Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .machine_readable/REGISTRY.a2ml
Original file line number Diff line number Diff line change
Expand Up @@ -234,7 +234,7 @@ name = "DYADT — Did-You-Actually-Do-That"
stream = "governance"
home = "did-you-actually-do-that/"
canonical_doc = "did-you-actually-do-that/README.adoc"
source_hash = "sha256:2ae635b9ede51e76781cb7c171108f2a4505b0aae9ac97fb05c910915141eb2a"
source_hash = "sha256:453bf00d0dfac71576b5e7b4068fb8987abc3337d4bc3bf75c081e0332ae1dff"
route = "post-action agent-claim verification (Tier 4 accountability)"

[[spec]]
Expand Down
12 changes: 12 additions & 0 deletions Justfile
Original file line number Diff line number Diff line change
Expand Up @@ -85,12 +85,24 @@ dyadt-conformance:
dyadt-test:
@bash scripts/tests/wave4-dyadt-test.sh

# Structural lint for per-language testing guides (required sections + R1..R9)
language-guides-check:
@bash scripts/check-language-guide.sh

# Block reintroduction of deprecated names (6a2, agent_instructions) in new diff
canonical-names-check base="origin/main":
@bash scripts/check-canonical-names.sh "{{base}}"

# Aggregate compliance gate: registry drift is the HARD gate (registry-check,
# a hard dep). The RSR self-audit is INFORMATIONAL — a monorepo is not expected
# to score Gold — but a *broken* audit (exit 4 / unexpected) must fail loudly
# rather than pass silently under a blanket `|| true` (Wave-0 false-green fix).
validate: registry-check
@echo "=== validate: registry drift (HARD GATE) — passed as a dependency above ==="
@echo "=== validate: per-language testing guides (structural, HARD GATE) ==="
@bash scripts/check-language-guide.sh
@echo "=== validate: canonical-names reintroduction guard (vs origin/main) ==="
@bash scripts/check-canonical-names.sh origin/main || bash scripts/check-canonical-names.sh HEAD
@echo "=== validate: RSR self-audit (INFORMATIONAL grade; errors fail loudly) ==="
@bash scripts/rsr-selfaudit.sh .
@echo "=== validate: done ==="
Expand Down
49 changes: 49 additions & 0 deletions audits/licence-flags-2026-07.adoc
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
// SPDX-License-Identifier: CC-BY-SA-4.0
// SPDX-FileCopyrightText: 2026 Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>
= Licence Flags — Estate Audit & Optimization (2026-07)
:icons: font

[.lead]
Flag-only record for the estate audit-and-optimization program (umbrella
`hyperpolymath/standards#460`). Per the Manual-Only licence policy
(`.claude/CLAUDE.md`), this program made **no** licence/SPDX edits and generated
**no** automated licence-change PRs. This document records that discipline and
flags — for owner review only — anything licence-adjacent that surfaced.

== Discipline upheld

* No SPDX headers were added, changed, or swept in any wave (0, 1, 3, 4, 5, 6).
* New files created by the program carry the SPDX identifier matching the
repo's classification at birth (authoring, not relicensing): scripts →
`MPL-2.0`, prose/specs → `CC-BY-SA-4.0`. This is consistent with the estate
policy that new files may carry the correct SPDX from birth.
* The DYADT verifier (`did-you-actually-do-that/`) treats any licence/SPDX claim
as `manual-only` end to end — it returns `unverifiable`, never auto-`confirmed`,
and the consequence ledger's confirmation rate is explicitly unaffected by
licence verdicts. The Manual-Only policy is preserved *by construction* in the
new tooling.

== Flags for owner review (no action taken)

None of the following were edited; they are surfaced for the owner to rule on.

[cols="1,3", options="header"]
|===
| Location | Observation (flag-only)

| `rhodium-standard-repositories/rsr-audit.sh`
| Header carries a dual `SPDX-License-Identifier: MPL-2.0 AND Palimpsest-0.8`.
Palimpsest is a carve-out family; whether this file should carry a
Palimpsest component is an owner ruling, not an audit action. Left untouched.

| `SECURITY-ADVISORIES.adoc`
| A standing deferred `rand < 0.9.3` advisory is recorded. Not a licence matter,
but flagged alongside release hygiene: renew with an expiry date or bump.
(Tracked under the umbrella's release-hygiene item.)
|===

== No sweep, no auto-PR

This program did not run, and must not be read as licensing, any bulk SPDX
normalisation. Licence drift findings remain FLAG-ONLY and owner-gated, per the
neurophone#99 precedent and the estate licence-policy umbrella.
10 changes: 10 additions & 0 deletions did-you-actually-do-that/spec/CLAIM-FORMAT.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -106,6 +106,16 @@ A verifier MUST reject (`unverifiable`) a claim whose `verifier` is not listed
as compatible with its `claim_class` in VERIFICATION-PROTOCOL — an
agent MUST NOT be able to choose a weaker verifier than the claim class warrants.

=== `contains:` regex dialect (normative)

The `contains:<regex>` predicate uses **POSIX Extended Regular Expressions
(ERE)**, matched case-sensitively against the whole file (`grep -E`). A pattern
that contains no literal character — i.e. is trivially always-matching (`.*`,
`.`, `^`, `$`, `.+`, and the like) — is NOT evidence and MUST be rejected as
`unverifiable` (reason `trivial-pattern`); it would otherwise confirm any
non-empty file. `stdout-contains:<s>` is a fixed-string (non-regex) substring
match.

== Honesty constraints (normative)

. A claim's verdict MUST be derived from primary evidence re-collected by the
Expand Down
10 changes: 10 additions & 0 deletions did-you-actually-do-that/spec/conformance/always-match.a2ml
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
[claims]
schema = "dyadt/claim@1"
actor = "conformance"
[[claim]]
id = "C1"
claim_class = "file-changed"
statement = "a vacuous always-matching contains pattern"
target = "README.adoc"
expect = "contains:.*"
verifier = "git-diff"
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
C1 unverifiable
11 changes: 11 additions & 0 deletions hooks/pre-commit
Original file line number Diff line number Diff line change
Expand Up @@ -91,6 +91,17 @@ if [ -f scripts/build-registry.sh ]; then
fi
fi

# Canonical-names guard: block reintroduction of the deprecated names listed in
# CANONICAL-NAMES.adoc within the staged diff. Only added lines are checked, so
# not-yet-migrated existing occurrences do not trip it.
if [ -f scripts/check-canonical-names.sh ]; then
if ! bash scripts/check-canonical-names.sh HEAD >/dev/null 2>&1; then
echo -e "${RED}✗ Deprecated name reintroduced (see CANONICAL-NAMES.adoc):${NC}"
bash scripts/check-canonical-names.sh HEAD 2>&1 | grep '❌' || true
ERRORS=$((ERRORS + 1))
fi
fi

# Final result
echo ""
if [ $ERRORS -gt 0 ]; then
Expand Down
70 changes: 70 additions & 0 deletions scripts/check-canonical-names.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
#!/usr/bin/env bash
# SPDX-License-Identifier: MPL-2.0
#
# check-canonical-names.sh — block REINTRODUCTION of deprecated names.
#
# CANONICAL-NAMES.adoc (owner mandate 2026-06-30) deprecates:
# * 6a2 -> descriptiles
# * agent_instructions -> bot_directives
# The bulk migration of existing occurrences is chartered separately; this guard
# stops NEW occurrences from landing in the meantime. It inspects only the
# ADDED lines of a diff (grandfathered existing text is untouched), so it can be
# wired into pre-commit and CI without tripping on the not-yet-migrated files.
#
# Usage: check-canonical-names.sh [base-ref]
# base-ref default: origin/main (CI) then HEAD (pre-commit staged diff).
# Exit: 0 no new deprecated tokens · 1 a deprecated token was added · 2 usage

set -uo pipefail
cd "$(git rev-parse --show-toplevel)"

BASE="${1:-}"
if [ -z "$BASE" ]; then

Check failure on line 22 in scripts/check-canonical-names.sh

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Use '[[' instead of '[' for conditional tests. The '[[' construct is safer and more feature-rich.

See more on https://sonarcloud.io/project/issues?id=hyperpolymath_standards&issues=AZ8l0496RtbAQg66KdZj&open=AZ8l0496RtbAQg66KdZj&pullRequest=459
if git rev-parse --verify -q origin/main >/dev/null 2>&1; then BASE="origin/main"; else BASE="HEAD"; fi
fi

# Deprecated token -> canonical replacement (for the error message).
declare -A REPL=( ["6a2"]="descriptiles" ["agent_instructions"]="bot_directives" )

# Files that legitimately NAME the deprecated tokens (the mandate itself, this
# guard, migration/charter docs). Excluded from the check.
is_excluded() {
case "$1" in

Check failure on line 32 in scripts/check-canonical-names.sh

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Add a default case (*) to handle unexpected values.

See more on https://sonarcloud.io/project/issues?id=hyperpolymath_standards&issues=AZ8l0496RtbAQg66KdZk&open=AZ8l0496RtbAQg66KdZk&pullRequest=459

Check warning on line 32 in scripts/check-canonical-names.sh

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Assign this positional parameter to a local variable.

See more on https://sonarcloud.io/project/issues?id=hyperpolymath_standards&issues=AZ8l0496RtbAQg66KdZl&open=AZ8l0496RtbAQg66KdZl&pullRequest=459
CANONICAL-NAMES.adoc|scripts/check-canonical-names.sh|scripts/tests/*|\
*MIGRATION*|*migration*|*CHANGELOG*|*/6a2/*|.machine_readable/6a2/*) return 0 ;;
esac
return 1
}

# Added lines in the working diff vs BASE, per file.
added_diff() { git diff "$BASE" -- . 2>/dev/null; }

Check warning on line 40 in scripts/check-canonical-names.sh

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Add an explicit return statement at the end of the function.

See more on https://sonarcloud.io/project/issues?id=hyperpolymath_standards&issues=AZ8l0496RtbAQg66KdZm&open=AZ8l0496RtbAQg66KdZm&pullRequest=459

rc=0
current_file=""
while IFS= read -r line; do
case "$line" in

Check failure on line 45 in scripts/check-canonical-names.sh

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Add a default case (*) to handle unexpected values.

See more on https://sonarcloud.io/project/issues?id=hyperpolymath_standards&issues=AZ8l0496RtbAQg66KdZn&open=AZ8l0496RtbAQg66KdZn&pullRequest=459
"+++ b/"*) current_file="${line#+++ b/}" ;;
"+"*)
is_excluded "$current_file" && continue
body="${line#+}"
# Skip a line that is DESCRIBING the deprecation rather than using the old
# name — it also mentions the canonical replacement or the mandate itself
# (e.g. tooling comments, this guard's own wiring, docs about the rename).
if printf '%s' "$body" | grep -Eqi 'deprecat|canonical|reintroduc|descriptiles|bot_directives'; then
continue
fi
for tok in "${!REPL[@]}"; do
# word-ish boundary so e.g. 'v6a2ml' style false hits are limited
if printf '%s' "$body" | grep -Eq "(^|[^A-Za-z0-9])$tok([^A-Za-z0-9]|$)"; then
echo "❌ $current_file: reintroduces deprecated '$tok' — use '${REPL[$tok]}' (CANONICAL-NAMES.adoc)"
echo " + $body"
rc=1
fi
done ;;
esac
done < <(added_diff)

if [ "$rc" -eq 0 ]; then

Check failure on line 67 in scripts/check-canonical-names.sh

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Use '[[' instead of '[' for conditional tests. The '[[' construct is safer and more feature-rich.

See more on https://sonarcloud.io/project/issues?id=hyperpolymath_standards&issues=AZ8l0496RtbAQg66KdZo&open=AZ8l0496RtbAQg66KdZo&pullRequest=459
echo "✅ no deprecated names reintroduced (vs $BASE)"
fi
exit $rc
55 changes: 55 additions & 0 deletions scripts/check-language-guide.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
#!/usr/bin/env bash
# SPDX-License-Identifier: MPL-2.0
#
# check-language-guide.sh — structural lint for per-language testing guides.
#
# Every guide built from templates/language-testing-guide-TEMPLATE.md MUST carry
# the required sections and the R1–R9 requirement-mapping table. A guide that
# silently omits a section (e.g. "Known gaps") is a false-completeness hole —
# this fails loudly instead.
#
# Usage: check-language-guide.sh [guide.md ...]
# With no args, checks every standards/*-testing-guide.md.
# Exit: 0 all valid · 1 a guide is missing a required section

set -uo pipefail

ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd)"

REQUIRED_SECTIONS=(
"## Requirement mapping"
"## Tools"
"## Recommended CI pipeline"
"## Best practices"
"## Known gaps"
"## Resources"
)

check_one() { # file
local f="$1" rc=0 sec
if [ ! -f "$f" ]; then echo " ❌ $f: not found"; return 1; fi

Check failure on line 30 in scripts/check-language-guide.sh

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Use '[[' instead of '[' for conditional tests. The '[[' construct is safer and more feature-rich.

See more on https://sonarcloud.io/project/issues?id=hyperpolymath_standards&issues=AZ8lybSYKburwM6v9Z-M&open=AZ8lybSYKburwM6v9Z-M&pullRequest=459
for sec in "${REQUIRED_SECTIONS[@]}"; do
grep -Fqx "$sec" "$f" || { echo " ❌ $(basename "$f"): missing section '$sec'"; rc=1; }
done
# The requirement mapping MUST reference the R1..R9 rows (at least R1 and R9).
grep -Eq '\bR1\b' "$f" && grep -Eq '\bR9\b' "$f" || { echo " ❌ $(basename "$f"): requirement mapping does not reference R1..R9"; rc=1; }
# A SPDX header is required.
head -3 "$f" | grep -q 'SPDX-License-Identifier' || { echo " ❌ $(basename "$f"): missing SPDX header"; rc=1; }
[ "$rc" -eq 0 ] && echo " ✅ $(basename "$f")"

Check failure on line 38 in scripts/check-language-guide.sh

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Use '[[' instead of '[' for conditional tests. The '[[' construct is safer and more feature-rich.

See more on https://sonarcloud.io/project/issues?id=hyperpolymath_standards&issues=AZ8lybSYKburwM6v9Z-N&open=AZ8lybSYKburwM6v9Z-N&pullRequest=459
return $rc
}

if [ "$#" -gt 0 ]; then

Check failure on line 42 in scripts/check-language-guide.sh

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Use '[[' instead of '[' for conditional tests. The '[[' construct is safer and more feature-rich.

See more on https://sonarcloud.io/project/issues?id=hyperpolymath_standards&issues=AZ8lybSYKburwM6v9Z-O&open=AZ8lybSYKburwM6v9Z-O&pullRequest=459
files=("$@")
else
mapfile -t files < <(ls "$ROOT"/standards/*-testing-guide.md 2>/dev/null)
fi

if [ "${#files[@]}" -eq 0 ]; then

Check failure on line 48 in scripts/check-language-guide.sh

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Use '[[' instead of '[' for conditional tests. The '[[' construct is safer and more feature-rich.

See more on https://sonarcloud.io/project/issues?id=hyperpolymath_standards&issues=AZ8lybSYKburwM6v9Z-P&open=AZ8lybSYKburwM6v9Z-P&pullRequest=459
echo "no language testing guides found (standards/*-testing-guide.md)"; exit 0
fi

rc=0
echo "Language testing guides:"
for f in "${files[@]}"; do check_one "$f" || rc=1; done
exit $rc
10 changes: 10 additions & 0 deletions scripts/tests/wave4-dyadt-test.sh
Original file line number Diff line number Diff line change
Expand Up @@ -166,6 +166,16 @@ target = "echo marker >&2; true"
expect = "stdout-contains:marker"
verifier = "command-transcript"'
[[ "$(reason_of "$TMP/se.a2ml" C1)" == REFUTED* ]] && ok "stderr does not satisfy stdout-contains" || bad "stderr false-confirmed stdout claim"
# an always-matching contains: regex is not evidence (#461)
mk am.a2ml '[claims]
[[claim]]
id = "C1"
claim_class = "file-changed"
target = "README.adoc"
expect = "contains:.*"
verifier = "git-diff"'
[[ "$(reason_of "$TMP/am.a2ml" C1)" == unverifiable*trivial-pattern ]] && ok "always-matching contains: -> unverifiable" || bad "always-match pattern confirmed vacuously"

# licence claim phrased only in the statement is still manual-only
mk lic.a2ml '[claims]
[[claim]]
Expand Down
41 changes: 41 additions & 0 deletions scripts/tests/wave5-language-guides-test.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
#!/usr/bin/env bash
# SPDX-License-Identifier: MPL-2.0
set -uo pipefail
#
# Wave-5 regression: the per-language testing guide lint must accept a
# template-conformant guide and reject one missing a required section.

ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
CHK="$ROOT/scripts/check-language-guide.sh"
TMP="$(mktemp -d)"; trap 'rm -rf "$TMP"' EXIT

pass=0 fail=0
ok() { echo " ✅ $1"; pass=$((pass + 1)); }

Check warning on line 13 in scripts/tests/wave5-language-guides-test.sh

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Add an explicit return statement at the end of the function.

See more on https://sonarcloud.io/project/issues?id=hyperpolymath_standards&issues=AZ8lybPrKburwM6v9Z-G&open=AZ8lybPrKburwM6v9Z-G&pullRequest=459

Check warning on line 13 in scripts/tests/wave5-language-guides-test.sh

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Assign this positional parameter to a local variable.

See more on https://sonarcloud.io/project/issues?id=hyperpolymath_standards&issues=AZ8lybPrKburwM6v9Z-H&open=AZ8lybPrKburwM6v9Z-H&pullRequest=459
bad() { echo " ❌ $1"; fail=$((fail + 1)); }

Check warning on line 14 in scripts/tests/wave5-language-guides-test.sh

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Assign this positional parameter to a local variable.

See more on https://sonarcloud.io/project/issues?id=hyperpolymath_standards&issues=AZ8lybPrKburwM6v9Z-J&open=AZ8lybPrKburwM6v9Z-J&pullRequest=459

Check warning on line 14 in scripts/tests/wave5-language-guides-test.sh

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Add an explicit return statement at the end of the function.

See more on https://sonarcloud.io/project/issues?id=hyperpolymath_standards&issues=AZ8lybPrKburwM6v9Z-I&open=AZ8lybPrKburwM6v9Z-I&pullRequest=459

echo "== real guides pass =="
bash "$CHK" >/dev/null 2>&1 && ok "estate guides pass structural lint" || bad "estate guides failed lint"
bash "$CHK" "$ROOT/standards/affinescript-testing-guide.md" >/dev/null 2>&1 && ok "affinescript guide valid" || bad "affinescript guide invalid"

echo "== rejects incomplete guides =="
# missing a required section
g="$TMP/foo-testing-guide.md"
printf '<!-- SPDX-License-Identifier: CC-BY-SA-4.0 -->\n# Foo\n## Requirement mapping\nR1 ... R9 ...\n## Tools\n## Recommended CI pipeline\n## Best practices\n## Resources\n' > "$g"
bash "$CHK" "$g" >/dev/null 2>&1 && bad "missing 'Known gaps' not caught" || ok "missing section rejected"
# missing SPDX header
g2="$TMP/bar-testing-guide.md"
printf '# Bar\n## Requirement mapping\nR1 R9\n## Tools\n## Recommended CI pipeline\n## Best practices\n## Known gaps\n## Resources\n' > "$g2"
bash "$CHK" "$g2" >/dev/null 2>&1 && bad "missing SPDX not caught" || ok "missing SPDX rejected"
# missing R1..R9 reference
g3="$TMP/baz-testing-guide.md"
printf '<!-- SPDX-License-Identifier: CC-BY-SA-4.0 -->\n# Baz\n## Requirement mapping\nno numbers here\n## Tools\n## Recommended CI pipeline\n## Best practices\n## Known gaps\n## Resources\n' > "$g3"
bash "$CHK" "$g3" >/dev/null 2>&1 && bad "missing R1..R9 not caught" || ok "missing R1..R9 rejected"

echo "== the stale duplicate snapshot is gone =="
[ ! -f "$ROOT/standards/language-testing-standards-v1.0.0-2024-04-14.md" ] && ok "duplicate snapshot removed" || bad "duplicate snapshot still present"

Check failure on line 35 in scripts/tests/wave5-language-guides-test.sh

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Use '[[' instead of '[' for conditional tests. The '[[' construct is safer and more feature-rich.

See more on https://sonarcloud.io/project/issues?id=hyperpolymath_standards&issues=AZ8lybPrKburwM6v9Z-K&open=AZ8lybPrKburwM6v9Z-K&pullRequest=459
echo "== the standard is v2.0.0 with RFC-2119 =="
grep -q 'Version:\*\* 2.0.0' "$ROOT/standards/language-testing-standards.md" && grep -qi 'RFC-2119' "$ROOT/standards/language-testing-standards.md" && ok "standard refreshed to v2.0.0 RFC-2119" || bad "standard not refreshed"

echo
echo "Wave-5 language-guides regression: $pass passed, $fail failed"
[ "$fail" -eq 0 ]

Check failure on line 41 in scripts/tests/wave5-language-guides-test.sh

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Use '[[' instead of '[' for conditional tests. The '[[' construct is safer and more feature-rich.

See more on https://sonarcloud.io/project/issues?id=hyperpolymath_standards&issues=AZ8lybPrKburwM6v9Z-L&open=AZ8lybPrKburwM6v9Z-L&pullRequest=459
39 changes: 39 additions & 0 deletions scripts/tests/wave6-canonical-names-test.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
#!/usr/bin/env bash
# SPDX-License-Identifier: MPL-2.0
set -uo pipefail
#
# Wave-6 regression: the canonical-names reintroduction guard must block a NEW
# deprecated token while leaving grandfathered existing occurrences alone.

ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
CHK="$ROOT/scripts/check-canonical-names.sh"

pass=0 fail=0
ok() { echo " ✅ $1"; pass=$((pass + 1)); }

Check warning on line 12 in scripts/tests/wave6-canonical-names-test.sh

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Add an explicit return statement at the end of the function.

See more on https://sonarcloud.io/project/issues?id=hyperpolymath_standards&issues=AZ8l047VRtbAQg66KdZe&open=AZ8l047VRtbAQg66KdZe&pullRequest=459

Check warning on line 12 in scripts/tests/wave6-canonical-names-test.sh

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Assign this positional parameter to a local variable.

See more on https://sonarcloud.io/project/issues?id=hyperpolymath_standards&issues=AZ8l047VRtbAQg66KdZf&open=AZ8l047VRtbAQg66KdZf&pullRequest=459
bad() { echo " ❌ $1"; fail=$((fail + 1)); }

Check warning on line 13 in scripts/tests/wave6-canonical-names-test.sh

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Assign this positional parameter to a local variable.

See more on https://sonarcloud.io/project/issues?id=hyperpolymath_standards&issues=AZ8l047VRtbAQg66KdZh&open=AZ8l047VRtbAQg66KdZh&pullRequest=459

Check warning on line 13 in scripts/tests/wave6-canonical-names-test.sh

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Add an explicit return statement at the end of the function.

See more on https://sonarcloud.io/project/issues?id=hyperpolymath_standards&issues=AZ8l047VRtbAQg66KdZg&open=AZ8l047VRtbAQg66KdZg&pullRequest=459

cd "$ROOT"

echo "== guard blocks a newly-added deprecated token =="
f="wave6_guard_probe.txt"
printf 'this file uses the 6a2 layout\n' > "$f"
git add "$f" 2>/dev/null
if bash "$CHK" HEAD >/dev/null 2>&1; then bad "new '6a2' token not blocked"; else ok "new '6a2' token blocked"; fi
# agent_instructions too
printf 'agent_instructions live here\n' > "$f"
git add "$f" 2>/dev/null
if bash "$CHK" HEAD >/dev/null 2>&1; then bad "new 'agent_instructions' not blocked"; else ok "new 'agent_instructions' blocked"; fi
git reset -q "$f" 2>/dev/null; rm -f "$f"

echo "== guard passes with no offending additions =="
printf 'a perfectly canonical descriptiles + bot_directives line\n' > "$f"
git add "$f" 2>/dev/null
bash "$CHK" HEAD >/dev/null 2>&1 && ok "canonical names pass" || bad "canonical names wrongly blocked"
git reset -q "$f" 2>/dev/null; rm -f "$f"

echo "== the guard excludes CANONICAL-NAMES.adoc itself =="
grep -q 'CANONICAL-NAMES.adoc' "$CHK" && ok "mandate doc is excluded from the guard" || bad "mandate doc not excluded"

echo
echo "Wave-6 canonical-names regression: $pass passed, $fail failed"
[ "$fail" -eq 0 ]

Check failure on line 39 in scripts/tests/wave6-canonical-names-test.sh

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Use '[[' instead of '[' for conditional tests. The '[[' construct is safer and more feature-rich.

See more on https://sonarcloud.io/project/issues?id=hyperpolymath_standards&issues=AZ8l047VRtbAQg66KdZi&open=AZ8l047VRtbAQg66KdZi&pullRequest=459
5 changes: 5 additions & 0 deletions scripts/verify-claims.sh
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,11 @@
contains:*)
local re="${expect#contains:}"
[ -n "$re" ] || { echo "unverifiable empty-pattern"; return; }
# Reject a trivially-always-matching regex (`.*`, `^`, `$`, `.`, `.+`, …):
# a pattern with no literal character is not evidence — it confirms any
# non-empty file. Require at least one literal after stripping ERE metachars.
local bare; bare="$(printf '%s' "$re" | tr -d '.^$*+?()[]{}|\\')"
[ -n "$bare" ] || { echo "unverifiable trivial-pattern"; return; }

Check failure on line 102 in scripts/verify-claims.sh

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Use '[[' instead of '[' for conditional tests. The '[[' construct is safer and more feature-rich.

See more on https://sonarcloud.io/project/issues?id=hyperpolymath_standards&issues=AZ8l04-RRtbAQg66KdZp&open=AZ8l04-RRtbAQg66KdZp&pullRequest=459
if [ ! -f "$target" ]; then echo "unverifiable not-a-regular-file"; return; fi
if [ ! -r "$target" ]; then echo "unverifiable unreadable"; return; fi
# distinguish "pattern absent" (refuted) from "bad regex" (unverifiable)
Expand Down
Loading
Loading