diff --git a/.github/workflows/public-logic-ci.yml b/.github/workflows/public-logic-ci.yml
new file mode 100644
index 0000000..2809772
--- /dev/null
+++ b/.github/workflows/public-logic-ci.yml
@@ -0,0 +1,68 @@
+name: Public Logic CI
+
+on:
+ pull_request:
+ branches:
+ - main
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: read
+
+jobs:
+ validate-public-logic:
+ runs-on: ubuntu-latest
+ timeout-minutes: 20
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ submodules: recursive
+
+ - name: Setup Node
+ uses: actions/setup-node@v4
+ with:
+ node-version: "20"
+ cache: npm
+ cache-dependency-path: governance/seven-shadow-system/package-lock.json
+
+ - name: Validate policy JSON
+ run: python3 -m json.tool .seven-shadow/policy.json >/dev/null
+
+ - name: Validate leveling JSON
+ run: python3 -m json.tool leveling.example.json >/dev/null
+
+ - name: Validate public document links
+ run: |
+ python3 - <<'PY'
+ import pathlib
+ import re
+ import sys
+
+ files = [pathlib.Path("README.md"), pathlib.Path("ARCHITECTURE.md")]
+ missing = []
+
+ for file_path in files:
+ text = file_path.read_text(encoding="utf-8")
+ for match in re.finditer(r"\[[^\]]+\]\(([^)]+)\)", text):
+ target = match.group(1).split("#", 1)[0].strip()
+ if not target or target.startswith(("http://", "https://", "mailto:")):
+ continue
+ if not (file_path.parent / target).exists():
+ missing.append((str(file_path), target))
+
+ if missing:
+ for file_path, target in missing:
+ print(f"Missing relative link target in {file_path}: {target}")
+ sys.exit(1)
+ PY
+
+ - name: Install governance dependencies
+ run: npm ci
+ working-directory: governance/seven-shadow-system
+
+ - name: Build governance package
+ run: npm run build
+ working-directory: governance/seven-shadow-system
diff --git a/docs/audits/public-logic-audit-2026-02-22.md b/docs/audits/public-logic-audit-2026-02-22.md
new file mode 100644
index 0000000..6910ce8
--- /dev/null
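Review bot: The `uses: actions/checkout@v4` and `uses: actions/setup-node@v4` steps in the new workflow pin to mutable major-version tags; for a job whose purpose is to validate governance logic, pin each to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4` (SHA to be looked up from the action's release), so a retagged action cannot silently change what runs on `main`. The `permissions: contents: read` block already keeps the job token read-only, which bounds what dependency lifecycle scripts run by the `npm ci` step in the submodule could do with it; if the governance build does not rely on those scripts, `run: npm ci --ignore-scripts` would narrow that further, though the hunk does not show whether the build needs them. The inline link checker treats the whole parenthesised group as a path, so a link written as `[x](path "title")` or `[x](<path>)` will be reported missing; `target = match.group(1).split("#", 1)[0].strip().split(" ", 1)[0].strip("<>")` handles the title and angle-bracket forms (Markdown requires angle brackets for paths containing spaces). Whether the hard-coded `files` list should cover other public documents is a project decision, but a comment on that line stating that it is intentionally limited to the two top-level docs would save the next reader from assuming it is a general doc scan.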
+++ b/docs/audits/public-logic-audit-2026-02-22.md
@@ -0,0 +1,40 @@
+# Public Logic Audit - 2026-02-22
+
+## Repo
+- VontaJamal/shadow-gate
+
+## Scope
+- Deep quality-control on existing public-facing logic only.
+- No net-new product features.
+
+## Baseline Snapshot
+- Open PR count at start: 0
+- Default branch: main
+- Latest default-branch run (at start):
+ - None detected on default branch
+
+## Public Surface Inventory
+- README and architecture docs
+- Seven Shadow policy and governance wiring
+- Governance submodule build path
+- Public workflow coverage for existing governance logic
+
+## Command Matrix
+| Check | Result | Notes |
+|---|---|---|
+| `.seven-shadow/policy.json` parse | PASS | Valid JSON |
+| `leveling.example.json` parse | PASS | Valid JSON |
+| `npm --prefix governance/seven-shadow-system ci` | PASS | Governance dependency install succeeded |
+| `npm --prefix governance/seven-shadow-system run build` | PASS | Governance build succeeded |
+| README/architecture link integrity | PASS | Relative links in public docs resolve |
+
+## Findings Register
+| Severity | Area | Repro | Status | Fix |
+|---|---|---|---|---|
+| P1 | CI coverage gap | No default-branch `push`/`pull_request` workflow validated public governance logic | Fixed | Added `Public Logic CI` workflow on `main` push/PR |
+
+## Residual Risks / Follow-ups
+- Continue monitoring governance submodule and policy bundle mode behavior in future waves.
+
+## Attestation
+- This wave is maintenance and hardening only.