Collapse ward lint + security surface under ward doctor umbrella #40

Closed
opened 2026-06-03 22:43:04 +00:00 by coilysiren · 0 comments
Owner

Scope

Sub-issue of #4. Collapse ward's diagnostic surface into a single ward doctor umbrella. Supersedes #39 — the security block surfaces as a doctor check group, not its own command.

Supersedes #39 (closing as reshaped).

What

  • ward doctor — top-level subcommand. Runs every check group and exits non-zero on any failure. Default verbosity prints one summary line per group; --verbose prints per-check detail.
  • ward doctor allowlist — current ward lint logic relocated. Validates .ward/ward.yamlMakefile contract.
  • ward doctor security — reads cfg.Security, reports protected-binary count, sudo posture, hook-policy presence. No host probing yet (that's a separate sub-issue: passwordless sudo, PATH posture, credential env).
  • ward lint — kept as a thin alias for ward doctor allowlist for one minor release so the cross-repo pre-commit suite doesn't break. Aliased path prints a deprecation line to stderr. Removal tracked in a follow-up issue (referenced in the deprecation message).
  • Internal: lift the resolved-config helper from loadDefault so doctor groups share a single resolve + load. The #38 precedence (--config > $WARD_CONFIG > walk-up) applies to every doctor group.

Acceptance

  • ward doctor runs both groups, exits 0 on clean, non-zero with grouped output on failure.
  • ward doctor allowlist produces the same output ward lint produces today (modulo subcommand path in error prefixes).
  • ward doctor security against a config with a populated security: block prints protected-binary count, sudo posture, and hook-policy presence. Against a config with no block, prints "no security: declared" and counts as a pass.
  • ward lint still works, prints a one-line deprecation pointing at ward doctor allowlist and the follow-up issue.
  • Tests cover: clean run, allowlist failure surfaces under doctor, security block populated vs empty, alias path emits deprecation.
  • docs/doctor.md documents the umbrella and check groups; docs/lint.md reduces to a deprecation pointer.

Out of scope

  • Host-side security probing (passwordless sudo, PATH shim detection, credential env scan). Separate sub-issue of #4.
  • Hook wiring for protected binaries. Separate sub-issue of #4.
  • Removing the ward lint alias. Follow-up issue once downstream consumers migrate.
## Scope Sub-issue of #4. Collapse ward's diagnostic surface into a single `ward doctor` umbrella. Supersedes #39 — the security block surfaces as a doctor check group, not its own command. Supersedes #39 (closing as reshaped). ## What - `ward doctor` — top-level subcommand. Runs every check group and exits non-zero on any failure. Default verbosity prints one summary line per group; `--verbose` prints per-check detail. - `ward doctor allowlist` — current `ward lint` logic relocated. Validates `.ward/ward.yaml` ↔ `Makefile` contract. - `ward doctor security` — reads `cfg.Security`, reports protected-binary count, sudo posture, hook-policy presence. No host probing yet (that's a separate sub-issue: passwordless sudo, PATH posture, credential env). - `ward lint` — kept as a thin alias for `ward doctor allowlist` for one minor release so the cross-repo pre-commit suite doesn't break. Aliased path prints a deprecation line to stderr. Removal tracked in a follow-up issue (referenced in the deprecation message). - Internal: lift the resolved-config helper from `loadDefault` so doctor groups share a single resolve + load. The #38 precedence (`--config` > `$WARD_CONFIG` > walk-up) applies to every doctor group. ## Acceptance - `ward doctor` runs both groups, exits 0 on clean, non-zero with grouped output on failure. - `ward doctor allowlist` produces the same output `ward lint` produces today (modulo subcommand path in error prefixes). - `ward doctor security` against a config with a populated `security:` block prints protected-binary count, sudo posture, and hook-policy presence. Against a config with no block, prints "no security: declared" and counts as a pass. - `ward lint` still works, prints a one-line deprecation pointing at `ward doctor allowlist` and the follow-up issue. - Tests cover: clean run, allowlist failure surfaces under doctor, security block populated vs empty, alias path emits deprecation. - `docs/doctor.md` documents the umbrella and check groups; `docs/lint.md` reduces to a deprecation pointer. ## Out of scope - Host-side security probing (passwordless sudo, PATH shim detection, credential env scan). Separate sub-issue of #4. - Hook wiring for protected binaries. Separate sub-issue of #4. - Removing the `ward lint` alias. Follow-up issue once downstream consumers migrate.
Sign in to join this conversation.
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
coilyco-flight-deck/ward#40
No description provided.