patchdrill 0.1.0

package/examples/risky-agent-pr/patchdrill-demo.sarif

@@ -0,0 +1,398 @@
+{
+  "version": "2.1.0",
+  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "PatchDrill",
+          "informationUri": "https://github.com/seungdori/patchdrill",
+          "rules": [
+            {
+              "id": "workflow.pull-request-target-head-checkout",
+              "name": "Privileged workflow checks out pull request code",
+              "shortDescription": {
+                "text": "Privileged workflow checks out pull request code"
+              },
+              "help": {
+                "text": "Use pull_request for untrusted code, remove PR-head checkout, or split the privileged publishing step behind an environment gate."
+              },
+              "properties": {
+                "severity": "critical",
+                "tags": [
+                  "ci",
+                  "supply-chain",
+                  "github-actions"
+                ]
+              }
+            },
+            {
+              "id": "secret.generic-assignment",
+              "name": "Secret-looking value added",
+              "shortDescription": {
+                "text": "Secret-looking value added"
+              },
+              "help": {
+                "text": "Remove the value, rotate the credential if it was real, and use a non-secret placeholder such as <redacted>."
+              },
+              "properties": {
+                "severity": "critical",
+                "tags": [
+                  "secret",
+                  "credentials"
+                ]
+              }
+            },
+            {
+              "id": "agent.control-file",
+              "name": "Agent instructions changed",
+              "shortDescription": {
+                "text": "Agent instructions changed"
+              },
+              "help": {
+                "text": "Review instruction changes separately and require maintainer approval before agent-visible rules change."
+              },
+              "properties": {
+                "severity": "high",
+                "tags": [
+                  "agentic-coding",
+                  "review"
+                ]
+              }
+            },
+            {
+              "id": "file.high-impact-area",
+              "name": "High-impact product area changed",
+              "shortDescription": {
+                "text": "High-impact product area changed"
+              },
+              "help": {
+                "text": "Attach targeted billing regression tests and owner approval."
+              },
+              "properties": {
+                "severity": "high",
+                "tags": [
+                  "billing",
+                  "payments"
+                ]
+              }
+            },
+            {
+              "id": "package-script.disabled-verification",
+              "name": "Verification script disabled: test",
+              "shortDescription": {
+                "text": "Verification script disabled: test"
+              },
+              "help": {
+                "text": "Restore the real verification command or explain why this repository no longer has that check."
+              },
+              "properties": {
+                "severity": "high",
+                "tags": [
+                  "testing",
+                  "ci",
+                  "package-script"
+                ]
+              }
+            },
+            {
+              "id": "package-script.lifecycle",
+              "name": "Package lifecycle script changed: postinstall",
+              "shortDescription": {
+                "text": "Package lifecycle script changed: postinstall"
+              },
+              "help": {
+                "text": "Review the script as executable supply-chain surface. Prefer explicit CI steps or documented commands over implicit install-time behavior."
+              },
+              "properties": {
+                "severity": "high",
+                "tags": [
+                  "dependencies",
+                  "supply-chain",
+                  "package-script"
+                ]
+              }
+            },
+            {
+              "id": "test.source-without-test-change",
+              "name": "Source changed without matching test changes",
+              "shortDescription": {
+                "text": "Source changed without matching test changes"
+              },
+              "help": {
+                "text": "Add or update tests covering signed webhook verification, failed payment paths, and entitlement updates."
+              },
+              "properties": {
+                "severity": "medium",
+                "tags": [
+                  "tests"
+                ]
+              }
+            },
+            {
+              "id": "file.lockfile",
+              "name": "Dependency lockfile changed",
+              "shortDescription": {
+                "text": "Dependency lockfile changed"
+              },
+              "help": {
+                "text": "Review release notes and verify transitive dependency impact."
+              },
+              "properties": {
+                "severity": "low",
+                "tags": [
+                  "dependencies"
+                ]
+              }
+            }
+          ]
+        }
+      },
+      "invocations": [
+        {
+          "executionSuccessful": false,
+          "properties": {
+            "status": "fail",
+            "riskScore": 94,
+            "confidenceScore": 21
+          }
+        }
+      ],
+      "results": [
+        {
+          "ruleId": "workflow.pull-request-target-head-checkout",
+          "level": "error",
+          "message": {
+            "text": "Privileged workflow checks out pull request code: A pull_request_target workflow can run untrusted pull request code while write tokens or repository secrets are available. Remediation: Use pull_request for untrusted code, remove PR-head checkout, or split the privileged publishing step behind an environment gate."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": ".github/workflows/release.yml"
+                },
+                "region": {
+                  "startLine": 19
+                }
+              }
+            }
+          ],
+          "properties": {
+            "severity": "critical",
+            "tags": [
+              "ci",
+              "supply-chain",
+              "github-actions"
+            ]
+          },
+          "partialFingerprints": {
+            "patchdrillFinding": "dd62de8821265a5bce0d09b31b7d674fad3eeeeb9321ad6787b49ce39fb6968e"
+          }
+        },
+        {
+          "ruleId": "secret.generic-assignment",
+          "level": "error",
+          "message": {
+            "text": "Secret-looking value added: A newly added environment example contains a value with a live-key shape. The demo redacts the actual token body. Remediation: Remove the value, rotate the credential if it was real, and use a non-secret placeholder such as <redacted>."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": ".env.example"
+                },
+                "region": {
+                  "startLine": 8
+                }
+              }
+            }
+          ],
+          "properties": {
+            "severity": "critical",
+            "tags": [
+              "secret",
+              "credentials"
+            ]
+          },
+          "partialFingerprints": {
+            "patchdrillFinding": "7cce2c7a32196fafdb1cd236916f34fb87c4809d0d0f9b6711b9746cb047ddb4"
+          }
+        },
+        {
+          "ruleId": "agent.control-file",
+          "level": "error",
+          "message": {
+            "text": "Agent instructions changed: Repository-level coding-agent instructions changed in the same patch as release and billing code. Remediation: Review instruction changes separately and require maintainer approval before agent-visible rules change."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "AGENTS.md"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ],
+          "properties": {
+            "severity": "high",
+            "tags": [
+              "agentic-coding",
+              "review"
+            ]
+          },
+          "partialFingerprints": {
+            "patchdrillFinding": "152935f9d990a29a16471df2c81a179d3c1e4c49f056bff3ccf629362d22d014"
+          }
+        },
+        {
+          "ruleId": "file.high-impact-area",
+          "level": "error",
+          "message": {
+            "text": "High-impact product area changed: Billing checkout and webhook code changed, which can affect payment capture, refunds, and entitlement state. Remediation: Attach targeted billing regression tests and owner approval."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "apps/web/src/billing/checkout.ts"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ],
+          "properties": {
+            "severity": "high",
+            "tags": [
+              "billing",
+              "payments"
+            ]
+          },
+          "partialFingerprints": {
+            "patchdrillFinding": "2fd95cd4c8bf6a886b6a8c77850232bda70c8c5559f4e603d58bb93a8b104859"
+          }
+        },
+        {
+          "ruleId": "package-script.disabled-verification",
+          "level": "error",
+          "message": {
+            "text": "Verification script disabled: test: package.json verification script \"test\" now appears to exit successfully without running meaningful checks. Remediation: Restore the real verification command or explain why this repository no longer has that check."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "package.json"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ],
+          "properties": {
+            "severity": "high",
+            "tags": [
+              "testing",
+              "ci",
+              "package-script"
+            ]
+          },
+          "partialFingerprints": {
+            "patchdrillFinding": "f659ab1a5d6066ca9afb587095764ba745ca4ea1dcf74a4544c45d73a656e6c8"
+          }
+        },
+        {
+          "ruleId": "package-script.lifecycle",
+          "level": "error",
+          "message": {
+            "text": "Package lifecycle script changed: postinstall: package.json lifecycle script \"postinstall\" was added, creating code that can run during install, prepare, pack, or publish flows. Remediation: Review the script as executable supply-chain surface. Prefer explicit CI steps or documented commands over implicit install-time behavior."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "package.json"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ],
+          "properties": {
+            "severity": "high",
+            "tags": [
+              "dependencies",
+              "supply-chain",
+              "package-script"
+            ]
+          },
+          "partialFingerprints": {
+            "patchdrillFinding": "99a9a7495c0512a3b640ab4d14d78fb359968ef544025231d6154da6b5a0cafc"
+          }
+        },
+        {
+          "ruleId": "test.source-without-test-change",
+          "level": "warning",
+          "message": {
+            "text": "Source changed without matching test changes: Billing source files changed, but no matching checkout or webhook test files changed. Remediation: Add or update tests covering signed webhook verification, failed payment paths, and entitlement updates."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "apps/web/src/billing/checkout.ts"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ],
+          "properties": {
+            "severity": "medium",
+            "tags": [
+              "tests"
+            ]
+          },
+          "partialFingerprints": {
+            "patchdrillFinding": "07dddbd9eebea7fef9b24ccb8c66e70be0936ed69cc404f657ec6a3d2feb87ac"
+          }
+        },
+        {
+          "ruleId": "file.lockfile",
+          "level": "note",
+          "message": {
+            "text": "Dependency lockfile changed: @acme/payments changed from 4.2.0 to 4.3.0. Remediation: Review release notes and verify transitive dependency impact."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "package-lock.json"
+                },
+                "region": {
+                  "startLine": 1
+                }
+              }
+            }
+          ],
+          "properties": {
+            "severity": "low",
+            "tags": [
+              "dependencies"
+            ]
+          },
+          "partialFingerprints": {
+            "patchdrillFinding": "5cdefc8ce238a88cde78ab92957d8d0b3f84483f99a431e5dd9af6c80012c92d"
+          }
+        }
+      ]
+    }
+  ]
+}

package/fixtures/stacks/README.md

@@ -0,0 +1,4 @@
+# Stack Fixtures
+
+These fixtures are small, committed repository shapes that PatchDrill scans in tests. Each fixture defines base files, changed files, and the expected verification plan. They keep ecosystem detection and monorepo targeting behavior stable as the planner grows.
+

package/fixtures/stacks/android-gradle/fixture.json

@@ -0,0 +1,33 @@
+{
+  "name": "android-gradle",
+  "expectedEcosystems": ["android"],
+  "expectedCommands": ["./gradlew testDebugUnitTest", "./gradlew assembleDebug", "./gradlew lintDebug"],
+  "baseFiles": [
+    {
+      "path": "settings.gradle",
+      "lines": ["pluginManagement { repositories { google(); mavenCentral(); gradlePluginPortal() } }", "dependencyResolutionManagement { repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS); repositories { google(); mavenCentral() } }", "rootProject.name = 'MobileApp'", "include ':app'"]
+    },
+    {
+      "path": "app/build.gradle",
+      "lines": ["plugins {", "    id 'com.android.application'", "}", "android {", "    namespace 'com.acme.mobile'", "    compileSdk 35", "    defaultConfig { applicationId 'com.acme.mobile'; minSdk 24; targetSdk 35; versionCode 1; versionName '1.0' }", "}"]
+    },
+    {
+      "path": "gradlew",
+      "lines": ["#!/bin/sh", "echo gradle wrapper"]
+    },
+    {
+      "path": "app/src/main/AndroidManifest.xml",
+      "lines": ["<manifest xmlns:android=\"http://schemas.android.com/apk/res/android\" />"]
+    },
+    {
+      "path": "app/src/main/java/com/acme/mobile/MainActivity.kt",
+      "lines": ["package com.acme.mobile", "class MainActivity { fun ready() = true }"]
+    }
+  ],
+  "changeFiles": [
+    {
+      "path": "app/src/main/res/values/strings.xml",
+      "lines": ["<resources>", "    <string name=\"app_name\">PatchDrill Mobile</string>", "</resources>"]
+    }
+  ]
+}

package/fixtures/stacks/aspnet-core-service/fixture.json

@@ -0,0 +1,36 @@
+{
+  "name": "aspnet-core-service",
+  "expectedEcosystems": ["dotnet"],
+  "expectedCommands": [
+    "dotnet test tests/Api.Tests/Api.Tests.csproj",
+    "dotnet build src/Api/Api.csproj --no-restore",
+    "dotnet publish src/Api/Api.csproj --no-restore"
+  ],
+  "baseFiles": [
+    {
+      "path": "src/Api/Api.csproj",
+      "lines": ["<Project Sdk=\"Microsoft.NET.Sdk.Web\">", "  <PropertyGroup>", "    <TargetFramework>net8.0</TargetFramework>", "    <Nullable>enable</Nullable>", "  </PropertyGroup>", "</Project>"]
+    },
+    {
+      "path": "tests/Api.Tests/Api.Tests.csproj",
+      "lines": [
+        "<Project Sdk=\"Microsoft.NET.Sdk\">",
+        "  <ItemGroup>",
+        "    <PackageReference Include=\"Microsoft.NET.Test.Sdk\" Version=\"17.10.0\" />",
+        "    <ProjectReference Include=\"../../src/Api/Api.csproj\" />",
+        "  </ItemGroup>",
+        "</Project>"
+      ]
+    },
+    {
+      "path": "src/Api/Program.cs",
+      "lines": ["var builder = WebApplication.CreateBuilder(args);", "var app = builder.Build();", "app.MapGet(\"/health\", () => Results.Ok(new { ok = true }));", "app.Run();"]
+    }
+  ],
+  "changeFiles": [
+    {
+      "path": "src/Api/Program.cs",
+      "lines": ["var builder = WebApplication.CreateBuilder(args);", "var app = builder.Build();", "app.MapGet(\"/health\", () => Results.Ok(new { ok = false }));", "app.Run();"]
+    }
+  ]
+}

package/fixtures/stacks/bazel-workspace/fixture.json

@@ -0,0 +1,30 @@
+{
+  "name": "bazel-workspace",
+  "expectedEcosystems": ["bazel"],
+  "expectedCommands": [
+    "bazel test //src/app/...",
+    "bazel build //src/app/...",
+    "bazel query 'rdeps(//..., set(//src/app/...))'",
+    "targets=\"$(bazel query 'tests(rdeps(//..., set(//src/app/...)))')\" && if [ -n \"$targets\" ]; then bazel test $targets; else echo 'No downstream Bazel tests found'; fi"
+  ],
+  "baseFiles": [
+    {
+      "path": "MODULE.bazel",
+      "lines": ["module(name = \"api\")"]
+    },
+    {
+      "path": "src/app/BUILD.bazel",
+      "lines": ["java_library(", "    name = \"app\",", "    srcs = [\"App.java\"],", ")"]
+    },
+    {
+      "path": "src/app/App.java",
+      "lines": ["package app;", "public class App { public boolean ok() { return true; } }"]
+    }
+  ],
+  "changeFiles": [
+    {
+      "path": "src/app/App.java",
+      "lines": ["package app;", "public class App { public boolean ok() { return false; } }"]
+    }
+  ]
+}

package/fixtures/stacks/buck2-workspace/fixture.json

@@ -0,0 +1,30 @@
+{
+  "name": "buck2-workspace",
+  "expectedEcosystems": ["buck"],
+  "expectedCommands": [
+    "buck2 test //src/app/...",
+    "buck2 build //src/app/...",
+    "buck2 uquery 'rdeps(//..., set(//src/app/...))'",
+    "targets=\"$(buck2 uquery 'testsof(rdeps(//..., set(//src/app/...)))')\" && if [ -n \"$targets\" ]; then buck2 test $targets; else echo 'No downstream Buck tests found'; fi"
+  ],
+  "baseFiles": [
+    {
+      "path": ".buckconfig",
+      "lines": ["[cells]", "  root = ."]
+    },
+    {
+      "path": "src/app/BUCK",
+      "lines": ["python_library(", "    name = \"app\",", "    srcs = [\"app.py\"],", ")"]
+    },
+    {
+      "path": "src/app/app.py",
+      "lines": ["def ok():", "    return True"]
+    }
+  ],
+  "changeFiles": [
+    {
+      "path": "src/app/app.py",
+      "lines": ["def ok():", "    return False"]
+    }
+  ]
+}

package/fixtures/stacks/cargo-workspace/fixture.json

@@ -0,0 +1,48 @@
+{
+  "name": "cargo-workspace",
+  "expectedEcosystems": ["rust"],
+  "expectedAffectedPackages": ["core-lib", "api-server"],
+  "expectedCommands": [
+    "cargo test -p core-lib --all-targets",
+    "cargo clippy -p core-lib --all-targets -- -D warnings",
+    "cargo test -p api-server --all-targets",
+    "cargo clippy -p api-server --all-targets -- -D warnings"
+  ],
+  "baseFiles": [
+    {
+      "path": "Cargo.toml",
+      "lines": ["[workspace]", "members = [\"crates/*\"]"]
+    },
+    {
+      "path": "crates/core/Cargo.toml",
+      "lines": ["[package]", "name = \"core-lib\"", "version = \"0.1.0\"", "edition = \"2021\""]
+    },
+    {
+      "path": "crates/core/src/lib.rs",
+      "lines": ["pub fn core() -> bool { true }"]
+    },
+    {
+      "path": "crates/api/Cargo.toml",
+      "lines": [
+        "[package]",
+        "name = \"api-server\"",
+        "version = \"0.1.0\"",
+        "edition = \"2021\"",
+        "",
+        "[dependencies]",
+        "core-lib = { path = \"../core\" }"
+      ]
+    },
+    {
+      "path": "crates/api/src/lib.rs",
+      "lines": ["pub fn api() -> bool { core_lib::core() }"]
+    }
+  ],
+  "changeFiles": [
+    {
+      "path": "crates/core/src/lib.rs",
+      "lines": ["pub fn core() -> bool { false }"]
+    }
+  ]
+}
+

package/fixtures/stacks/django-app/fixture.json

@@ -0,0 +1,25 @@
+{
+  "name": "django-app",
+  "expectedEcosystems": ["python"],
+  "expectedCommands": ["python manage.py test", "python manage.py check", "python -m compileall ."],
+  "baseFiles": [
+    {
+      "path": "manage.py",
+      "lines": ["#!/usr/bin/env python", "import sys", "if __name__ == \"__main__\":", "    from django.core.management import execute_from_command_line", "    execute_from_command_line(sys.argv)"]
+    },
+    {
+      "path": "requirements.txt",
+      "lines": ["Django==5.0.0"]
+    },
+    {
+      "path": "app/views.py",
+      "lines": ["def home(request):", "    return \"ok\""]
+    }
+  ],
+  "changeFiles": [
+    {
+      "path": "app/views.py",
+      "lines": ["def home(request):", "    return \"changed\""]
+    }
+  ]
+}

package/fixtures/stacks/docker-compose/fixture.json

@@ -0,0 +1,17 @@
+{
+  "name": "docker-compose",
+  "expectedEcosystems": ["docker"],
+  "expectedCommands": ["docker compose -f compose.yaml config"],
+  "baseFiles": [
+    {
+      "path": "compose.yaml",
+      "lines": ["services:", "  api:", "    image: node:22-alpine", "    command: node server.js"]
+    }
+  ],
+  "changeFiles": [
+    {
+      "path": "compose.yaml",
+      "lines": ["services:", "  api:", "    image: node:22-alpine", "    command: node server.js", "    restart: unless-stopped"]
+    }
+  ]
+}

package/fixtures/stacks/dockerfile-service/fixture.json

@@ -0,0 +1,17 @@
+{
+  "name": "dockerfile-service",
+  "expectedEcosystems": ["docker"],
+  "expectedCommands": ["docker build services/api"],
+  "baseFiles": [
+    {
+      "path": "services/api/Dockerfile",
+      "lines": ["FROM node:22-alpine", "WORKDIR /app", "COPY . .", "CMD [\"node\", \"server.js\"]"]
+    }
+  ],
+  "changeFiles": [
+    {
+      "path": "services/api/Dockerfile",
+      "lines": ["FROM node:22-alpine", "WORKDIR /app", "COPY package.json .", "COPY . .", "CMD [\"node\", \"server.js\"]"]
+    }
+  ]
+}