sjat/boma

sjat 703f1716e5 review-repo: harden scanner, apply safe fixes, record first review

First /review-repo run on boma. Hardened repo-scan.py (no TODO.md/prose false
positives). Applied 7 safe fixes (DNS staleness x2, STATUS factual correction,
hosts.yml path generalisation, trunk-based wording x2, scripts/README). Recorded
the run and 17 open findings in docs/reviews/2026-05-30-*.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-05-30 19:10:58 +02:00

671 B

Raw Blame History

scripts/

Small helper scripts. Python standard library only — no third-party dependencies (keeps them runnable anywhere without a venv).

tf_to_inventory.py — reads terraform output -json on stdin and writes an Ansible hosts.yml. Invoked by make tf-inventory. Data contract: ADR-009.
vault-pass-client.sh — fetches the master vault password from Vaultwarden via rbw. Wired as vault_password_file (ADR-002).
check-vault-encrypted.sh — pre-commit guard: fails if a vault.yml holds plaintext secrets.
repo-scan.py — Phase-0 deterministic scan for /review-repo (markers, broken refs, unencrypted vaults, inventory).

671 B Raw Blame History

scripts/

671 B

Raw Blame History