From 2ce74029dc73c51797e6e8e1b48f08fcf17e6ece Mon Sep 17 00:00:00 2001
From: Vonta
Date: Sun, 22 Feb 2026 14:01:40 -0500
Subject: [PATCH 1/2] chore: add public logic audit baseline artifact
---
docs/audits/public-logic-audit-2026-02-22.md | 36 ++++++++++++++++++++
1 file changed, 36 insertions(+)
create mode 100644 docs/audits/public-logic-audit-2026-02-22.md
diff --git a/docs/audits/public-logic-audit-2026-02-22.md b/docs/audits/public-logic-audit-2026-02-22.md
new file mode 100644
index 0000000..ff21fd0
--- /dev/null
+++ b/docs/audits/public-logic-audit-2026-02-22.md
@@ -0,0 +1,36 @@
+# Public Logic Audit - 2026-02-22
+
+## Repo
+- VontaJamal/shadow-gate
+
+## Scope
+- Deep quality-control on existing public-facing logic only.
+- No net-new product features.
+
+## Baseline Snapshot
+- Open PR count at start: 0
+- Default branch: main
+- Latest default-branch run (at start):
+ - None detected on default branch
+
+## Public Surface Inventory
+- README and architecture docs
+- Seven Shadow policy and governance wiring
+- Governance submodule build path
+- Public workflow coverage for existing governance logic
+
+## Command Matrix
+| Check | Result | Notes |
+|---|---|---|
+| Pending baseline checks | Pending | To be filled during wave execution |
+
+## Findings Register
+| Severity | Area | Repro | Status | Fix |
+|---|---|---|---|---|
+| None yet | - | - | Open | In progress |
+
+## Residual Risks / Follow-ups
+- Pending deep audit pass.
+
+## Attestation
+- This wave is maintenance and hardening only.
From 9518d02cc2ac63c8d6bceeff5d6a56b56ceb2473 Mon Sep 17 00:00:00 2001
From: Vonta
Date: Sun, 22 Feb 2026 14:06:42 -0500
Subject: [PATCH 2/2] ci: add public logic guardrails and audit findings
---
.github/workflows/public-logic-ci.yml | 68 ++++++++++++++++++++
docs/audits/public-logic-audit-2026-02-22.md | 10 ++-
2 files changed, 75 insertions(+), 3 deletions(-)
create mode 100644 .github/workflows/public-logic-ci.yml
diff --git a/.github/workflows/public-logic-ci.yml b/.github/workflows/public-logic-ci.yml
new file mode 100644
index 0000000..2809772
--- /dev/null
+++ b/.github/workflows/public-logic-ci.yml
@@ -0,0 +1,68 @@
+name: Public Logic CI
+
+on:
+ pull_request:
+ branches:
+ - main
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: read
+
+jobs:
+ validate-public-logic:
+ runs-on: ubuntu-latest
+ timeout-minutes: 20
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ submodules: recursive
+
+ - name: Setup Node
+ uses: actions/setup-node@v4
+ with:
+ node-version: "20"
+ cache: npm
+ cache-dependency-path: governance/seven-shadow-system/package-lock.json
+
+ - name: Validate policy JSON
+ run: python3 -m json.tool .seven-shadow/policy.json >/dev/null
+
+ - name: Validate leveling JSON
+ run: python3 -m json.tool leveling.example.json >/dev/null
+
+ - name: Validate public document links
+ run: |
+ python3 - <<'PY'
+ import pathlib
+ import re
+ import sys
+
+ files = [pathlib.Path("README.md"), pathlib.Path("ARCHITECTURE.md")]
+ missing = []
+
+ for file_path in files:
+ text = file_path.read_text(encoding="utf-8")
+ for match in re.finditer(r"\[[^\]]+\]\(([^)]+)\)", text):
+ target = match.group(1).split("#", 1)[0].strip()
+ if not target or target.startswith(("http://", "https://", "mailto:")):
+ continue
+ if not (file_path.parent / target).exists():
+ missing.append((str(file_path), target))
+
+ if missing:
+ for file_path, target in missing:
+ print(f"Missing relative link target in {file_path}: {target}")
+ sys.exit(1)
+ PY
+
+ - name: Install governance dependencies
+ run: npm ci
+ working-directory: governance/seven-shadow-system
+
+ - name: Build governance package
+ run: npm run build
+ working-directory: governance/seven-shadow-system
diff --git a/docs/audits/public-logic-audit-2026-02-22.md b/docs/audits/public-logic-audit-2026-02-22.md
index ff21fd0..6910ce8 100644
--- a/docs/audits/public-logic-audit-2026-02-22.md
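Review bot: The two third-party actions in the Checkout and Setup Node steps are pinned only by mutable major tag (`actions/checkout@v4`, `actions/setup-node@v4`), so a retagged upstream release changes what this job executes without any change in this repository; pin each to a full commit SHA with the version kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4` and `uses: actions/setup-node@<full-commit-sha> # v4` (`<full-commit-sha>` is a placeholder for the upstream release commit). The job also runs `npm ci` and `npm run build` inside the checked-out submodule on every pull request, which executes that package's dependency lifecycle and build scripts; `permissions: contents: read` already bounds the token, but if the governance build does not need install-time scripts, `npm ci --ignore-scripts` would narrow what a dependency update can run. Separately, in the link-check script `file_path.parent / target` yields an absolute path when a link target starts with `/`, so root-relative links are tested against the runner's filesystem rather than the repository; skipping such targets explicitly or resolving them against the repository root would make the check match its stated "relative links" intent.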
+++ b/docs/audits/public-logic-audit-2026-02-22.md
@@ -22,15 +22,19 @@
 ## Command Matrix
 | Check | Result | Notes |
 |---|---|---|
-| Pending baseline checks | Pending | To be filled during wave execution |
+| `.seven-shadow/policy.json` parse | PASS | Valid JSON |
+| `leveling.example.json` parse | PASS | Valid JSON |
+| `npm --prefix governance/seven-shadow-system ci` | PASS | Governance dependency install succeeded |
+| `npm --prefix governance/seven-shadow-system run build` | PASS | Governance build succeeded |
+| README/architecture link integrity | PASS | Relative links in public docs resolve |
 
 ## Findings Register
 | Severity | Area | Repro | Status | Fix |
 |---|---|---|---|---|
-| None yet | - | - | Open | In progress |
+| P1 | CI coverage gap | No default-branch `push`/`pull_request` workflow validated public governance logic | Fixed | Added `Public Logic CI` workflow on `main` push/PR |
 
 ## Residual Risks / Follow-ups
-- Pending deep audit pass.
+- Continue monitoring governance submodule and policy bundle mode behavior in future waves.
 
 ## Attestation
 - This wave is maintenance and hardening only.