feat: harden profile installs and validate council-lite artifacts

dtsong · dtsong · commit b0cfde9faccf · 2026-02-11T15:04:41.000-08:00
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
@@ -8,7 +8,12 @@ on:
 
 jobs:
   validation:
-    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+
+    runs-on: ${{ matrix.os }}
 
     steps:
       - name: Checkout
@@ -30,6 +35,8 @@ jobs:
         run: |
           ./install.sh --list-profiles
           ./install.sh --status
+          ./install.sh --conflict-policy fail --profiles core,council-lite
+          ./install.sh --conflict-policy skip --profiles core,council-lite
           ./install.sh --profiles core,council-lite
           ./install.sh --enable-profile council-research
           ./install.sh --disable-profile council-research
@@ -54,4 +61,19 @@ jobs:
           PY
           )
           ./scripts/council-lite.sh resume "$SESSION_ID"
+          ./scripts/validate-council-lite.sh --latest
           ./install.sh --uninstall
+
+  secret-scan:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/README.md b/README.md
@@ -38,13 +38,18 @@ Common commands:
 # set exact profiles (dependencies auto-added)
 ./install.sh --profiles core,council-lite
 
+# choose conflict behavior when target paths already exist
+./install.sh --conflict-policy fail --profiles core,council-lite
+./install.sh --conflict-policy skip --profiles core,council-lite
+
 # enable or disable one profile
 ./install.sh --enable-profile council-lite
 ./install.sh --disable-profile council-lite
 
 # start a council-lite session scaffold
 ./scripts/council-lite.sh run "Design safe billing webhooks"
 ./scripts/council-lite.sh list
+./scripts/validate-council-lite.sh --latest
 ```
 
 Profile state is persisted at:
@@ -57,6 +62,9 @@ For profile adoption guidance, see `docs/profiles.md`.
 
 `install.sh` creates symlinks into `~/.config/opencode/` so edits in this repo apply immediately.
 
+If a managed target path already exists and is not a symlink, install fails by default.
+Use `--conflict-policy skip` to leave conflicting paths untouched and continue linking non-conflicting paths.
+
 `./install.sh --uninstall` removes managed symlinks and profile state.
 
 ## Directory Layout
@@ -87,6 +95,7 @@ See `docs/roadmap.md`.
 - `scripts/ops-check.sh` - stack-aware quality gate checks
 - `scripts/issue-pr-loop.sh` - issue to branch to draft PR flow
 - `scripts/council-lite.sh` - lightweight multi-agent session scaffold
+- `scripts/validate-council-lite.sh` - council-lite artifact structure validator
 
 See `docs/workflows-playbook.md` for usage patterns.
 
diff --git a/commands/README.md b/commands/README.md
@@ -15,3 +15,4 @@ Script mappings:
 - `scripts/ops-check.sh`
 - `scripts/issue-pr-loop.sh`
 - `scripts/council-lite.sh`
+- `scripts/validate-council-lite.sh`
diff --git a/commands/council-lite.md b/commands/council-lite.md
@@ -11,10 +11,12 @@ Usage:
 ./scripts/council-lite.sh list
 ./scripts/council-lite.sh run "Design safe billing webhooks"
 ./scripts/council-lite.sh resume <session-id>
+./scripts/validate-council-lite.sh --latest
 ```
 
 Notes:
 - `council-lite` profile must be enabled.
 - Enable with `./install.sh --enable-profile council-lite`.
 - Sessions are written to `memory/council-lite/<session-id>/`.
 - Artifacts include intake, assembly, deliberation rounds, and execution plan.
+- Validate generated artifacts with `scripts/validate-council-lite.sh`.
diff --git a/docs/profiles.md b/docs/profiles.md
@@ -23,8 +23,21 @@ Profiles let you choose how much capability to install.
 # enable/disable one profile
 ./install.sh --enable-profile council-lite
 ./install.sh --disable-profile council-lite
+
+# conflict handling policy
+./install.sh --conflict-policy fail --profiles core,council-lite
+./install.sh --conflict-policy skip --profiles core,council-lite
 ```
 
+## Conflict Policy
+
+When a managed path in `~/.config/opencode/` already exists and is not a symlink:
+
+- `--conflict-policy fail` (default): abort install before writing state
+- `--conflict-policy skip`: continue, but skip conflicting paths
+
+Recommended default is `fail` so you do not accidentally mix unmanaged and managed configuration.
+
 ## State Location
 
 Profile state is stored at:
@@ -45,6 +58,7 @@ After enabling `council-lite`, run:
 ./scripts/council-lite.sh run "Design safe billing webhooks"
 ./scripts/council-lite.sh list
 ./scripts/council-lite.sh resume <session-id>
+./scripts/validate-council-lite.sh --latest
 ```
 
 ## Experimental Warning: council-research
diff --git a/docs/release-checklist.md b/docs/release-checklist.md
@@ -18,11 +18,14 @@ Use this checklist before tagging a release.
   - [ ] `./install.sh`
   - [ ] `./install.sh --list-profiles`
   - [ ] `./install.sh --status`
+  - [ ] `./install.sh --conflict-policy fail --profiles core,council-lite`
+  - [ ] `./install.sh --conflict-policy skip --profiles core,council-lite`
   - [ ] `./install.sh --profiles core,council-lite`
   - [ ] `./install.sh --enable-profile council-research`
   - [ ] `./install.sh --disable-profile council-research`
   - [ ] `./scripts/council-lite.sh run "Smoke test"`
   - [ ] `./scripts/council-lite.sh list`
+  - [ ] `./scripts/validate-council-lite.sh --latest`
   - [ ] `./install.sh --uninstall`
 - [ ] experimental warning shown when `council-research` is enabled
 - [ ] profile state removed on uninstall (`~/.config/opencode/profiles-enabled.json`)
diff --git a/docs/workflows-playbook.md b/docs/workflows-playbook.md
@@ -59,9 +59,11 @@ This creates one branch and one draft PR per issue.
 ./scripts/council-lite.sh list
 ./scripts/council-lite.sh run "Design safe billing webhooks"
 ./scripts/council-lite.sh resume <session-id>
+./scripts/validate-council-lite.sh --latest
 ```
 
 Notes:
 - requires `council-lite` profile enabled
 - creates session artifacts in `memory/council-lite/<session-id>/`
 - includes intake, assembly, deliberation rounds, and plan templates
+- validation script checks required files and headings
diff --git a/install.sh b/install.sh
@@ -6,6 +6,7 @@ TARGET_DIR="$HOME/.config/opencode"
 PROFILES_DIR="$REPO_DIR/profiles"
 REGISTRY_PATH="$PROFILES_DIR/registry.json"
 STATE_PATH="$TARGET_DIR/profiles-enabled.json"
+CONFLICT_POLICY="fail"
 
 MANAGED_ITEMS=(
   "agents"
@@ -31,13 +32,51 @@ Profile management:
   --profiles <csv>                Set enabled profiles (dependencies auto-added).
   --enable-profile <id>           Enable one profile.
   --disable-profile <id>          Disable one profile (core cannot be disabled).
+  --conflict-policy <fail|skip>   Behavior when target path already exists.
 
 Other:
   --uninstall                     Remove managed symlinks and profile state.
   -h, --help                      Show this help.
 EOF
 }
 
+collect_conflicts() {
+  mkdir -p "$TARGET_DIR"
+  local conflicts=()
+  local item
+  for item in "${MANAGED_ITEMS[@]}"; do
+    local target_path="$TARGET_DIR/$item"
+    if [[ -e "$target_path" && ! -L "$target_path" ]]; then
+      conflicts+=("$target_path")
+    fi
+  done
+
+  if [[ "${#conflicts[@]}" -eq 0 ]]; then
+    return 0
+  fi
+
+  echo "Detected install path conflicts:"
+  for path in "${conflicts[@]}"; do
+    echo "- $path"
+  done
+  echo ""
+  echo "Conflicts happen when files/directories already exist and are not symlinks."
+  echo "Recommended: move or remove conflicting paths, then rerun ./install.sh"
+
+  if [[ "$CONFLICT_POLICY" == "fail" ]]; then
+    echo ""
+    echo "Aborting install due to conflict policy: fail"
+    echo "To proceed without replacing conflicting paths, rerun with:"
+    echo "  ./install.sh --conflict-policy skip"
+    return 1
+  fi
+
+  echo ""
+  echo "Continuing with conflict policy: skip"
+  echo "Only non-conflicting paths will be linked."
+  return 0
+}
+
 require_registry() {
   if [[ ! -f "$REGISTRY_PATH" ]]; then
     echo "Profile registry missing: $REGISTRY_PATH"
@@ -234,6 +273,8 @@ install_with_csv() {
     exit 1
   }
 
+  collect_conflicts || exit 1
+
   save_state_csv "$resolved_csv"
   link_managed_items
 
@@ -323,6 +364,28 @@ uninstall_all() {
 }
 
 main() {
+  while [[ $# -gt 0 ]]; do
+    case "$1" in
+      --conflict-policy)
+        if [[ -z "${2:-}" ]]; then
+          echo "Error: --conflict-policy requires a value (fail|skip)."
+          usage
+          exit 1
+        fi
+        if [[ "$2" != "fail" && "$2" != "skip" ]]; then
+          echo "Error: invalid --conflict-policy value: $2"
+          usage
+          exit 1
+        fi
+        CONFLICT_POLICY="$2"
+        shift 2
+        ;;
+      *)
+        break
+        ;;
+    esac
+  done
+
   case "${1:-}" in
     "")
       install_with_csv "$(load_enabled_profiles)"
@@ -357,6 +420,11 @@ main() {
       fi
       disable_profile "$2"
       ;;
+    --conflict-policy)
+      echo "Error: --conflict-policy must be combined with an install action."
+      usage
+      exit 1
+      ;;
     --uninstall)
       uninstall_all
       ;;
diff --git a/profiles/council-lite/README.md b/profiles/council-lite/README.md
@@ -21,6 +21,7 @@ Council Lite provides a lightweight deliberation workflow on top of the core pro
 ./scripts/council-lite.sh run "Design safe billing webhooks"
 ./scripts/council-lite.sh list
 ./scripts/council-lite.sh resume <session-id>
+./scripts/validate-council-lite.sh --latest
 ```
 
 This initializes a structured session under `memory/council-lite/<session-id>/` with:
diff --git a/scripts/validate-council-lite.sh b/scripts/validate-council-lite.sh
@@ -0,0 +1,123 @@
+#!/bin/bash
+set -euo pipefail
+
+WORKSPACE="$(git rev-parse --show-toplevel 2>/dev/null || pwd)"
+COUNCIL_DIR="$WORKSPACE/memory/council-lite"
+INDEX_PATH="$COUNCIL_DIR/index.json"
+
+usage() {
+  cat <<'EOF'
+Usage: validate-council-lite.sh [--latest | <session-id> | <session-path>]
+
+Examples:
+  ./scripts/validate-council-lite.sh --latest
+  ./scripts/validate-council-lite.sh 20260211-150000-design-safe-billing-webhooks
+  ./scripts/validate-council-lite.sh memory/council-lite/20260211-150000-design-safe-billing-webhooks
+EOF
+}
+
+resolve_session_path() {
+  local input="${1:-}"
+  python3 - "$INDEX_PATH" "$COUNCIL_DIR" "$input" <<'PY'
+import json
+import os
+import sys
+from pathlib import Path
+
+index_path = Path(sys.argv[1])
+council_dir = Path(sys.argv[2])
+input_value = sys.argv[3].strip()
+
+if not index_path.exists():
+    raise SystemExit("No council-lite index found. Run council-lite first.")
+
+data = json.loads(index_path.read_text(encoding="utf-8"))
+sessions = data.get("sessions", [])
+if not sessions:
+    raise SystemExit("No council-lite sessions found in index.")
+
+if input_value in ("", "--latest"):
+    print(sessions[-1]["path"])
+    raise SystemExit(0)
+
+input_path = Path(input_value)
+if input_path.exists() and input_path.is_dir():
+    print(str(input_path.resolve()))
+    raise SystemExit(0)
+
+for session in sessions:
+    if session.get("id") == input_value:
+        print(session.get("path", ""))
+        raise SystemExit(0)
+
+candidate = council_dir / input_value
+if candidate.exists() and candidate.is_dir():
+    print(str(candidate.resolve()))
+    raise SystemExit(0)
+
+raise SystemExit(f"Session not found: {input_value}")
+PY
+}
+
+main() {
+  case "${1:-}" in
+    -h | --help)
+      usage
+      exit 0
+      ;;
+  esac
+
+  local selector="${1:---latest}"
+  local session_path
+  session_path="$(resolve_session_path "$selector")"
+
+  python3 - "$session_path" <<'PY'
+import sys
+from pathlib import Path
+
+session_path = Path(sys.argv[1])
+required_files = [
+    "session.md",
+    "intake.md",
+    "assembly.md",
+    "deliberation/round1-position.md",
+    "deliberation/round2-challenge.md",
+    "deliberation/round3-converge.md",
+    "plan.md",
+]
+
+missing = [f for f in required_files if not (session_path / f).is_file()]
+if missing:
+    print("Validation failed: missing required files")
+    for item in missing:
+        print(f"- {item}")
+    raise SystemExit(1)
+
+checks = {
+    "session.md": ["# Council Lite Session", "Session ID:", "Goal:"],
+    "intake.md": ["# Intake", "## Goal", "## Success Criteria"],
+    "assembly.md": ["# Assembly", "## Recommended Agents", "## Selection Rationale"],
+    "deliberation/round1-position.md": ["# Round 1 - Position"],
+    "deliberation/round2-challenge.md": ["# Round 2 - Challenge"],
+    "deliberation/round3-converge.md": ["# Round 3 - Converge"],
+    "plan.md": ["# Execution Plan", "## Ordered Steps", "## Verification"],
+}
+
+errors = []
+for rel_path, required_tokens in checks.items():
+    text = (session_path / rel_path).read_text(encoding="utf-8")
+    for token in required_tokens:
+        if token not in text:
+            errors.append(f"{rel_path}: missing token '{token}'")
+
+if errors:
+    print("Validation failed: content checks did not pass")
+    for err in errors:
+        print(f"- {err}")
+    raise SystemExit(1)
+
+print(f"Council-lite artifact validation passed: {session_path}")
+PY
+}
+
+main "$@"
