mirror of
https://github.com/x1xhlol/system-prompts-and-models-of-ai-tools.git
synced 2026-06-18 15:29:36 +00:00
3ef62652aa
Saves the DEALIX_PHASE2_EXECUTION_WAVES.md 90-day plan and scaffolds every
artifact the coding agent can produce. Wave A-E execution is explicitly
blocked until the Week-12 Phase Gate (§3) returns Green.
Added:
§1 Verification Protocol (V001-V007)
- scripts/v001_secret_scan.sh — trufflehog + gitleaks full-history scan
- backend/tests/security/test_rls_fuzz.py — 10K cross-tenant fuzz
- docs/verification/V003_pentest_engagement.md — vendor RFP + scope
- docs/verification/V004_no_founder_demo_test.md — 3-tester protocol
- scripts/v005_truth_registry_audit.py — independent audit tool
- infra/load-tests/baseline.js — k6 perf baseline
- frontend/tests/a11y/baseline.spec.ts — Playwright+axe baseline
- docs/baselines/README.md + docs/verification/README.md
§2 Founder Decision Sprint (FD001-FD005)
- docs/internal/legal_entity_decision.md — MISA/DIFC/Delaware brief
- docs/internal/trademark_status.md — SAIP filing kit tracker
- docs/hiring/{design_engineer, backend_engineer, head_of_cs}.md
§3 Customer Validation (CV001-CV004)
- docs/customer_learnings/pilot_agreement_template.md
- docs/customer_learnings/pilot_template/success_criteria.md
- docs/customer_learnings/pilot_template/kickoff_checklist.md
- docs/customer_learnings/friction_log.md + feature_requests.yaml
- docs/customer_learnings/weekly_review_template.md
Truth registry updates
- docs/registry/TRUTH.yaml — new verification_protocol,
founder_decision_sprint, customer_validation sections
Gates (post-change):
architecture_brief.py 40/40
release_readiness_matrix 94/94 (added 30 new scaffold checks)
v005_truth_registry_audit 19/19 SUPPORTED
94 lines
3.2 KiB
Bash
Executable File
94 lines
3.2 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# V001 — Full Git History Secret Scan (trufflehog + gitleaks)
|
|
#
|
|
# Scans the FULL commit history (not just HEAD) with two independent tools.
|
|
# Writes findings to docs/internal/secret_audit_log.md.
|
|
#
|
|
# Usage:
|
|
# ./scripts/v001_secret_scan.sh
|
|
#
|
|
# Prerequisites:
|
|
# - trufflehog: https://github.com/trufflesecurity/trufflehog
|
|
# - gitleaks: https://github.com/gitleaks/gitleaks
|
|
#
|
|
# Exit codes:
|
|
# 0 = no verified findings
|
|
# 1 = verified findings present — halt Phase 2 execution
|
|
|
|
set -euo pipefail
|
|
|
|
REPO_ROOT="$(git rev-parse --show-toplevel)"
|
|
OUT_DIR="${REPO_ROOT}/salesflow-saas/docs/internal"
|
|
OUT_FILE="${OUT_DIR}/secret_audit_log.md"
|
|
TS="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
|
|
|
|
mkdir -p "${OUT_DIR}"
|
|
|
|
echo "# Secret Audit Log" > "${OUT_FILE}"
|
|
echo "" >> "${OUT_FILE}"
|
|
echo "**Scan timestamp (UTC)**: ${TS}" >> "${OUT_FILE}"
|
|
echo "**Scope**: Full git history (all commits)" >> "${OUT_FILE}"
|
|
echo "**Tools**: trufflehog + gitleaks (two-tool rule)" >> "${OUT_FILE}"
|
|
echo "" >> "${OUT_FILE}"
|
|
|
|
TRUFFLEHOG_FINDINGS=0
|
|
GITLEAKS_FINDINGS=0
|
|
|
|
# --- trufflehog ---
|
|
echo "## trufflehog" >> "${OUT_FILE}"
|
|
echo "" >> "${OUT_FILE}"
|
|
if command -v trufflehog >/dev/null 2>&1; then
|
|
echo "\`\`\`" >> "${OUT_FILE}"
|
|
if trufflehog git "file://${REPO_ROOT}" --only-verified --json > /tmp/trufflehog.jsonl 2>/dev/null; then
|
|
TRUFFLEHOG_FINDINGS=$(wc -l < /tmp/trufflehog.jsonl | tr -d ' ')
|
|
if [ "${TRUFFLEHOG_FINDINGS}" -gt 0 ]; then
|
|
cat /tmp/trufflehog.jsonl >> "${OUT_FILE}"
|
|
else
|
|
echo "No verified findings." >> "${OUT_FILE}"
|
|
fi
|
|
else
|
|
echo "trufflehog exited with non-zero; see raw output at /tmp/trufflehog.jsonl" >> "${OUT_FILE}"
|
|
fi
|
|
echo "\`\`\`" >> "${OUT_FILE}"
|
|
else
|
|
echo "> trufflehog not installed. Install: \`go install github.com/trufflesecurity/trufflehog/v3@latest\`" >> "${OUT_FILE}"
|
|
fi
|
|
echo "" >> "${OUT_FILE}"
|
|
|
|
# --- gitleaks ---
|
|
echo "## gitleaks" >> "${OUT_FILE}"
|
|
echo "" >> "${OUT_FILE}"
|
|
if command -v gitleaks >/dev/null 2>&1; then
|
|
echo "\`\`\`" >> "${OUT_FILE}"
|
|
if gitleaks detect --source "${REPO_ROOT}" --redact --no-banner --report-format json --report-path /tmp/gitleaks.json >/dev/null 2>&1; then
|
|
echo "No findings (clean)." >> "${OUT_FILE}"
|
|
else
|
|
GITLEAKS_FINDINGS=$(python3 -c "import json;print(len(json.load(open('/tmp/gitleaks.json'))))" 2>/dev/null || echo 0)
|
|
cat /tmp/gitleaks.json >> "${OUT_FILE}" 2>/dev/null || true
|
|
fi
|
|
echo "\`\`\`" >> "${OUT_FILE}"
|
|
else
|
|
echo "> gitleaks not installed. Install: \`brew install gitleaks\`" >> "${OUT_FILE}"
|
|
fi
|
|
echo "" >> "${OUT_FILE}"
|
|
|
|
# --- Summary ---
|
|
echo "## Summary" >> "${OUT_FILE}"
|
|
echo "" >> "${OUT_FILE}"
|
|
echo "| Tool | Verified Findings |" >> "${OUT_FILE}"
|
|
echo "|------|-------------------|" >> "${OUT_FILE}"
|
|
echo "| trufflehog | ${TRUFFLEHOG_FINDINGS} |" >> "${OUT_FILE}"
|
|
echo "| gitleaks | ${GITLEAKS_FINDINGS} |" >> "${OUT_FILE}"
|
|
echo "" >> "${OUT_FILE}"
|
|
|
|
TOTAL=$((TRUFFLEHOG_FINDINGS + GITLEAKS_FINDINGS))
|
|
if [ "${TOTAL}" -eq 0 ]; then
|
|
echo "**Verdict**: CLEAN — no verified secrets in history." >> "${OUT_FILE}"
|
|
echo "[V001] CLEAN"
|
|
exit 0
|
|
else
|
|
echo "**Verdict**: FINDINGS (${TOTAL}) — rotate all exposed credentials, document in rotation_log.md, HALT Phase 2 until clean." >> "${OUT_FILE}"
|
|
echo "[V001] FINDINGS: ${TOTAL}"
|
|
exit 1
|
|
fi
|