- Remove skip_app_ids from user-editable Config; callers updated - Split PROTECTED_APP_IDS: only Steam infra/Proton IDs remain; game IDs moved to a new time-locked exception system - Add _whitelist.py: 24-hour cooldown on new exceptions, entropy-checked justification (>= 5 words), append-only audit log, chattr +i immutability on enforcement-critical config files - Add is_protected_app() in game_install.py; used everywhere instead of direct PROTECTED_APP_IDS membership checks - Add 'add-exception' CLI command (cmd_add_exception in main.py) - Call promote_pending_exceptions() and lock_enforcement_files() in each _enforce_loop_iteration - 590 tests, 100% branch coverage on all steam_backlog_enforcer modules - Add .worktrees to .gitignore
{
"intent": "Harden Steam Backlog Enforcer so the whitelist cannot be trivially circumvented by editing config files or adding arbitrary app IDs.",
"scope": [
"python_pkg/steam_backlog_enforcer/ — all source modules and tests",
"Non-goals: changing game assignment logic, HLTB integration, or store-blocking"
],
"changes": [
"Removed skip_app_ids from user-editable Config dataclass; all callers updated",
"Stripped non-infra game IDs from PROTECTED_APP_IDS; only Steam runtimes and Proton versions remain",
"Added _whitelist.py: 24h time-locked exceptions, entropy-checked justification (>=5 words), append-only audit log, chattr +i immutability",
"Added is_protected_app() in game_install.py; replaces direct PROTECTED_APP_IDS membership checks throughout",
"Added 'add-exception' CLI command (cmd_add_exception) in main.py",
"Integrated promote_pending_exceptions() and lock_enforcement_files() into _enforce_loop_iteration",
"Added _whitelist.py constants (_ADD_EXCEPTION_USAGE, _MIN_ADD_EXCEPTION_ARGS) to module level (ruff N806 fix)",
"Fixed COMMANDS type annotation from Callable[..., None] to Callable[..., object] (mypy compliance)",
"590 tests pass, 100% branch coverage on all steam_backlog_enforcer modules"
],
"verification": [
{
"command": "pre-commit run --files python_pkg/steam_backlog_enforcer/... (17 files)",
"result": "pass",
"evidence": "ruff Passed, ruff format Passed, mypy Passed, pylint Passed, bandit Passed, pytest with coverage enforcement Passed — all hooks green"
}
],
"risks": [
"chattr +i on config file requires root or CAP_LINUX_IMMUTABLE; it is silently skipped if chattr is unavailable or unprivileged, which means enforcement falls back open on such hosts — emitting a log line or audit-log entry on skip would make that visible. The immutable bit also only resists non-root edits: any root process can run chattr -i first, so it is a speed bump rather than a trust boundary against a user who administers the machine",
"The 24h cooldown is wall-clock based; NTP jumps or hibernation could affect timing, and a user who can set the system clock (the same root privilege chattr +i needs) can move it forward to promote a pending exception early. Recording a monotonic/boot-time reference alongside the wall-clock timestamp, or refusing promotion when the clock has jumped, would make that tampering detectable"
],
"rollback": [
"git revert HEAD on steam-backlog-hardening branch, then fast-forward main. Note that reverting the code does not clear the immutable bit already set on config files: run chattr -i (as root) on every file lock_enforcement_files() locked, otherwise the reverted code may be unable to write them",
"Validate: pytest python_pkg/steam_backlog_enforcer/tests/ --cov=python_pkg.steam_backlog_enforcer --cov-fail-under=100"
]
}