boma/scripts/README.md
sjat 703f1716e5 review-repo: harden scanner, apply safe fixes, record first review
First /review-repo run on boma. Hardened repo-scan.py (no TODO.md/prose false
positives). Applied 7 safe fixes (DNS staleness x2, STATUS factual correction,
hosts.yml path generalisation, trunk-based wording x2, scripts/README). Recorded
the run and 17 open findings in docs/reviews/2026-05-30-*.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-30 19:10:58 +02:00

13 lines
671 B
Markdown

# scripts/
Small helper scripts. **Python standard library only** — no third-party
dependencies (keeps them runnable anywhere without a venv).
- `tf_to_inventory.py` — reads `terraform output -json` on stdin and writes an
Ansible `hosts.yml`. Invoked by `make tf-inventory`. Data contract: **ADR-009**.
- `vault-pass-client.sh` — fetches the master vault password from Vaultwarden via
`rbw`. Wired as `vault_password_file` (ADR-002).
- `check-vault-encrypted.sh` — pre-commit guard: fails if a `vault.yml` holds
plaintext secrets.
- `repo-scan.py` — Phase-0 deterministic scan for `/review-repo` (markers, broken
refs, unencrypted vaults, inventory).