td>Billing checkout and webhook behavior changed.</td></tr><tr><td><span class="pill warn">yes</span></td><td>@acme/web</td><td><code>npm run build --workspace @acme/web</code></td><td><span class="pill pass">passed</span></td><td>Production web package changed.</td></tr><tr><td><span class="pill warn">yes</span></td><td></td><td><code>gh workflow view release.yml --yaml</code></td><td><span class="pill warn">not run</span></td><td>Repository policy requires human-readable workflow evidence when privileged release jobs change.</td></tr><tr><td><span class="pill info">no</span></td><td>@acme/web</td><td><code>npm run test:e2e -- --grep billing</code></td><td><span class="pill info">skipped optional</span></td><td>Optional browser coverage is available for checkout flows.</td></tr>
+          </tbody>
+        </table>
+      </div>
+    </section>
+
+<section>
+      <div class="section-heading">
+        <h2>Command Results</h2>
+        <span class="pill fail">1 failed</span>
+      </div>
+      <div class="grid">
+        <details>
+          <summary>
+            <span><code>npm run lint --workspace @acme/web</code></span>
+            <span class="pill pass">exit 0</span>
+          </summary>
+          <div class="command-body">
+            <p class="muted">Duration: 6240ms</p>
+            <h3>stdout</h3><pre>@acme/web lint: ok</pre>
+          </div>
+        </details><details>
+          <summary>
+            <span><code>npm test --workspace @acme/web</code></span>
+            <span class="pill fail">exit 1</span>
+          </summary>
+          <div class="command-body">
+            <p class="muted">Duration: 11982ms</p>
+            <h3>stdout</h3><pre>CheckoutService.test.ts: 38 passed, 1 failed
+Webhook signature regression: expected 401, received 200</pre>
+            <h3>stderr</h3><pre>FAIL apps/web/src/billing/webhook.test.ts &gt; rejects unsigned webhook payloads</pre>
+          </div>
+        </details><details>
+          <summary>
+            <span><code>npm run build --workspace @acme/web</code></span>
+            <span class="pill pass">exit 0</span>
+          </summary>
+          <div class="command-body">
+            <p class="muted">Duration: 18321ms</p>
+            <h3>stdout</h3><pre>vite v6.0.0 building for production...
+built in 4.2s</pre>
+          </div>
+        </details>
+      </div>
+    </section>
+
+    <section>
+      <h2>Changed Files</h2>
+      <div class="table-wrap">
+        <table>
+          <thead>
+            <tr><th>File</th><th>Status</th><th>+/-</th><th>Owners</th></tr>
+          </thead>
+          <tbody>
+            <tr><td>AGENTS.md</td><td>modified</td><td>+28 / -4</td><td>@acme/platform</td></tr><tr><td>.github/workflows/release.yml</td><td>modified</td><td>+44 / -18</td><td>@acme/platform</td></tr><tr><td>apps/web/src/billing/checkout.ts</td><td>modified</td><td>+83 / -21</td><td>@acme/billing</td></tr><tr><td>apps/web/src/billing/webhook.ts</td><td>modified</td><td>+39 / -15</td><td>@acme/billing</td></tr><tr><td>scripts/deploy.sh</td><td>modified</td><td>+27 / -8</td><td>@acme/platform</td></tr><tr><td>.env.example</td><td>modified</td><td>+3 / -0</td><td>@acme/platform</td></tr><tr><td>package.json</td><td>modified</td><td>+14 / -4</td><td>@acme/platform</td></tr><tr><td>package-lock.json</td><td>modified</td><td>+88 / -8</td><td></td></tr>
+          </tbody>
+        </table>
+      </div>
+    </section>
+
+    <div class="grid two-column">
+      <section>
+        <h2>Project Signals</h2>
+        <div class="table-wrap">
+        <table>
+          <thead>
+            <tr><th>Ecosystem</th><th>Framework</th><th>Entrypoint</th><th>Manifest</th><th>Package manager</th><th>Task runner</th></tr>
+          </thead>
+          <tbody>
+            <tr><td>node</td><td></td><td></td><td>package.json</td><td>npm</td><td></td></tr><tr><td>github-actions</td><td></td><td></td><td>.github/workflows/release.yml</td><td></td><td></td></tr>
+          </tbody>
+        </table>
+      </div>
+      </section>
+      <section>
+        <h2>Review Context</h2>
+        <div class="detail-list">
+        <div class="detail-item">
+          <div class="detail-label">Policy</div>
+          <div class="detail-value">.patchdrill.yml (4 rules)</div>
+        </div><div class="detail-item">
+          <div class="detail-label">Policy commands</div>
+          <div class="detail-value">1 required, 1 optional</div>
+        </div><div class="detail-item">
+          <div class="detail-label">Fail-on</div>
+          <div class="detail-value">high</div>
+        </div><div class="detail-item">
+          <div class="detail-label">Max risk</div>
+          <div class="detail-value">69</div>
+        </div><div class="detail-item">
+          <div class="detail-label">Code owners</div>
+          <div class="detail-value">.github/CODEOWNERS (4 rules)</div>
+        </div><div class="detail-item">
+          <div class="detail-label">Baseline</div>
+          <div class="detail-value">main-patchdrill-report.json</div>
+        </div><div class="detail-item">
+          <div class="detail-label">Risk delta</div>
+          <div class="detail-value">+63</div>
+        </div><div class="detail-item">
+          <div class="detail-label">Findings delta</div>
+          <div class="detail-value">6 new, 0 resolved, 1 unchanged</div>
+        </div><div class="detail-item">
+          <div class="detail-label">Affected packages</div>
+          <div class="detail-value">@acme/web</div>
+        </div>
+      </div>
+      </section>
+    </div>
+
+    <section>
+      <h2>Dependency Changes</h2>
+      <div class="table-wrap">
+        <table>
+          <thead>
+            <tr><th>File</th><th>Type</th><th>Package</th><th>Path</th><th>Change</th><th>Before</th><th>After</th></tr>
+          </thead>
+          <tbody>
+            <tr><td>package-lock.json</td><td>lockfile</td><td>yaml</td><td>node_modules/yaml</td><td>updated</td><td>2.8.1</td><td>2.9.0</td></tr><tr><td>package-lock.json</td><td>lockfile</td><td>@acme/payments</td><td>node_modules/@acme/payments</td><td>updated</td><td>4.2.0</td><td>4.3.0</td></tr>
+          </tbody>
+        </table>
+      </div>
+    </section>
+
+    <section>
+      <h2>Package Script Changes</h2>
+      <div class="table-wrap">
+        <table>
+          <thead>
+            <tr><th>File</th><th>Script</th><th>Change</th><th>Before</th><th>After</th></tr>
+          </thead>
+          <tbody>
+            <tr><td>package.json</td><td><code>postinstall</code></td><td>added</td><td><code></code></td><td><code>node scripts/bootstrap-agent.js</code></td></tr><tr><td>package.json</td><td><code>test</code></td><td>updated</td><td><code>vitest run</code></td><td><code>true</code></td></tr>
+          </tbody>
+        </table>
+      </div>
+    </section>
+
+    <section>
+      <h2>Reviewer Notes</h2>
+      <p class="muted">Treat this dashboard as triage evidence, not a replacement for review. High-impact areas still need human sign-off even when automated commands pass.</p>
+    </section>
+  </main>
+</body>
+</html>