Skip to content

Commit 91ab68d

Browse files
committed
Merge dev and port security hardening
2 parents ef64f0b + b25e936 commit 91ab68d

988 files changed

Lines changed: 221539 additions & 21693 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.
Lines changed: 62 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,62 @@
1+
---
2+
name: completion-verifier
3+
description: Verifies ACES SDL repo-policy, requirement-governance, changelog, and ADR-index completion before Claude stops.
4+
tools: Read, Grep, Glob, Bash
5+
model: sonnet
6+
maxTurns: 20
7+
---
8+
9+
# Completion Verifier
10+
11+
You verify that implementation work is complete for ACES SDL. Prefer the
12+
repo-owned policy scripts over ad hoc reasoning.
13+
14+
Run these checks and return your verdict:
15+
16+
## 1. Determine changed files and requirement context
17+
18+
- Run `git diff --name-only HEAD` to see what files changed.
19+
- Determine whether Python implementation or test files changed under
20+
`implementations/python/`.
21+
- Determine the active requirement UID from `ACES_REQUIREMENT_UID` or the branch
22+
name.
23+
24+
## 2. Run repo policy checks
25+
26+
- Run `implementations/python/.venv/bin/python tools/check_repo_policy.py`.
27+
- If a requirement UID is available, run
28+
`implementations/python/.venv/bin/python tools/check_requirement_governance.py --requirement-uid <UID>`.
29+
- If either command fails, this is a FAILURE. Include the concrete rule output
30+
in the reason.
31+
32+
## 3. CHANGELOG and ADR index
33+
34+
If Python source files changed:
35+
- Verify `CHANGELOG.md` is in the diff.
36+
- If not, this is a FAILURE.
37+
38+
If any ADR file under `docs/decisions/adrs/` changed:
39+
- Verify `docs/decisions/adrs/README.md` is also updated.
40+
- If not, this is a FAILURE.
41+
42+
## 4. Ground Control traceability and status
43+
44+
If a requirement UID is available and implementation/test files changed:
45+
- Verify the requirement-governance script passed.
46+
- Call out missing IMPLEMENTS or TESTS traceability as a FAILURE, not a warning.
47+
- If the work appears to complete a DRAFT requirement, verify the requirement is
48+
not left in DRAFT unintentionally.
49+
50+
## 5. Return verdict
51+
52+
If all required checks pass:
53+
```json
54+
{"ok": true}
55+
```
56+
57+
If any required check fails:
58+
```json
59+
{"ok": false, "reason": "Missing: CHANGELOG.md not updated despite Python source changes in implementations/python/packages/..."}
60+
```
61+
62+
Be specific about what's missing so Claude can fix it.
Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
#!/usr/bin/env bash
2+
set -euo pipefail
3+
4+
FILE_PATH=$(jq -r '.tool_input.file_path // empty')
5+
6+
if [[ -z "$FILE_PATH" ]]; then
7+
exit 0
8+
fi
9+
10+
cd "$CLAUDE_PROJECT_DIR"
11+
implementations/python/.venv/bin/python tools/check_repo_policy.py --check-set file-local "$FILE_PATH"

.claude/hooks/protect_files.sh

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
#!/bin/bash
2+
# Block edits to sensitive files and generated authority surfaces.
3+
FILE_PATH=$(jq -r '.tool_input.file_path // empty')
4+
5+
if [[ -z "$FILE_PATH" ]]; then
6+
exit 0
7+
fi
8+
9+
BASENAME=$(basename "$FILE_PATH")
10+
11+
# Block .env files
12+
if [[ "$BASENAME" == .env* ]] || [[ "$BASENAME" == "local_settings.py" ]]; then
13+
echo "BLOCKED: Editing $BASENAME is not allowed. These files contain secrets." >&2
14+
exit 2
15+
fi
16+
17+
# Block key/credential files
18+
if [[ "$BASENAME" == *.key ]] || [[ "$BASENAME" == *.pem ]] || [[ "$BASENAME" == "credentials"* ]]; then
19+
echo "BLOCKED: Editing $BASENAME is not allowed. These files contain secrets." >&2
20+
exit 2
21+
fi
22+
23+
# Block direct edits to generated schemas.
24+
if [[ "$FILE_PATH" == contracts/schemas/* ]]; then
25+
echo "BLOCKED: contracts/schemas/ is generated. Update generator inputs and regenerate instead." >&2
26+
exit 2
27+
fi
28+
29+
exit 0

.claude/hooks/verify-extra.sh

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,25 @@
1+
#!/usr/bin/env bash
2+
# Project-specific implementation checks.
3+
# Sourced by the user-level verify-implementation.sh Stop hook.
4+
# $CHANGED is passed in as an env var containing the git diff file list.
5+
# Output any failure reasons to stdout; empty output = all checks pass.
6+
7+
ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
8+
PY="$ROOT/implementations/python/.venv/bin/python"
9+
10+
if [[ ! -x "$PY" ]]; then
11+
echo -n "Missing implementations/python/.venv/bin/python; cannot run repo verification."
12+
exit 0
13+
fi
14+
15+
if ! "$PY" "$ROOT/tools/check_repo_policy.py" >/tmp/aces-sdl-policy.out 2>&1; then
16+
tr '\n' ' ' </tmp/aces-sdl-policy.out
17+
exit 0
18+
fi
19+
20+
if ! "$PY" "$ROOT/tools/check_requirement_governance.py" >/tmp/aces-sdl-gc.out 2>&1; then
21+
tr '\n' ' ' </tmp/aces-sdl-gc.out
22+
exit 0
23+
fi
24+
25+
echo -n ""
Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,31 @@
1+
---
2+
paths:
3+
- "backend/src/**/*.java"
4+
- "frontend/src/**/*.ts"
5+
- "frontend/src/**/*.tsx"
6+
---
7+
8+
## Implementation Standards
9+
10+
- Never take shortcuts. Implement features properly and completely.
11+
You are not under time pressure. You operate at 200x human coding
12+
speed. There is no reason to cut corners, use placeholder
13+
implementations, or defer work.
14+
15+
- Never recommend deferring a fix or improvement "for later" or
16+
"in a follow-up". If something is broken or missing, fix it now.
17+
Tech debt has zero justification when the fix is within reach.
18+
19+
- Always check your implementation against the full requirement
20+
statement clause by clause before declaring completion.
21+
22+
- When you encounter an architectural decision, prefer the approach
23+
that follows existing patterns in the codebase over inventing
24+
something new. Read surrounding code first.
25+
26+
- Do not add unnecessary abstractions, indirection layers, or
27+
"extensibility" that isn't required by the current task. Three
28+
similar lines of code are better than a premature abstraction.
29+
30+
- Do not create stub or placeholder implementations that "will be
31+
filled in later." Either implement it fully or don't create it.

.claude/rules/review-standards.md

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,17 @@
1+
## Review Fix Standards
2+
3+
- Fix ALL issues found during code review and security review.
4+
Do not categorize issues as "defer" or "low priority" to avoid
5+
doing work. If the fix is straightforward, do it.
6+
7+
- Never recommend deferring fixes because of "time constraints",
8+
"scope", or "follow-up PRs". You are an LLM. You do not have
9+
time constraints. Just do the work.
10+
11+
- The only valid reason to stop and consult the user is if a fix
12+
would require a significant architectural change that could break
13+
other features. "Significant" means touching 5+ files outside the
14+
current feature scope.
15+
16+
- Do not surface nitpicks about PR titles or descriptions unless
17+
they are grossly misleading.

.claude/settings.json

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
{
2+
"hooks": {
3+
"PreToolUse": [
4+
{
5+
"matcher": "Edit|Write",
6+
"hooks": [
7+
{
8+
"type": "command",
9+
"command": "$CLAUDE_PROJECT_DIR/.claude/hooks/protect_files.sh"
10+
}
11+
]
12+
}
13+
],
14+
"PostToolUse": [
15+
{
16+
"matcher": "Edit|Write",
17+
"hooks": [
18+
{
19+
"type": "command",
20+
"command": "$CLAUDE_PROJECT_DIR/.claude/hooks/check_policy_after_edit.sh",
21+
"timeout": 30
22+
}
23+
]
24+
}
25+
]
26+
}
27+
}

0 commit comments

Comments
 (0)