Add mandatory execution guardrails and clean-state policy
Co-authored-by: Yacineutt <Yacineutt@users.noreply.github.com>
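--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,9 @@
+# Generated execution artifacts (keep repo clean / 0 dirty)
+reports/raw_*/
+reports/nonreg_20*.md
+reports/multiinstall_preflight_20*.csv
+reports/p0_p1_p2_execution_20*.md
+
+# Local temp files
+*.tmp
+*.swp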
@@ -1,5 +1,5 @@
|
||||
# WEVADS GPU Server
|
||||
- **IP**: 88.198.4.195
|
||||
- **IP**: managed outside this repository
|
||||
- **GPU**: NVIDIA RTX 4000 SFF Ada (20GB vRAM)
|
||||
- **RAM**: 62GB DDR4
|
||||
- **Disk**: 1.7TB NVMe
|
||||
@@ -11,4 +11,6 @@
|
||||
- `nonreg-framework.sh`: anti-regression gate (HTTP/API/WEVIA/tracking/confidentiality checks)
|
||||
- `multiinstall-safe-preflight.sh`: safe server preflight before multi-install batches
|
||||
- `execute_all_p0_p1_p2.sh`: full execution pipeline (P0/P1/P2) with Sentinel checks and final report
|
||||
- `dp-release-gate.sh`: guardrail checks (forbidden touches, confidentiality, php-lint, cleanliness)
|
||||
- `CHANTIERS_RESTANTS_EXECUTION_PLAN.md`: execution plan and GO/NO-GO criteria
|
||||
- `REGLES_EXECUTION_OBLIGATOIRES.md`: mandatory execution policy agreed with DP
|
||||
|
||||
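--- a/REGLES_EXECUTION_OBLIGATOIRES.md
+++ b/REGLES_EXECUTION_OBLIGATOIRES.md
@@ -0,0 +1,32 @@
+# Regles d'execution obligatoires (DP/Claude)
+
+Ces regles sont bloquantes pour toute intervention.
+
+## Interdits absolus
+
+1. **Ne PAS toucher PMTA / SSH config**
+- Justification: incidents critiques des 20-21 janvier.
+2. **Ne PAS modifier `multiInstall.js` / JAR Java**
+- Justification: race conditions et blocages observes.
+3. **Ne PAS remplacer des fichiers entiers**
+- Mode obligatoire: corrections chirurgicales (`str_replace` cible, patch localise).
+
+## Obligations a chaque lot
+
+1. **GOLD backup avant modification**
+- Exemple: `cp file file.bak-$(date +%H%M)`.
+2. **PHP syntax check apres chaque edit**
+- Exemple: `php -l fichier.php`.
+3. **0 info confidentielle dans le code**
+- Cibles: concurrents, clients sensibles, IPs internes, termes internes interdits.
+4. **Commit + push apres chaque lot**
+- Objectif: zero derive, historique traçable.
+5. **Test non-regression apres chaque lot**
+- Commande: `./nonreg-framework.sh`.
+
+## Validation DP
+
+- 0 regression
+- 0 dirty
+- aucune modification interdite
+- rapport final fourni a Claude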
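--- a/dp-release-gate.sh
+++ b/dp-release-gate.sh
@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# DP release guardrail checks
+
+FORBIDDEN_PATH_REGEX='(pmta|powermta|multiInstall\.js|adxapp\.jar|/\.ssh/|sshd_config)'
+FORBIDDEN_TERMS_REGEX='(McKinsey|OpenAI|Anthropic|Abbott|AbbVie|J&J|89\.167\.40\.150|88\.198\.4\.195)'
+
+echo "== DP Release Gate =="
+
+fail() {
+echo "FAIL: $*" >&2
+exit 1
+}
+
+warn() {
+echo "WARN: $*" >&2
+}
+
+echo "[1/5] Check forbidden path modifications"
+CHANGED_FILES="$( (git diff --name-only; git diff --cached --name-only) | sort -u )"
+if [[ -n "${CHANGED_FILES}" ]] && echo "${CHANGED_FILES}" | rg -n -i "${FORBIDDEN_PATH_REGEX}" >/dev/null; then
+echo "${CHANGED_FILES}" | rg -n -i "${FORBIDDEN_PATH_REGEX}" || true
+fail "Forbidden component touched (PMTA/SSH/JAR/multiInstall.js)"
+fi
+
+echo "[2/5] Check confidential terms in repo content"
+if rg -n -i "${FORBIDDEN_TERMS_REGEX}" /workspace \
+--glob '!reports/**' \
+--glob '!*vendor/**' \
+--glob '!*.bak*' \
+--glob '!*.md' \
+--glob '!README.md' \
+--glob '!nonreg-framework.sh' \
+--glob '!execute_all_p0_p1_p2.sh' \
+--glob '!dp-release-gate.sh' >/dev/null; then
+rg -n -i "${FORBIDDEN_TERMS_REGEX}" /workspace \
+--glob '!reports/**' \
+--glob '!*vendor/**' \
+--glob '!*.bak*' \
+--glob '!*.md' \
+--glob '!README.md' \
+--glob '!nonreg-framework.sh' \
+--glob '!execute_all_p0_p1_p2.sh' \
+--glob '!dp-release-gate.sh' | sed -n '1,40p'
+fail "Confidential terms detected in repository content"
+fi
+
+echo "[3/5] PHP syntax checks for changed PHP files"
+PHP_CHANGED="$(echo "${CHANGED_FILES}" | rg -n '\.php$' || true)"
+PHP_CHANGED="$(echo "${PHP_CHANGED}" | sed 's/^[0-9]*://')"
+if [[ -n "${PHP_CHANGED}" ]]; then
+while IFS= read -r f; do
+[[ -z "$f" ]] && continue
+[[ -f "$f" ]] || continue
+php -l "$f" >/dev/null || fail "PHP syntax invalid: $f"
+done <<< "${PHP_CHANGED}"
+else
+warn "No changed PHP files to lint"
+fi
+
+echo "[4/5] Run anti-regression smoke"
+if [[ "${RUN_NONREG:-1}" == "1" ]]; then
+/workspace/nonreg-framework.sh >/tmp/dp_nonreg_gate.out 2>&1 || warn "nonreg returned failures (see /tmp/dp_nonreg_gate.out)"
+else
+warn "RUN_NONREG=0, skip nonreg run"
+fi
+
+echo "[5/5] Check git cleanliness"
+if [[ "${ALLOW_DIRTY:-0}" != "1" ]]; then
+if [[ -n "$(git status --short)" ]]; then
+git status --short
+fail "Working tree not clean (0 dirty rule)"
+fi
+fi
+
+echo "PASS: DP Release Gate checks completed."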
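Review bot: The confidentiality scan in check 2 fails open: the condition ending at `--glob '!dp-release-gate.sh' >/dev/null; then` treats every non-zero status as "clean", so a missing `rg` binary or a scan error (ripgrep exits 2 when it hits unreadable files, even if matches were found) lets the gate pass silently, and the `echo "${CHANGED_FILES}" | rg …` condition in check 1 has the same shape. The scan also excludes `*.md`, which is exactly where this commit found the server IP (the README hunk above), and `FORBIDDEN_TERMS_REGEX` embeds the client names and both IP addresses in the script itself while `--glob '!dp-release-gate.sh'` hides the script from its own scan — loading the pattern from a git-ignored file named by an environment variable (e.g. `DP_FORBIDDEN_TERMS_FILE`, a constructed name) would keep those values out of the history. Below is check 2 rewritten to require `rg`, run the scan once, and treat only exit status 1 as clean. Two smaller points: `/tmp/dp_nonreg_gate.out` is a fixed name in a shared directory (prefer `out="$(mktemp)"`), and because the nonreg step only calls `warn`, the gate never blocks on regressions despite being described as the anti-regression gate.

```bash
command -v rg >/dev/null || fail "rg not installed (confidentiality checks would fail open)"
# … unchanged: check 1 …
echo "[2/5] Check confidential terms in repo content"
rc=0
matches="$(rg -n -i "${FORBIDDEN_TERMS_REGEX}" /workspace \
  --glob '!reports/**' \
  --glob '!*vendor/**' \
  --glob '!*.bak*' \
  --glob '!nonreg-framework.sh' \
  --glob '!execute_all_p0_p1_p2.sh' \
  --glob '!dp-release-gate.sh' 2>&1)" || rc=$?
# rg: 0 = matches, 1 = no matches, 2 = error (possibly with matches) -> only 1 is clean
if (( rc != 1 )); then
  printf '%s\n' "${matches}" | sed -n '1,40p'
  fail "Confidential terms detected or scan failed (rg exit ${rc})"
fi
# … unchanged: checks 3-5 …
```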