john/tractatus
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
tractatus/scripts/add-governance-rules.js
TheFlow 2af47035ac refactor: remove website code and fix critical startup crashes (Phase 8) 
CRITICAL FIX: Server would CRASH ON STARTUP (multiple import errors)

REMOVED (2 scripts):
1. scripts/framework-watchdog.js
   - Monitored .claude/session-state.json (OUR Claude Code setup)
   - Monitored .claude/token-checkpoints.json (OUR file structure)
   - Implementers won't have our .claude/ directory

2. scripts/init-db.js
   - Created website collections: blog_posts, media_inquiries, case_submissions
   - Created website collections: resources, moderation_queue, users, citations
   - Created website collections: translations, koha_donations
   - Next steps referenced deleted scripts (npm run seed:admin)

REWRITTEN (2 files):

src/models/index.js (29 lines → 27 lines)
- REMOVED imports: Document, BlogPost, MediaInquiry, CaseSubmission, Resource
- REMOVED imports: ModerationQueue, User (all deleted in Phase 2)
- KEPT imports: AuditLog, DeliberationSession, GovernanceLog, GovernanceRule
- KEPT imports: Precedent, Project, SessionState, VariableValue, VerificationLog
- Result: Only framework models exported

src/server.js (284 lines → 163 lines, 43% reduction)
- REMOVED: Imports to deleted middleware (csrf-protection, response-sanitization)
- REMOVED: Stripe webhook handling (/api/koha/webhook)
- REMOVED: Static file caching (for deleted public/ directory)
- REMOVED: Static file serving (public/ deleted in Phase 6)
- REMOVED: CSRF token endpoint
- REMOVED: Website homepage with "auth, documents, blog, admin" references
- REMOVED: Instruction sync (scripts/sync-instructions-to-db.js reference)
- REMOVED: Hardcoded log path (${process.env.HOME}/var/log/tractatus/...)
- REMOVED: Website-specific security middleware
- KEPT: Security headers, rate limiting, CORS, body parsers
- KEPT: API routes, governance services, MongoDB connections
- RESULT: Clean framework-only server

RESULT: Repository can now start without crashes, all imports resolve

🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-21 22:17:02 +13:00

230 lines
8.3 KiB
JavaScript
Executable file
Raw Blame History

#!/usr/bin/env node
/**
* Add inst_026 and inst_027 to Governance Rules Database
* These rules emerged from blog implementation validation
*/
const mongoose = require('mongoose');
const GovernanceRule = require('../src/models/GovernanceRule.model');
// Connect to MongoDB
const MONGODB_URI = process.env.MONGODB_URI || 'mongodb://localhost:27017/tractatus_dev';
const rules = [
{
id: 'inst_026',
text: `Client-Side Code Quality Standards (OPERATIONAL)
All client-side JavaScript (public/js/**) must adhere to these quality standards:
1. **Framework Usage**: Use vanilla JavaScript unless framework is explicitly approved
- No React, Vue, Angular without approval
- Prefer native DOM APIs
- Minimize external dependencies
2. **XSS Prevention**: Include HTML escaping for all user-generated content
- Implement escapeHtml() function
- Use textContent instead of innerHTML where possible
- Sanitize all dynamic content before rendering
3. **URL Portability**: Use relative URLs (no hardcoded hosts)
- ✓ Good: "/api/blog", "/blog.html"
- ✗ Bad: "http://localhost:9000/api/blog", "https://agenticgovernance.digital/blog.html"
- Ensures code works in dev, staging, and production
4. **Performance**: Implement debouncing for search inputs
- Minimum 300ms debounce for search/filter inputs
- Prevents excessive API calls and DOM updates
- Use setTimeout/clearTimeout pattern
5. **Event Handling**: Use event delegation for dynamic elements
- Attach listeners to parent containers
- Use event.target.closest() for delegation
- Prevents memory leaks from repeated listener attachment
6. **User Experience**: Include loading, error, and empty states
- Loading: Spinner or skeleton UI
- Error: User-friendly error message with recovery action
- Empty: Helpful message explaining why no data exists
7. **Linting**: Pass ESLint validation with zero warnings
- Run: npx eslint <file> --max-warnings 0
- Fix all auto-fixable issues
- Manually resolve remaining warnings
**Validation**:
- Check for escapeHtml() function
- grep for hardcoded URLs (localhost, production domain)
- Verify debounce implementation on search inputs
- Confirm event delegation usage
- Run ESLint with --max-warnings 0
**Boundary Classification**: TECHNICAL (safe for automation)
These are objective, testable code quality standards with no values component.`,
quadrant: 'OPERATIONAL',
persistence: 'MEDIUM',
scope: 'PROJECT_SPECIFIC',
applicableProjects: ['tractatus'],
category: 'technical',
priority: 70,
temporalScope: 'PROJECT',
source: 'user_instruction',
createdBy: 'claude_code',
active: true,
notes: 'Created after blog implementation validation. Emerged from CSP violations in navbar.js and need for consistent client-side code quality.',
examples: [
'XSS Prevention: function escapeHtml(text) { const div = document.createElement("div"); div.textContent = text; return div.innerHTML; }',
'Debouncing: let timeout; input.addEventListener("input", (e) => { clearTimeout(timeout); timeout = setTimeout(() => filter(e.target.value), 300); });',
'Event Delegation: container.addEventListener("click", (e) => { const btn = e.target.closest(".btn"); if (btn) handleClick(btn); });'
],
relatedRules: ['inst_008', 'inst_027']
},
{
id: 'inst_027',
text: `Production Deployment Checklist (TACTICAL)
Before deploying to production, verify ALL of the following:
**1. Code Cleanliness**
- [ ] No console.log() statements (console.error() allowed for error handling)
- [ ] No console.debug(), console.warn() in production code
- [ ] No TODO, FIXME, DEBUG, HACK, or XXX comments
- [ ] No commented-out code blocks
**2. Environment Independence**
- [ ] No hardcoded localhost URLs
- [ ] No hardcoded production URLs (use relative paths)
- [ ] No hardcoded IP addresses
- [ ] Environment variables used for configuration
**3. Security Validation**
- [ ] CSP compliance (inst_008) validated on all HTML/JS files
- [ ] No inline event handlers (onclick, onload, etc.)
- [ ] No inline styles (use CSS classes)
- [ ] No inline scripts
- [ ] No javascript: URLs
**4. File Organization**
- [ ] All files in production-ready locations (public/, src/)
- [ ] No temporary files (.tmp, .bak, ~)
- [ ] No development-only files
- [ ] .rsyncignore excludes sensitive files
**5. Cache Busting**
- [ ] CSS version parameter updated (?v=TIMESTAMP)
- [ ] JavaScript version parameter updated (?v=TIMESTAMP)
- [ ] Image version parameters if needed
**6. Sensitive Data Protection**
- [ ] .env files NOT included in deployment
- [ ] CLAUDE.md NOT included (verify in .rsyncignore)
- [ ] Session state (.claude/) NOT included
- [ ] No API keys, secrets, or credentials in code
**7. Testing**
- [ ] Manual testing in development environment
- [ ] All API endpoints return expected responses
- [ ] Error states display correctly
- [ ] Loading states work
- [ ] Mobile responsive layout verified
**Validation Commands**:
\`\`\`bash
# Check for console statements
grep -r "console\\.log" public/ || echo "✓ No console.log found"
# Check for development comments
grep -r "TODO\\|FIXME\\|DEBUG" public/ || echo "✓ No dev comments found"
# Check for hardcoded URLs
grep -r "localhost\\|http://\\|https://" public/ | grep -v ".html" || echo "✓ No hardcoded URLs found"
# Verify CSP compliance
node scripts/pre-action-check.js file-edit public/index.html "Deployment validation"
# Verify .rsyncignore coverage
grep "CLAUDE.md" .rsyncignore && grep ".claude/" .rsyncignore && echo "✓ Sensitive files excluded"
\`\`\`
**Deployment Process**:
1. Run all validation commands above
2. Execute: ./scripts/deploy-full-project-SAFE.sh
3. Review dry-run output carefully
4. Confirm deployment
5. SSH to production and verify sensitive files NOT deployed
6. Restart service: sudo systemctl restart tractatus
7. Test production site: https://agenticgovernance.digital
**Boundary Classification**: TECHNICAL (automated checklist)
All checks are objective and can be automated. No values decisions required.`,
quadrant: 'TACTICAL',
persistence: 'HIGH',
scope: 'UNIVERSAL',
applicableProjects: ['*'],
category: 'process',
priority: 85,
temporalScope: 'PERMANENT',
source: 'user_instruction',
createdBy: 'claude_code',
active: true,
notes: 'Created after blog implementation validation. Prevents common deployment errors like console.log statements, hardcoded URLs, and CSP violations from reaching production.',
examples: [
'Pre-deployment validation: grep -r "console.log" public/ && echo "FAIL: console.log found" && exit 1',
'CSP validation: node scripts/pre-action-check.js file-edit public/blog.html "Deployment check"',
'Sensitive file check: ssh production "ls /var/www/tractatus/CLAUDE.md 2>/dev/null && echo FAIL || echo OK"'
],
relatedRules: ['inst_008', 'inst_026']
}
];
async function addRules() {
try {
console.log('Connecting to MongoDB:', MONGODB_URI);
await mongoose.connect(MONGODB_URI);
console.log('✓ Connected to MongoDB\n');
for (const rule of rules) {
console.log(`Adding ${rule.id}...`);
// Check if rule already exists
const existing = await GovernanceRule.findOne({ id: rule.id });
if (existing) {
console.log(` ⚠ Rule ${rule.id} already exists. Updating...`);
await GovernanceRule.updateOne({ id: rule.id }, rule);
console.log(` ✓ Updated ${rule.id}`);
} else {
await GovernanceRule.create(rule);
console.log(` ✓ Created ${rule.id}`);
}
console.log(` Quadrant: ${rule.quadrant}`);
console.log(` Persistence: ${rule.persistence}`);
console.log(` Scope: ${rule.scope}`);
console.log(` Priority: ${rule.priority}`);
console.log('');
}
console.log('✓ All rules added successfully!\n');
// Show summary
const allRules = await GovernanceRule.find({ active: true }).sort({ id: 1 });
console.log(`Total active rules: ${allRules.length}`);
console.log('Rule IDs:', allRules.map(r => r.id).join(', '));
await mongoose.disconnect();
console.log('\n✓ Disconnected from MongoDB');
process.exit(0);
} catch (error) {
console.error('Error adding rules:', error);
await mongoose.disconnect();
process.exit(1);
}
}
addRules();
Reference in a new issue View git blame Copy permalink