Open
103 commits
ac4fc4c
fix(release): resolve lint errors + strengthen RC release
Agaslez Jan 13, 2026
91fb2b6
test(hardening): add E2E npm pack, chaos, fuzz, security tests + test…
Jan 13, 2026
fbdd949
docs(checklist): mark CEL Hardening Pack complete
Jan 13, 2026
1f88015
test(brutal-mode): add fs-hostile, cli-signals, contract-corruption, …
Jan 13, 2026
dfc91a6
test(scripts): add test:brutal for cross-platform matrix tests
Jan 13, 2026
116d5d1
feat: RCX Hardening Pack - 8 test suites (195 tests, 180 passing)
Jan 13, 2026
bceff93
fix: RCX test suite - API-based tests, remove CLI dependencies, fix d…
Jan 13, 2026
8c6ed14
docs: update RCX_FINAL_PROOF.md with Phase 3 completion (200 tests pa…
Jan 13, 2026
f38d3f5
fix: add missing cwd property to OrchestratorRunOptions in perf-regre…
Jan 13, 2026
6163b89
fix: repair 6 failing test suites after API changes
Jan 13, 2026
af6f04a
refactor: use makeRunOptions helper in adapter-executor tests
Jan 13, 2026
acf6d36
ci: add rcx-hardening to test workflows and support rcx-hardening branch
Jan 13, 2026
2c785bc
ci: verify rcx workflow triggers
Jan 13, 2026
cb73626
ci: add fetch-depth, concurrency, timeout-minutes and if conditions f…
Jan 13, 2026
3250f3a
docs: add CI_RCX_PROOF and PR template for workflow verification
Jan 13, 2026
73a34e1
fix: remove corrupted cerber-core self-reference from package.json de…
Jan 13, 2026
7b9ee23
ci: dogfooding jobs - only run on main push, skip on PR (non-blocking)
Jan 13, 2026
2e9abe7
chore(lock): regenerate after removing file dependency
Jan 13, 2026
803df2f
ci: add guard check to prevent file: dependencies in package.json
Jan 13, 2026
fb8e24e
docs: add PR #62 evidence and verification report
Jan 13, 2026
91c451a
fix(ci): ensure executable permissions on scripts and fix windows-spe…
Jan 13, 2026
5517e7a
fix(workflow): build dist/ before running unit tests
Jan 13, 2026
a03e908
fix: cli-signals test accept exit code -1 on signal
Jan 13, 2026
065aa8b
docs: update PR #62 evidence with final fix status
Jan 13, 2026
370a6e3
feat: implement real Guardian hook installer with --dry-run support
Jan 13, 2026
6185dbb
docs: add comprehensive PR #62 final status report
Jan 13, 2026
e11973e
fix: split test:release and npm-pack-smoke, add .unref() to timers fo…
Jan 13, 2026
3adfb8b
fix: add missing eslint.config.js (ESLint v9 compliance)
Jan 13, 2026
5ac7315
fix: remove .unref() from critical setTimeout in cli-signals - kill t…
Jan 13, 2026
7027458
fix: update eslint.config.js for backend (remove React deps)
Jan 13, 2026
d0af246
fix: configure ESLint v9 flat config with pragmatic rules for codebase
Jan 13, 2026
b71b5ce
refactor: replace 'any' types with proper typing (JsonValue, error ha…
Jan 13, 2026
17ba743
chore: add ESLint max-warnings ratchet + detectOpenHandles gate + imp…
Jan 13, 2026
e4b9532
test(e2e): refactor cli-signals to use long-running _signals-test com…
Jan 14, 2026
03cd653
refactor: move _signals-test from bin/cerber to src/cli/signals-test.ts
Jan 14, 2026
29f93f4
fix: add CERBER_TEST_MODE=1 to build_and_unit for signal tests
Jan 14, 2026
dc7defe
fix: remove duplicate program.parse() in bin/cerber
Jan 14, 2026
75139d1
fix: enhance cli-signals helper to log stderr in errors
Jan 14, 2026
52a23b8
fix: use bin/cerber instead of dist/bin/cerber in cli-signals tests
Jan 14, 2026
c940a4a
fix(signals-test): use process.stdout.write() with guaranteed flush +…
Jan 14, 2026
d1bdd32
update(audit): finalize test results - 1630/1630 tests passing (100%)
Jan 14, 2026
b256029
docs(audit): add CI run links + full jest.config.cjs and cerber-verif…
Jan 14, 2026
e38ffec
feat(CEL-2): Complete One Truth Architecture integration - Doctor dri…
Jan 14, 2026
d3e4690
docs(CEL-2): Add final verification report with production readiness …
Jan 14, 2026
43df4cf
feat(CEL-3): Complete test organization - tag 81 tests with @fast/@e2…
Jan 14, 2026
e5d0d21
fix(guardian): Use relative git root path in pre-commit hook
Jan 14, 2026
29ef91d
fix: Make tests deterministic - update snapshots and resilience test
Jan 14, 2026
2413d1a
fix: Update contract profiles with failOn arrays
Jan 14, 2026
8ac6729
docs: Add PROOF.md for ZADANIE 1 completion - all checks green
Jan 14, 2026
7d6c65a
fix(test-stability): Stabilize cli-signals and npm-pack-smoke tests +…
Jan 14, 2026
796d4fa
docs: Add ZADANIE 2 completion report - CI stability verified
Jan 14, 2026
0e8a22c
docs: Add SESSION_SUMMARY.md - ZADANIE 1 & 2 complete
Jan 14, 2026
8b2c883
fix(tests): Stabilize cli-signals and npm-pack-smoke + document requi…
Jan 14, 2026
c75a4d4
feat(ZADANIE-2.3): Add ONE TRUTH policy + protected files enforcement…
Jan 14, 2026
4c706bb
docs(PROOF): Add ZADANIE 2.3 owner approval marker
Jan 14, 2026
f27f5fe
docs(ZADANIE-2.3): Add branch protection configuration guide
Jan 14, 2026
89d8368
docs(ZADANIE-2.3): Complete implementation summary
Jan 14, 2026
2095634
docs(ZADANIE-2.3): Add comprehensive verification report
Jan 14, 2026
0fe72e0
feat(CEL): Add CEL 1 & CEL 2 enforcement - ZIELONO + JEDNA PRAWDA
Jan 14, 2026
6b78d2a
docs: Add comprehensive CEL summary (ZIELONO + JEDNA PRAWDA)
Jan 14, 2026
9f9a275
docs: Add quick action plan for GitHub configuration
Jan 14, 2026
0fbdf8e
feat(ZADANIE-2.3): Production GitHub integration - final phase
Jan 14, 2026
b4e8960
ci(tamper-gate): enforce owner approval via GitHub API
Jan 14, 2026
0738d3c
feat(task-3): npm-pack-smoke validates tarball content (not repo)
Jan 14, 2026
f8e6cee
docs: Add comprehensive proof of completion for all tasks
Jan 14, 2026
21dac0c
docs: Add comprehensive proof for ZADANIE 1 — ZIELONO (all checks green)
Jan 14, 2026
3037278
docs: Complete ZAD 2 & 3 — CI stability proofs, One Truth enforcement…
Jan 14, 2026
712658b
fix(critical): cli-signals stability — add KEEPALIVE + improve test h…
Jan 14, 2026
95afb89
docs: Add signals test diagnostic guide + commands
Jan 14, 2026
2348abe
docs: Add summary of critical signals test fix
Jan 14, 2026
376e796
docs: Add comprehensive session summary (Jan 14)
Jan 14, 2026
f2623fb
fix: Reduce ESLint warnings to 68 (below CI threshold of 69)
Jan 14, 2026
581a199
fix: Stabilize cli-signals test for CI
Jan 14, 2026
88a172e
fix: Increase timeouts and add safety exit for cli-signals
Jan 14, 2026
2fdff54
fix: Handle TypeScript unknown type + improve error handling in CLI
Jan 14, 2026
c40f815
fix: Use createRequire for _signals-test import in bin/cerber
Jan 14, 2026
64f81a5
fix: Simplify dynamic import in bin/cerber _signals-test command
Jan 14, 2026
d50fa47
fix: Use const for safetyTimeout instead of let, restructure before c…
Jan 14, 2026
e15fa6a
fix: Isolate unit and e2e tests + add debug logging + fix logger timi…
Jan 14, 2026
3fefae0
fix: Remove conflicting --runInBand and --maxWorkers flags
Jan 14, 2026
6c5718c
fix: Add stdout flush guarantee + diagnostic logging + runInBand for …
Jan 14, 2026
4d186a7
fix: Make cleanup handler SYNCHRONOUS to guarantee CLEANUP_DONE is ex…
Jan 14, 2026
e6fbe34
fix: Make signals-test.ts synchronous + use setImmediate for flush gu…
Jan 14, 2026
cccc856
fix: Use setTimeout(100ms) for stdout flush + increase CI timeouts to…
Jan 14, 2026
2eef1cc
Make cleanup async + add SIGNAL_DELAY to ensure handlers ready before…
Jan 14, 2026
ae9fbbd
Use process.stdout.write callback-based flush for guaranteed buffer f…
Jan 14, 2026
aa18937
Add cleanupStarted guard + comprehensive debug logs for signal handling
Jan 14, 2026
dc932be
Use process.stdout.cork/uncork for atomic flush guarantee - most reli…
Jan 14, 2026
06216e4
Use setTimeout(50ms) after uncork, extend CI timeouts to 60s, isolate…
Jan 14, 2026
8dd8e37
Add stdin.destroy() + ISO timestamps + 90s/120s timeouts + --runInBan…
Jan 14, 2026
78dec10
Add comprehensive diagnostics, improved waitForText, solid afterEach …
Jan 14, 2026
e036558
chore(deps-lock): update package-lock & add Phase 1 report
Jan 14, 2026
4951171
ci: add npm caching to all workflow jobs + Phase 1 final report
Jan 14, 2026
8da8d3d
chore(deps): update package.json with security fixes
Jan 14, 2026
cca3d8b
cleanup: remove documentation reports - focus on green CI only
Jan 14, 2026
2fd2eae
ci: enable workflow trigger for rcx-** branches
Jan 14, 2026
d092c42
test(e2e): optimize CI with conditional E2E tests and increased timeouts
Jan 14, 2026
6fae1fa
refactor(e2e): stabilize CLI signal tests with isolated utilities and…
Jan 14, 2026
3b91c6e
feat: add _signals-test CLI command with process-cleanup integration
Jan 14, 2026
4c0a898
ci: enable E2E signal tests in verification workflow
Jan 14, 2026
fc87ab6
feat(ci): add conditional test execution for main vs feature branches
Jan 14, 2026
9405003
fix(ci): update test file references to refactored version
Jan 14, 2026
9c66a21
fix(ci): correct test name pattern for refactored E2E test
Jan 14, 2026
296 changes: 241 additions & 55 deletions .cerber/contract.yml
@@ -1,71 +1,223 @@
# Node.js CI Contract
# Base contract for Node.js projects with npm/yarn
# Cerber Core: One Truth CI/CD Architecture
# Source of truth for gates, protected files, and test organization
# This contract drives automatic generation of CERBER.md and workflows
# DO NOT EDIT GENERATED FILES - edit this contract instead, then run: npm run cerber:generate

contractVersion: 1
name: nodejs-ci-contract
version: 1.0.0

metadata:
description: 'Base contract for Node.js CI/CD workflows'
description: 'One Truth: CI gates, test tags, protected files'
author: 'Cerber Core'
tags:
- nodejs
- npm
- ci

# Extend base nodejs contract
extends: '@cerber-core/contracts/nodejs-base'

defaults:
permissionsPolicy:
maxLevel: read
allowedScopes:
- contents
- pull-requests
actionPinning: required
secretsPolicy: no-hardcoded
nodeVersion:
required: true
minVersion: '18.0.0'
- ci-gates
- test-organization
generatedFilesHeader: 'AUTO-GENERATED BY CERBER — DO NOT EDIT'

# ============================================
# Rule Configuration
# ============================================
rules:
# Security rules
security/no-hardcoded-secrets:
'security/no-hardcoded-secrets':
severity: error
gate: true # Always block merge
security/require-action-pinning:
severity: error
gate: true
security/limit-permissions:
gate: true # Always block

'security/limit-permissions':
severity: error
gate: false # Warn but don't block
security/no-wildcard-triggers:
severity: warning
security/checkout-persist-credentials:
severity: warning

# Best practices
best-practices/cache-dependencies:
severity: warning
best-practices/setup-node-with-version:
severity: error
best-practices/parallelize-matrix:
'best-practices/cache-dependencies':
severity: warning
# gate: undefined (falls back to profile.failOn)

# ============================================
# GOAL 1: CI Gate Separation (FAST vs HEAVY)
# ============================================
gates:
fast:
name: 'PR Fast Checks'
description: 'Fast gates for PR validation (< 5 min)'
requiredOn: pull_request
timeout: 300 # 5 minutes
jobs:
- name: lint_and_typecheck
description: 'ESLint + TypeScript type check'
command: 'npm run lint && npx tsc --noEmit'
- name: build_and_unit
description: 'Build + unit tests only'
command: 'npm run build && npm run test:fast'
commands:
- npm ci
- npm run build
- npm run lint
- npm run test:fast
testFilters:
- '@fast'
excludeTests:
- '**/cli-signals.test.ts'
- '**/npm-pack-install.test.ts'
- '**/e2e/**'

# Performance
performance/avoid-unnecessary-checkout:
severity: warning
performance/use-composite-actions:
severity: info
heavy:
name: 'Heavy Verification'
description: 'Heavy gates for main branch and nightly runs'
requiredOn:
- push # main branch only
optionalOn:
- pull_request # Available but not required for PR
timeout: 1800 # 30 minutes
jobs:
- name: integration_tests
description: 'Real git ops, file discovery, adapters'
command: 'npm run test:integration'
- name: e2e_tests
description: 'npm-pack, install-from-tarball, multi-mode'
command: 'npm run test:e2e'
- name: signals_tests
description: 'Process signal handling'
command: 'npm run test:signals'
testTags:
- '@integration'
- '@e2e'
- '@signals'
retries: 1
retryTimeoutIncrement: 5000

# ============================================
# GOAL 2: Test Organization with Tags
# ============================================
testTags:
fast:
name: 'Fast Unit Tests'
description: 'Unit tests, deterministic, <1s each'
command: 'npm run test:fast'
timeout: 1000
maxRetries: 0
jestArgs: '--testNamePattern="@fast"'
examples:
- 'schema validation'
- 'parser unit tests'
- 'utility functions'

integration:
name: 'Integration Tests'
description: 'Real git ops, file discovery, real adapters'
command: 'npm run test:integration'
timeout: 5000
maxRetries: 0
jestArgs: '--testNamePattern="@integration"'
includes:
- 'orchestrator real git'
- 'file discovery with globs'
- 'adapter real tool execution'
exclusions:
- 'mocked dependencies'

e2e:
name: 'End-to-End Tests'
description: 'npm-pack, install-from-tarball, multi-mode'
command: 'npm run test:e2e'
timeout: 30000
maxRetries: 1
jestArgs: '--testNamePattern="@e2e"'
examples:
- 'npm pack integration'
- 'install from tarball'
- 'multi-mode validation'

signals:
name: 'Signal Handling Tests'
description: 'Process signal handling (SIGINT, SIGTERM)'
command: 'npm run test:signals'
timeout: 10000
maxRetries: 1
jestArgs: '--testNamePattern="@signals"'
includes:
- 'SIGINT graceful shutdown'
- 'SIGTERM cleanup'
- 'zombie process prevention'

# ============================================
# GOAL 3: Protected Files Policy
# ============================================
protectedFiles:
enabled: true
requireOwnerAck: true
description: 'Prevent drift between contract and actual files'

autoGeneratedPatterns:
- path: CERBER.md
source: '.cerber/contract.yml'
command: 'npm run cerber:generate'
protected: true

- path: .github/workflows/cerber-pr-fast.yml
source: '.cerber/contract.yml'
command: 'npm run cerber:generate'
protected: true

- path: .github/workflows/cerber-main-heavy.yml
source: '.cerber/contract.yml'
command: 'npm run cerber:generate'
protected: true

- path: .github/CODEOWNERS
source: '.cerber/contract.yml'
command: 'npm run cerber:generate'
protected: true
onlyIfTeamMode: true

manualEditPatterns:
- path: '.cerber/contract.yml'
description: 'Source of truth - edit directly'
protected: false

- path: 'src/cli/generator.ts'
description: 'CLI command for generation'
protected: false

- path: 'src/cli/drift-checker.ts'
description: 'CLI command for drift detection'
protected: false

- path: 'src/cli/guardian.ts'
description: 'Pre-commit guardian'
protected: false

- path: 'src/cli/doctor.ts'
description: 'Health check command'
protected: false

criticalPatterns:
- CERBER.md
- .cerber/contract.yml
- .cerber/contracts/**
- bin/cerber-guardian
- src/guardian/**
- src/core/Orchestrator.ts
- package.json
- tsconfig.json

# ============================================
# CI Profiles
# ============================================
profiles:
dev-fast:
gates:
- fast
tools:
- actionlint
failOn:
- error
description: 'Fast pre-commit check (<2s)'

dev:
gates:
- fast
- heavy
tools:
- actionlint
- zizmor
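Review bot: under `rules:`, `'security/limit-permissions'` keeps `severity: error` but is set to `gate: false # Warn but don't block`, and `security/require-action-pinning` has no quoted counterpart in the rewritten block, so as rendered two workflow-hardening checks no longer block a merge. Keep `gate: true` on both, or record in the contract why they were relaxed. Separately, `manualEditPatterns` marks `.cerber/contract.yml` as `protected: false` while `criticalPatterns` lists the same path; state which list the enforcement reads, since this file is the source for every generated workflow and for CODEOWNERS.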
Expand All @@ -75,6 +227,9 @@ profiles:
description: 'Full development check'

team:
gates:
- fast
- heavy
tools:
- actionlint
- zizmor
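Review bot: the `team` profile now lists `heavy` under `gates:`, but the `heavy` gate itself declares `requiredOn: push` with `optionalOn: pull_request`, and nothing in the contract says which setting wins when a profile selects a gate. Document the precedence next to `profiles:` so it is clear whether a team PR is blocked by the heavy jobs or only offered them.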
Expand All @@ -83,20 +238,51 @@ profiles:
- error
- warning
description: 'Team CI with secrets scanning'
codeowners: true
protectedBranch: true

requiredActions:
- action: actions/checkout@v4
minVersion: '4'
- action: actions/setup-node@v4
minVersion: '4'
# ============================================
# Drift Detection Settings
# ============================================
driftDetection:
enabled: true
checkOnCI: true
failOnDrift: true
reportFormat: markdown
diffTool: git
ignoreWhitespace: false

requiredSteps:
- name: Install dependencies
command: npm ci
- name: Run tests
command: npm test
# ============================================
# Branch Protection Requirements
# ============================================
branchProtection:
mainBranch: main
requiredChecks:
- 'lint_and_typecheck'
- 'build_and_unit'
optionalChecks:
- 'cerber_e2e_all_modes'
- 'npm_package_validation'
requireUpToDate: true
requireCodeOwnerReview: true
allowForcePush: false

allowedTriggers:
- push
- pull_request
- workflow_dispatch
# ============================================
# Generation Rules
# ============================================
generation:
outputDirectory: .
workflows:
outputDirectory: .github/workflows
format: yaml
includeComments: true
documentation:
outputDirectory: .
format: markdown
toc: true
codeowners:
enabled: true
outputPath: .github/CODEOWNERS
onlyTeamMode: true
autoCommit: false
autoGeneratedHeader: '<!-- AUTO-GENERATED BY CERBER — DO NOT EDIT -->'
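Review bot: in `branchProtection`, the `optionalChecks` names `cerber_e2e_all_modes` and `npm_package_validation` do not match any job declared under `gates.heavy.jobs` (`integration_tests`, `e2e_tests`, `signals_tests`), whereas both `requiredChecks` do match the `fast` jobs. Either rename them to the contract's job names or declare the jobs they refer to, otherwise drift detection has nothing to compare them against. Two smaller consistency points: `generation.codeowners` uses `onlyTeamMode` while `protectedFiles` uses `onlyIfTeamMode` for the same file, and `autoGeneratedHeader` is an HTML comment while `metadata.generatedFilesHeader` is plain text, so it should be stated which header goes into the YAML workflows and CODEOWNERS.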
27 changes: 27 additions & 0 deletions .github/CODEOWNERS
@@ -0,0 +1,27 @@
# Code owners for Cerber One Truth infrastructure
# Changes to protected files require approval from codeowners

# One Truth contract and policy
CERBER.md @owner
.cerber/ @owner
.github/workflows/ @owner

# Critical dependencies
package.json @owner
package-lock.json @owner

# CLI entry points
bin/ @owner

# Guardian system (enforcement)
src/guardian/ @owner

# Core infrastructure
src/core/Orchestrator.ts @owner
src/cli/generator.ts @owner
src/cli/drift-checker.ts @owner
src/cli/guardian.ts @owner
src/cli/doctor.ts @owner

# Branch protection documentation
docs/BRANCH_PROTECTION.md @owner
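Review bot: every entry assigns `@owner`, which reads as a placeholder rather than a real user or team handle. GitHub only requests code-owner review from owners it can resolve to an account or team with write access, so unless such a handle exists the `requireCodeOwnerReview: true` setting in the contract protects none of these paths; replace it with the actual handle before merging. The contract also lists `.github/CODEOWNERS` under `autoGeneratedPatterns` with `protected: true`, yet this file carries no generated-file header and includes paths such as `docs/BRANCH_PROTECTION.md` and `package-lock.json` that appear in none of the contract's pattern lists, so either regenerate it from the contract or move it to `manualEditPatterns`.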