audit-test 0.1.0__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- audit_test-0.1.0/LICENSE +26 -0
- audit_test-0.1.0/PKG-INFO +239 -0
- audit_test-0.1.0/README.md +229 -0
- audit_test-0.1.0/pyproject.toml +27 -0
- audit_test-0.1.0/setup.cfg +4 -0
- audit_test-0.1.0/src/audit_code/__init__.py +3 -0
- audit_test-0.1.0/src/audit_code/__main__.py +5 -0
- audit_test-0.1.0/src/audit_code/adapters/__init__.py +34 -0
- audit_test-0.1.0/src/audit_code/adapters/base.py +202 -0
- audit_test-0.1.0/src/audit_code/adapters/cpp/__init__.py +1 -0
- audit_test-0.1.0/src/audit_code/adapters/cpp/adapter.py +114 -0
- audit_test-0.1.0/src/audit_code/adapters/csharp/__init__.py +1 -0
- audit_test-0.1.0/src/audit_code/adapters/csharp/adapter.py +85 -0
- audit_test-0.1.0/src/audit_code/adapters/go/__init__.py +1 -0
- audit_test-0.1.0/src/audit_code/adapters/go/adapter.py +53 -0
- audit_test-0.1.0/src/audit_code/adapters/html/__init__.py +1 -0
- audit_test-0.1.0/src/audit_code/adapters/html/adapter.py +177 -0
- audit_test-0.1.0/src/audit_code/adapters/java/__init__.py +1 -0
- audit_test-0.1.0/src/audit_code/adapters/java/adapter.py +101 -0
- audit_test-0.1.0/src/audit_code/adapters/javascript/__init__.py +1 -0
- audit_test-0.1.0/src/audit_code/adapters/javascript/adapter.py +128 -0
- audit_test-0.1.0/src/audit_code/adapters/python/__init__.py +1 -0
- audit_test-0.1.0/src/audit_code/adapters/python/adapter.py +40 -0
- audit_test-0.1.0/src/audit_code/adapters/rust/__init__.py +1 -0
- audit_test-0.1.0/src/audit_code/adapters/rust/adapter.py +60 -0
- audit_test-0.1.0/src/audit_code/adapters/sql/__init__.py +1 -0
- audit_test-0.1.0/src/audit_code/adapters/sql/adapter.py +71 -0
- audit_test-0.1.0/src/audit_code/audit_config.py +21 -0
- audit_test-0.1.0/src/audit_code/audit_deps.py +426 -0
- audit_test-0.1.0/src/audit_code/audit_gate.py +596 -0
- audit_test-0.1.0/src/audit_code/audit_phd.py +1478 -0
- audit_test-0.1.0/src/audit_code/audit_quality.py +574 -0
- audit_test-0.1.0/src/audit_code/audit_runtime.py +1262 -0
- audit_test-0.1.0/src/audit_code/audit_shared.py +63 -0
- audit_test-0.1.0/src/audit_code/audit_suite.py +322 -0
- audit_test-0.1.0/src/audit_code/audit_wiring.py +998 -0
- audit_test-0.1.0/src/audit_code/cli.py +353 -0
- audit_test-0.1.0/src/audit_code/config.py +107 -0
- audit_test-0.1.0/src/audit_code/deps.py +49 -0
- audit_test-0.1.0/src/audit_code/gate.py +52 -0
- audit_test-0.1.0/src/audit_code/integrations/__init__.py +15 -0
- audit_test-0.1.0/src/audit_code/integrations/codeql.py +27 -0
- audit_test-0.1.0/src/audit_code/integrations/dependency_scan.py +27 -0
- audit_test-0.1.0/src/audit_code/integrations/megalinter.py +27 -0
- audit_test-0.1.0/src/audit_code/integrations/secret_scan.py +27 -0
- audit_test-0.1.0/src/audit_code/integrations/semgrep.py +27 -0
- audit_test-0.1.0/src/audit_code/models.py +73 -0
- audit_test-0.1.0/src/audit_code/phd.py +84 -0
- audit_test-0.1.0/src/audit_code/profiles/__init__.py +10 -0
- audit_test-0.1.0/src/audit_code/profiles/agent_engine/__init__.py +1 -0
- audit_test-0.1.0/src/audit_code/profiles/agent_engine/config_checks.py +14 -0
- audit_test-0.1.0/src/audit_code/profiles/agent_engine/profile.py +16 -0
- audit_test-0.1.0/src/audit_code/profiles/agent_engine/prompt_checks.py +14 -0
- audit_test-0.1.0/src/audit_code/profiles/agent_engine/stdout_checks.py +14 -0
- audit_test-0.1.0/src/audit_code/profiles/agent_engine/tool_registry_checks.py +14 -0
- audit_test-0.1.0/src/audit_code/project.py +28 -0
- audit_test-0.1.0/src/audit_code/quality.py +748 -0
- audit_test-0.1.0/src/audit_code/reporting/__init__.py +19 -0
- audit_test-0.1.0/src/audit_code/reporting/json_report.py +42 -0
- audit_test-0.1.0/src/audit_code/reporting/junit.py +47 -0
- audit_test-0.1.0/src/audit_code/reporting/sarif.py +50 -0
- audit_test-0.1.0/src/audit_code/run_all_audits.py +121 -0
- audit_test-0.1.0/src/audit_code/runner.py +343 -0
- audit_test-0.1.0/src/audit_code/runtime.py +74 -0
- audit_test-0.1.0/src/audit_code/suite.py +337 -0
- audit_test-0.1.0/src/audit_code/wiring.py +90 -0
- audit_test-0.1.0/src/audit_test.egg-info/PKG-INFO +239 -0
- audit_test-0.1.0/src/audit_test.egg-info/SOURCES.txt +77 -0
- audit_test-0.1.0/src/audit_test.egg-info/dependency_links.txt +1 -0
- audit_test-0.1.0/src/audit_test.egg-info/entry_points.txt +4 -0
- audit_test-0.1.0/src/audit_test.egg-info/top_level.txt +1 -0
- audit_test-0.1.0/tests/test_adapters.py +253 -0
- audit_test-0.1.0/tests/test_base.py +122 -0
- audit_test-0.1.0/tests/test_cli.py +167 -0
- audit_test-0.1.0/tests/test_config.py +104 -0
- audit_test-0.1.0/tests/test_coverage.py +97 -0
- audit_test-0.1.0/tests/test_reporting.py +106 -0
- audit_test-0.1.0/tests/test_runner.py +220 -0
- audit_test-0.1.0/tests/test_smoke.py +6 -0
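--- a/audit_test-0.1.0/LICENSE
+++ b/audit_test-0.1.0/LICENSE
@@ -0,0 +1,26 @@
+Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY-NC-ND 4.0)
+
+© Yosef Bunick. All rights reserved.
+
+You are free to:
+
+Share — copy and redistribute the material in any medium or format
+
+Under the following terms:
+
+Attribution — You must give appropriate credit, provide a link to the
+license, and indicate if changes were made.
+
+NonCommercial — You may not use the material for commercial purposes.
+
+NoDerivatives — If you remix, transform, or build upon the material,
+you may not distribute the modified material.
+
+License details: https://creativecommons.org/licenses/by-nc-nd/4.0/
+
+This license applies unless otherwise explicitly stated within specific
+files or directories of this repository.
+
+For permission to monetize, distribute modified versions, remix,
+sublicense, or commercially use this repository, please contact the
+creator directly.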
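--- a/audit_test-0.1.0/PKG-INFO
+++ b/audit_test-0.1.0/PKG-INFO
@@ -0,0 +1,239 @@
+Metadata-Version: 2.4
+Name: audit-test
+Version: 0.1.0
+Summary: Code and test verification orchestrator — interrogates code quality AND whether tests genuinely prove correctness
+License: MIT
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Dynamic: license-file
+
+# audit-test
+
+**One command. One policy. One report. One fail-closed verdict.**
+
+Interrogates the quality of a repo's code *and* its tests — answers the hard
+question: **does the code work, do the tests prove it, and did my change
+break anything?**
+
+## Install
+
+```powershell
+pip install audit-test
+```
+
+Three CLI commands available after install (all identical):
+
+```powershell
+audit-test high
+audit-test high
+audit-code high
+```
+
+Or from source:
+
+```powershell
+git clone https://github.com/Yosef-Bunick/AUDIT-TEST.git
+cd AUDIT-TEST
+pip install -e .
+```
+
+## Usage
+
+Bare words or flags — both work:
+
+```powershell
+audit-test # full audit
+audit-test min # fast: wiring + phd + quality
+audit-test full # complete: all checks + raw output
+audit-test fix # auto-format (~1s)
+audit-test phd high # PHD only, HIGH only
+audit-test phd wiring medium # PHD + wiring, HIGH+MEDIUM
+audit-test -p <dir> # audit a specific project
+audit-test -s "suite lint" # skip suite + lint
+```
+
+### Flags quick reference
+
+| Short | Long | Does |
+|---|---|---|
+| `-h` | `--high` | HIGH severity only (default) |
+| `-m` | `--medium` | HIGH + MEDIUM severity |
+| | `--info` | HIGH + MEDIUM + INFO |
+| | `--all` | all findings |
+| `-v` | `--verbose` | full detail output |
+| `-f` | `--fix` | auto-format |
+| `-F` | `--full` | complete analysis |
+| `-p` | `--path` | project directory |
+| `-s` | `--skip` | skip modules (comma/space) |
+| `-H` | `--help` | show help |
+
+### Modules
+
+Any combination, bare words or `--flag`:
+
+```powershell
+audit-test phd # PHD static audit
+audit-test wiring # wiring audit
+audit-test runtime # runtime audit
+audit-test suite # test suite audit
+audit-test quality # quality gates
+audit-test syntax # all language syntax checks
+audit-test python # Python syntax only
+audit-test tests # non-Python test suites
+audit-test lint # ruff check
+audit-test black # black format
+audit-test lint fix # ruff --fix
+audit-test black fix # black format
+audit-test phd wiring medium # mix any modules + severity
+```
+
+### Change gate
+
+```powershell
+audit-test gate # judge working-tree diff vs HEAD
+audit-test gate high # block on new HIGH findings (default)
+audit-test gate medium # block on new HIGH+MEDIUM
+audit-test gate fast # skip mutation (G4)
+audit-test gate -p <dir> # gate a specific project
+```
+
+### Standalone scripts
+
+The original audit scripts also work standalone — no pip install needed.
+Copy them into any project and run directly:
+
+```powershell
+python audit_wiring.py # dead symbols, config drift
+python audit_phd.py # exception discipline, security patterns
+python audit_phd.py --min-severity=HIGH # HIGH findings only
+python audit_runtime.py # timeouts, log hygiene, prompt contracts
+python audit_suite.py # run pytest, classify failures
+python audit_quality.py # black, ruff, mypy, CVE, coverage
+python audit_gate.py # judge working-tree diff vs HEAD
+python run_all_audits.py # orchestrate all five into one report
+```
+
+## The stack
+
+| Audit | Question it answers |
+|---|---|
+| wiring | **Is it connected?** Dead symbols, test-only code, config key drift |
+| phd | **Does it meet the bar?** Exception discipline, security patterns, state bugs |
+| runtime | **Will it hang or crash?** Unbounded loops, missing timeouts, secrets in logs |
+| suite | **Is the test suite healthy?** Runs pytest, classifies real vs pollution failures |
+| quality | **External gates + execution truth.** Black, ruff, mypy, CVE scan, coverage |
+
+## Languages
+
+Auto-detects 9 languages (marker files or source files anywhere in the tree,
+root included). Python runs the full five-audit stack. Every other language
+gets a **real** syntax check plus its native test suite — and when the
+required toolchain is missing, the result is an honest `SKIP` with the
+install hint, never a fake pass:
+
+| Language | Detection | Syntax check | Test suite |
+|---|---|---|---|
+| Python | `pyproject.toml`, `setup.py`, `*.py` | `ast.parse` per file (built-in) | pytest (via `suite` audit) |
+| JS / TS | `package.json`, `*.js`, `*.ts` | `node --check`; TS via `tsc --noEmit` (TS1xxx only) | `npm test` (real script only) |
+| Java | `pom.xml`, `build.gradle`, `*.java` | `javac -proc:none` (parse errors only; classpath noise not judged) | `mvn test` / `gradlew test` |
+| Go | `go.mod`, `*.go` | `gofmt -l -e` (parse + format drift) | `go test ./...` |
+| Rust | `Cargo.toml`, `*.rs` | `cargo check` | `cargo test` |
+| C# | `*.cs` | `dotnet build` (SKIP if restore fails) | `dotnet test` |
+| C / C++ | `CMakeLists.txt`, `Makefile`, `*.c(pp)` | `gcc/clang -fsyntax-only` or `cl /Zs` per unit | `ctest` (if `build/` exists) |
+| HTML / CSS | `*.html`, `*.css`, `*.scss` | tag-balance / brace-balance (structural, stdlib) | — |
+| SQL | `*.sql` | `sqlfluff parse` (ANSI; SKIP if not installed) | — |
+
+Restrict detection with `[audit] languages = ["python", "go"]` in
+`audit-code.toml` (empty list = auto-detect all).
+
+## Exit codes
+
+| Code | Meaning |
+|---|---|
+| 0 | Audits completed, passed |
+| 1 | Completed but blocking problems found |
+| 2 | Setup or configuration error |
+| 3 | Required audit or tool crashed |
+| 4 | No supported language detected |
+
+### Severity levels
+
+Every finding has a severity: **HIGH**, **MEDIUM**, or **INFO**. Default reports
+HIGH only. Use `--medium`, `--info`, or `--all` to expand. The `phd` audit
+supports `--min-severity=HIGH` when run standalone.
+
+## The gate
+
+`audit-test gate` judges **only your working-tree diff vs HEAD**, inside a
+disposable git worktree:
+
+- **G0** syntax — changed files must parse
+- **G1** static regression — no new HIGH findings vs HEAD
+- **G2** suite green — full test suite passes
+- **G3** execution proof — every changed def + line executes under tests
+- **G4** mutation kill — injected bugs in changed lines must be caught
+
+## Design
+
+- **Fail-closed.** Crash, missing summary, unparseable file — all failures, never passes.
+- **Name-level vs execution-level.** "Test mentions this" and "body ran" are different facts.
+- **Judge the diff, not the history.** Legacy findings are baseline; only regressions fail.
+- **Honest limits.** No static tool promises semantic correctness — this stack narrows the gap.
+
+## Configuration
+
+### `.audit-test-ignore`
+
+Skip directories or files from all scans. Drop this file in your project root.
+One pattern per line, `#` for comments. Patterns are merged with built-in defaults
+(`.venv`, `node_modules`, `.git`, `__pycache__`, `dist`, `build`, etc.):
+
+```
+# .audit-test-ignore
+generated/
+third_party/
+*.pb2.py
+```
+
+Patterns match directory/file name parts (exact match, not substring).
+
+### `# audit: ok`
+
+Add `# audit: ok` to the end of any line to suppress a finding on that line.
+Use sparingly — every suppression is counted in the summary.
+
+Applies to `wiring`, `phd`, and `runtime` audits. Example:
+
+```python
+except Exception: # audit: ok (intentional swallow — benign)
+TOOL_TIMEOUT = 600 # audit: ok (tool config, not a tuning knob)
+subprocess.run(cmd) # audit: ok (audit tools ARE subprocess runners)
+```
+
+## Requirements
+
+Python 3.10+, git, pytest
+Optional (auto-detected): `coverage`, `black`, `ruff`, `mypy`, `pip-audit`, `mutmut`
+
+## License
+
+This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY-NC-ND 4.0).
+
+© Yosef Bunick. All rights reserved.
+
+You are free to:
+
+Share — copy and redistribute the material in any medium or format
+
+Under the following terms:
+
+Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made.
+NonCommercial — You may not use the material for commercial purposes.
+NoDerivatives — If you remix, transform, or build upon the material, you may not distribute the modified material.
+
+License details: https://creativecommons.org/licenses/by-nc-nd/4.0/
+
+This license applies unless otherwise explicitly stated within specific files or directories of this repository.
+
+For permission to monetize, distribute modified versions, remix, sublicense, or commercially use this repository, please contact the creator directly.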
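--- a/audit_test-0.1.0/README.md
+++ b/audit_test-0.1.0/README.md
@@ -0,0 +1,229 @@
+# audit-test
+
+**One command. One policy. One report. One fail-closed verdict.**
+
+Interrogates the quality of a repo's code *and* its tests — answers the hard
+question: **does the code work, do the tests prove it, and did my change
+break anything?**
+
+## Install
+
+```powershell
+pip install audit-test
+```
+
+Three CLI commands available after install (all identical):
+
+```powershell
+audit-test high
+audit-test high
+audit-code high
+```
+
+Or from source:
+
+```powershell
+git clone https://github.com/Yosef-Bunick/AUDIT-TEST.git
+cd AUDIT-TEST
+pip install -e .
+```
+
+## Usage
+
+Bare words or flags — both work:
+
+```powershell
+audit-test # full audit
+audit-test min # fast: wiring + phd + quality
+audit-test full # complete: all checks + raw output
+audit-test fix # auto-format (~1s)
+audit-test phd high # PHD only, HIGH only
+audit-test phd wiring medium # PHD + wiring, HIGH+MEDIUM
+audit-test -p <dir> # audit a specific project
+audit-test -s "suite lint" # skip suite + lint
+```
+
+### Flags quick reference
+
+| Short | Long | Does |
+|---|---|---|
+| `-h` | `--high` | HIGH severity only (default) |
+| `-m` | `--medium` | HIGH + MEDIUM severity |
+| | `--info` | HIGH + MEDIUM + INFO |
+| | `--all` | all findings |
+| `-v` | `--verbose` | full detail output |
+| `-f` | `--fix` | auto-format |
+| `-F` | `--full` | complete analysis |
+| `-p` | `--path` | project directory |
+| `-s` | `--skip` | skip modules (comma/space) |
+| `-H` | `--help` | show help |
+
+### Modules
+
+Any combination, bare words or `--flag`:
+
+```powershell
+audit-test phd # PHD static audit
+audit-test wiring # wiring audit
+audit-test runtime # runtime audit
+audit-test suite # test suite audit
+audit-test quality # quality gates
+audit-test syntax # all language syntax checks
+audit-test python # Python syntax only
+audit-test tests # non-Python test suites
+audit-test lint # ruff check
+audit-test black # black format
+audit-test lint fix # ruff --fix
+audit-test black fix # black format
+audit-test phd wiring medium # mix any modules + severity
+```
+
+### Change gate
+
+```powershell
+audit-test gate # judge working-tree diff vs HEAD
+audit-test gate high # block on new HIGH findings (default)
+audit-test gate medium # block on new HIGH+MEDIUM
+audit-test gate fast # skip mutation (G4)
+audit-test gate -p <dir> # gate a specific project
+```
+
+### Standalone scripts
+
+The original audit scripts also work standalone — no pip install needed.
+Copy them into any project and run directly:
+
+```powershell
+python audit_wiring.py # dead symbols, config drift
+python audit_phd.py # exception discipline, security patterns
+python audit_phd.py --min-severity=HIGH # HIGH findings only
+python audit_runtime.py # timeouts, log hygiene, prompt contracts
+python audit_suite.py # run pytest, classify failures
+python audit_quality.py # black, ruff, mypy, CVE, coverage
+python audit_gate.py # judge working-tree diff vs HEAD
+python run_all_audits.py # orchestrate all five into one report
+```
+
+## The stack
+
+| Audit | Question it answers |
+|---|---|
+| wiring | **Is it connected?** Dead symbols, test-only code, config key drift |
+| phd | **Does it meet the bar?** Exception discipline, security patterns, state bugs |
+| runtime | **Will it hang or crash?** Unbounded loops, missing timeouts, secrets in logs |
+| suite | **Is the test suite healthy?** Runs pytest, classifies real vs pollution failures |
+| quality | **External gates + execution truth.** Black, ruff, mypy, CVE scan, coverage |
+
+## Languages
+
+Auto-detects 9 languages (marker files or source files anywhere in the tree,
+root included). Python runs the full five-audit stack. Every other language
+gets a **real** syntax check plus its native test suite — and when the
+required toolchain is missing, the result is an honest `SKIP` with the
+install hint, never a fake pass:
+
+| Language | Detection | Syntax check | Test suite |
+|---|---|---|---|
+| Python | `pyproject.toml`, `setup.py`, `*.py` | `ast.parse` per file (built-in) | pytest (via `suite` audit) |
+| JS / TS | `package.json`, `*.js`, `*.ts` | `node --check`; TS via `tsc --noEmit` (TS1xxx only) | `npm test` (real script only) |
+| Java | `pom.xml`, `build.gradle`, `*.java` | `javac -proc:none` (parse errors only; classpath noise not judged) | `mvn test` / `gradlew test` |
+| Go | `go.mod`, `*.go` | `gofmt -l -e` (parse + format drift) | `go test ./...` |
+| Rust | `Cargo.toml`, `*.rs` | `cargo check` | `cargo test` |
+| C# | `*.cs` | `dotnet build` (SKIP if restore fails) | `dotnet test` |
+| C / C++ | `CMakeLists.txt`, `Makefile`, `*.c(pp)` | `gcc/clang -fsyntax-only` or `cl /Zs` per unit | `ctest` (if `build/` exists) |
+| HTML / CSS | `*.html`, `*.css`, `*.scss` | tag-balance / brace-balance (structural, stdlib) | — |
+| SQL | `*.sql` | `sqlfluff parse` (ANSI; SKIP if not installed) | — |
+
+Restrict detection with `[audit] languages = ["python", "go"]` in
+`audit-code.toml` (empty list = auto-detect all).
+
+## Exit codes
+
+| Code | Meaning |
+|---|---|
+| 0 | Audits completed, passed |
+| 1 | Completed but blocking problems found |
+| 2 | Setup or configuration error |
+| 3 | Required audit or tool crashed |
+| 4 | No supported language detected |
+
+### Severity levels
+
+Every finding has a severity: **HIGH**, **MEDIUM**, or **INFO**. Default reports
+HIGH only. Use `--medium`, `--info`, or `--all` to expand. The `phd` audit
+supports `--min-severity=HIGH` when run standalone.
+
+## The gate
+
+`audit-test gate` judges **only your working-tree diff vs HEAD**, inside a
+disposable git worktree:
+
+- **G0** syntax — changed files must parse
+- **G1** static regression — no new HIGH findings vs HEAD
+- **G2** suite green — full test suite passes
+- **G3** execution proof — every changed def + line executes under tests
+- **G4** mutation kill — injected bugs in changed lines must be caught
+
+## Design
+
+- **Fail-closed.** Crash, missing summary, unparseable file — all failures, never passes.
+- **Name-level vs execution-level.** "Test mentions this" and "body ran" are different facts.
+- **Judge the diff, not the history.** Legacy findings are baseline; only regressions fail.
+- **Honest limits.** No static tool promises semantic correctness — this stack narrows the gap.
+
+## Configuration
+
+### `.audit-test-ignore`
+
+Skip directories or files from all scans. Drop this file in your project root.
+One pattern per line, `#` for comments. Patterns are merged with built-in defaults
+(`.venv`, `node_modules`, `.git`, `__pycache__`, `dist`, `build`, etc.):
+
+```
+# .audit-test-ignore
+generated/
+third_party/
+*.pb2.py
+```
+
+Patterns match directory/file name parts (exact match, not substring).
+
+### `# audit: ok`
+
+Add `# audit: ok` to the end of any line to suppress a finding on that line.
+Use sparingly — every suppression is counted in the summary.
+
+Applies to `wiring`, `phd`, and `runtime` audits. Example:
+
+```python
+except Exception: # audit: ok (intentional swallow — benign)
+TOOL_TIMEOUT = 600 # audit: ok (tool config, not a tuning knob)
+subprocess.run(cmd) # audit: ok (audit tools ARE subprocess runners)
+```
+
+## Requirements
+
+Python 3.10+, git, pytest
+Optional (auto-detected): `coverage`, `black`, `ruff`, `mypy`, `pip-audit`, `mutmut`
+
+## License
+
+This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY-NC-ND 4.0).
+
+© Yosef Bunick. All rights reserved.
+
+You are free to:
+
+Share — copy and redistribute the material in any medium or format
+
+Under the following terms:
+
+Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made.
+NonCommercial — You may not use the material for commercial purposes.
+NoDerivatives — If you remix, transform, or build upon the material, you may not distribute the modified material.
+
+License details: https://creativecommons.org/licenses/by-nc-nd/4.0/
+
+This license applies unless otherwise explicitly stated within specific files or directories of this repository.
+
+For permission to monetize, distribute modified versions, remix, sublicense, or commercially use this repository, please contact the creator directly.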
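--- a/audit_test-0.1.0/pyproject.toml
+++ b/audit_test-0.1.0/pyproject.toml
@@ -0,0 +1,27 @@
+[build-system]
+requires = ["setuptools>=68"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "audit-test"
+version = "0.1.0"
+description = "Code and test verification orchestrator — interrogates code quality AND whether tests genuinely prove correctness"
+requires-python = ">=3.10"
+license = {text = "MIT"}
+readme = "README.md"
+
+[project.scripts]
+audit-code = "audit_code.cli:main"
+audit-test = "audit_code.cli:main"
+audit-tests = "audit_code.cli:main"
+
+[tool.setuptools.packages.find]
+where = ["src"]
+
+[tool.ruff.lint]
+ignore = [
+"S101", "S105", "S110", "S112", "S603", "S607",
+"B007", # unused loop variable (legitimate in AST walkers)
+"B023", # function binding loop variable
+"B905", # zip() without strict (pre-3.10 compat)
+]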
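Review bot: `license = {text = "MIT"}` at line 10 of `[project]` contradicts the bundled LICENSE file and the README's License section, both of which declare CC BY-NC-ND 4.0, and the generated PKG-INFO already carries `License: MIT`, so the registry advertises terms the author did not grant; pointing the metadata at the file, `license = {file = "LICENSE"}`, keeps the two from drifting again. The `[tool.ruff.lint]` ignore list at lines 22-27 silences the whole `S` (security) family the tool itself claims to check for (`S101`, `S105`, `S110`, `S112`, `S603`, `S607`) with no justification, unlike the three `B` codes below it, which each carry a reason; a comment per code, or per-file `# noqa` where the subprocess and try/except-pass usage is deliberate, would make the suppression reviewable. Separately, `[project.scripts]` registers `audit-code`, `audit-test` and `audit-tests`, while the README's "Three CLI commands" block lists `audit-test high` twice and never mentions `audit-tests`.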
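--- a/audit_test-0.1.0/src/audit_code/adapters/__init__.py
+++ b/audit_test-0.1.0/src/audit_code/adapters/__init__.py
@@ -0,0 +1,34 @@
+"""Language adapters — one per supported language."""
+
+from pathlib import Path
+
+from audit_code.adapters.cpp.adapter import CppAdapter
+from audit_code.adapters.csharp.adapter import CsharpAdapter
+from audit_code.adapters.go.adapter import GoAdapter
+from audit_code.adapters.html.adapter import HtmlAdapter
+from audit_code.adapters.java.adapter import JavaAdapter
+from audit_code.adapters.javascript.adapter import JavaScriptAdapter
+from audit_code.adapters.python.adapter import PythonAdapter
+from audit_code.adapters.rust.adapter import RustAdapter
+from audit_code.adapters.sql.adapter import SqlAdapter
+
+ALL = [
+PythonAdapter,
+JavaScriptAdapter,
+JavaAdapter,
+GoAdapter,
+RustAdapter,
+CsharpAdapter,
+CppAdapter,
+HtmlAdapter,
+SqlAdapter,
+]
+
+
+def discover(target_root: Path) -> list:
+"""Return the adapter classes for every language detected in the target.
+
+Detection only — the runner decides when to run syntax checks and test
+suites so their results land in the report.
+"""
+return [a for a in ALL if a.detect(target_root)]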
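Review bot: `discover` at line 28 is annotated `-> list`, which drops the element type even though `requires-python = ">=3.10"` in this release allows `-> list[type]`; the comprehension only ever yields members of `ALL`, which holds the imported adapter classes, so the narrower annotation is safe and tells callers they receive classes, not instances. The docstring would benefit from saying the same, e.g. `Adapters are returned as classes; ``detect`` is invoked on the class, not on an instance.` — the signature of `detect` lives in `adapters/base.py`, outside this hunk, so that wording should be confirmed against it. `ALL` is a plain mutable module-level list that `discover` reads at call time; if it is meant to be the fixed registry, a tuple or a short comment stating that order matters (Python is tried first) would document the intent.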