Dev/milestone c security report hardening

.github/scripts/test_milestone_c_internal_checks.py

@@ -0,0 +1,83 @@
+#!/usr/bin/env python3
+#
+# Copyright 2026 The Ethos maintainers
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+from __future__ import annotations
+
+import unittest
+from pathlib import Path
+
+
+ROOT = Path(__file__).resolve().parents[2]
+MAKEFILE = ROOT / "Makefile"
+
+
+def makefile_text() -> str:
+    return MAKEFILE.read_text(encoding="utf-8")
+
+
+def target_block(target: str) -> str:
+    lines = makefile_text().splitlines()
+    start = None
+    for index, line in enumerate(lines):
+        if line == f"{target}:":
+            start = index + 1
+            break
+    if start is None:
+        raise AssertionError(f"{target} target is missing")
+
+    block: list[str] = []
+    for line in lines[start:]:
+        if line and not line.startswith(("\t", " ")):
+            break
+        block.append(line)
+    return "\n".join(block)
+
+
+class MilestoneCInternalCheckTests(unittest.TestCase):
+    def test_target_is_declared_phony(self) -> None:
+        text = makefile_text()
+
+        self.assertIn(".PHONY:", text)
+        self.assertIn("milestone-c-internal-checks", text)
+
+    def test_target_composes_current_artifact_gates(self) -> None:
+        block = target_block("milestone-c-internal-checks")
+
+        required = [
+            "$(MAKE) rag-chunk-alpha PYTHON=$(PYTHON)",
+            "$(MAKE) security-report-alpha PYTHON=$(PYTHON)",
+            "$(PYTHON) .github/scripts/test_milestone_c_internal_checks.py",
+            "git diff --check",
+        ]
+        for command in required:
+            self.assertIn(command, block)
+
+    def test_target_stays_current_artifact_scoped(self) -> None:
+        block = target_block("milestone-c-internal-checks")
+
+        self.assertNotIn("verify-alpha", block)
+        self.assertNotIn("layout-evaluator-alpha", block)
+        self.assertNotIn("python-surface-test", block)
+        self.assertNotIn("verify-rendered-crops", block)
+        self.assertNotIn("compare-rendered-crops", block)
+        self.assertNotIn("release-", block)
+        self.assertNotIn("third-party-license-manifest", block)
+        self.assertNotIn("release-notice-draft", block)
+
+
+if __name__ == "__main__":
+    unittest.main()

.github/scripts/test_security_report_alpha.py

@@ -58,6 +58,7 @@ def test_target_composes_security_report_artifact_gates(self) -> None:
         block = target_block("security-report-alpha")
 
         required = [
+            "cargo test --locked -p ethos-cli --test security_report",
             "$(PYTHON) schemas/validate_examples.py",
             "$(PYTHON) schemas/test_security_report_validation.py",
             "$(PYTHON) .github/scripts/test_security_report_alpha.py",
@@ -69,7 +70,8 @@ def test_target_composes_security_report_artifact_gates(self) -> None:
     def test_target_stays_security_report_scoped(self) -> None:
         block = target_block("security-report-alpha")
 
-        self.assertNotIn("cargo test", block)
+        self.assertNotIn("cargo test --locked -p ethos-cli --test rag", block)
+        self.assertNotIn("cargo test --locked -p ethos-cli --test verify", block)
         self.assertNotIn("rag-chunk-alpha", block)
         self.assertNotIn("layout-evaluator-alpha", block)
         self.assertNotIn("python-surface-test", block)

Makefile

@@ -13,7 +13,7 @@ COMPARE_RENDERED_CROPS_LEFT ?= $(VERIFY_RENDERED_CROPS_OUT)/run1
 COMPARE_RENDERED_CROPS_RIGHT ?= $(VERIFY_RENDERED_CROPS_OUT)/run2
 LAYOUT_EVALUATOR_OUT ?= $(ROOT)/target/layout-evaluator-alpha
 
-.PHONY: verify-alpha verify-alpha-tree rag-chunk-alpha security-report-alpha verify-rendered-crops compare-rendered-crops layout-evaluator-alpha python-surface-test milestone-b-internal-checks release-hygiene release-advisory third-party-license-manifest release-notice-draft
+.PHONY: verify-alpha verify-alpha-tree rag-chunk-alpha security-report-alpha verify-rendered-crops compare-rendered-crops layout-evaluator-alpha python-surface-test milestone-b-internal-checks milestone-c-internal-checks release-hygiene release-advisory third-party-license-manifest release-notice-draft
 
 $(ETHOS_BIN):
 	cargo build --locked -p ethos-cli
@@ -41,6 +41,7 @@ rag-chunk-alpha:
 	git diff --check
 
 security-report-alpha:
+	cargo test --locked -p ethos-cli --test security_report
 	$(PYTHON) schemas/validate_examples.py
 	$(PYTHON) schemas/test_security_report_validation.py
 	$(PYTHON) .github/scripts/test_security_report_alpha.py
@@ -76,6 +77,12 @@ milestone-b-internal-checks:
 	$(PYTHON) .github/scripts/readiness_gate.py public
 	git diff --check
 
+milestone-c-internal-checks:
+	$(MAKE) rag-chunk-alpha PYTHON=$(PYTHON)
+	$(MAKE) security-report-alpha PYTHON=$(PYTHON)
+	$(PYTHON) .github/scripts/test_milestone_c_internal_checks.py
+	git diff --check
+
 release-hygiene:
 	cargo metadata --locked --offline --format-version 1 --no-deps >/dev/null
 	$(CARGO_DENY) --version

crates/ethos-cli/src/cmd/mod.rs

@@ -16,4 +16,5 @@
 
 pub(crate) mod doc;
 pub(crate) mod rag;
+pub(crate) mod security;
 pub(crate) mod verify;