john/tractatus
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
tractatus/scripts/audit-enforcement.js
TheFlow e7efdc7810 feat(governance): second wave enforcement - 64% improvement (28% → 46%) 
Implements 7 additional architectural enforcement mechanisms:

 Prohibited Terms Detection (inst_016/017/018):
- scripts/check-prohibited-terms.js
- Scans for absolute assurance terms ("guarantee", "100% secure")
- Detects maturity claims without evidence ("production-ready", "battle-tested")
- Checks statistics require citation or [NEEDS VERIFICATION]
- Integrated into .git/hooks/pre-commit (Check 2)

 Credential Exposure Prevention (inst_069/070):
- scripts/check-credential-exposure.js
- Detects real API keys, secrets, passwords in documentation
- Validates example credentials use proper patterns (EXAMPLE/REDACTED)
- CRITICAL: Runs first in pre-commit (Check 0)

 Confidential Document Protection (inst_012/015):
- scripts/check-confidential-docs.js
- Prevents deployment of internal/session-handoff documents
- Scans filenames and content for [CONFIDENTIAL]/[INTERNAL] markers
- Integrated into scripts/deploy.sh pre-flight checks

 Enhanced Pre-Commit Hook:
Now runs 4 checks in order:
0. Credential exposure (CRITICAL)
1. CSP compliance
2. Prohibited terms
3. Test requirements

 Enhanced Deployment Script:
- Added confidential document check to deploy.sh
- Scans public/ and docs/ before deployment
- Blocks deployment if confidential markers found

 Updated Enforcement Map:
- Added all new mechanisms to audit-enforcement.js
- Updated inst_008_CONSOLIDATED mapping
- New mappings: inst_012, inst_015, inst_016, inst_017, inst_018, inst_069, inst_070

📊 Enforcement Progress:
- Wave 1: 11/39 imperative instructions enforced (28%)
- Wave 2: 18/39 imperative instructions enforced (46%)
- Improvement: +7 instructions = +64% increase
- Remaining gaps: 21/39 (54%)

🎯 Next Priority Gaps:
- inst_013/043/045: API security validation
- inst_019: Context pressure comprehensive accounting
- inst_025: Deployment file mapping
- inst_039/040: Batch operation verification
- inst_079/080/081: Values/principles (process-based)

🔒 Security Posture:
- CRITICAL security checks now run first (credential exposure)
- All text files scanned before commit
- All deployment candidates scanned before rsync

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-25 13:26:33 +13:00

142 lines
5.5 KiB
JavaScript
Executable file
Raw Blame History

#!/usr/bin/env node
/**
* Meta-Enforcement Monitoring System
* Scans instructions for MUST/NEVER/MANDATORY language and verifies enforcement
*
* Per ENFORCEMENT_AUDIT.md: "If it's MANDATORY, it must be ENFORCED architecturally"
*/
const fs = require('fs');
const path = require('path');
const INSTRUCTION_FILE = path.join(__dirname, '../.claude/instruction-history.json');
// Known enforcement mechanisms
const ENFORCEMENT_MAP = {
inst_008: ['.git/hooks/pre-commit', 'scripts/check-csp-violations.js'],
inst_008_CONSOLIDATED: ['.git/hooks/pre-commit', 'scripts/check-csp-violations.js'],
inst_012: ['scripts/check-confidential-docs.js', 'scripts/deploy.sh'],
inst_015: ['scripts/check-confidential-docs.js', 'scripts/deploy.sh'],
inst_016: ['scripts/check-prohibited-terms.js', '.git/hooks/pre-commit'],
inst_017: ['scripts/check-prohibited-terms.js', '.git/hooks/pre-commit'],
inst_018: ['scripts/check-prohibited-terms.js', '.git/hooks/pre-commit'],
inst_023: ['scripts/track-background-process.js', 'scripts/session-init.js', 'scripts/session-closedown.js'],
inst_027: ['.claude/hooks/framework-audit-hook.js'],
inst_038: ['.claude/hooks/framework-audit-hook.js'],
inst_046: ['scripts/verify-security-logging.js'],
inst_064: ['scripts/session-init.js'], // Framework activity verification
inst_065: ['scripts/session-init.js'],
inst_066: ['.git/hooks/commit-msg'],
inst_068: ['.git/hooks/pre-commit'],
inst_069: ['scripts/check-credential-exposure.js', '.git/hooks/pre-commit'],
inst_070: ['scripts/check-credential-exposure.js', '.git/hooks/pre-commit'],
inst_071: ['scripts/deploy.sh'],
inst_075: ['.claude/hooks/check-token-checkpoint.js'],
inst_077: ['scripts/session-closedown.js'],
inst_078: ['.claude/hooks/trigger-word-checker.js'],
inst_082: ['.claude/hooks/trigger-word-checker.js']
};
function loadInstructions() {
const data = JSON.parse(fs.readFileSync(INSTRUCTION_FILE, 'utf8'));
return data.instructions.filter(i => i.active);
}
function hasImperativeLanguage(text) {
const imperatives = [
/\bMUST\b/i,
/\bNEVER\b/i,
/\bMANDATORY\b/i,
/\bREQUIRED\b/i,
/\bBLOCK(S|ED)?\b/i,
/\bCRITICAL\b.*\bFAILURE\b/i,
/\bALWAYS\b/i,
/\bSHOULD NOT\b/i
];
return imperatives.some(pattern => pattern.test(text));
}
function checkEnforcementExists(instId, enforcementPaths) {
const missing = [];
const exists = [];
enforcementPaths.forEach(p => {
const fullPath = path.join(__dirname, '..', p);
if (fs.existsSync(fullPath)) {
exists.push(p);
} else {
missing.push(p);
}
});
return { exists, missing };
}
function main() {
console.log('\n🔍 Meta-Enforcement Audit\n');
console.log('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n');
const instructions = loadInstructions();
const highPersistence = instructions.filter(i => i.persistence === 'HIGH');
console.log(`Total active instructions: ${instructions.length}`);
console.log(`HIGH persistence instructions: ${highPersistence.length}\n`);
console.log('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n');
const imperativeInstructions = highPersistence.filter(i => hasImperativeLanguage(i.text));
console.log(`Instructions with imperative language: ${imperativeInstructions.length}\n`);
let enforced = 0;
let unenforced = 0;
const gaps = [];
imperativeInstructions.forEach(inst => {
const hasEnforcement = ENFORCEMENT_MAP[inst.id];
if (hasEnforcement) {
const check = checkEnforcementExists(inst.id, hasEnforcement);
if (check.missing.length === 0) {
console.log(`${inst.id}: ENFORCED`);
console.log(` Mechanisms: ${check.exists.join(', ')}`);
enforced++;
} else {
console.log(`⚠️ ${inst.id}: PARTIALLY ENFORCED`);
console.log(` Exists: ${check.exists.join(', ')}`);
console.log(` Missing: ${check.missing.join(', ')}`);
gaps.push({ id: inst.id, missing: check.missing, text: inst.text.substring(0, 80) + '...' });
unenforced++;
}
} else {
console.log(`${inst.id}: NO ENFORCEMENT`);
console.log(` Text: ${inst.text.substring(0, 80)}...`);
gaps.push({ id: inst.id, missing: ['No enforcement mechanism defined'], text: inst.text.substring(0, 80) + '...' });
unenforced++;
}
console.log('');
});
console.log('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n');
console.log('Summary:\n');
console.log(` Imperative instructions: ${imperativeInstructions.length}`);
console.log(` Enforced: ${enforced} (${Math.round(enforced/imperativeInstructions.length*100)}%)`);
console.log(` Unenforced/Partial: ${unenforced} (${Math.round(unenforced/imperativeInstructions.length*100)}%)`);
if (gaps.length > 0) {
console.log(`\n⚠️ ${gaps.length} enforcement gap(s) detected\n`);
console.log('Gaps should be addressed to prevent voluntary compliance failures.\n');
} else {
console.log('\n✅ All imperative instructions have enforcement mechanisms!\n');
}
console.log('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n');
if (gaps.length > 0) {
process.exit(1); // Exit with error if gaps exist
}
}
main();
Reference in a new issue View git blame Copy permalink