From f4782dcada04daeccba49715f2bdd39349ee38a1 Mon Sep 17 00:00:00 2001 From: BrianCLong <6404035+BrianCLong@users.noreply.github.com> Date: Tue, 31 Mar 2026 12:39:48 -0600 Subject: [PATCH] docs: add drift-proof CAC PR-ready enforcement prompt --- prompts/cac-pr-ready-enforcement.prompt.md | 120 +++++++++++++++++++++ 1 file changed, 120 insertions(+) create mode 100644 prompts/cac-pr-ready-enforcement.prompt.md diff --git a/prompts/cac-pr-ready-enforcement.prompt.md b/prompts/cac-pr-ready-enforcement.prompt.md new file mode 100644 index 00000000000..8565f88d2f9 --- /dev/null +++ b/prompts/cac-pr-ready-enforcement.prompt.md 
@@ -0,0 +1,120 @@ +# CAC Enforcement Prompt — Drift-Proof, Merge-Ready + +## Operating Mode +You are implementing inside Summit. CAC already exists. Do not redesign. + +Your only valid output is **mergeable patches** that enforce CAC. + +## Non-Negotiable Contract +- Output at most **7 PRs** and at least **1 PR**. +- Every PR is atomic, independently mergeable, and CI-passable. +- No placeholders, no pseudocode, no TODOs, no mock-only enforcement. +- Every referenced path must already exist or be created in the patch. +- Every config must parse and execute in CI. +- If uncertain, choose the smallest runnable implementation. + +## Hard Failure Rules +If any of the following is missing, treat output as invalid: +1. Required evidence artifacts are absent. +2. Determinism check does not byte-compare regenerated artifacts. +3. CAC verdict is missing, false, or not explicitly `admissible: true`. +4. Branch protection drift sentinel does not verify CAC required check presence. +5. K8s admission policy does not deny on invalid or missing verdict. + +## Required Deliverable Format + +### 1) PR Stack Plan (exact block) +```id="prstack" +/PR-1: evidence-contract +/PR-2: cen-engine +/PR-3: ci-gate +/PR-4: k8s-enforcement +/PR-5: ingestion-gate +/PR-6: audit-ledger +/PR-7: integration-glue +``` + +For each PR include: +- Purpose +- Files changed +- Risk level (low/medium/high) +- Rollback strategy (exact commands or commit revert strategy) + +### 2) Patches (mandatory) +For each PR provide: +- File tree +- Full file contents (not snippets) +- Exact repo-relative paths +- Exact validation commands + +### 3) CI Integration (mandatory) +Wire CAC gate as a **required** CI check. 
Pipeline must fail on: +- missing evidence +- hash mismatch +- `admissible != true` + +### 4) Determinism Script (mandatory) +Implement: +- `/scripts/verify_determinism.mjs` + +Script requirements: +- regenerate artifacts twice in clean temp dirs +- normalize line endings where needed +- byte-compare outputs +- exit non-zero on mismatch with actionable error + +### 5) Drift Sentinel Extension (mandatory) +Extend: +- `/scripts/check_branch_protection_drift.mjs` + +Must validate: +- CAC check exists in required checks list +- check is required for protected branches +- fail CI when missing + +### 6) Kubernetes Enforcement (mandatory) +Provide valid Kyverno policy: +- deny admission when CAC verdict missing +- deny admission when verdict is false +- enforcement mode must block (not audit-only) + +### 7) Ingestion Gate (mandatory) +Implement: +- `/apps/ingestion/validator.ts` + +Must: +- validate schema +- hash canonical input +- reject duplicates +- return structured typed errors + +### 8) Executable Tests (mandatory) +Create: +- `/tests/cac/pass.test.ts` +- `/tests/cac/nondeterminism.test.ts` +- `/tests/cac/poisoning.test.ts` + +Tests must assert failure-first behavior: +- no evidence => fail +- nondeterministic artifacts => fail +- poisoned/invalid verdict => fail +- valid evidence + admissible true => pass + +## Implementation Bias +- Prefer existing Node.js/TypeScript repo patterns. +- Reuse existing dependencies unless strictly necessary. +- Minimize scope and avoid framework churn. + +## Forbidden Output Patterns +- Architecture essays +- Future-state redesigns +- "Example" files +- Untested abstractions +- Optional gates for required controls + +## Completion Gate +Task is complete only if all are true: +1. PR without evidence fails in CI. +2. Non-deterministic artifacts fail in CI. +3. Invalid CAC verdict is blocked at deploy/admission. +4. Each PR can merge independently without hidden dependency on later PRs.
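Review bot: In the Determinism Script section (item 4) the requirement to "normalize line endings where needed" conflicts with Hard Failure Rule 2, which treats the output as invalid when the determinism check "does not byte-compare regenerated artifacts"; an implementer cannot satisfy both as written. Suggest either stating that normalization is a documented pre-step applied identically to both regenerated copies, after which the comparison is exact byte-for-byte, or dropping normalization and requiring the generators themselves to emit stable line endings so the compare needs no preprocessing. Two smaller points in the same hunk: under Implementation Bias, "Reuse existing dependencies unless strictly necessary" reads inverted (reuse is meant to be the default), so suggest "Reuse existing dependencies; add new ones only when strictly necessary"; and the acronym CAC is never expanded anywhere in the file, which matters for a prompt that will be handed to an agent without the surrounding repository context. Style: the fence info string `id="prstack"` is not a language tag, and many Markdown renderers will either show it literally or treat the block as untagged; a plain `text` fence with the "PR Stack Plan" heading it already sits under keeps the block copy-pasteable.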