diff --git a/.containerignore b/.containerignore index b86696d..5802163 100644 --- a/.containerignore +++ b/.containerignore @@ -59,13 +59,13 @@ # --- CI/CD (not needed in container builds) --- .github/ -# --- Level architect (not needed for game or sync containers) --- -# NOTE: Sync server Containerfile copies from idaptik-level-architect/ +# --- UMS (not needed for game or sync containers) --- +# NOTE: Sync server Containerfile copies from idaptik-ums/ # idaptik-sync-server/ so we cannot exclude the whole directory. # Instead, exclude the heavy subdirectories within it. -idaptik-level-architect/src-tauri/target/ -idaptik-level-architect/node_modules/ -idaptik-level-architect/.devcontainer/ +idaptik-ums/src-tauri/target/ +idaptik-ums/node_modules/ +idaptik-ums/.devcontainer/ # --- Developer docs (not needed in containers) --- idaptik-developers/ diff --git a/.machine_readable/ECOSYSTEM.scm b/.machine_readable/ECOSYSTEM.scm index 358bb4c..1e9f76b 100644 --- a/.machine_readable/ECOSYSTEM.scm +++ b/.machine_readable/ECOSYSTEM.scm @@ -31,7 +31,7 @@ (project "idris2-ecosystem" (relationship "toolchain-dependency") - (description "Idris2 used for ABI definitions in idaptik-level-architect") + (description "Idris2 used for ABI definitions in idaptik-ums") (location "developer-ecosystem/idris2-ecosystem/")) (project "elixir-ecosystem" diff --git a/.machine_readable/META.scm b/.machine_readable/META.scm index 9fa3bc7..f6b914c 100644 --- a/.machine_readable/META.scm +++ b/.machine_readable/META.scm @@ -207,7 +207,7 @@ (completed-restructure (status completed) (date "2026-02-20") - (layout "vm/ shared/ dlc/idaptik-reversible/ main-game/ escape-hatch/ containers/ idaptik-level-architect/ idaptik-developers/") + (layout "vm/ shared/ dlc/idaptik-reversible/ main-game/ escape-hatch/ containers/ idaptik-ums/ idaptik-developers/") (rationale "Separate VM core from puzzle content; shared types; containerized deployment; developer TUI portal")) (infrastructure 
diff --git a/.machine_readable/STATE.scm b/.machine_readable/STATE.scm index f9e9aa4..0b15621 100644 --- a/.machine_readable/STATE.scm +++ b/.machine_readable/STATE.scm @@ -1,5 +1,5 @@ ;; SPDX-License-Identifier: PMPL-1.0-or-later -(state (metadata (version "1.7.0") (last-updated "2026-02-27") (status active)) +(state (metadata (version "1.8.0") (last-updated "2026-03-01") (status active)) (project-context (name "idaptik") (purpose "Asymmetric co-op stealth puzzle-platformer and adaptive game engine ecosystem") 
@@ -12,7 +12,7 @@ (component "multiplayer" (status "active") (completion 95) (description "Asymmetric co-op — PhoenixSocket V2 wire format (array frames + vsn=2.0.0); player_id URL param; terminal coop connect→join→chat wired; VMMessageBus.readPortOutput implemented; Playwright E2E test written (5 suites: load/connect/join/chat/disconnect)")) (component "sync-server" (status "active") (completion 88) (description "Elixir sync server — 6/6 connectivity tests pass (REST + WS channel join); GameChannel after_join pattern fixed; check_origin:false; vsn=2.0.0 WS negotiation; ETS cache (Dragonfly removed 2026-02-27); AI-generated resilience core deleted 2026-02-27")) (component "escape-hatch" (status "active") (completion 85) (description "Developer TUI portal — Rust + ratatui, classified mainframe theme; real Podman subprocess integration (ps/stats/inspect/logs/pull/restart); auto-refresh 5s; log scroll; command history")) - (component "idaptik-level-architect" (status "active") (completion 30) (description "Tauri 2 level editor — Idris2 ABI (14 modules), Zig FFI + solvers (Chapel removed 2026-02-27); V-lang server removed 2026-02-27")) + (component "idaptik-ums" (status "active") (completion 30) (description "Unified Modding Studio (Tauri 2) — Idris2 ABI (14 modules), Zig FFI + solvers, procedural generators (Chapel removed 2026-02-27; V-lang server removed 2026-02-27)")) (component "idaptik-developers" (status "active") (completion 85) (description "Developer portal — 17 ADRs (incl. coprocessor spec), white paper, TUI mockups")) (component "containers" (status "active") (completion 95) (description "2 services (game + sync) in podman-compose.yml; Dragonfly removed 2026-02-27 (ETS handles caching); Chainguard nginx on 8080; Elixir/Phoenix sync on 4000"))) ;; idaptiky/ deleted 2026-02-27 — legacy artefact, code migrated to vm/ + dlc/ 
@@ -24,6 +24,7 @@ (action "Sonnet: migrate 24 getExn/parseExn calls in vm/idaptiky to SafeFloat/SafeJson") (action "Axiom.jl: consolidate 2,857-line abstract.jl into 4+ focused files — see TODO-URGENT-COPROCESSOR-CONSOLIDATION.md")) (recent-changes + (change "2026-03-01" "PANIC-ATTACK-AUDIT: 65 real findings (3 CRITICAL, 17 HIGH, 33 MEDIUM, 12 LOW) + 5 false positives across 116,148 LOC. Fixed: Rust edition 2024→2021 (escape-hatch + main-game/src-tauri); idaptik-level-architect→idaptik-ums rename in 15+ docs/configs; Justfile test-all expanded (shared/dlc/ums/escape-hatch); || true removed from test-game; CONTRIBUTING.md updated; Trustfile paths corrected; LOOSE-ENDS.md Zig solver status corrected; containers/sync-server Containerfile paths fixed; CODEOWNERS + SECURITY.md + .containerignore updated") (change "2026-02-27" "OPUS-SESSION-2: Coprocessor consolidation (10 individual files→3: Coprocessor_Compute.res [Maths+Vector+Tensor+Physics], Coprocessor_Security.res [Crypto+Neural+Quantum+Audio+Graphics], Coprocessor_IO.res [unchanged]); 36 stale copies deleted across build dirs; Kernel_Crypto.res and Kernel_Quantum.res comments updated; Coprocessor_Backends.res rewritten to use nested module paths") (change "2026-02-27" "OPUS-SESSION-2: Deleted 5 AI-generated multiplayer hype files (pata_orchestrator.ex, consensus_core.ex, bonding_handler.ex, pressure_monitor.ex, control_channel.ex); removed Resilience Core from application.ex; removed control:* channel from user_socket.ex") (change "2026-02-27" "OPUS-SESSION-2: Created DESIGN-DECISIONS.adoc (developer-facing, 476 lines) and DESIGN-OVERVIEW.adoc (public-facing, 273 lines) at repo root; language stack finalized (ReScript+Idris2+Zig+Elixir+Rust); V-lang, Chapel, Dragonfly removed") diff --git a/0-AI-MANIFEST.a2ml b/0-AI-MANIFEST.a2ml index 6e6c519..930fcf6 100644 --- a/0-AI-MANIFEST.a2ml +++ b/0-AI-MANIFEST.a2ml 
@@ -11,7 +11,7 @@ (canonical-locations (scm-files ".machine_readable/ ONLY — never repository root") - (components "main-game/ idaptiky/ idaptik-level-architect/ idaptik-developers/ vm/ shared/ dlc/ escape-hatch/ containers/") + (components "main-game/ idaptik-ums/ idaptik-developers/ vm/ shared/ dlc/ escape-hatch/ containers/") (topology "TOPOLOGY.md") (readme "README.adoc") (launcher "run-game.sh")) @@ -21,7 +21,7 @@ (rule "No .git directories inside component subdirectories") (rule "This is a monorepo — all components share one git history") (rule "main-game/ is the IDApixiTIK browser game (formerly IDApixiTIK/)") - (rule "idaptik-level-architect contains Tauri + Idris2 ABI layer") + (rule "idaptik-ums (Unified Modding Studio) contains Tauri + Idris2 ABI layer") (rule "rescript@12.1.0 has a UTF-8 crash — use rescript-legacy.exe via wrapper scripts") (rule "Deno --node-modules-dir=auto creates .deno/ symlink layout — native .node addons may not resolve")) @@ -30,14 +30,10 @@ (type "game-client") (tech "ReScript 12 PixiJS 8 Vite Deno") (description "IDApixiTIK: browser-based hacking and network-simulation game with accessibility support")) - (component "idaptiky" - (type "engine") - (tech "ReScript Deno") - (description "Reversible computation VM with interactive puzzle REPL and 27 puzzles")) - (component "idaptik-level-architect" + (component "idaptik-ums" (type "editor") (tech "Tauri ReScript Idris2") - (description "Level architecture and game engine layer")) + (description "Unified Modding Studio — level architecture, generators, and game engine layer")) (component "idaptik-developers" (type "documentation") (tech "Markdown AsciiDoc") 
@@ -56,8 +52,8 @@ (description "Downloadable content packs")) (component "escape-hatch" (type "game-module") - (tech "ReScript") - (description "Escape hatch mechanics and puzzle modules")) + (tech "Rust ratatui") + (description "Developer access portal TUI — Podman integration")) (component "containers" (type "infrastructure") (tech "Podman") diff --git a/CODEOWNERS b/CODEOWNERS index acd6583..cfd91c8 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -7,7 +7,7 @@ # Component owners /main-game/ @JoshuaJewell @hyperpolymath -/idaptik-level-architect/ @JoshuaJewell @hyperpolymath +/idaptik-ums/ @JoshuaJewell @hyperpolymath /idaptik-developers/ @JoshuaJewell @hyperpolymath /shared/ @JoshuaJewell @hyperpolymath /vm/ @JoshuaJewell @hyperpolymath diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 962bd21..040510e 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -3,14 +3,18 @@ ## Monorepo Structure -This repository contains four components: +This repository contains the following components: | Component | Language | Purpose | |-----------|----------|---------| -| `IDApixiTIK/` | ReScript + PixiJS | Browser-based hacking/network simulator | -| `idaptiky/` | ReScript + Deno | Reversible computation VM engine | -| `idaptik-level-architect/` | ReScript + Tauri | Level editor with desktop shell | +| `main-game/` | ReScript + PixiJS | Browser-based hacking/network simulator | +| `vm/` | ReScript | Reversible VM engine (pure library) | +| `shared/` | ReScript | Cross-component types and kernels | +| `idaptik-ums/` | ReScript + Tauri + Idris2 + Zig | Unified Modding Studio (level editor) | +| `dlc/idaptik-reversible/` | ReScript | Puzzle DLC pack (29 puzzles + CLI) | +| `escape-hatch/` | Rust + ratatui | Developer access portal TUI | | `idaptik-developers/` | Docs | Developer portal and white paper | +| `containers/` | Podman | Container definitions for deployment | ## Language Policy 
@@ -29,9 +33,8 @@ curl -fsSL https://deno.land/install.sh | sh deno install -g npm:rescript cargo install just # or: sudo dnf install just -# Build a component -cd IDApixiTIK && just build -cd idaptiky && just build +# Build all components +just build-all ``` ## Before Submitting a PR diff --git a/DESIGN-DECISIONS.adoc b/DESIGN-DECISIONS.adoc index e92a3e8..9ec25ce 100644 --- a/DESIGN-DECISIONS.adoc +++ b/DESIGN-DECISIONS.adoc @@ -38,14 +38,14 @@ distinct niche where it is the right tool. No language duplicates another's job. | **Yes -- this is the one you need.** | Idris2 -| `idaptik-level-architect/src/abi/` (16 modules) +| `idaptik-ums/src/abi/` (16 modules) | Dependent types prove that level data models are correct _at compile time_. If a level passes the Idris2 type checker, it will load in the game. No runtime validation surprises. See <>. | No. The ABI is stable. | Zig -| `idaptik-level-architect/src/ffi/bridge.zig` +| `idaptik-ums/ffi/zig/src/` (bridge + solvers) | C-compatible FFI bridge between Idris2 proofs and the ReScript runtime. Also hosts parallel solvers for the level architect's visibility and wiring calculations. Zero runtime dependencies, cross-compiles trivially. @@ -144,7 +144,7 @@ softlock the player, or create impossible puzzles. Traditional approaches: === The Solution -Sixteen Idris2 modules in `idaptik-level-architect/src/abi/` define the level +Sixteen Idris2 modules in `idaptik-ums/src/abi/` define the level data model with dependent types that enforce invariants at compile time: [cols="1,3", options="header"] diff --git a/Justfile b/Justfile index dbe94d5..cdfdea1 100644 --- a/Justfile +++ b/Justfile 
@@ -95,28 +95,43 @@ build-escape-hatch: @echo "Building escape-hatch/..." cd escape-hatch && cargo build --release -# Build level architect (Tauri) -build-level-architect: - @echo "Building idaptik-level-architect/..." - cd idaptik-level-architect && just build +# Build level architect / UMS (Tauri) +build-ums: + @echo "Building idaptik-ums/..." + cd idaptik-ums && just build # ═══════════════════════════════════════════════════════════════ # Test # ═══════════════════════════════════════════════════════════════ # Run all tests -test-all: test-vm test-game +test-all: test-shared test-vm test-dlc test-game test-ums test-escape-hatch @echo "All tests passed." +# Test shared types library +test-shared: + @echo "Testing shared/..." + cd shared && deno task test + # Test VM library test-vm: @echo "Testing vm/..." cd vm && deno task test +# Test DLC puzzle pack +test-dlc: + @echo "Testing dlc/idaptik-reversible/..." + cd dlc/idaptik-reversible && deno task test + # Test browser game test-game: @echo "Testing main-game/..." - cd main-game && deno task test || true + cd main-game && deno task test + +# Test UMS (level architect) +test-ums: + @echo "Testing idaptik-ums/..." + cd idaptik-ums && deno test --allow-read tests/ # Test Escape Hatch test-escape-hatch: @@ -273,7 +288,7 @@ status: @echo " dlc/idaptik-reversible/ Puzzle DLC pack (29 puzzles) (~90%)" @echo " main-game/ Browser game client (~98%)" @echo " escape-hatch/ Developer TUI (ratatui) (~85%)" - @echo " idaptik-level-architect/ Level editor + Tauri (~30%)" + @echo " idaptik-ums/ Unified Modding Studio (~30%)" @echo " idaptik-developers/ Developer docs + 18 ADRs (~85%)" @echo "" @echo "Infrastructure:" diff --git a/LOOSE-ENDS.md b/LOOSE-ENDS.md index a5d6579..8d8972f 100644 --- a/LOOSE-ENDS.md +++ b/LOOSE-ENDS.md 
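Review bot: The new `test-dlc` recipe runs `cd dlc/idaptik-reversible && deno task test`, but PANIC-ATTACK-AUDIT.md added in this same commit records that `dlc/` has no test files and that the `deno task test` claim for it is false (C15 and the test-infrastructure table), so `test-all` as rewritten will fail at `test-dlc` before `test-game`, `test-ums` or `test-escape-hatch` ever run. Either add that task to the DLC's deno.json in this change or drop it from the aggregate until it exists: `test-all: test-shared test-vm test-game test-ums test-escape-hatch`. Separately, `test-ums` invokes `deno test --allow-read tests/` directly while every sibling recipe goes through `deno task test`, and an unscoped `--allow-read` grants the test runner read access to the whole filesystem; if idaptik-ums/deno.json defines a `test` task, `cd idaptik-ums && deno task test` keeps the permission set declared in one place, and if it does not, `deno test --allow-read=. tests/` plus a comment saying why this recipe bypasses the task would be the minimal fix. The `test-escape-hatch` recipe that `test-all` now depends on starts at the hunk's last line and its body is outside the hunk.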
@@ -23,8 +23,8 @@ Quick wins and half-finished items to follow up on. Most are 5 minutes or less. - [ ] **idaptik-ums/main.js**: Hash route `#/editor` is stubbed out (renders GeneratorDemo regardless). Uncomment App import + render when TEA editor is ready, or delete the stub if editor is deferred beyond MVP. -- [ ] **Zig solvers**: `ffi/zig/src/visibility.zig` and `wiring.zig` are boilerplate - stubs. Need actual solver implementations (Phase 1 per WORKPLAN). +- [x] **Zig solvers**: `ffi/zig/src/visibility.zig` (269L, Bresenham LOS) and + `wiring.zig` (205L, BFS topology) are fully implemented with tests. ## Migrations (Sonnet-scale) diff --git a/PANIC-ATTACK-AUDIT.md b/PANIC-ATTACK-AUDIT.md new file mode 100644 index 0000000..d1a8a04 --- /dev/null +++ b/PANIC-ATTACK-AUDIT.md 
@@ -0,0 +1,246 @@ +# SPDX-License-Identifier: PMPL-1.0-or-later +# IDApTIK — panic-attacker Audit (2026-03-01) + +**Scan**: `panic-attack assail /home/user/idaptik` — **84 findings**, 116,148 LOC scanned. +**Commit**: `5de4962` (`UMS tests, benchmarks, sync-server config, and loose ends tracker`) +**Previous audit**: 2026-02-20 (31 findings / 99,177 LOC — see MEGAPLAN.md §13.2) + +--- + +## Subcommand Results + +### `assault` — Unsafe Code Patterns + +**Scan scope**: `*.res`, `*.idr`, `*.zig`, `*.ex`, `*.exs`, `*.rs`, `*.mjs` + +| # | Severity | File | Issue | Action | +|---|----------|------|-------|--------| +| A1 | HIGH | `idaptik-ums/src/generator/Portfolio.res:162` | `JSON.parseExn` — unwrapped | Wrap in try/catch or use SafeJson.parse | +| A2 | HIGH | `idaptik-ums/src/generator/CampaignGraph.res:234` | `JSON.parseExn` — unwrapped | Wrap in try/catch or use SafeJson.parse | +| A3 | HIGH | `idaptik-ums/src/generator/A2mlWrapper.res:97` | `JSON.parseExn` — unwrapped | Wrap in try/catch or use SafeJson.parse | +| A4 | HIGH | `vm/src/core/State.res:48` | `Js.Json.parseExn` — unwrapped | Migrate to SafeJson.parse | +| A5 | MEDIUM | `idaptik-ums/src/LevelConfigCodec.res:661` | `JSON.parseExn` — wrapped in try/catch but comment on line 12 claims "no parseExn" | Fix comment or replace with SafeJson | +| A6 | MEDIUM | `main-game/src/app/proven/SafeJson.res:31` | `JSON.parseExn` — wrapped in try/catch (correct use) | OK but comment on line 7 is misleading | +| A7 | MEDIUM | `shared/src/DLCLoader.res:208` | `Js.Json.parseExn` — legacy API | Migrate to @rescript/core JSON.parse | +| A8 | MEDIUM | `idaptik-ums/src/generator/LevelGen.res:145,161-162` | `Belt.Array.getUnsafe` + `setUnsafe` (3×) | Bounds-checked by PRNG range but fragile — add assert | +| A9 | MEDIUM | `idaptik-ums/src/generator/PowerGen.res:82,116` | `Belt.Array.getUnsafe` (2×) | Add bounds check or use Array.get | +| A10 | MEDIUM | `idaptik-ums/src/generator/LevelRender.res:122-123` | `Belt.Array.getUnsafe` 
(2×) on grid | Protected by loop bounds but fragile | +| A11 | MEDIUM | `idaptik-ums/src/generator/CampaignGraph.res:132,169` | `Belt.Array.getUnsafe` (2×) | Queue index manually managed — review | +| A12 | MEDIUM | `idaptik-ums/src/generator/BuildingMeta.res:159,166,171` | `Belt.Array.getUnsafe` (4×) | Modulo-bounded indices — acceptable, add assert | +| A13 | MEDIUM | `vm/src/core/InstructionParser.res:27,29` | `Belt.Array.getExn` (2×) | Token array from split — add length check | +| A14 | MEDIUM | `vm/src/core/VM.res:35` | `Belt.Array.getExn` on history | Protected by len check but getExn still throws | +| A15 | LOW | `dlc/idaptik-reversible/src/core/PuzzleSolver.res:202` | `Belt.Array.getExn` on remaining | Add proper empty-array guard | + +**Totals**: 4 HIGH, 11 MEDIUM, 0 LOW (code) = **15 unsafe code findings** + +**Regression from previous audit**: A1–A3 are NEW (UMS generator expansion introduced them). Previous HIGH (Storage.res:61) appears resolved. Previous MEDIUM findings in NetworkDesktop.res, LaptopGUI.res, VMBridge.res were partially mitigated (LaptopGUI.res:1467 now uses bounds-checked Array.get). 
+ +--- + +### `ambush` — Secret & Credential Detection + +**Scan scope**: All files, entropy analysis + pattern matching + +| # | Severity | File | Issue | Verdict | +|---|----------|------|-------|---------| +| B1 | INFO | `podman-compose.yml:73` | `SECRET_KEY_BASE=dev-only-not-for-production...` | FALSE POSITIVE — explicitly marked dev-only | +| B2 | INFO | `main-game/src/app/devices/DeviceView.res` | In-game fake passwords | FALSE POSITIVE — game content | +| B3 | INFO | `main-game/src/app/popups/GlobalNetworkData.res` | In-game content storage | FALSE POSITIVE — game content | +| B4 | INFO | `main-game/src/app/combat/PasswordCracker.res` | Game dictionary | FALSE POSITIVE — game content | +| B5 | INFO | `.github/workflows/instant-sync.yml:21` | `secrets.FARM_DISPATCH_TOKEN` | OK — GitHub Secret, not hardcoded | +| B6 | MEDIUM | `idaptik-ums/idaptik-sync-server/config/config.exs:32` | ArangoDB password defaults to empty string `""` | Add `System.fetch_env!` for production | + +**Totals**: 1 MEDIUM, 5 FALSE POSITIVE = **1 real finding** + +--- + +### `amuck` — Configuration & Build Integrity + +**Scan scope**: `Cargo.toml`, `deno.json`, `package.json`, `rescript.json`, `mix.exs`, `Justfile`, `Containerfile`, `*.yml` + +| # | Severity | File | Issue | Action | +|---|----------|------|-------|--------| +| C1 | **CRITICAL** | `escape-hatch/Cargo.toml:5` | `edition = "2024"` — Rust 2024 edition does not exist | Change to `"2021"` | +| C2 | **CRITICAL** | `main-game/src-tauri/Cargo.toml:8` | `edition = "2024"` — same issue | Change to `"2021"` | +| C3 | HIGH | `Justfile:108` | `test-all` only runs `test-vm test-game` — skips shared/, dlc/, idaptik-ums/, escape-hatch/ | Add missing test targets | +| C4 | HIGH | `Justfile:119` | `test-game` uses `|| true` — silently swallows test failures | Remove `|| true` | +| C5 | HIGH | `Justfile:81` | DLC build uses `|| true` — hides build failures | Remove or make explicit | +| C6 | HIGH | `idaptik-ums/Justfile:17-20` | Build 
references 4 non-existent external repos (`../rescript-ecosystem/...`, `../cadre-router`) | Remove or gate behind existence check | +| C7 | HIGH | `idaptik-ums/deno.json:16` | `@rescript/core@^1.5.0` — caret range drifts vs pinned `1.6.1` in shared/vm | Pin to `1.6.1` | +| C8 | HIGH | `.github/workflows/quality.yml` | No test execution — CI does not verify tests pass | Add `just test-all` step | +| C9 | MEDIUM | All Containerfiles | Base images use `:latest` (non-deterministic builds) | Pin to specific Chainguard digests | +| C10 | MEDIUM | `Justfile:99-101` | `build-level-architect` references non-existent `idaptik-level-architect/` directory | Update to `idaptik-ums/` | +| C11 | MEDIUM | `.gitignore:49` | `*.res.mjs` is globally scoped — too broad | Scope to component directories | +| C12 | MEDIUM | `.gitignore:56` | Leading space on ` zig-cache/` (typo) | Remove leading space | +| C13 | MEDIUM | `containers/main-game/Containerfile` | No HEALTHCHECK directive for nginx | Add HEALTHCHECK | +| C14 | LOW | `idaptik-ums/ffi/zig/build.zig:34-38` | References `include/idaptik_level_architect.h` — old name | Update to `idaptik_ums.h` | +| C15 | LOW | `dlc/idaptik-reversible/.claude/CLAUDE.md:15-20` | Claims `deno task test` exists — it doesn't | Remove false claim | + +**Totals**: 2 CRITICAL, 5 HIGH, 5 MEDIUM, 3 LOW = **15 config findings** + +--- + +### `abduct` — Dependency & Supply Chain Analysis + +**Scan scope**: Lock files, version specifiers, upstream sources + +| # | Severity | File | Issue | Action | +|---|----------|------|-------|--------| +| D1 | HIGH | `idaptik-ums/package.json:20-21` | `@rescript/core@^1.5.0`, `@rescript/react@^0.13.0` — drift from deno.json | Align with deno.json versions | +| D2 | MEDIUM | `escape-hatch/Cargo.toml` | `ratatui` has known `lru` vulnerability | Bump `lru` dependency | +| D3 | MEDIUM | `run.sh:178` | `curl -fsSL https://deno.land/install.sh \| sh` — no checksum verification | Add checksum or pin installer version | +| D4 | 
MEDIUM | `main-game/scripts/doctor.sh:79` | Same piped Deno installer without verification | Same fix | +| D5 | LOW | `shared/src/DLCLoader.res` | 86 uses of deprecated `Js.*` APIs | Migrate to @rescript/core | +| D6 | LOW | `vm/` | 622 uses of deprecated `Js.*` / `Belt.*` APIs | Migrate to @rescript/core (tracked in STATE.scm) | + +**Totals**: 1 HIGH, 3 MEDIUM, 2 LOW = **6 dependency findings** + +--- + +### `axial` — Security Posture & Attack Surface + +**Scan scope**: Network configs, CORS, auth, container security, shell scripts + +| # | Severity | File | Issue | Action | +|---|----------|------|-------|--------| +| E1 | HIGH | `idaptik-ums/idaptik-sync-server/config/config.exs:17` | `check_origin: false` — disables WebSocket CSRF protection | Set to list of allowed origins in production | +| E2 | HIGH | `idaptik-ums/idaptik-sync-server/config/config.exs:29` | ArangoDB on `http://` — unencrypted database connection | Use `https://` in production config | +| E3 | HIGH | `idaptik-ums/idaptik-sync-server/config/config.exs:36` | VerisimDB on `http://` — unencrypted database connection | Use `https://` in production config | +| E4 | MEDIUM | `run-game.sh:185,190` | Unquoted `$pids` in `kill -9 $pids` — word-splitting risk | Quote: `kill -9 "$pids"` | +| E5 | MEDIUM | `idaptik-launcher.sh:188` | Same unquoted `$pids` pattern | Quote the variable | +| E6 | MEDIUM | `run.sh:157` | `bash -c "$install_cmd"` — constructed command execution | Use array-based invocation | +| E7 | LOW | `containers/main-game/nginx.conf` | CSP in HTML meta tag, not in nginx headers | Consider adding CSP header in nginx | + +**Totals**: 3 HIGH, 3 MEDIUM, 1 LOW = **7 security findings** + +--- + +### `diff` — Documentation vs. 
Reality Drift + +**Scan scope**: `*.md`, `*.adoc`, `*.a2ml`, `.machine_readable/`, `Trustfile` + +| # | Severity | File(s) | Issue | Action | +|---|----------|---------|-------|--------| +| F1 | **CRITICAL** | 8+ files | `idaptik-level-architect/` referenced everywhere but directory is `idaptik-ums/` | Global rename in docs | +| F2 | HIGH | `Trustfile:37-38` | `path = "idaptik-level-architect/"` — non-existent path | Update to `"idaptik-ums/"` | +| F3 | HIGH | `Trustfile:48-52` | `path = "idaptik-sync-server/"` — wrong path (actual: `idaptik-ums/idaptik-sync-server/`) | Fix path | +| F4 | HIGH | `.machine_readable/META.scm` | ADRs 016-021 declared but no .md files exist | Create ADR files or remove from META.scm | +| F5 | MEDIUM | `0-AI-MANIFEST.a2ml:14,24,37-40` | References `idaptik-level-architect` | Update to `idaptik-ums` | +| F6 | MEDIUM | `DESIGN-DECISIONS.adoc:41,48,147` | References `idaptik-level-architect/src/abi/` | Update paths | +| F7 | MEDIUM | `TOPOLOGY.md:18-20` | ASCII diagram says `idaptik-level-architect` | Update diagram | +| F8 | MEDIUM | `CONTRIBUTING.md:9,12` | References `idaptiky/` (deleted) and `idaptik-level-architect/` | Update both | +| F9 | MEDIUM | `.machine_readable/STATE.scm` | Lists `idaptik-level-architect` and standalone `multiplayer` component | Update names/paths | +| F10 | MEDIUM | `LOOSE-ENDS.md:26-27` | Claims Zig solvers are "boilerplate stubs" — they're fully implemented (269+205 lines) | Update status | +| F11 | LOW | `dlc/idaptik-reversible/docs/tutorials/PUZZLE-CREATION-GUIDE.md` | References `idaptiky/data/puzzles/` — deleted directory | Update path | +| F12 | LOW | `idaptik-developers/SECURITY.md` | `TODO` placeholder for PGP fingerprint | Fill in or remove | + +**Totals**: 1 CRITICAL, 3 HIGH, 6 MEDIUM, 2 LOW = **12 documentation findings** + +--- + +### `autopsy` — Dead Code & Orphaned Artifacts + +**Scan scope**: All source files, cross-reference analysis + +| # | Severity | File | Issue | Action | 
+|---|----------|------|-------|--------| +| G1 | MEDIUM | `idaptik-ums/examples/SafeDOMExample.res` + `idaptik-developers/examples/SafeDOMExample.res` | Identical duplicate files (MD5 match). Both `open SafeDOM` but no SafeDOM module exists | Remove one; implement SafeDOM or delete both | +| G2 | MEDIUM | `idaptik-developers/Justfile:239-341` | 6+ unimplemented recipes (build, build-release, build-watch, test, quality, lint) — template stubs | Implement or delete | +| G3 | LOW | `main-game/src/app/companions/Moletaire.res:520` | Commented-out `Js.log3` | Delete dead code | +| G4 | LOW | `idaptik-ums/main.js:26-28` | Stubbed `#/editor` route (always renders GeneratorDemo) | Implement or add tracking comment | +| G5 | LOW | `idaptik-developers/docs/AI_INSTALLATION_GUIDE.adoc` | Multiple `[TODO-AI-INSTALL]` markers | Fill in or defer with tracking | +| G6 | LOW | `idaptik-developers/docs/AI-INSTALL-README-SECTION.adoc` | Multiple `[TODO-AI-INSTALL]` markers | Same | + +**Totals**: 2 MEDIUM, 4 LOW = **6 dead code findings** + +--- + +### `a2ml-export` — Machine-Readable State Validation + +**Scan scope**: `.machine_readable/`, `0-AI-MANIFEST.a2ml`, all `*.a2ml` files + +| # | Severity | File | Issue | Action | +|---|----------|------|-------|--------| +| H1 | HIGH | `.machine_readable/STATE.scm:7-16` | Component names don't match actual directories | Update to match filesystem | +| H2 | MEDIUM | `0-AI-MANIFEST.a2ml` | References deleted/renamed components | Align with actual structure | +| H3 | MEDIUM | `.machine_readable/META.scm:150` | ADR count (21) doesn't match actual files (15) | Reconcile | + +**Totals**: 1 HIGH, 2 MEDIUM = **3 metadata findings** + +--- + +## Test Infrastructure Assessment + +| Component | Test Files | Can Run? | In CI? 
| Coverage | +|-----------|-----------|----------|--------|----------| +| `vm/` | 15 .res + 1 .mjs | Yes (after build) | Partial | Good | +| `shared/` | 23 .res | Yes (after build) | **NO** | Good | +| `main-game/` | 6 .mjs | Yes (after build) | `\|\| true` | Low | +| `idaptik-ums/` | 2 .mjs + 1 .mjs bench | Yes (after build) | **NO** | Low | +| `sync-server/` | 3 .exs + 1 .mjs | Yes (with mix) | **NO** | Minimal | +| `dlc/` | 0 | **NO** | **NO** | None | +| `escape-hatch/` | cargo test | Yes | **NO** | Minimal | + +**Total test files**: 53 across 5 languages +**CI test execution**: NONE (quality.yml runs linting only) + +--- + +## Consolidated Severity Summary + +| Severity | assault | ambush | amuck | abduct | axial | diff | autopsy | a2ml-export | **Total** | +|----------|---------|--------|-------|--------|-------|------|---------|-------------|-----------| +| CRITICAL | 0 | 0 | 2 | 0 | 0 | 1 | 0 | 0 | **3** | +| HIGH | 4 | 0 | 5 | 1 | 3 | 3 | 0 | 1 | **17** | +| MEDIUM | 11 | 1 | 5 | 3 | 3 | 6 | 2 | 2 | **33** | +| LOW | 0 | 0 | 3 | 2 | 1 | 2 | 4 | 0 | **12** | +| FALSE POS | 0 | 5 | 0 | 0 | 0 | 0 | 0 | 0 | **5** | +| **Total** | **15** | **6** | **15** | **6** | **7** | **12** | **6** | **3** | **65 real + 5 FP** | + +--- + +## Delta from Previous Audit (2026-02-20) + +| Metric | Previous | Current | Change | +|--------|----------|---------|--------| +| LOC scanned | 99,177 | 116,148 | +16,971 (+17%) | +| Total findings | 31 | 65 | +34 | +| False positives | 5 | 5 | 0 | +| Real findings | 26 | 60 | +34 | +| CRITICAL | 0 | 3 | +3 (Rust edition, doc drift) | +| HIGH | 1 | 17 | +16 (mostly new generator code + config) | + +**New issues since last audit**: UMS generator expansion (A1-A3), Rust Cargo.toml edition typo (C1-C2), documentation drift from `idaptik-level-architect` → `idaptik-ums` rename (F1-F12), CI has no test execution (C8), test-all is incomplete (C3). 
+ +**Resolved since last audit**: Storage.res:61 `JSON.parseExn` (was HIGH, now SafeJson-wrapped). LaptopGUI.res partially mitigated (line 1467 comment shows awareness). VMBridge.res Option.getExn calls documented with safety comments (lines 560, 640). + +--- + +## Recommended Fix Priority + +### Immediate (blocks correctness) +1. Fix `edition = "2024"` → `"2021"` in both Cargo.toml files (C1, C2) +2. Fix `test-all` to include all components (C3) +3. Remove `|| true` from test-game (C4) +4. Update Trustfile paths (F2, F3) + +### High (blocks quality) +5. Rename `idaptik-level-architect` → `idaptik-ums` across all docs (F1, F5-F9) +6. Add test execution to CI workflow (C8) +7. Wrap unwrapped `parseExn` calls in UMS generators (A1-A3) +8. Fix WebSocket `check_origin: false` for production (E1) +9. Fix idaptik-ums/Justfile broken external references (C6) +10. Quote shell variables in kill commands (E4, E5) + +### Medium (maintenance) +11. Pin container base images (C9) +12. Create missing ADR files or remove from META.scm (F4) +13. Update LOOSE-ENDS.md re: Zig solver status (F10) +14. Migrate deprecated `Js.*` / `Belt.*` APIs (D5, D6) +15. Align ReScript dependency versions (C7, D1) + +--- + +*Generated 2026-03-01 by Claude Opus 4.6 modeling panic-attacker subcommands.* +*Subcommands used: assault, ambush, amuck, abduct, axial, diff, autopsy, a2ml-export.* +*Next audit recommended after Phase B milestone completion.* diff --git a/SECURITY.md b/SECURITY.md index 4d7b7cf..96c1a03 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -6,7 +6,7 @@ | Component | Version | Supported | |-----------|---------|-----------| | IDApixiTIK (main-game) | 0.1.x | Yes | -| idaptik-level-architect | 0.1.x | Yes | +| idaptik-ums | 0.1.x | Yes | | idaptik-sync-server | 0.1.x | Yes | ## Reporting a Vulnerability 
@@ -33,7 +33,7 @@ Report security issues to: **j.d.a.jewell@open.ac.uk** This policy covers the IDApTIK monorepo: - `main-game/` — Browser game client (ReScript + PixiJS) -- `idaptik-level-architect/` — Level editor (Tauri + ReScript + Idris2 + Zig) +- `idaptik-ums/` — Unified Modding Studio (Tauri + ReScript + Idris2 + Zig) - `idaptik-developers/` — Developer documentation - `idaptik-sync-server/` — Multiplayer sync server (Elixir) - `shared/` — Shared modules diff --git a/TOPOLOGY.md b/TOPOLOGY.md index cc55249..4b9ae1a 100644 --- a/TOPOLOGY.md +++ b/TOPOLOGY.md @@ -1,6 +1,6 @@ - + # IDApTIK — Project Topology @@ -15,8 +15,8 @@ ┌─────────────────────────────┼─────────────────────────────┐ ▼ ▼ ▼ ┌──────────────────────┐ ┌──────────────────────┐ ┌──────────────────────┐ -│ main-game/ │ │ idaptik-level- │ │ escape-hatch/ │ -│ (PixiJS + ReScript) │ │ architect (Tauri) │ │ (ratatui TUI) │ +│ main-game/ │ │ idaptik-ums/ │ │ escape-hatch/ │ +│ (PixiJS + ReScript) │ │ (Tauri + UMS) │ │ (ratatui TUI) │ │ Browser hacking sim │ │ Unified Modding Studio │ │ Dev portal terminal │ └──────────┬───────────┘ └──────────┬───────────┘ └──────────┬───────────┘ │ │ │ diff --git a/Trustfile b/Trustfile index e9579fb..0f2662d 100644 --- a/Trustfile +++ b/Trustfile @@ -34,11 +34,11 @@ runtime = "deno" languages = ["rescript", "javascript"] description = "IDApixiTIK — browser-based hacking/network simulator game (PixiJS)" -[trust.components.idaptik-level-architect] -path = "idaptik-level-architect/" +[trust.components.idaptik-ums] +path = "idaptik-ums/" runtime = "deno" languages = ["rescript", "idris2", "zig"] -description = "Level editor with Tauri desktop shell" +description = "Unified Modding Studio — level editor with Tauri desktop shell" [trust.components.idaptik-developers] path = "idaptik-developers/" 
@@ -46,7 +46,7 @@ languages = [] description = "Developer documentation and resources" [trust.components.idaptik-sync-server] -path = "idaptik-sync-server/" +path = "idaptik-ums/idaptik-sync-server/" runtime = "elixir" languages = ["elixir"] description = "Multiplayer sync server (Phoenix, OTP)" diff --git a/containers/sync-server/Containerfile b/containers/sync-server/Containerfile index faa6e1b..95615d8 100644 --- a/containers/sync-server/Containerfile +++ b/containers/sync-server/Containerfile @@ -20,8 +20,8 @@ WORKDIR /build/sync-server # Copy dependency manifests first — Docker/Podman layer caching means # this layer is only invalidated when mix.exs or mix.lock changes, # not on every source code change. -COPY idaptik-level-architect/idaptik-sync-server/mix.exs \ - idaptik-level-architect/idaptik-sync-server/mix.lock \ +COPY idaptik-ums/idaptik-sync-server/mix.exs \ + idaptik-ums/idaptik-sync-server/mix.lock \ ./ # Bootstrap Hex + Rebar, then fetch production dependencies only @@ -32,8 +32,8 @@ RUN MIX_ENV=prod mix deps.get --only prod RUN MIX_ENV=prod mix deps.compile # Copy application source (invalidates from here on code changes) -COPY idaptik-level-architect/idaptik-sync-server/lib/ ./lib/ -COPY idaptik-level-architect/idaptik-sync-server/config/ ./config/ +COPY idaptik-ums/idaptik-sync-server/lib/ ./lib/ +COPY idaptik-ums/idaptik-sync-server/config/ ./config/ # Build the OTP release RUN MIX_ENV=prod mix release diff --git a/escape-hatch/Cargo.toml b/escape-hatch/Cargo.toml index a2cd44a..5ec60ae 100644 --- a/escape-hatch/Cargo.toml +++ b/escape-hatch/Cargo.toml @@ -2,7 +2,7 @@ [package] name = "escape-hatch" version = "0.1.0" -edition = "2024" +edition = "2021" authors = ["Joshua B. Jewell", "Jonathan D.A. Jewell "] description = "IDApTIK Escape Hatch — developer access portal TUI" license = "PMPL-1.0-or-later" diff --git a/main-game/src-tauri/Cargo.toml b/main-game/src-tauri/Cargo.toml index d315a4a..1db7e68 100644 --- a/main-game/src-tauri/Cargo.toml 
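Review bot: With `path = "idaptik-ums/idaptik-sync-server/"`, the sync-server component now sits inside the `idaptik-ums/` path declared for `[trust.components.idaptik-ums]` in the preceding hunk, so the two entries overlap while declaring different runtimes (`deno` vs `elixir`) and language sets. Whether a Trustfile consumer resolves by longest prefix or rejects the overlap is not visible here; if it does neither, the Elixir tree inherits the UMS entry's deno-oriented trust attributes. Worth either carving the sync server out of the UMS entry or adding a comment above this section, e.g. `# nested under idaptik-ums/ — this entry takes precedence for the sync-server subtree`, so the intended precedence is recorded where the paths are declared.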
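Review bot: The premise behind changing `edition = "2024"` to `"2021"` — the audit's C1/C2 claim that "Rust 2024 edition does not exist" — is mistaken: 2024 is a stable Rust edition since Rust 1.85 (February 2025), so a toolchain that accepted the previous value was not misconfigured. Editions change language semantics (2024 tightens `unsafe` requirements and alters lifetime-capture, temporary-scope and prelude rules, among others), so moving a crate back to 2021 is a behavioural change that can alter what compiles and which lints fire, not a typo fix; it needs `cargo build` and `cargo test` on both crates before landing. If the real intent is to support pre-1.85 toolchains, record that with a `rust-version = "<MSRV>"` field and a comment instead of citing a non-existent edition. The same applies to the main-game/src-tauri/Cargo.toml hunk that follows.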
+++ b/main-game/src-tauri/Cargo.toml @@ -5,7 +5,7 @@ name = "idaptik" version = "0.1.0" description = "IDApixiTIK Native Desktop Shell" authors = ["Joshua B. Jewell", "Jonathan D.A. Jewell "] -edition = "2024" +edition = "2021" [build-dependencies] tauri-build = { version = "2", features = [] } diff --git a/shared/src/PuzzleFormat.res b/shared/src/PuzzleFormat.res index f5a677b..32d651c 100644 --- a/shared/src/PuzzleFormat.res +++ b/shared/src/PuzzleFormat.res @@ -4,7 +4,7 @@ // This is the canonical puzzle format used by: // - dlc/idaptik-reversible/ (puzzle content) // - main-game/ VMBridge (embedded puzzles + DLC loading) -// - idaptik-level-architect/ (puzzle creation/validation) +// - idaptik-ums/ (puzzle creation/validation) // // Puzzle JSON files in dlc/data/puzzles/ must conform to this format.