f77c1b7fdc
Security hotfix — v0.15.1 Wave 1 fixes from 4-parallel audit. RED-1 (CVE): KEI_DISABLED_HOOKS tokenized match — was `*all*` substring-glob (trivially bypassable via "install", "wall-clock", etc.), now exact-token split on comma/space. Patched in all 9 hooks: no-hand-edit-agents, assemble-agents, assemble-validate, tomd-preread, agent-fork-logger, site-wysiwyd-check, error-spike-detector, milestone-commit-hook, session-end-dump. RED-2 (observability): minimal profile whitelist now includes agent-fork-logger and session-end-dump (ledger + trace paths) so observability is not silently lost on minimal installs. HIGH: review.json schema minItems:1 on findings — rejects empty reviews; new Rust test review_schema_rejects_empty_findings. HIGH: typed-handoff wire-up — produces_artifact declared at top level on 5 manifests (kei-security-auditor, kei-validator, kei-architect, kei-code-implementer, kei-critic); duplicate per-handoff declarations removed. MED: kei-artifact validate.rs gains warn_unsupported_keywords — non-fatal stderr warning when schema uses keywords outside the hand-rolled 2020-12 subset. LOW: CI Node matrix dropped 18, now ['20','22']. Doc drift: skills/hooks-control/SKILL.md reflects tokenized-match semantics and updated minimal-profile hook list. Tests: 191 Rust workspace + 30 assembler (both pass). RED-1 reproducer 10/10 (4 former-CVE vectors blocked, 5 legit vectors accepted, empty passes). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
79 lines
2.3 KiB
YAML
79 lines
2.3 KiB
YAML
name: CI
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
pull_request:
|
|
|
|
jobs:
|
|
rust-assembler:
|
|
runs-on: ${{ matrix.os }}
|
|
strategy:
|
|
matrix:
|
|
os: [ubuntu-latest, macos-latest]
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: dtolnay/rust-toolchain@stable
|
|
- uses: Swatinem/rust-cache@v2
|
|
with:
|
|
workspaces: _assembler
|
|
- run: cd _assembler && cargo test --release
|
|
|
|
rust-primitives:
|
|
runs-on: ${{ matrix.os }}
|
|
strategy:
|
|
matrix:
|
|
os: [ubuntu-latest, macos-latest]
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: dtolnay/rust-toolchain@stable
|
|
- uses: Swatinem/rust-cache@v2
|
|
with:
|
|
workspaces: _primitives/_rust
|
|
- run: cd _primitives/_rust && cargo test --workspace --release
|
|
|
|
ts-packages:
|
|
runs-on: ${{ matrix.os }}
|
|
strategy:
|
|
matrix:
|
|
os: [ubuntu-latest, macos-latest]
|
|
node: ['20', '22']
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version: ${{ matrix.node }}
|
|
- run: cd _ts_packages && npm ci
|
|
- run: cd _ts_packages && npm run build --workspaces
|
|
- run: cd _ts_packages && npm test --workspaces --if-present
|
|
|
|
install-dry-run:
|
|
runs-on: ${{ matrix.os }}
|
|
strategy:
|
|
matrix:
|
|
os: [ubuntu-latest, macos-latest]
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: dtolnay/rust-toolchain@stable
|
|
- name: Install hard deps (Ubuntu)
|
|
if: matrix.os == 'ubuntu-latest'
|
|
run: sudo apt-get update && sudo apt-get install -y jq pandoc
|
|
- name: Install hard deps (macOS)
|
|
if: matrix.os == 'macos-latest'
|
|
run: brew install jq pandoc
|
|
- run: bash -n install.sh
|
|
- run: ./install.sh --no-execute --profile=minimal
|
|
- run: ./install.sh --no-execute --profile=dev
|
|
- run: ./install.sh --no-execute --profile=full
|
|
|
|
shell-lint:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- run: sudo apt-get update && sudo apt-get install -y shellcheck
|
|
- name: shellcheck (advisory)
|
|
run: find hooks _primitives -name '*.sh' -exec shellcheck -S warning {} +
|
|
# v0.15.1: kept advisory because local shellcheck sweep not yet clean
|
|
# (quoted-var nits in hooks). Flip to fatal once the sweep is committed;
|
|
# planned for v0.16.
|
|
continue-on-error: true
|