feat(ci): item-2 cross-surface contract parity (stdlib-only package)

internal/ciparity/ — new stdlib-only package with four tests: 1. TestSurfaceParity_MCPToolCatalogue (HARD GATE): - Every MCP tool name conforms to certctl_<word>(_<word>)* - No duplicate names across the five tools*.go files - Total tools ≥ mcpBaselineFloor (150; current count 155) Catches accidental tool deletions + naming-convention drift. 2. TestSurfaceParity_CLICommandCatalogue (INFORMATIONAL): Walks cmd/cli/main.go's switch-case dispatcher. Logs the 31 distinct verbs. Per frozen decision 0.9, warn-only until the CLI surface stabilizes. 3. TestSurfaceParity_OpenAPI_MCPHeuristicCoverage (INFORMATIONAL): Reports the fraction of OpenAPI ops whose path tokens overlap with MCP tool name tokens. Trend metric; current coverage 92%. 4. TestSurfaceParity_Summary (INFORMATIONAL): One-glance count of router routes / OpenAPI ops / MCP tools / CLI verbs. Easy eyeball for a PR reviewer. Verified in sandbox: - gofmt clean - go vet clean - go test -short -count=1: all four PASS in 0.017s Stdlib-only by design — the tests read source files with os.ReadFile + regexp + go/ast. Keeps the test runnable without pulling in the rest of the codebase's transitive deps; fast self-contained signal. Router ↔ OpenAPI parity (TestRouter_OpenAPIParity) stays in internal/api/router/openapi_parity_test.go where it already lives. This bundle does not duplicate it. Allowlist scaffold at scripts/ci-guards/surface-parity-mcp-exemptions.yaml for the day TestSurfaceParity_OpenAPI_MCP* is promoted from informational to hard gate. Audit-Closes: post-v2.1.0-anti-rot/item-2
2026-06-07 12:31:29 +00:00 · 2026-05-12 14:09:32 +00:00
parent 0ab6bc4a73
commit e3a9317693
3 changed files with 333 additions and 0 deletions
@@ -0,0 +1,34 @@
+# scripts/ci-guards/surface-parity-mcp-exemptions.yaml
+#
+# Allowlist for OpenAPI operations that are intentionally NOT mirrored
+# in the MCP tool catalogue. Consumed by
+# internal/api/router/surface_parity_test.go::TestSurfaceParity_*.
+#
+# The current MCP parity tests are informational (per frozen decision
+# 0.9). This file exists so when those tests are promoted to hard
+# gates, the carve-outs are already documented and the promotion is
+# mechanical.
+#
+# Each entry shape:
+#
+#   - operation: "METHOD /api/v1/path"
+#     justification: "one-line reason this is legitimately HTTP-only"
+#     expires: "YYYY-MM-DD"        # required; 90-day default
+#
+# Categories of legitimate carve-outs (DO add these when the test is
+# promoted to fail-on-miss):
+#
+#   - ACME wire protocol (RFC 8555 + RFC 9773 ARI)
+#   - SCEP wire protocol (RFC 8894)
+#   - EST wire protocol (RFC 7030)
+#   - OCSP responder
+#   - CRL distribution
+#   - Healthcheck / readiness / version endpoints
+#   - OIDC callback / back-channel-logout
+#   - SPA fallback for the embedded web UI
+#
+# DO NOT add entries here to silence the test on an oversight. If an
+# operation should have an MCP tool and doesn't, that's the bug — add
+# the tool.
+
+exceptions: []