Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -232,7 +232,7 @@ Design rules live in docs and scripts rather than screenshots alone:
| `make release-smoke` | Release payload, CLI smoke artifact, ad-hoc app signing, archive, checksum, and DMG verification. |
| `make release-signing-readiness` | Developer ID / notarization readiness evidence. |
| `make app-accessibility-evidence-status` | Per-scenario manual accessibility evidence progress without converting pending work into pass. |
| `make evidence-status` | Current local evidence status, including pending manual accessibility and blocked Developer ID signing prerequisites. |
| `make evidence-status` | Current local evidence status, including pending manual accessibility counts and blocked Developer ID signing prerequisites. |
| `pre-commit run --all-files` | Local hook suite before commit. |

CI runs `guard`, `quality`, `release-smoke`, `gitleaks`, and `trivy`. The protected
Expand Down
2 changes: 1 addition & 1 deletion docs/VERIFICATION.md
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ prove its own contract will drift into wishful UI.
| Release Signing Evidence Template | `scripts/release-signing-evidence-template.sh` | Pending local evidence can be generated for Developer ID signing and notarization, or pending-only manifests can refresh SHA/artifact paths without overwriting notes or falsely passing review. |
| Release Signing Evidence Template Contract | `scripts/release-signing-evidence-template-contract.sh` | Pending signing evidence refresh preserves notes, updates current SHA/artifact paths, and rejects non-pending signing result fields. |
| Release Signing Evidence Review | `scripts/release-signing-evidence-review.sh` | Signed app, notarized/stapled DMG, checksum, release-candidate evidence, non-template reviewer, and UTC ISO-8601 review timestamp are verified for the current Git SHA and dirty state. |
| Evidence Status | `scripts/evidence-status.sh` | Current local evidence is summarized without replacing review gates: automatic evidence must be current, manual evidence can remain `pending`, and external signing prerequisites plus dependent signing evidence are reported as `blocked` until readiness passes. |
| Evidence Status | `scripts/evidence-status.sh` | Current local evidence is summarized without replacing review gates: automatic evidence must be current, manual evidence can remain `pending` with pending scenario/field counts, and external signing prerequisites plus dependent signing evidence are reported as `blocked` until readiness passes. |
| Security | GitHub Actions `gitleaks` and `trivy` | Secret leaks, high-risk dependency and config findings. |
| Branch Protection | GitHub `main` protection | Required checks, PR flow, linear history, and force-push prevention. |

Expand Down
20 changes: 20 additions & 0 deletions scripts/evidence-status.sh
Original file line number Diff line number Diff line change
Expand Up @@ -130,6 +130,25 @@ accessibility_evidence_is_current_pending() {
[[ "$pending_found" == true ]]
}

accessibility_pending_summary() {
local output
local pending_scenarios
local pending_fields

output="$("$script_dir/app-accessibility-evidence-status.sh")" || return 1
pending_scenarios="$(
printf '%s\n' "$output" |
awk -F= '$1 == "pending_scenarios" { print $2; found = 1 } END { exit(found ? 0 : 1) }'
)" || return 1
pending_fields="$(
printf '%s\n' "$output" |
awk -F= '$1 == "pending_fields" { print $2; found = 1 } END { exit(found ? 0 : 1) }'
)" || return 1

printf 'app_accessibility_manual_pending_scenarios=%s\n' "$pending_scenarios"
printf 'app_accessibility_manual_pending_fields=%s\n' "$pending_fields"
}

release_signing_evidence_is_current_pending() {
local evidence_dir="${KEYDEX_RELEASE_SIGNING_EVIDENCE_DIR:-tmp/release-signing-evidence}"
local payload_dir="tmp/release-smoke/keydex-$head_sha-Darwin-arm64"
Expand Down Expand Up @@ -205,6 +224,7 @@ run_review() {
app_accessibility_manual)
if accessibility_evidence_is_current_pending; then
print_review_result "$label" "$pending_state" "$reason"
accessibility_pending_summary
return 0
fi
;;
Expand Down
3 changes: 3 additions & 0 deletions scripts/project-contract.sh
Original file line number Diff line number Diff line change
Expand Up @@ -554,6 +554,9 @@ expect_file_contains scripts/evidence-status.sh "release_signing_readiness"
expect_file_contains scripts/evidence-status.sh "release_signing_evidence"
expect_file_contains scripts/evidence-status.sh "needs-attention"
expect_file_contains scripts/evidence-status.sh "accessibility_evidence_is_current_pending"
expect_file_contains scripts/evidence-status.sh "accessibility_pending_summary"
expect_file_contains scripts/evidence-status.sh "app_accessibility_manual_pending_fields"
expect_file_contains scripts/evidence-status.sh "app-accessibility-evidence-status.sh"
expect_file_contains scripts/evidence-status.sh "release_signing_evidence_is_current_pending"
expect_file_contains scripts/evidence-status.sh "missing Developer ID Application signing identity"
expect_file_contains scripts/evidence-status.sh "missing Apple notarytool"
Expand Down
Loading