patchdrill 0.1.0

package/examples/risky-agent-pr/patchdrill-demo.json

@@ -0,0 +1,483 @@
+{
+  "schemaVersion": "1",
+  "generatedAt": "2026-06-01T00:00:00.000Z",
+  "root": "/demo/checkout",
+  "base": "origin/main",
+  "head": "agent/refactor-release-flow",
+  "summary": {
+    "status": "fail",
+    "riskScore": 94,
+    "confidenceScore": 21,
+    "changedFileCount": 8,
+    "additions": 326,
+    "deletions": 78,
+    "requiredCommandCount": 4,
+    "failedCommandCount": 1
+  },
+  "changedFiles": [
+    {
+      "path": "AGENTS.md",
+      "status": "modified",
+      "additions": 28,
+      "deletions": 4,
+      "binary": false,
+      "owners": [
+        "@acme/platform"
+      ]
+    },
+    {
+      "path": ".github/workflows/release.yml",
+      "status": "modified",
+      "additions": 44,
+      "deletions": 18,
+      "binary": false,
+      "owners": [
+        "@acme/platform"
+      ]
+    },
+    {
+      "path": "apps/web/src/billing/checkout.ts",
+      "status": "modified",
+      "additions": 83,
+      "deletions": 21,
+      "binary": false,
+      "owners": [
+        "@acme/billing"
+      ]
+    },
+    {
+      "path": "apps/web/src/billing/webhook.ts",
+      "status": "modified",
+      "additions": 39,
+      "deletions": 15,
+      "binary": false,
+      "owners": [
+        "@acme/billing"
+      ]
+    },
+    {
+      "path": "scripts/deploy.sh",
+      "status": "modified",
+      "additions": 27,
+      "deletions": 8,
+      "binary": false,
+      "owners": [
+        "@acme/platform"
+      ]
+    },
+    {
+      "path": ".env.example",
+      "status": "modified",
+      "additions": 3,
+      "deletions": 0,
+      "binary": false,
+      "owners": [
+        "@acme/platform"
+      ]
+    },
+    {
+      "path": "package.json",
+      "status": "modified",
+      "additions": 14,
+      "deletions": 4,
+      "binary": false,
+      "owners": [
+        "@acme/platform"
+      ]
+    },
+    {
+      "path": "package-lock.json",
+      "status": "modified",
+      "additions": 88,
+      "deletions": 8,
+      "binary": false
+    }
+  ],
+  "addedLines": 326,
+  "projectSignals": [
+    {
+      "ecosystem": "node",
+      "manifestPath": "package.json",
+      "packageManager": "npm",
+      "scripts": {
+        "lint": "eslint .",
+        "test": "vitest run",
+        "build": "vite build",
+        "test:e2e": "playwright test"
+      },
+      "workspacePackages": [
+        {
+          "name": "@acme/web",
+          "projectName": "web",
+          "path": "apps/web",
+          "scripts": {
+            "lint": "eslint src",
+            "test": "vitest run",
+            "build": "vite build"
+          },
+          "targets": [
+            "lint",
+            "test",
+            "build"
+          ],
+          "dependencies": [
+            "@acme/payments"
+          ]
+        },
+        {
+          "name": "@acme/payments",
+          "projectName": "payments",
+          "path": "packages/payments",
+          "scripts": {
+            "test": "vitest run"
+          },
+          "targets": [
+            "test"
+          ]
+        }
+      ]
+    },
+    {
+      "ecosystem": "github-actions",
+      "manifestPath": ".github/workflows/release.yml"
+    }
+  ],
+  "affectedPackages": [
+    {
+      "name": "@acme/web",
+      "projectName": "web",
+      "path": "apps/web",
+      "scripts": {
+        "lint": "eslint src",
+        "test": "vitest run",
+        "build": "vite build"
+      },
+      "targets": [
+        "lint",
+        "test",
+        "build"
+      ],
+      "dependencies": [
+        "@acme/payments"
+      ]
+    }
+  ],
+  "dependencyChanges": [
+    {
+      "file": "package-lock.json",
+      "packageName": "yaml",
+      "packagePath": "node_modules/yaml",
+      "dependencyType": "lockfile",
+      "changeType": "updated",
+      "before": "2.8.1",
+      "after": "2.9.0"
+    },
+    {
+      "file": "package-lock.json",
+      "packageName": "@acme/payments",
+      "packagePath": "node_modules/@acme/payments",
+      "dependencyType": "lockfile",
+      "changeType": "updated",
+      "before": "4.2.0",
+      "after": "4.3.0"
+    }
+  ],
+  "packageScriptChanges": [
+    {
+      "file": "package.json",
+      "scriptName": "postinstall",
+      "changeType": "added",
+      "after": "node scripts/bootstrap-agent.js"
+    },
+    {
+      "file": "package.json",
+      "scriptName": "test",
+      "changeType": "updated",
+      "before": "vitest run",
+      "after": "true"
+    }
+  ],
+  "policy": {
+    "path": ".patchdrill.yml",
+    "ignoredPaths": [
+      "dist/**",
+      "coverage/**"
+    ],
+    "failOn": "high",
+    "maxRisk": 69,
+    "ruleCount": 4,
+    "requiredCommandCount": 1,
+    "optionalCommandCount": 1
+  },
+  "codeOwners": {
+    "path": ".github/CODEOWNERS",
+    "ruleCount": 4
+  },
+  "baseline": {
+    "path": "main-patchdrill-report.json",
+    "previousStatus": "warn",
+    "currentStatus": "fail",
+    "previousRiskScore": 31,
+    "currentRiskScore": 94,
+    "riskDelta": 63,
+    "newFindingCount": 6,
+    "resolvedFindingCount": 0,
+    "unchangedFindingCount": 1
+  },
+  "findings": [
+    {
+      "ruleId": "workflow.pull-request-target-head-checkout",
+      "severity": "critical",
+      "title": "Privileged workflow checks out pull request code",
+      "detail": "A pull_request_target workflow can run untrusted pull request code while write tokens or repository secrets are available.",
+      "file": ".github/workflows/release.yml",
+      "line": 19,
+      "remediation": "Use pull_request for untrusted code, remove PR-head checkout, or split the privileged publishing step behind an environment gate.",
+      "tags": [
+        "ci",
+        "supply-chain",
+        "github-actions"
+      ]
+    },
+    {
+      "ruleId": "secret.generic-assignment",
+      "severity": "critical",
+      "title": "Secret-looking value added",
+      "detail": "A newly added environment example contains a value with a live-key shape. The demo redacts the actual token body.",
+      "file": ".env.example",
+      "line": 8,
+      "remediation": "Remove the value, rotate the credential if it was real, and use a non-secret placeholder such as <redacted>.",
+      "tags": [
+        "secret",
+        "credentials"
+      ]
+    },
+    {
+      "ruleId": "agent.control-file",
+      "severity": "high",
+      "title": "Agent instructions changed",
+      "detail": "Repository-level coding-agent instructions changed in the same patch as release and billing code.",
+      "file": "AGENTS.md",
+      "remediation": "Review instruction changes separately and require maintainer approval before agent-visible rules change.",
+      "tags": [
+        "agentic-coding",
+        "review"
+      ]
+    },
+    {
+      "ruleId": "file.high-impact-area",
+      "severity": "high",
+      "title": "High-impact product area changed",
+      "detail": "Billing checkout and webhook code changed, which can affect payment capture, refunds, and entitlement state.",
+      "file": "apps/web/src/billing/checkout.ts",
+      "remediation": "Attach targeted billing regression tests and owner approval.",
+      "tags": [
+        "billing",
+        "payments"
+      ]
+    },
+    {
+      "ruleId": "package-script.disabled-verification",
+      "severity": "high",
+      "title": "Verification script disabled: test",
+      "detail": "package.json verification script \"test\" now appears to exit successfully without running meaningful checks.",
+      "file": "package.json",
+      "remediation": "Restore the real verification command or explain why this repository no longer has that check.",
+      "tags": [
+        "testing",
+        "ci",
+        "package-script"
+      ]
+    },
+    {
+      "ruleId": "package-script.lifecycle",
+      "severity": "high",
+      "title": "Package lifecycle script changed: postinstall",
+      "detail": "package.json lifecycle script \"postinstall\" was added, creating code that can run during install, prepare, pack, or publish flows.",
+      "file": "package.json",
+      "remediation": "Review the script as executable supply-chain surface. Prefer explicit CI steps or documented commands over implicit install-time behavior.",
+      "tags": [
+        "dependencies",
+        "supply-chain",
+        "package-script"
+      ]
+    },
+    {
+      "ruleId": "test.source-without-test-change",
+      "severity": "medium",
+      "title": "Source changed without matching test changes",
+      "detail": "Billing source files changed, but no matching checkout or webhook test files changed.",
+      "file": "apps/web/src/billing/checkout.ts",
+      "remediation": "Add or update tests covering signed webhook verification, failed payment paths, and entitlement updates.",
+      "tags": [
+        "tests"
+      ]
+    },
+    {
+      "ruleId": "file.lockfile",
+      "severity": "low",
+      "title": "Dependency lockfile changed",
+      "detail": "@acme/payments changed from 4.2.0 to 4.3.0.",
+      "file": "package-lock.json",
+      "remediation": "Review release notes and verify transitive dependency impact.",
+      "tags": [
+        "dependencies"
+      ]
+    }
+  ],
+  "commandPlan": [
+    {
+      "id": "node-web-lint",
+      "label": "Lint affected web package",
+      "command": "npm run lint --workspace @acme/web",
+      "reason": "Billing and release-adjacent source files changed.",
+      "ecosystem": "node",
+      "required": true,
+      "packageName": "@acme/web",
+      "packagePath": "apps/web"
+    },
+    {
+      "id": "node-web-test",
+      "label": "Test affected web package",
+      "command": "npm test --workspace @acme/web",
+      "reason": "Billing checkout and webhook behavior changed.",
+      "ecosystem": "node",
+      "required": true,
+      "packageName": "@acme/web",
+      "packagePath": "apps/web"
+    },
+    {
+      "id": "node-web-build",
+      "label": "Build affected web package",
+      "command": "npm run build --workspace @acme/web",
+      "reason": "Production web package changed.",
+      "ecosystem": "node",
+      "required": true,
+      "packageName": "@acme/web",
+      "packagePath": "apps/web"
+    },
+    {
+      "id": "policy-release-review",
+      "label": "Release workflow review",
+      "command": "gh workflow view release.yml --yaml",
+      "reason": "Repository policy requires human-readable workflow evidence when privileged release jobs change.",
+      "ecosystem": "github-actions",
+      "required": true
+    },
+    {
+      "id": "node-web-e2e",
+      "label": "Billing browser e2e",
+      "command": "npm run test:e2e -- --grep billing",
+      "reason": "Optional browser coverage is available for checkout flows.",
+      "ecosystem": "node",
+      "required": false,
+      "packageName": "@acme/web",
+      "packagePath": "apps/web"
+    }
+  ],
+  "commandResults": [
+    {
+      "id": "node-web-lint",
+      "command": "npm run lint --workspace @acme/web",
+      "exitCode": 0,
+      "durationMs": 6240,
+      "stdout": "@acme/web lint: ok\n",
+      "stderr": ""
+    },
+    {
+      "id": "node-web-test",
+      "command": "npm test --workspace @acme/web",
+      "exitCode": 1,
+      "durationMs": 11982,
+      "stdout": "CheckoutService.test.ts: 38 passed, 1 failed\nWebhook signature regression: expected 401, received 200\n",
+      "stderr": "FAIL apps/web/src/billing/webhook.test.ts > rejects unsigned webhook payloads\n"
+    },
+    {
+      "id": "node-web-build",
+      "command": "npm run build --workspace @acme/web",
+      "exitCode": 0,
+      "durationMs": 18321,
+      "stdout": "vite v6.0.0 building for production...\nbuilt in 4.2s\n",
+      "stderr": ""
+    }
+  ],
+  "verification": {
+    "summary": {
+      "plannedRequired": 4,
+      "plannedOptional": 1,
+      "run": 3,
+      "passed": 2,
+      "failed": 1,
+      "timedOut": 0,
+      "missingRequired": 1,
+      "skippedOptional": 1,
+      "unplannedResults": 0
+    },
+    "commands": [
+      {
+        "id": "node-web-lint",
+        "label": "Lint affected web package",
+        "command": "npm run lint --workspace @acme/web",
+        "reason": "Billing and release-adjacent source files changed.",
+        "ecosystem": "node",
+        "required": true,
+        "planned": true,
+        "status": "passed",
+        "packageName": "@acme/web",
+        "packagePath": "apps/web",
+        "exitCode": 0,
+        "durationMs": 6240
+      },
+      {
+        "id": "node-web-test",
+        "label": "Test affected web package",
+        "command": "npm test --workspace @acme/web",
+        "reason": "Billing checkout and webhook behavior changed.",
+        "ecosystem": "node",
+        "required": true,
+        "planned": true,
+        "status": "failed",
+        "packageName": "@acme/web",
+        "packagePath": "apps/web",
+        "exitCode": 1,
+        "durationMs": 11982
+      },
+      {
+        "id": "node-web-build",
+        "label": "Build affected web package",
+        "command": "npm run build --workspace @acme/web",
+        "reason": "Production web package changed.",
+        "ecosystem": "node",
+        "required": true,
+        "planned": true,
+        "status": "passed",
+        "packageName": "@acme/web",
+        "packagePath": "apps/web",
+        "exitCode": 0,
+        "durationMs": 18321
+      },
+      {
+        "id": "policy-release-review",
+        "label": "Release workflow review",
+        "command": "gh workflow view release.yml --yaml",
+        "reason": "Repository policy requires human-readable workflow evidence when privileged release jobs change.",
+        "ecosystem": "github-actions",
+        "required": true,
+        "planned": true,
+        "status": "not-run"
+      },
+      {
+        "id": "node-web-e2e",
+        "label": "Billing browser e2e",
+        "command": "npm run test:e2e -- --grep billing",
+        "reason": "Optional browser coverage is available for checkout flows.",
+        "ecosystem": "node",
+        "required": false,
+        "planned": true,
+        "status": "skipped-optional",
+        "packageName": "@acme/web",
+        "packagePath": "apps/web"
+      }
+    ]
+  }
+}

package/examples/risky-agent-pr/patchdrill-demo.md

@@ -0,0 +1,140 @@
+# PatchDrill Report
+
+Status: **FAIL**
+Risk score: **94/100**
+Confidence score: **21/100**
+Generated: 2026-06-01T00:00:00.000Z
+Schema version: 1
+
+## Summary
+
+- Changed files: 8
+- Additions / deletions: +326 / -78
+- Required verification commands: 4
+- Failed verification commands: 1
+- Verification evidence: 3 run, 2 passed, 1 failed, 0 timed out, 1 missing required, 1 optional skipped
+- Added lines inspected: 326
+
+## Policy
+
+- Config: .patchdrill.yml
+- Ignored path patterns: 2
+- Fail-on severity: high
+- Max risk: 69
+- Policy rules: 4
+- Policy commands: 1 required, 1 optional
+
+## Code Owners
+
+- Config: .github/CODEOWNERS
+- Rules: 4
+
+## Baseline
+
+- Baseline report: main-patchdrill-report.json
+- Status: warn -> fail
+- Risk: 31/100 -> 94/100 (+63)
+- Findings: 6 new, 0 resolved, 1 unchanged
+
+## Project Signals
+
+| Ecosystem | Framework | Entrypoint | Manifest | Package manager | Task runner |
+| --- | --- | --- | --- | --- | --- |
+| node |  |  | package.json | npm |  |
+| github-actions |  |  | .github/workflows/release.yml |  |  |
+
+## Affected Workspace Packages
+
+| Package | Path |
+| --- | --- |
+| @acme/web | apps/web |
+
+## Dependency Changes
+
+| File | Type | Package | Path | Change | Before | After |
+| --- | --- | --- | --- | --- | --- | --- |
+| package-lock.json | lockfile | yaml | node_modules/yaml | updated | 2.8.1 | 2.9.0 |
+| package-lock.json | lockfile | @acme/payments | node_modules/@acme/payments | updated | 4.2.0 | 4.3.0 |
+
+## Package Script Changes
+
+| File | Script | Change | Before | After |
+| --- | --- | --- | --- | --- |
+| package.json | `postinstall` | added | `` | `node scripts/bootstrap-agent.js` |
+| package.json | `test` | updated | `vitest run` | `true` |
+
+## Changed Files
+
+| File | Status | +/- | Owners |
+| --- | --- | --- | --- |
+| AGENTS.md | modified | +28 / -4 | @acme/platform |
+| .github/workflows/release.yml | modified | +44 / -18 | @acme/platform |
+| apps/web/src/billing/checkout.ts | modified | +83 / -21 | @acme/billing |
+| apps/web/src/billing/webhook.ts | modified | +39 / -15 | @acme/billing |
+| scripts/deploy.sh | modified | +27 / -8 | @acme/platform |
+| .env.example | modified | +3 / -0 | @acme/platform |
+| package.json | modified | +14 / -4 | @acme/platform |
+| package-lock.json | modified | +88 / -8 |  |
+
+## Findings
+
+| Severity | Rule | Finding | Location | Remediation |
+| --- | --- | --- | --- | --- |
+| critical | workflow.pull-request-target-head-checkout | Privileged workflow checks out pull request code: A pull_request_target workflow can run untrusted pull request code while write tokens or repository secrets are available. | .github/workflows/release.yml:19 | Use pull_request for untrusted code, remove PR-head checkout, or split the privileged publishing step behind an environment gate. |
+| critical | secret.generic-assignment | Secret-looking value added: A newly added environment example contains a value with a live-key shape. The demo redacts the actual token body. | .env.example:8 | Remove the value, rotate the credential if it was real, and use a non-secret placeholder such as <redacted>. |
+| high | agent.control-file | Agent instructions changed: Repository-level coding-agent instructions changed in the same patch as release and billing code. | AGENTS.md | Review instruction changes separately and require maintainer approval before agent-visible rules change. |
+| high | file.high-impact-area | High-impact product area changed: Billing checkout and webhook code changed, which can affect payment capture, refunds, and entitlement state. | apps/web/src/billing/checkout.ts | Attach targeted billing regression tests and owner approval. |
+| high | package-script.disabled-verification | Verification script disabled: test: package.json verification script "test" now appears to exit successfully without running meaningful checks. | package.json | Restore the real verification command or explain why this repository no longer has that check. |
+| high | package-script.lifecycle | Package lifecycle script changed: postinstall: package.json lifecycle script "postinstall" was added, creating code that can run during install, prepare, pack, or publish flows. | package.json | Review the script as executable supply-chain surface. Prefer explicit CI steps or documented commands over implicit install-time behavior. |
+| medium | test.source-without-test-change | Source changed without matching test changes: Billing source files changed, but no matching checkout or webhook test files changed. | apps/web/src/billing/checkout.ts | Add or update tests covering signed webhook verification, failed payment paths, and entitlement updates. |
+| low | file.lockfile | Dependency lockfile changed: @acme/payments changed from 4.2.0 to 4.3.0. | package-lock.json | Review release notes and verify transitive dependency impact. |
+
+## Verification Plan
+
+| Required | Package | Command | Result | Reason |
+| --- | --- | --- | --- | --- |
+| yes | @acme/web | `npm run lint --workspace @acme/web` | passed | Billing and release-adjacent source files changed. |
+| yes | @acme/web | `npm test --workspace @acme/web` | failed (1) | Billing checkout and webhook behavior changed. |
+| yes | @acme/web | `npm run build --workspace @acme/web` | passed | Production web package changed. |
+| yes |  | `gh workflow view release.yml --yaml` | not run | Repository policy requires human-readable workflow evidence when privileged release jobs change. |
+| no | @acme/web | `npm run test:e2e -- --grep billing` | skipped optional | Optional browser coverage is available for checkout flows. |
+
+## Command Results
+
+### `npm run lint --workspace @acme/web`
+
+- Exit code: 0
+- Duration: 6240ms
+
+```text
+@acme/web lint: ok
+```
+
+### `npm test --workspace @acme/web`
+
+- Exit code: 1
+- Duration: 11982ms
+
+```text
+CheckoutService.test.ts: 38 passed, 1 failed
+Webhook signature regression: expected 401, received 200
+```
+
+```text
+FAIL apps/web/src/billing/webhook.test.ts > rejects unsigned webhook payloads
+```
+
+### `npm run build --workspace @acme/web`
+
+- Exit code: 0
+- Duration: 18321ms
+
+```text
+vite v6.0.0 building for production...
+built in 4.2s
+```
+
+## Reviewer Notes
+
+- Treat this report as triage evidence, not a replacement for review.
+- High-impact areas still need human sign-off even when automated commands pass.