Skip to content

feat: add Linux official evidence audit gate#140

Merged
SSobol77 merged 1 commit into
mainfrom
feature/f4-linux-official-evidence-audit-gate
Jul 10, 2026
Merged

feat: add Linux official evidence audit gate#140
SSobol77 merged 1 commit into
mainfrom
feature/f4-linux-official-evidence-audit-gate

Conversation

@SSobol77

@SSobol77 SSobol77 commented Jul 10, 2026

Copy link
Copy Markdown
Owner

Summary

Add a release-facing Linux official evidence audit gate.

This PR exposes the official distro evidence drift helpers through a deterministic report helper and CLI check/report modes.

This is an audit/check change only. It does not add new official evidence records, does not promote new mappings, and does not change generated evidence semantics.

What changed

Added:

  • linux_official_distro_evidence_audit_report()
  • --official-evidence-audit
  • --check-official-evidence-drift

Audit report helper

linux_official_distro_evidence_audit_report() returns:

  • summary
  • matrix
  • drift_errors
  • ok

ok is true only when linux_official_distro_evidence_drift_errors() is empty.

Current state:

ok == True
drift_errors == []
summary.official_override_count == 6
summary.non_debian_override_count == 0
len(matrix) == 6

CLI report mode

scripts/f4_linter_linux_provisioning.py --official-evidence-audit

Behavior:

  • prints deterministic sorted JSON to stdout
  • exits 0
  • writes no files
  • creates no generated artifacts

CLI check mode

scripts/f4_linter_linux_provisioning.py --check-official-evidence-drift

Current clean behavior:

PASS: Linux official distro evidence drift audit clean

Exit behavior:

  • exits 0 when drift errors are empty
  • exits 2 when official evidence drift is detected

Contract scope

This gate checks drift between the configured official evidence registry and generated ECLI distro evidence.

It is not a live network audit of Debian web pages.

Behavior preserved

Exactly six generated Debian evidence records remain verified-official-source:

  • deb/yamllint
  • deb/shellcheck
  • deb/clang-tidy
  • deb/cppcheck
  • deb/clang-format
  • deb/checkstyle

No Docker helper record is promoted.

No non-Debian mapping is promoted.

All Docker DEB helper records remain repository-local-policy/current-policy-baseline.

RPM/openSUSE/Arch/Slackware mappings remain unchanged.

Tests

Added tests for:

  • clean audit report helper
  • CLI JSON report mode
  • CLI drift check mode
  • existing empty drift state

Existing promotion, Docker baseline, generated manifest, and negative tamper tests remain passing.

Scope controls

This PR does not:

  • add official evidence records
  • promote additional mappings
  • demote existing mappings
  • change package names
  • change executable names
  • change URLs
  • change OS_PACKAGE_NAMES
  • change versions
  • add checksums
  • run package managers
  • download anything
  • perform network operations
  • vendor binaries or archives
  • add generated artifacts
  • weaken verifier logic
  • change promotion-gate policy
  • touch UI/provider/parser/runtime/TextMate/theme code

Validation

Passed locally / by agent report:

uv run ruff check src tests scripts
uv run ruff format --check src tests scripts
uv run python scripts/check_runtime_imports.py
uv run pytest -q tests/packaging/test_f4_linter_linux_provisioning.py
uv run pytest -q tests/packaging
uv run pytest -q tests/extensions/linters
uv run pytest -q tests/docs
git diff --check

Observed results:

tests/packaging/test_f4_linter_linux_provisioning.py: 124 passed
tests/packaging: 497 passed
tests/extensions/linters: 226 passed
tests/docs: 18 passed

Additional CLI smoke:

uv run python scripts/f4_linter_linux_provisioning.py --official-evidence-audit | python -m json.tool >/dev/null
uv run python scripts/f4_linter_linux_provisioning.py --check-official-evidence-drift

Safety:

No new package names.
No OS_PACKAGE_NAMES changes.
No executable-name changes.
No URL changes.
No package versions as contract fields.
No checksums.
No package-manager calls.
No downloads.
No network operations.
No generated artifacts.
No vendored binaries.
No UI/provider/parser/runtime/TextMate/theme changes.

Next work

A follow-up PR can wire this official evidence audit gate into release verification or packaging evidence checks, still without promoting additional distro families.

Summary by CodeRabbit

  • New Features

    • Added a command-line audit that outputs Linux distribution evidence details in JSON format.
    • Added an evidence drift check with clear PASS/FAIL output and status codes.
    • Added validation feedback for invalid command-line arguments.
  • Tests

    • Added coverage for audit reports, JSON output, drift checks, and expected evidence mappings.

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The Linux provisioning script now exposes official distro evidence audits through a reusable report function and two CLI modes. Tests validate report contents, JSON output, drift-check output, and successful exit behavior.

Changes

Official distro evidence audit

Layer / File(s) Summary
Audit report contract
scripts/f4_linter_linux_provisioning.py
Adds exit status constants and linux_official_distro_evidence_audit_report(), which returns the evidence summary, matrix, drift errors, and ok status.
Audit CLI and validation
scripts/f4_linter_linux_provisioning.py, tests/packaging/test_f4_linter_linux_provisioning.py
Adds mutually exclusive audit commands, standardized invalid-argument exits, JSON and PASS/FAIL output, script entrypoint wiring, and subprocess tests for the report and drift-check modes.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Sequence Diagram(s)

sequenceDiagram
  participant CLI
  participant main
  participant AuditReport
  participant Output
  CLI->>main: pass audit command
  main->>AuditReport: collect summary, matrix, and drift errors
  AuditReport-->>main: return JSON-friendly audit report
  main->>Output: print JSON or drift-check result
  Output-->>CLI: return formatted output and exit status
Loading

Possibly related PRs

  • SSobol77/ecli#130: Provides the distro evidence matrix and verification machinery used by this audit.
  • SSobol77/ecli#131: Extends the official-source evidence schema and matrices consumed by the audit.
  • SSobol77/ecli#133: Changes Debian evidence matrix content validated by the new report and tests.
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 12.50% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: adding a Linux official evidence audit gate.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feature/f4-linux-official-evidence-audit-gate

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@sonarqubecloud

Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/f4_linter_linux_provisioning.py`:
- Around line 2798-2853: Add tests covering the missing CLI failure paths:
invoke main() with mocked linux_official_evidence_drift_errors() returning
errors and assert EXIT_OFFICIAL_EVIDENCE_DRIFT plus correctly formatted stderr
output from _official_evidence_drift_check_message; add subprocess tests for no
mode flag and both mutually exclusive flags, asserting EXIT_INVALID and argparse
error output from _ContractArgumentParser.error().
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 75acf318-41e9-464b-988f-c30ebdca14eb

📥 Commits

Reviewing files that changed from the base of the PR and between cade8bb and fb251d3.

📒 Files selected for processing (2)
  • scripts/f4_linter_linux_provisioning.py
  • tests/packaging/test_f4_linter_linux_provisioning.py

Comment thread scripts/f4_linter_linux_provisioning.py
@SSobol77 SSobol77 merged commit 1110aef into main Jul 10, 2026
5 checks passed
@SSobol77 SSobol77 deleted the feature/f4-linux-official-evidence-audit-gate branch July 10, 2026 16:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant