ci-pipeline-cleanup Phase 1: extract 20 regression guards to scripts/ci-guards/

Bundle: ci-pipeline-cleanup, Phase 1. Pure relocation — no behavior change. Each guard's bash logic is byte-identical to the prior inline version; the only changes are: (a) the guard becomes a sibling script under scripts/ci-guards/<id>.sh, (b) ci.yml's per-guard step is replaced by a single loop step that iterates all scripts. 20 scripts extracted (alphabetized): B-1-orphan-crud.sh, D-1-D-2-statusbadge-phantom.sh, G-1-jwt-auth-literal.sh, G-2-api-key-hash-json.sh, G-3-env-docs-drift.sh, H-001-bare-from.sh, H-009-readme-jwt.sh, L-001-insecure-skip-verify.sh, L-1-bulk-action-loop.sh, M-012-no-root-user.sh, P-1-documented-orphan-fns.sh, S-1-hardcoded-source-counts.sh, S-2-strings-contains-err.sh, T-1-frontend-page-coverage.sh, U-2-plaintext-healthcheck.sh, U-3-migration-mount.sh, bundle-8-L-015-target-blank-rel-noopener.sh, bundle-8-L-019-dangerously-set-inner-html.sh, bundle-8-M-009-bare-usemutation.sh, test-naming-convention.sh Plus scripts/ci-guards/README.md documenting the contract: - Each script must exit 0 on clean repo, non-zero with ::error:: prefix on regression - Runnable from repo root via 'bash scripts/ci-guards/<id>.sh' - Adding a new guard: drop a new <id>.sh; CI auto-picks it up ci.yml dropped 1488 → 557 lines (-931, -63%). Single CI loop step now collects ALL guard failures before failing the build instead of fail-fast — UX win for regressions that hit two guards at once. Two guards (QA-doc Part-count + seed-count, ci.yml lines 868-917) deliberately NOT extracted — they move to 'make verify-docs' in Phase 11 because they protect docs-the-operator-reads, not the product itself. Verification (sandbox): - All 20 scripts pass against HEAD (chmod +x; for g in scripts/ci-guards/*.sh; do bash $g; done) - New ci.yml YAML-parses cleanly - Job boundaries preserved: go-build-and-test, frontend-build, helm-lint, deploy-vendor-e2e, deploy-vendor-e2e-windows - Loop step appears twice (once at end of go-build-and-test, once at end of frontend-build) so both jobs continue running their set of guards
2026-06-12 20:08:53 +00:00 · 2026-04-30 20:36:26 +00:00
parent f6fa898b9a
commit 1caedd5fd3
22 changed files with 1121 additions and 962 deletions
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+# scripts/ci-guards/G-2-api-key-hash-json.sh
+#
+# G-2 closed cat-s5-apikey_leak by tagging Agent.APIKeyHash
+# `json:"-"` and adding a defense-in-depth Agent.MarshalJSON that
+# zeroes the field on the marshal-time copy. This script grep-fails
+# the build if `api_key_hash` reappears in any of the *additive*
+# JSON-emitting surfaces: a Go struct json tag in internal/domain/,
+# an OpenAPI Agent schema property, a TypeScript field declaration
+# in web/src/, or an enum-list / discriminator in handler
+# production code.
+#
+# Repository, migration, seed, service, integration-test, and
+# unit-test files are exempt — those are server-internal use
+# sites (the DB column stays, the in-memory struct field stays,
+# the auth-lookup path stays). Comment lines are exempt so the
+# G-2 closure rationale can stay in the source.
+#
+# See coverage-gap-audit-2026-04-24-v5/unified-audit.md
+# cat-s5-apikey_leak for the closure rationale, or
+# internal/domain/connector.go::Agent::MarshalJSON for the
+# redaction enforcement.
+
+set -e
+
+# Scoped patterns that indicate api_key_hash being added back
+# to a JSON-emitting surface. Each catches a regression shape
+# that pre-G-2 actually shipped or that a future refactor
+# could plausibly introduce:
+#   - Go struct tag:           `json:"api_key_hash"`
+#   - Frontend interface:      api_key_hash[?]: string
+#   - OpenAPI schema property: api_key_hash:   (column-aligned)
+#   - YAML enum / array:       - api_key_hash
+BAD=$(grep -rnEH \
+    -e 'json:"api_key_hash[",]' \
+    -e '^\s*api_key_hash\??\s*:' \
+    -e '^\s*-\s*api_key_hash\s*$' \
+    internal/domain/ \
+    internal/api/ \
+    cmd/ \
+    api/openapi.yaml \
+    web/src/ \
+    2>/dev/null \
+    | grep -v '_test.go' \
+    | grep -vE '^\s*[^:]+:[0-9]+:\s*(//|#)' \
+    || true)
+if [ -n "$BAD" ]; then
+  echo "::error::G-2 regression: api_key_hash reappeared in a JSON-emitting surface:"
+  echo "$BAD"
+  echo ""
+  echo "Allowed surface for api_key_hash literals: comment lines,"
+  echo "the database column (migrations/), the in-memory struct"
+  echo "field tagged \`json:\"-\"\`, and the repository / service"
+  echo "use sites. See internal/domain/connector.go::Agent and"
+  echo "coverage-gap-audit-2026-04-24-v5/unified-audit.md"
+  echo "cat-s5-apikey_leak for the closure rationale."
+  exit 1
+fi
+echo "G-2 api-key-hash-json: clean."