InsuranceBot / audit /README.md
rohitsar567's picture
feat(audit): selftest in pytest gate (static-scoped, no recursion) + opt-in git hooks + README
22a03fc
|
Raw
History Blame Contribute Delete
3.8 kB
# `audit/` β€” the repo's self-verifying error/risk gate
One runnable command that asserts the repo is sound. **24 checks across 5 tiers.**
Every check traces to a real incident this project hit (LFS quota silent
failures, deleted-module import breakage, ChromaDB disk bloat, etc.) β€” the
auditor exists so those classes of failure cannot ship silently again.
The auditor itself is verified: `--selftest` reconstructs the broken state of
each incident in a temp fixture and asserts the matching check still flags it.
A check that no longer detects its incident is reported as "not self-verifying".
## CLI
```
tools/audit.sh --static|--build|--functional|--deploy|--all|--selftest [--json]
```
`tools/audit.sh` just execs `.venv/bin/python -m audit "$@"` from the repo root.
(Note: `tools/audit.sh` is the entrypoint β€” unrelated to the pre-existing
`tools/audit/` tool directory.)
`--json` emits the per-check results as a JSON array instead of the text
report (id / status / evidence / remediation).
## Tiers
| Flag | Runs | Checks | When to run |
|------|------|--------|-------------|
| `--static` | static | T1.* + T2.* (11) | **Pre-commit.** Seconds. Pure repo/AST/import/lint β€” no build, no network, no servers. |
| `--build` | static + build | + T3.* (14) | Before push. Runs the full `pytest` gate, `next build` (production static export), and boots the backend for `/api/health`. Minutes. |
| `--functional` | static + build + functional | + T4.* (20) | Needs a **local backend on :8000 and frontend** up. API smoke (health/coverage/chat/upload/profile) + Playwright E2E journeys. |
| `--deploy` | deploy only | T5.* (4) | **Read-only** prod/deploy safety: LFS pre-push simulation, Dockerfile coherence, deployed-SHA vs local, standing tripwires. |
| `--all` | static + build + functional + deploy | all 24 | Everything. Run with backend (and ideally frontend) up. |
## Exit codes
- Exit is **non-zero iff any check is `FAIL`**.
- `WARN` **never fails the gate** (it surfaces a soft / deferred condition,
e.g. T5.3 deferred-deploy SHA mismatch or T2.3 a stale-doc note).
- `SKIP` (e.g. a prerequisite service is down) also does not fail the gate.
## `--selftest`
```
.venv/bin/python -m audit --selftest # full: 24 checks
```
For every check, a fixture stands up the broken state from the original
incident; the check must return its `selftest_expect` status on that fixture
(`FAIL` for most; `WARN` for T5.3 / T5.4 which are advisory by design). Output:
`24 checks Β· 0 not self-verifying`. A non-zero "not self-verifying" count means
the auditor has silently rotted and is no longer catching its own incident.
The pytest gate (`tests/test_audit_selftest.py`) runs the selftest **scoped to
the static tier only** β€” `core.selftest(only_tiers={"static"})`. The
build/functional/deploy tiers are deliberately excluded from the unit gate:
T3.1's fixture shells `pytest`, which would recurse into that very test; T3.2
runs a multi-minute `next build`; Tier 4 needs a live backend. The full
24-check selftest is run via `tools/audit.sh --selftest` (manual / pre-push).
## Opt-in git hooks
`.githooks/` ships a `pre-commit` (`--static`) and a `pre-push`
(`--build` then `--deploy`). They are **opt-in** β€” enable per clone with:
```
git config core.hooksPath .githooks
```
This repo does not set that automatically; nothing changes your git config
until you run the command above.
## Tier 5 is read-only against prod
Every Tier 5 check is strictly read-only with respect to deployed
infrastructure: it inspects local artifacts (Dockerfile, LFS attributes,
tripwire state) and at most *reads* the deployed SHA for comparison. It never
pushes, deploys, mutates remote state, or touches the HF Space β€” so `--deploy`
and `--all` are safe to run at any time.