intent-audit-harness 1.2.0__tar.gz

intent_audit_harness-1.2.0/.gitignore

@@ -0,0 +1,40 @@
+node_modules/
+dist/
+*.tgz
+.DS_Store
+coverage/
+build/
+reports/
+
+# NOTE: .harness-hash is INTENTIONALLY tracked, not ignored.
+# Per iep-P3 iah-self-pin (bd_000-projects-itpl) + audit-harness CLAUDE.md
+# design rule 5 ("the harness tests itself"): the manifest IS the policy
+# commitment. CI's `harness-hash --verify` step (hard-fail since v1.1.0)
+# compares working-tree hashes against the committed manifest. If
+# .harness-hash were gitignored, --verify would either compare against a
+# locally-regenerated manifest (no integrity guarantee) or fail with
+# exit-3 (no manifest) — both useless.
+
+# Python wrapper build artifacts
+python/.venv/
+python/dist/
+python/build/
+python/*.egg-info/
+**/__pycache__/
+*.pyc
+
+# Rust wrapper build artifacts
+rust/target/
+rust/Cargo.lock
+
+# Beads / Dolt files (added by bd init)
+.dolt/
+*.db
+.beads-credential-key
+
+# Auto-generated by ~/.claude/skills/sync-testing-harness/ (weekly cron). Operational state, not policy commitment.
+/HARNESS-SYNC-REPORT.md
+
+# crap-score writes reports/ into whatever dir `audit --deep` runs in;
+# the audit suite exercises it on fixtures — never commit those generated artifacts.
+tests/fixtures/audit/**/reports/

intent_audit_harness-1.2.0/PKG-INFO

@@ -0,0 +1,76 @@
+Metadata-Version: 2.4
+Name: intent-audit-harness
+Version: 1.2.0
+Summary: Deterministic test-enforcement harness — escape-scan, hash-pinning, CRAP, architecture checks, bias detection, Gherkin lint. Python-native wrapper around the @intentsolutions/audit-harness toolkit.
+Project-URL: Homepage, https://github.com/jeremylongshore/intent-audit-harness
+Project-URL: Repository, https://github.com/jeremylongshore/intent-audit-harness
+Project-URL: Issues, https://github.com/jeremylongshore/intent-audit-harness/issues
+Project-URL: Changelog, https://github.com/jeremylongshore/intent-audit-harness/blob/main/CHANGELOG.md
+Author-email: Jeremy Longshore <jeremy@intentsolutions.io>
+License: Apache-2.0
+Keywords: 7-layer-testing,ai-containment,architecture,claude-code,coverage-gate,crap,escape-scan,hash-pin,mutation-testing,test-audit,testing
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Operating System :: MacOS
+Classifier: Operating System :: POSIX
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: Topic :: Software Development :: Quality Assurance
+Classifier: Topic :: Software Development :: Testing
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown
+
+# intent-audit-harness (Python)
+
+Python-native install of the Intent Solutions deterministic test-enforcement toolkit.
+
+Mirrors the CLI surface of the Node package
+[`@intentsolutions/audit-harness`](https://www.npmjs.com/package/@intentsolutions/audit-harness)
+so the command line is identical across ecosystems.
+
+## Install
+
+```bash
+pip install intent-audit-harness
+# or, inside a project venv:
+python -m pip install intent-audit-harness
+```
+
+This ships a console script `audit-harness` and a module entry point
+`python -m intent_audit_harness`.
+
+## Requirements
+
+- Python 3.8+
+- `bash` available on `PATH` (Linux, macOS, or WSL)
+- `python3` on `PATH` for the `crap` subcommand
+- Optional per-subcommand tools: `radon` / `gocyclo` / `dependency-cruiser` / `import-linter`
+
+## Usage
+
+```bash
+audit-harness --help
+audit-harness verify
+audit-harness escape-scan --staged
+audit-harness crap src/
+```
+
+See the root project for the full docs:
+<https://github.com/jeremylongshore/intent-audit-harness>
+
+## What this package does
+
+Dispatches to the same shell/python scripts shipped with the canonical npm package.
+The Python wheel bundles:
+
+- `harness-hash.sh`  — pinning / verification
+- `escape-scan.sh`   — diff scanner for AI escape grammar
+- `arch-check.sh`    — language-appropriate architecture checker
+- `bias-count.sh`    — test-bias heuristics
+- `gherkin-lint.sh`  — advisory Gherkin quality check
+- `crap-score.py`    — CRAP (complexity x coverage) scorer
+
+## License
+
+MIT

intent_audit_harness-1.2.0/README.md

@@ -0,0 +1,53 @@
+# intent-audit-harness (Python)
+
+Python-native install of the Intent Solutions deterministic test-enforcement toolkit.
+
+Mirrors the CLI surface of the Node package
+[`@intentsolutions/audit-harness`](https://www.npmjs.com/package/@intentsolutions/audit-harness)
+so the command line is identical across ecosystems.
+
+## Install
+
+```bash
+pip install intent-audit-harness
+# or, inside a project venv:
+python -m pip install intent-audit-harness
+```
+
+This ships a console script `audit-harness` and a module entry point
+`python -m intent_audit_harness`.
+
+## Requirements
+
+- Python 3.8+
+- `bash` available on `PATH` (Linux, macOS, or WSL)
+- `python3` on `PATH` for the `crap` subcommand
+- Optional per-subcommand tools: `radon` / `gocyclo` / `dependency-cruiser` / `import-linter`
+
+## Usage
+
+```bash
+audit-harness --help
+audit-harness verify
+audit-harness escape-scan --staged
+audit-harness crap src/
+```
+
+See the root project for the full docs:
+<https://github.com/jeremylongshore/intent-audit-harness>
+
+## What this package does
+
+Dispatches to the same shell/python scripts shipped with the canonical npm package.
+The Python wheel bundles:
+
+- `harness-hash.sh`  — pinning / verification
+- `escape-scan.sh`   — diff scanner for AI escape grammar
+- `arch-check.sh`    — language-appropriate architecture checker
+- `bias-count.sh`    — test-bias heuristics
+- `gherkin-lint.sh`  — advisory Gherkin quality check
+- `crap-score.py`    — CRAP (complexity x coverage) scorer
+
+## License
+
+MIT

intent_audit_harness-1.2.0/pyproject.toml

@@ -0,0 +1,60 @@
+[build-system]
+requires = ["hatchling>=1.21"]
+build-backend = "hatchling.build"
+
+[project]
+name = "intent-audit-harness"
+version = "1.2.0"
+description = "Deterministic test-enforcement harness — escape-scan, hash-pinning, CRAP, architecture checks, bias detection, Gherkin lint. Python-native wrapper around the @intentsolutions/audit-harness toolkit."
+readme = "README.md"
+requires-python = ">=3.8"
+license = { text = "Apache-2.0" }
+authors = [
+  { name = "Jeremy Longshore", email = "jeremy@intentsolutions.io" },
+]
+keywords = [
+  "testing",
+  "test-audit",
+  "hash-pin",
+  "escape-scan",
+  "crap",
+  "architecture",
+  "mutation-testing",
+  "coverage-gate",
+  "7-layer-testing",
+  "claude-code",
+  "ai-containment",
+]
+classifiers = [
+  "Development Status :: 4 - Beta",
+  "Intended Audience :: Developers",
+  "License :: OSI Approved :: Apache Software License",
+  "Operating System :: POSIX",
+  "Operating System :: MacOS",
+  "Programming Language :: Python :: 3",
+  "Programming Language :: Python :: 3 :: Only",
+  "Topic :: Software Development :: Quality Assurance",
+  "Topic :: Software Development :: Testing",
+]
+dependencies = []
+
+[project.urls]
+Homepage = "https://github.com/jeremylongshore/intent-audit-harness"
+Repository = "https://github.com/jeremylongshore/intent-audit-harness"
+Issues = "https://github.com/jeremylongshore/intent-audit-harness/issues"
+Changelog = "https://github.com/jeremylongshore/intent-audit-harness/blob/main/CHANGELOG.md"
+
+[project.scripts]
+audit-harness = "intent_audit_harness.cli:main"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/intent_audit_harness"]
+
+[tool.hatch.build.targets.sdist]
+include = [
+  "/src",
+  "/README.md",
+  "/pyproject.toml",
+  "/LICENSE",
+  "/NOTICE",
+]

intent_audit_harness-1.2.0/src/intent_audit_harness/__init__.py

@@ -0,0 +1,10 @@
+"""intent-audit-harness — deterministic test-enforcement toolkit.
+
+Python-native wrapper around the canonical shell/python scripts maintained at
+https://github.com/jeremylongshore/intent-audit-harness.
+
+The Python package mirrors the CLI surface of the Node package
+``@intentsolutions/audit-harness`` so commands are identical across languages.
+"""
+
+__version__ = "1.2.0"

intent_audit_harness-1.2.0/src/intent_audit_harness/__main__.py

@@ -0,0 +1,5 @@
+"""Entry point for ``python -m intent_audit_harness``."""
+from .cli import main
+
+if __name__ == "__main__":
+    main()

intent_audit_harness-1.2.0/src/intent_audit_harness/cli.py

@@ -0,0 +1,125 @@
+"""CLI dispatcher — thin wrapper that shells out to the bundled scripts.
+
+Mirrors the command surface of ``@intentsolutions/audit-harness``:
+
+    verify | init | list | escape-scan | arch | bias | gherkin-lint | crap
+
+The scripts are shipped inside the wheel as package data; we resolve their
+filesystem path via ``importlib.resources`` and invoke ``bash``/``python3``.
+"""
+from __future__ import annotations
+
+import shutil
+import stat
+import subprocess
+import sys
+from importlib import resources
+from pathlib import Path
+from typing import Iterable
+
+from . import __version__
+
+COMMANDS: dict[str, tuple[str, list[str]]] = {
+    "verify":       ("harness-hash.sh",  ["--verify"]),
+    "init":         ("harness-hash.sh",  ["--init"]),
+    "list":         ("harness-hash.sh",  ["--list"]),
+    "escape-scan":  ("escape-scan.sh",   []),
+    "arch":         ("arch-check.sh",    []),
+    "bias":         ("bias-count.sh",    []),
+    "gherkin-lint": ("gherkin-lint.sh",  []),
+    "crap":         ("crap-score.py",    []),
+}
+
+USAGE = """audit-harness — deterministic test-enforcement toolkit (Python)
+
+Usage:
+  audit-harness <command> [args...]
+
+Commands:
+  verify                   Verify hash-pinned artifacts (exit 2 = HARNESS_TAMPERED)
+  init                     Initialize or re-init the .harness-hash manifest
+  list                     List currently pinned files
+  escape-scan <source>     Scan a diff for escape attempts
+                           source: --staged | --range A..B | - (stdin) | path.patch
+  arch                     Run architecture-rule checks (Wall 7)
+  bias                     Count test-bias patterns (tautology, smoke-only, etc.)
+  gherkin-lint             Advisory Gherkin quality check
+  crap [args...]           CRAP complexity x coverage scorer (multi-language)
+
+Options:
+  --version, -v            Print version
+  --help, -h               Print this help
+
+Exit codes (escape-scan):
+  0 = clean
+  1 = CHALLENGE (engineer-approved comment required)
+  2 = REFUSE (pipeline halted)
+"""
+
+
+def _script_path(name: str) -> Path:
+    """Return the on-disk path of a bundled script, ensuring it's executable."""
+    # importlib.resources.files -> Traversable; .joinpath returns a Path-like
+    # When installed from a wheel, this resolves to the extracted scripts/ dir.
+    pkg_scripts = resources.files("intent_audit_harness").joinpath("scripts")
+    path = Path(str(pkg_scripts.joinpath(name)))
+    if not path.exists():
+        print(f"audit-harness: script not found at {path}", file=sys.stderr)
+        sys.exit(2)
+    # Ensure executable bit for shell scripts (wheels don't always preserve it)
+    try:
+        mode = path.stat().st_mode
+        path.chmod(mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
+    except OSError:
+        pass  # best-effort; we always invoke via explicit interpreter anyway
+    return path
+
+
+def _interpreter_for(script: str) -> str:
+    return "python3" if script.endswith(".py") else "bash"
+
+
+def _dispatch(cmd: str, extra_args: Iterable[str]) -> int:
+    script, default_args = COMMANDS[cmd]
+    script_path = _script_path(script)
+    interpreter = _interpreter_for(script)
+
+    if shutil.which(interpreter) is None:
+        print(
+            f"audit-harness: required interpreter '{interpreter}' not found on PATH",
+            file=sys.stderr,
+        )
+        return 2
+
+    argv = [interpreter, str(script_path), *default_args, *extra_args]
+    try:
+        completed = subprocess.run(argv, check=False)
+    except OSError as exc:
+        print(f"audit-harness: failed to spawn {interpreter}: {exc}", file=sys.stderr)
+        return 2
+    return completed.returncode
+
+
+def main(argv: list[str] | None = None) -> int:
+    args = list(argv if argv is not None else sys.argv[1:])
+
+    if not args or args[0] in ("--help", "-h"):
+        print(USAGE)
+        return 0
+
+    if args[0] in ("--version", "-v"):
+        print(__version__)
+        return 0
+
+    cmd, rest = args[0], args[1:]
+    if cmd not in COMMANDS:
+        print(f"audit-harness: unknown command '{cmd}'", file=sys.stderr)
+        print(USAGE, file=sys.stderr)
+        return 2
+
+    rc = _dispatch(cmd, rest)
+    return rc
+
+
+if __name__ == "__main__":  # pragma: no cover
+    sys.exit(main())

intent_audit_harness-1.2.0/src/intent_audit_harness/scripts/arch-check.sh

@@ -0,0 +1,185 @@
+#!/usr/bin/env bash
+# arch-check.sh — Wall 7 architecture-constraint dispatcher.
+#
+# Detects the primary language of the repo, invokes the appropriate
+# dependency / architecture checker with the project's rule pack, and
+# normalizes the exit code.
+#
+# Exit codes:
+#   0 — all rules pass
+#   1 — rule violations detected
+#   2 — no tool installed / no config / unsupported language
+#
+# Usage:
+#   bash arch-check.sh              # run from repo root
+#   bash arch-check.sh --json       # emit JSON summary to stdout
+#   bash arch-check.sh --help
+
+set -euo pipefail
+
+# Bash version floor: these gates rely on bash 4+ features. Refuse early with a
+# clear message on bash 3.x (e.g. macOS system bash) instead of failing later
+# with a cryptic syntax error (jcgw).
+[ "${BASH_VERSINFO:-0}" -ge 4 ] || { echo 'audit-harness requires bash >= 4' >&2; exit 3; }
+
+# Cross-platform SHA-256: `sha256sum` ships with GNU coreutils (Linux);
+# macOS only has `shasum -a 256`. Both produce identical `<hash>  <file>`
+# output, so downstream awk parsing is unchanged. Same pattern as
+# harness-hash.sh / escape-scan.sh / bias-count.sh.
+if command -v sha256sum >/dev/null 2>&1; then
+  SHA256_CMD=(sha256sum)
+elif command -v shasum >/dev/null 2>&1; then
+  SHA256_CMD=(shasum -a 256)
+else
+  echo "arch-check: neither sha256sum nor shasum found in PATH" >&2
+  exit 2
+fi
+
+ROOT="${ROOT:-$(pwd)}"
+JSON_OUT=0
+REPORT_DIR="${ROOT}/reports/arch"
+
+usage() {
+  sed -n '2,20p' "$0"
+  exit 0
+}
+
+for arg in "$@"; do
+  case "$arg" in
+    --json) JSON_OUT=1 ;;
+    --help|-h) usage ;;
+    *) echo "arch-check: unknown flag $arg" >&2; exit 2 ;;
+  esac
+done
+
+mkdir -p "$REPORT_DIR"
+
+emit_result() {
+  local tool="$1" status="$2" violations="$3" log="$4"
+  if [[ "$JSON_OUT" -eq 1 ]]; then
+    # status: pass / fail / missing-tool / not-configured
+    local result
+    case "$status" in
+      pass) result="PASS" ;;
+      fail) result="FAIL" ;;
+      missing-tool|not-configured) result="NOT_APPLICABLE" ;;
+      *) result="ADVISORY" ;;
+    esac
+    local input_hash="sha256:0000000000000000000000000000000000000000000000000000000000000000"
+    local policy_hash="sha256:0000000000000000000000000000000000000000000000000000000000000000"
+    # Best-effort: input_hash is the source tree fingerprint when running against ROOT/src
+    if [[ -d "${ROOT}/src" ]]; then
+      input_hash=$(find "${ROOT}/src" -type f \( -name "*.ts" -o -name "*.tsx" -o -name "*.js" -o -name "*.py" -o -name "*.go" -o -name "*.rs" -o -name "*.java" -o -name "*.kt" -o -name "*.cs" -o -name "*.php" \) -exec "${SHA256_CMD[@]}" {} \; 2>/dev/null | sort | "${SHA256_CMD[@]}" | awk '{print "sha256:"$1}')
+    fi
+    # Hash the architecture rule config (whichever tool's config was used)
+    for cfg in .dependency-cruiser.js .dependency-cruiser.cjs .importlinter deptrac.yaml arch-go.yml; do
+      if [[ -f "${ROOT}/${cfg}" ]]; then
+        policy_hash=$("${SHA256_CMD[@]}" "${ROOT}/${cfg}" | awk '{print "sha256:"$1}')
+        break
+      fi
+    done
+    local fail_block=""
+    [[ "$result" == "FAIL" ]] && fail_block=',"failure_mode":"arch-violation"'
+    printf '{"gate_id":"audit-harness:%s:arch-check","result":"%s"%s,"input_hash":"%s","policy_hash":"%s","metadata":{"tool":"%s","status":"%s","violations":%s,"log":"%s"}}\n' \
+      "${AUDIT_HARNESS_SIDE:-ci}" "$result" "$fail_block" "$input_hash" "$policy_hash" \
+      "$tool" "$status" "$violations" "$log"
+  else
+    echo "arch-check: tool=$tool status=$status violations=$violations"
+    echo "           log=$log"
+  fi
+}
+
+# 1. dependency-cruiser (JS/TS)
+if [[ -f "${ROOT}/.dependency-cruiser.js" || -f "${ROOT}/.dependency-cruiser.cjs" ]]; then
+  LOG="${REPORT_DIR}/dep-cruiser.log"
+  if command -v npx >/dev/null 2>&1; then
+    if npx --no-install dependency-cruiser --validate --output-type err "${ROOT}/src" > "$LOG" 2>&1; then
+      emit_result dependency-cruiser pass 0 "$LOG"
+      exit 0
+    else
+      VIOL=$(grep -c "error" "$LOG" || echo 0)
+      emit_result dependency-cruiser fail "$VIOL" "$LOG"
+      exit 1
+    fi
+  else
+    emit_result dependency-cruiser missing-tool 0 "$LOG"
+    exit 2
+  fi
+fi
+
+# 2. import-linter (Python)
+if [[ -f "${ROOT}/.importlinter" ]] || grep -q "^\[importlinter\]" "${ROOT}/pyproject.toml" 2>/dev/null; then
+  LOG="${REPORT_DIR}/import-linter.log"
+  if command -v lint-imports >/dev/null 2>&1; then
+    if (cd "$ROOT" && lint-imports) > "$LOG" 2>&1; then
+      emit_result import-linter pass 0 "$LOG"
+      exit 0
+    else
+      VIOL=$(grep -c "BROKEN" "$LOG" || echo 0)
+      emit_result import-linter fail "$VIOL" "$LOG"
+      exit 1
+    fi
+  else
+    emit_result import-linter missing-tool 0 "$LOG"
+    exit 2
+  fi
+fi
+
+# 3. deptrac (PHP)
+if [[ -f "${ROOT}/deptrac.yaml" ]]; then
+  LOG="${REPORT_DIR}/deptrac.log"
+  if [[ -x "${ROOT}/vendor/bin/deptrac" ]]; then
+    if (cd "$ROOT" && vendor/bin/deptrac analyse --no-progress) > "$LOG" 2>&1; then
+      emit_result deptrac pass 0 "$LOG"
+      exit 0
+    else
+      VIOL=$(grep -Ec "violation" "$LOG" || echo 0)
+      emit_result deptrac fail "$VIOL" "$LOG"
+      exit 1
+    fi
+  else
+    emit_result deptrac missing-tool 0 "$LOG"
+    exit 2
+  fi
+fi
+
+# 4. arch-go
+if [[ -f "${ROOT}/arch-go.yml" ]]; then
+  LOG="${REPORT_DIR}/arch-go.log"
+  if command -v arch-go >/dev/null 2>&1; then
+    if (cd "$ROOT" && arch-go) > "$LOG" 2>&1; then
+      emit_result arch-go pass 0 "$LOG"
+      exit 0
+    else
+      VIOL=$(grep -c "Violation" "$LOG" || echo 0)
+      emit_result arch-go fail "$VIOL" "$LOG"
+      exit 1
+    fi
+  else
+    emit_result arch-go missing-tool 0 "$LOG"
+    exit 2
+  fi
+fi
+
+# 5. ArchUnit (Java/Kotlin) — run via build tool
+if [[ -f "${ROOT}/build.gradle" || -f "${ROOT}/build.gradle.kts" ]] && \
+   grep -rq "com.tngtech.archunit" "${ROOT}" --include="*.gradle*" 2>/dev/null; then
+  LOG="${REPORT_DIR}/archunit.log"
+  if [[ -x "${ROOT}/gradlew" ]]; then
+    if (cd "$ROOT" && ./gradlew test --tests '*ArchitectureTest*' --tests '*ArchTest*') > "$LOG" 2>&1; then
+      emit_result archunit pass 0 "$LOG"
+      exit 0
+    else
+      VIOL=$(grep -Ec "violated|FAILED" "$LOG" || echo 0)
+      emit_result archunit fail "$VIOL" "$LOG"
+      exit 1
+    fi
+  else
+    emit_result archunit missing-tool 0 "$LOG"
+    exit 2
+  fi
+fi
+
+# No tool / config found
+emit_result none not-configured 0 "$REPORT_DIR/none.log"
+exit 2