feat(audit): Phase 1 Quick-Wins (P81 + P85 + P70 + P83) + TCF DELETE/INSERT-Fix
CI / guardrail-integrity (push) Has been skipped
CI / secret-scan (push) Has been skipped
CI / dep-audit (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / detect-changes (push) Successful in 11s
CI / branch-name (push) Has been skipped
CI / loc-budget (push) Failing after 16s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / nodejs-build (push) Has been skipped
CI / validate-canonical-controls (push) Successful in 15s
CI / iace-gt-coverage (push) Has been skipped
CI / test-python-backend (push) Successful in 38s
CI / test-python-document-crawler (push) Has been skipped
CI / test-python-dsms-gateway (push) Has been skipped
CI / test-go (push) Has been skipped
CI / guardrail-integrity (push) Has been skipped
CI / secret-scan (push) Has been skipped
CI / dep-audit (push) Has been skipped
CI / sbom-scan (push) Has been skipped
CI / detect-changes (push) Successful in 11s
CI / branch-name (push) Has been skipped
CI / loc-budget (push) Failing after 16s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / nodejs-build (push) Has been skipped
CI / validate-canonical-controls (push) Successful in 15s
CI / iace-gt-coverage (push) Has been skipped
CI / test-python-backend (push) Successful in 38s
CI / test-python-document-crawler (push) Has been skipped
CI / test-python-dsms-gateway (push) Has been skipped
CI / test-go (push) Has been skipped
P81 — tests/fixtures/golden_truth/vw_de.json: GT-Fixture mit must_find_cookies (47 VW-Cookies) + expected_vendors (Google, Adobe, Trade Desk, ...). Basis fuer kuenftige Regression-Tests. P85 — banner_screenshot_block.py + consent_scanner.py + main.py: consent-tester macht beim Banner-Detect einen base64-PNG-Screenshot (< 1.5MB). Backend rendert ihn als <img src="data:..."> direkt nach dem GF-1-Pager. Visueller Beweis 'so sah das Banner aus' fuer Dispute mit Marketing/DSB. P70 — rag_provenance.py: classify_finding_provenance() klassifiziert ein Finding als 'rag' (Norm + Quelle), 'mixed' (Norm ohne Quelle) oder 'heuristic' (eigene Interpretation). provenance_badge_html() rendert kleine Badges (✓ RAG / NORM / ⚠ HEURISTIK). Modul ist generisch, kann bei jedem Finding-Renderer einklinkt werden. P83 — scripts/check-rebuild-needed.sh: Prueft ob die im Container deployten BUILD_SHA mit local HEAD uebereinstimmen. Bei Mismatch exit 1 mit 'REBUILD REQUIRED'-Hinweis. Verhindert das 'alter Code im Container'-Problem das uns mehrfach erwischt hat (Frontend-Tabs sichtbar, Backend ohne neuen Service). TCF-Fix — tcf_vendor_authority.py: cookie_library hat keinen UNIQUE-Index auf cookie_name → ON CONFLICT war unmoeglich. Loesung: vor Insert DELETE WHERE source_name='iab_tcf_v2'. Idempotent. + per-Vendor-Commit damit ein Fail die naechsten nicht blockt. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Benjamin Admin
Executable
+49
@@ -0,0 +1,49 @@
|
||||
#!/usr/bin/env bash
|
||||
# P83 — verhindert "alter Code im Container"-Bug.
|
||||
#
|
||||
# Vergleicht den im Container deployten git-SHA mit dem aktuellen
|
||||
# Source-SHA. Wenn abweichend → exit 1 mit Hinweis Build/Recreate.
|
||||
#
|
||||
# Aufruf-Beispiele:
|
||||
# ./scripts/check-rebuild-needed.sh backend-compliance
|
||||
# ./scripts/check-rebuild-needed.sh admin-compliance
|
||||
# ./scripts/check-rebuild-needed.sh consent-tester
|
||||
#
|
||||
# CI-Verwendung: nach git push, vor dem ersten Health-Check.
|
||||
# Lokal: claude / dev kann es via pre-merge-hook nutzen.
|
||||
#
|
||||
# Voraussetzung: Container hat BUILD_SHA env (gesetzt im Dockerfile via
|
||||
# ARG BUILD_SHA + ENV BUILD_SHA=$BUILD_SHA). Falls leer → Warnung.
|
||||
|
||||
set -e
|
||||
|
||||
SERVICE="${1:-backend-compliance}"
|
||||
CONTAINER="bp-compliance-${SERVICE#*-}" # backend-compliance → bp-compliance-backend
|
||||
if [[ "$SERVICE" == "consent-tester" ]]; then
|
||||
CONTAINER="bp-compliance-consent-tester"
|
||||
fi
|
||||
|
||||
DOCKER="${DOCKER:-/usr/local/bin/docker}"
|
||||
|
||||
deployed_sha=$($DOCKER exec "$CONTAINER" sh -c 'echo "${BUILD_SHA:-unknown}"' 2>/dev/null || echo "container-down")
|
||||
local_sha=$(git rev-parse --short HEAD)
|
||||
|
||||
if [[ "$deployed_sha" == "container-down" ]]; then
|
||||
echo "❌ Container $CONTAINER is not running"
|
||||
exit 2
|
||||
fi
|
||||
|
||||
if [[ "$deployed_sha" == "unknown" ]]; then
|
||||
echo "⚠️ $CONTAINER has no BUILD_SHA env — cannot verify."
|
||||
echo " Add to Dockerfile: ARG BUILD_SHA / ENV BUILD_SHA=\$BUILD_SHA"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [[ "$deployed_sha" != "$local_sha"* && "$local_sha" != "$deployed_sha"* ]]; then
|
||||
echo "❌ $CONTAINER is on commit $deployed_sha, local is $local_sha"
|
||||
echo " REBUILD REQUIRED:"
|
||||
echo " docker compose build $SERVICE && docker compose up -d --no-deps --force-recreate $SERVICE"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "✓ $CONTAINER ($deployed_sha) matches local ($local_sha)"
|
||||
Reference in New Issue
Block a user