mirror of
https://github.com/affaan-m/everything-claude-code.git
synced 2026-05-20 19:29:58 +08:00
feat: extend harness audit integration scoring (#1990)
Salvages the useful harness-audit scoring work from #1989 while preserving the current hook registry and newer plugin install detection. Adds GitHub integration checks, conditional deploy-provider categories, dynamic applicable category metadata, and CODEOWNERS coverage.
This commit is contained in:
Affaan Mustafa
@@ -12,8 +12,53 @@ const CATEGORIES = [
|
||||
'Eval Coverage',
|
||||
'Security Guardrails',
|
||||
'Cost Efficiency',
|
||||
'GitHub Integration',
|
||||
'Vercel Integration',
|
||||
'Netlify Integration',
|
||||
'Cloudflare Integration',
|
||||
'Fly Integration',
|
||||
];
|
||||
|
||||
const RUBRIC_VERSION = '2026-05-19';
|
||||
|
||||
const PROVIDERS = {
|
||||
Vercel: {
|
||||
detect: (rootDir) =>
|
||||
fileExists(rootDir, 'vercel.json') ||
|
||||
fileExists(rootDir, '.vercel/project.json') ||
|
||||
fileExists(rootDir, '.vercel'),
|
||||
keyPattern: /vercel/i,
|
||||
buildPattern: /vercel/i,
|
||||
workflowPattern: /(vercel-action|vercel\s+(deploy|--prod))/i,
|
||||
},
|
||||
Netlify: {
|
||||
detect: (rootDir) =>
|
||||
fileExists(rootDir, 'netlify.toml') || fileExists(rootDir, '.netlify'),
|
||||
keyPattern: /netlify/i,
|
||||
buildPattern: /netlify/i,
|
||||
workflowPattern: /(netlify\/actions|netlify\s+deploy)/i,
|
||||
},
|
||||
Cloudflare: {
|
||||
detect: (rootDir) =>
|
||||
fileExists(rootDir, 'wrangler.toml') || fileExists(rootDir, 'wrangler.jsonc'),
|
||||
keyPattern: /\b(cloudflare|wrangler)\b/i,
|
||||
buildPattern: /(wrangler|cloudflare)/i,
|
||||
workflowPattern: /(cloudflare\/wrangler-action|wrangler\s+(deploy|publish))/i,
|
||||
},
|
||||
Fly: {
|
||||
detect: (rootDir) => fileExists(rootDir, 'fly.toml'),
|
||||
keyPattern: /fly[_-]?(api|io)/i,
|
||||
buildPattern: /fly\s+(deploy|launch)/i,
|
||||
workflowPattern: /(superfly\/flyctl-actions|flyctl\s+deploy|fly\s+deploy)/i,
|
||||
},
|
||||
};
|
||||
|
||||
function getApplicableProviders(rootDir) {
|
||||
return Object.entries(PROVIDERS)
|
||||
.filter(([_, spec]) => spec.detect(rootDir))
|
||||
.map(([name]) => name);
|
||||
}
|
||||
|
||||
function normalizeScope(scope) {
|
||||
const value = (scope || 'repo').toLowerCase();
|
||||
if (!['repo', 'hooks', 'skills', 'commands', 'agents'].includes(value)) {
|
||||
@@ -607,9 +652,172 @@ function getRepoChecks(rootDir) {
|
||||
pass: fileExists(rootDir, 'commands/model-route.md'),
|
||||
fix: 'Add commands/model-route.md and route policies for cheap-default execution.',
|
||||
},
|
||||
...buildGithubChecks(rootDir),
|
||||
];
|
||||
}
|
||||
|
||||
// GitHub Integration is intentionally repo-scoped. Scoped audits such as hooks,
|
||||
// skills, commands, and agents should keep reporting only that surface.
|
||||
function buildGithubChecks(rootDir) {
|
||||
return [
|
||||
{
|
||||
id: 'github-workflows',
|
||||
category: 'GitHub Integration',
|
||||
points: 3,
|
||||
scopes: ['repo'],
|
||||
path: '.github/workflows/',
|
||||
description: 'GitHub Actions workflows are checked in',
|
||||
pass: hasFileWithExtension(rootDir, '.github/workflows', ['.yml', '.yaml']),
|
||||
fix: 'Add at least one workflow under .github/workflows/ so CI runs on every PR.',
|
||||
},
|
||||
{
|
||||
id: 'github-pr-template',
|
||||
category: 'GitHub Integration',
|
||||
points: 2,
|
||||
scopes: ['repo'],
|
||||
path: '.github/PULL_REQUEST_TEMPLATE.md',
|
||||
description: 'A pull request template is configured',
|
||||
pass:
|
||||
fileExists(rootDir, '.github/PULL_REQUEST_TEMPLATE.md') ||
|
||||
fileExists(rootDir, '.github/pull_request_template.md'),
|
||||
fix: 'Add .github/PULL_REQUEST_TEMPLATE.md so PR descriptions follow a consistent shape.',
|
||||
},
|
||||
{
|
||||
id: 'github-issue-templates',
|
||||
category: 'GitHub Integration',
|
||||
points: 2,
|
||||
scopes: ['repo'],
|
||||
path: '.github/ISSUE_TEMPLATE/',
|
||||
description: 'Issue templates are configured',
|
||||
pass: hasFileWithExtension(rootDir, '.github/ISSUE_TEMPLATE', ['.md', '.yml', '.yaml']),
|
||||
fix: 'Add at least one issue template under .github/ISSUE_TEMPLATE/.',
|
||||
},
|
||||
{
|
||||
id: 'github-codeowners',
|
||||
category: 'GitHub Integration',
|
||||
points: 1,
|
||||
scopes: ['repo'],
|
||||
path: '.github/CODEOWNERS',
|
||||
description: 'A CODEOWNERS file routes reviews',
|
||||
pass:
|
||||
fileExists(rootDir, 'CODEOWNERS') ||
|
||||
fileExists(rootDir, '.github/CODEOWNERS') ||
|
||||
fileExists(rootDir, 'docs/CODEOWNERS'),
|
||||
fix: 'Add a CODEOWNERS file so PRs auto-request the right reviewers.',
|
||||
},
|
||||
{
|
||||
id: 'github-dep-updates',
|
||||
category: 'GitHub Integration',
|
||||
points: 2,
|
||||
scopes: ['repo'],
|
||||
path: '.github/dependabot.yml',
|
||||
description: 'Automated dependency updates are configured',
|
||||
pass:
|
||||
fileExists(rootDir, '.github/dependabot.yml') ||
|
||||
fileExists(rootDir, '.github/dependabot.yaml') ||
|
||||
fileExists(rootDir, 'renovate.json') ||
|
||||
fileExists(rootDir, '.github/renovate.json') ||
|
||||
fileExists(rootDir, '.renovaterc'),
|
||||
fix: 'Add a Dependabot or Renovate config so dependency updates land automatically.',
|
||||
},
|
||||
];
|
||||
}
|
||||
|
||||
function readAllWorkflowsText(rootDir) {
|
||||
const dir = path.join(rootDir, '.github/workflows');
|
||||
if (!fs.existsSync(dir)) {
|
||||
return '';
|
||||
}
|
||||
|
||||
const stack = [dir];
|
||||
let combined = '';
|
||||
|
||||
while (stack.length > 0) {
|
||||
const current = stack.pop();
|
||||
const entries = fs.readdirSync(current, { withFileTypes: true });
|
||||
|
||||
for (const entry of entries) {
|
||||
const nextPath = path.join(current, entry.name);
|
||||
if (entry.isDirectory()) {
|
||||
stack.push(nextPath);
|
||||
} else if (entry.name.endsWith('.yml') || entry.name.endsWith('.yaml')) {
|
||||
try {
|
||||
combined += `${fs.readFileSync(nextPath, 'utf8')}\n`;
|
||||
} catch (_error) {
|
||||
// Ignore unreadable workflow files; the finding should stay deterministic.
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return combined;
|
||||
}
|
||||
|
||||
function buildProviderChecks(rootDir, provider, sharedContext) {
|
||||
const spec = PROVIDERS[provider];
|
||||
const packageJson = sharedContext.packageJson || {};
|
||||
const scriptsText = Object.values(packageJson.scripts || {}).join('\n');
|
||||
const category = `${provider} Integration`;
|
||||
|
||||
return [
|
||||
{
|
||||
id: `${provider.toLowerCase()}-config`,
|
||||
category,
|
||||
points: 3,
|
||||
scopes: ['repo'],
|
||||
path: `${provider} config`,
|
||||
description: `${provider} deployment config is checked in`,
|
||||
pass: spec.detect(rootDir),
|
||||
fix: `Commit ${provider} configuration so deploys are reproducible from source.`,
|
||||
},
|
||||
{
|
||||
id: `${provider.toLowerCase()}-build-script`,
|
||||
category,
|
||||
points: 2,
|
||||
scopes: ['repo'],
|
||||
path: 'package.json scripts',
|
||||
description: `package.json scripts reference ${provider}`,
|
||||
pass: spec.buildPattern.test(scriptsText),
|
||||
fix: `Add a build or deploy script in package.json that runs ${provider}.`,
|
||||
},
|
||||
{
|
||||
id: `${provider.toLowerCase()}-env-doc`,
|
||||
category,
|
||||
points: 2,
|
||||
scopes: ['repo'],
|
||||
path: '.env.example',
|
||||
description: `${provider} env keys are documented in .env.example`,
|
||||
pass: spec.keyPattern.test(sharedContext.envExample),
|
||||
fix: `Document ${provider} environment variables in .env.example.`,
|
||||
},
|
||||
{
|
||||
id: `${provider.toLowerCase()}-workflow-uses`,
|
||||
category,
|
||||
points: 3,
|
||||
scopes: ['repo'],
|
||||
path: '.github/workflows/',
|
||||
description: `A GitHub workflow uses the ${provider} action or CLI`,
|
||||
pass: spec.workflowPattern.test(sharedContext.workflowsText),
|
||||
fix: `Reference the ${provider} action or CLI from a workflow under .github/workflows/.`,
|
||||
},
|
||||
];
|
||||
}
|
||||
|
||||
function collectProviderChecks(rootDir, packageJson) {
|
||||
const providers = getApplicableProviders(rootDir);
|
||||
if (providers.length === 0) {
|
||||
return [];
|
||||
}
|
||||
|
||||
const sharedContext = {
|
||||
packageJson: packageJson || {},
|
||||
envExample: `${safeRead(rootDir, '.env.example')}\n${safeRead(rootDir, '.env.sample')}`,
|
||||
workflowsText: readAllWorkflowsText(rootDir),
|
||||
};
|
||||
|
||||
return providers.flatMap(provider => buildProviderChecks(rootDir, provider, sharedContext));
|
||||
}
|
||||
|
||||
function getConsumerChecks(rootDir) {
|
||||
const packageJson = safeParseJson(safeRead(rootDir, 'package.json'));
|
||||
const gitignore = safeRead(rootDir, '.gitignore');
|
||||
@@ -731,6 +939,8 @@ function getConsumerChecks(rootDir) {
|
||||
pass: projectHooks.includes('PreToolUse') || projectHooks.includes('beforeSubmitPrompt') || fileExists(rootDir, '.claude/hooks.json'),
|
||||
fix: 'Add project-local hook settings or hook definitions for prompt/tool guardrails.',
|
||||
},
|
||||
...buildGithubChecks(rootDir),
|
||||
...collectProviderChecks(rootDir, packageJson),
|
||||
];
|
||||
}
|
||||
|
||||
@@ -764,6 +974,7 @@ function buildReport(scope, options = {}) {
|
||||
const overallScore = checks
|
||||
.filter(check => check.pass)
|
||||
.reduce((sum, check) => sum + check.points, 0);
|
||||
const applicableCategories = CATEGORIES.filter(name => categoryScores[name]?.max > 0);
|
||||
|
||||
const failedChecks = checks.filter(check => !check.pass);
|
||||
const topActions = failedChecks
|
||||
@@ -781,10 +992,12 @@ function buildReport(scope, options = {}) {
|
||||
root_dir: rootDir,
|
||||
target_mode: targetMode,
|
||||
deterministic: true,
|
||||
rubric_version: '2026-03-30',
|
||||
rubric_version: RUBRIC_VERSION,
|
||||
overall_score: overallScore,
|
||||
max_score: maxScore,
|
||||
categories: categoryScores,
|
||||
applicable_categories: applicableCategories,
|
||||
category_count: applicableCategories.length,
|
||||
checks: checks.map(check => ({
|
||||
id: check.id,
|
||||
category: check.category,
|
||||
|
||||
Reference in New Issue
Block a user