3320ef94fc
Squash of branch refactor/phase0-guardrails-and-models-split — 4 commits,
81 files, 173/173 pytest green, OpenAPI contract preserved (360 paths /
484 operations).
## Phase 0 — Architecture guardrails
Three defense-in-depth layers to keep the architecture rules enforced
regardless of who opens Claude Code in this repo:
1. .claude/settings.json PreToolUse hook on Write/Edit blocks any file
that would exceed the 500-line hard cap. Auto-loads in every Claude
session in this repo.
2. scripts/githooks/pre-commit (install via scripts/install-hooks.sh)
enforces the LOC cap locally, freezes migrations/ without
[migration-approved], and protects guardrail files without
[guardrail-change].
3. .gitea/workflows/ci.yaml gains loc-budget + guardrail-integrity +
sbom-scan (syft+grype) jobs, adds mypy --strict for the new Python
packages (compliance/{services,repositories,domain,schemas}), and
tsc --noEmit for admin-compliance + developer-portal.
Per-language conventions documented in AGENTS.python.md, AGENTS.go.md,
AGENTS.typescript.md at the repo root — layering, tooling, and explicit
"what you may NOT do" lists. Root CLAUDE.md is prepended with the six
non-negotiable rules. Each of the 10 services gets a README.md.
scripts/check-loc.sh enforces soft 300 / hard 500 and surfaces the
current baseline of 205 hard + 161 soft violations so Phases 1-4 can
drain it incrementally. CI gates only CHANGED files in PRs so the
legacy baseline does not block unrelated work.
## Deprecation sweep
47 files. Pydantic V1 regex= -> pattern= (2 sites), class Config ->
ConfigDict in source_policy_router.py (schemas.py intentionally skipped;
it is the Phase 1 Step 3 split target). datetime.utcnow() ->
datetime.now(timezone.utc) everywhere including SQLAlchemy default=
callables. All DB columns already declare timezone=True, so this is a
latent-bug fix at the Python side, not a schema change.
DeprecationWarning count dropped from 158 to 35.
## Phase 1 Step 1 — Contract test harness
tests/contracts/test_openapi_baseline.py diffs the live FastAPI /openapi.json
against tests/contracts/openapi.baseline.json on every test run. Fails on
removed paths, removed status codes, or new required request body fields.
Regenerate only via tests/contracts/regenerate_baseline.py after a
consumer-updated contract change. This is the safety harness for all
subsequent refactor commits.
## Phase 1 Step 2 — models.py split (1466 -> 85 LOC shim)
compliance/db/models.py is decomposed into seven sibling aggregate modules
following the existing repo pattern (dsr_models.py, vvt_models.py, ...):
regulation_models.py (134) — Regulation, Requirement
control_models.py (279) — Control, Mapping, Evidence, Risk
ai_system_models.py (141) — AISystem, AuditExport
service_module_models.py (176) — ServiceModule, ModuleRegulation, ModuleRisk
audit_session_models.py (177) — AuditSession, AuditSignOff
isms_governance_models.py (323) — ISMSScope, Context, Policy, Objective, SoA
isms_audit_models.py (468) — Finding, CAPA, MgmtReview, InternalAudit,
AuditTrail, Readiness
models.py becomes an 85-line re-export shim in dependency order so
existing imports continue to work unchanged. Schema is byte-identical:
__tablename__, column definitions, relationship strings, back_populates,
cascade directives all preserved.
All new sibling files are under the 500-line hard cap; largest is
isms_audit_models.py at 468. No file in compliance/db/ now exceeds
the hard cap.
## Phase 1 Step 3 — infrastructure only
backend-compliance/compliance/{schemas,domain,repositories}/ packages
are created as landing zones with docstrings. compliance/domain/
exports DomainError / NotFoundError / ConflictError / ValidationError /
PermissionError — the base classes services will use to raise
domain-level errors instead of HTTPException.
PHASE1_RUNBOOK.md at backend-compliance/PHASE1_RUNBOOK.md documents
the nine-step execution plan for Phase 1: snapshot baseline,
characterization tests, split models.py (this commit), split schemas.py
(next), extract services, extract repositories, mypy --strict, coverage.
## Verification
backend-compliance/.venv-phase1: uv python install 3.12 + pip -r requirements.txt
PYTHONPATH=. pytest compliance/tests/ tests/contracts/
-> 173 passed, 0 failed, 35 warnings, OpenAPI 360/484 unchanged
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
124 lines
3.9 KiB
Bash
Executable File
124 lines
3.9 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# check-loc.sh — File-size budget enforcer for breakpilot-compliance.
|
|
#
|
|
# Soft target: 300 LOC. Hard cap: 500 LOC.
|
|
#
|
|
# Usage:
|
|
# scripts/check-loc.sh # scan whole repo, respect exceptions
|
|
# scripts/check-loc.sh --changed # only files changed vs origin/main
|
|
# scripts/check-loc.sh path/to/file.py # check specific files
|
|
# scripts/check-loc.sh --json # machine-readable output
|
|
#
|
|
# Exit codes:
|
|
# 0 — clean (no hard violations)
|
|
# 1 — at least one file exceeds the hard cap (500)
|
|
# 2 — invalid invocation
|
|
#
|
|
# Behavior:
|
|
# - Skips test files, generated files, vendor dirs, node_modules, .git, dist, build,
|
|
# .next, __pycache__, migrations, and anything matching .claude/rules/loc-exceptions.txt.
|
|
# - Counts non-blank, non-comment-only lines is NOT done — we count raw lines so the
|
|
# rule is unambiguous. If you want to game it with blank lines, you're missing the point.
|
|
|
|
set -euo pipefail
|
|
|
|
SOFT=300
|
|
HARD=500
|
|
REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
|
|
EXCEPTIONS_FILE="$REPO_ROOT/.claude/rules/loc-exceptions.txt"
|
|
|
|
CHANGED_ONLY=0
|
|
JSON=0
|
|
TARGETS=()
|
|
|
|
for arg in "$@"; do
|
|
case "$arg" in
|
|
--changed) CHANGED_ONLY=1 ;;
|
|
--json) JSON=1 ;;
|
|
-h|--help)
|
|
sed -n '2,18p' "$0"; exit 0 ;;
|
|
-*) echo "unknown flag: $arg" >&2; exit 2 ;;
|
|
*) TARGETS+=("$arg") ;;
|
|
esac
|
|
done
|
|
|
|
# Patterns excluded from the budget regardless of path.
|
|
is_excluded() {
|
|
local f="$1"
|
|
case "$f" in
|
|
*/node_modules/*|*/.next/*|*/.git/*|*/dist/*|*/build/*|*/__pycache__/*|*/vendor/*) return 0 ;;
|
|
*/migrations/*|*/alembic/versions/*) return 0 ;;
|
|
*_test.go|*.test.ts|*.test.tsx|*.spec.ts|*.spec.tsx) return 0 ;;
|
|
*/tests/*|*/test/*) return 0 ;;
|
|
*.md|*.json|*.yaml|*.yml|*.lock|*.sum|*.mod|*.toml|*.cfg|*.ini) return 0 ;;
|
|
*.svg|*.png|*.jpg|*.jpeg|*.gif|*.ico|*.pdf|*.woff|*.woff2|*.ttf) return 0 ;;
|
|
*.generated.*|*.gen.*|*_pb.go|*_pb2.py|*.pb.go) return 0 ;;
|
|
esac
|
|
return 1
|
|
}
|
|
|
|
is_in_exceptions() {
|
|
[[ -f "$EXCEPTIONS_FILE" ]] || return 1
|
|
local rel="${1#$REPO_ROOT/}"
|
|
grep -Fxq "$rel" "$EXCEPTIONS_FILE"
|
|
}
|
|
|
|
collect_targets() {
|
|
if (( ${#TARGETS[@]} > 0 )); then
|
|
printf '%s\n' "${TARGETS[@]}"
|
|
elif (( CHANGED_ONLY )); then
|
|
git -C "$REPO_ROOT" diff --name-only --diff-filter=AM origin/main...HEAD 2>/dev/null \
|
|
|| git -C "$REPO_ROOT" diff --name-only --diff-filter=AM HEAD
|
|
else
|
|
git -C "$REPO_ROOT" ls-files
|
|
fi
|
|
}
|
|
|
|
violations_hard=()
|
|
violations_soft=()
|
|
|
|
while IFS= read -r f; do
|
|
[[ -z "$f" ]] && continue
|
|
abs="$f"
|
|
[[ "$abs" != /* ]] && abs="$REPO_ROOT/$f"
|
|
[[ -f "$abs" ]] || continue
|
|
is_excluded "$abs" && continue
|
|
is_in_exceptions "$abs" && continue
|
|
loc=$(wc -l < "$abs" | tr -d ' ')
|
|
if (( loc > HARD )); then
|
|
violations_hard+=("$loc $f")
|
|
elif (( loc > SOFT )); then
|
|
violations_soft+=("$loc $f")
|
|
fi
|
|
done < <(collect_targets)
|
|
|
|
if (( JSON )); then
|
|
printf '{"hard":['
|
|
first=1; for v in "${violations_hard[@]}"; do
|
|
loc="${v%% *}"; path="${v#* }"
|
|
(( first )) || printf ','; first=0
|
|
printf '{"loc":%s,"path":"%s"}' "$loc" "$path"
|
|
done
|
|
printf '],"soft":['
|
|
first=1; for v in "${violations_soft[@]}"; do
|
|
loc="${v%% *}"; path="${v#* }"
|
|
(( first )) || printf ','; first=0
|
|
printf '{"loc":%s,"path":"%s"}' "$loc" "$path"
|
|
done
|
|
printf ']}\n'
|
|
else
|
|
if (( ${#violations_soft[@]} > 0 )); then
|
|
echo "::warning:: $((${#violations_soft[@]})) file(s) exceed soft target ($SOFT lines):"
|
|
printf ' %s\n' "${violations_soft[@]}" | sort -rn
|
|
fi
|
|
if (( ${#violations_hard[@]} > 0 )); then
|
|
echo "::error:: $((${#violations_hard[@]})) file(s) exceed HARD CAP ($HARD lines) — split required:"
|
|
printf ' %s\n' "${violations_hard[@]}" | sort -rn
|
|
echo
|
|
echo "If a file legitimately must exceed $HARD lines (generated code, large data tables),"
|
|
echo "add it to .claude/rules/loc-exceptions.txt with a one-line rationale comment above it."
|
|
fi
|
|
fi
|
|
|
|
(( ${#violations_hard[@]} == 0 ))
|