From cc409fec5cca360f60bc063cc18879396ea794a2 Mon Sep 17 00:00:00 2001
From: Lakshman Patel
Date: Sun, 21 Jun 2026 08:22:55 +0530
Subject: [PATCH 1/4] ci(boundary): add ecosystem boundary guard trace is a Hawk support engine whose trace/redaction event types are trace-local, so it stays contract-free. Add the one-way ecosystem boundary guard: - add scripts/check-ecosystem-boundaries.sh (forbids hawk/internal and hawk/shared/types imports) - wire the guard into the Makefile and CI - document the boundary rule in the README Scoped to the boundary guard only; unrelated in-progress changes in the working tree are intentionally left uncommitted.
---
 .github/workflows/ci.yml | 6 ++++++
 Makefile | 7 +++++--
 README.md | 8 ++++++++
 scripts/check-ecosystem-boundaries.sh | 21 +++++++++++++++++++++
 4 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 scripts/check-ecosystem-boundaries.sh
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7890a56..0304f4f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -48,6 +48,8 @@ jobs:
 with:
 go-version: ${{ env.GO_VERSION }}
 cache: true
+ - name: Boundary guard
+ run: bash ./scripts/check-ecosystem-boundaries.sh
 - name: gofumpt diff
 run: |
 go install mvdan.cc/gofumpt@v0.10.0
@@ -72,6 +74,8 @@ jobs:
 with:
 go-version: ${{ env.GO_VERSION }}
 cache: true
+ - name: Boundary guard
+ run: bash ./scripts/check-ecosystem-boundaries.sh
 - uses: golangci/golangci-lint-action@v9.2.1
 with:
 version: v2.11.3
@@ -91,6 +95,8 @@ jobs:
 with:
 go-version: ${{ env.GO_VERSION }}
 cache: true
+ - name: Boundary guard
+ run: bash ./scripts/check-ecosystem-boundaries.sh
 - name: Tidy check
 run: |
 go mod tidy
diff --git a/Makefile b/Makefile
index bc73f73..ada1e01 100644
--- a/Makefile
+++ b/Makefile
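Review bot: The same `Boundary guard` step is pasted into three jobs (the hunks at -48, -72 and -91), so a single forbidden import fails the workflow three times and any later change to the invocation has to be made in three places. The script only scans `*.go` files with a text search and does not use the Go toolchain each job sets up, so running it in one job is enough. Calling `run: make boundaries` instead of the script path would also keep CI and local runs on one entry point.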
@@ -31,9 +31,12 @@ GOVULNCHECK := $(GOBIN_DIR)/govulncheck
 # ---------------------------------------------------------------------------
 # Phony declarations (alphabetical).
 # ---------------------------------------------------------------------------
-.PHONY: all bench build ci clean cover fmt help lint lint-fix \
+.PHONY: all bench boundaries build ci clean cover fmt help lint lint-fix \
 security test test-10x test-race tidy version vet
+boundaries: ## Enforce support-repo import boundaries.
+ bash ./scripts/check-ecosystem-boundaries.sh
+
 # ---------------------------------------------------------------------------
 # Default target.
 # ---------------------------------------------------------------------------
@@ -100,7 +103,7 @@ tidy: ## Tidy go.mod / go.sum.
 # ---------------------------------------------------------------------------
 # Composite gate used by CI and pre-push.
 # ---------------------------------------------------------------------------
-ci: tidy fmt vet lint test-race security ## Run everything CI runs.
+ci: tidy fmt vet lint boundaries test-race security ## Run everything CI runs.
 @echo "All CI checks passed."
 # ---------------------------------------------------------------------------
diff --git a/README.md b/README.md
index 840d777..589c174 100644
--- a/README.md
+++ b/README.md
@@ -16,6 +16,14 @@ Trace hooks into your Git workflow to capture AI agent sessions as you work. Sessions are indexed alongside commits, creating a searchable record of *how* code was written — not just *what* changed.
+## Ecosystem Boundaries
+
+Trace is a Hawk support engine. Keep the dependency edge one-way:
+
+- depend on `hawk-core-contracts` when a stable cross-repo contract is needed
+- do not import `hawk/internal/*`
+- do not add new imports of `hawk/shared/types`; that path is compatibility-only
+
 ### What you get
 | Capability | Description |
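Review bot: The new `boundaries:` rule in the first Makefile hunk sits directly under `.PHONY` and above the `Default target.` banner, so it may become the file's default goal. GNU make picks the first target whose name does not start with a dot, which means a bare `make` would run only the boundary script unless `.DEFAULT_GOAL` is set or another rule appears earlier, outside this hunk. Moving the rule down beside the other check targets (for example next to `tidy:`, ahead of the `Composite gate` banner) keeps the default unchanged. If `all` is the intended default, adding `.DEFAULT_GOAL := all` would pin it explicitly.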
diff --git a/scripts/check-ecosystem-boundaries.sh b/scripts/check-ecosystem-boundaries.sh
new file mode 100644
index 0000000..ba7de0b
--- /dev/null
+++ b/scripts/check-ecosystem-boundaries.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "$ROOT_DIR"
+
+violations="$(
+ rg -n 'github\.com/GrayCodeAI/hawk/(internal/|shared/types)' \
+ --glob '*.go' \
+ . || true
+)"
+
+if [[ -n "${violations}" ]]; then
+ echo "forbidden Hawk imports found:"
+ echo "${violations}"
+ echo
+ echo "support repos must use hawk-core-contracts or local contracts, not hawk/internal or hawk/shared/types"
+ exit 1
+fi
+
+echo "ecosystem boundary guard passed"
From 64ee464f89491050fd5496a0ceb2215b297dbbef Mon Sep 17 00:00:00 2001
From: Lakshman Patel
Date: Sun, 21 Jun 2026 14:40:22 +0530
Subject: [PATCH 2/4] docs: remove legacy shared types references
---
 README.md | 2 +-
 scripts/check-ecosystem-boundaries.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 589c174..8aaa74f 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@ Trace is a Hawk support engine. Keep the dependency edge one-way:
 - depend on `hawk-core-contracts` when a stable cross-repo contract is needed
 - do not import `hawk/internal/*`
-- do not add new imports of `hawk/shared/types`; that path is compatibility-only
+- do not import removed legacy path `hawk/shared/types`; use `hawk-core-contracts/types`
 ### What you get
diff --git a/scripts/check-ecosystem-boundaries.sh b/scripts/check-ecosystem-boundaries.sh
index ba7de0b..04bb187 100644
--- a/scripts/check-ecosystem-boundaries.sh
+++ b/scripts/check-ecosystem-boundaries.sh
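Review bot: The `|| true` inside the `violations="$( … )"` substitution of the new script (PATCH 1/4) discards every non-zero status from `rg`, not only the exit 1 that means "no match". If `rg` is missing or stops on an I/O or pattern error, `violations` stays empty and the script prints `ecosystem boundary guard passed`, so the guard fails open exactly when the scan did not run. PATCH 4/4 adds a `grep` fallback for the missing-binary case but keeps `|| true` on both branches, so the same masking applies to that hunk. Capturing the status and treating anything above 1 as a hard failure closes the gap, as sketched below.

```bash
# … unchanged: shebang, strict mode, cd to repo root …
scan_status=0
violations="$(
  rg -n 'github\.com/GrayCodeAI/hawk/(internal/|shared/types)' \
    --glob '*.go' \
    .
)" || scan_status=$?

# rg exits 1 for "no match"; anything higher means the scan itself failed.
if (( scan_status > 1 )); then
  echo "boundary scan failed (rg exit ${scan_status})" >&2
  exit 2
fi
# … unchanged: violations report and success message …
```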
@@ -14,7 +14,7 @@ if [[ -n "${violations}" ]]; then
 echo "forbidden Hawk imports found:"
 echo "${violations}"
 echo
- echo "support repos must use hawk-core-contracts or local contracts, not hawk/internal or hawk/shared/types"
+ echo "support repos must use hawk-core-contracts or local contracts, not hawk/internal or removed hawk/shared/types"
 exit 1
 fi
From 7d131671c46b7ab4c2d8ff89d9adfb2f70641a5a Mon Sep 17 00:00:00 2001
From: Lakshman Patel
Date: Sun, 21 Jun 2026 15:36:03 +0530
Subject: [PATCH 3/4] chore: strip Co-authored-by trailers in lefthook hooks
---
 lefthook.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/lefthook.yml b/lefthook.yml
index ba5700d..7d5bdaf 100644
--- a/lefthook.yml
+++ b/lefthook.yml
@@ -110,3 +110,18 @@ commit-msg:
 echo " full guide: https://www.conventionalcommits.org/"
 exit 1
 fi
+
+ strip-co-authored-by:
+ run: |
+ # Strip Co-authored-by: trailers that AI tools (Claude, Cursor, etc.) add.
+ # This enforces the rule that commits list only the human author.
+ sed '/^[Cc]o-[Aa]uthored-[Bb]y:/d' "{1}" > "{1}.tmp" && mv "{1}.tmp" "{1}"
+
+# ---------------------------------------------------------------------------
+# prepare-commit-msg — strip AI co-author trailers after tools inject them.
+# ---------------------------------------------------------------------------
+prepare-commit-msg:
+ commands:
+ strip-co-authored-by:
+ run: |
+ sed '/^[Cc]o-[Aa]uthored-[Bb]y:/d' "{1}" > "{1}.tmp" && mv "{1}.tmp" "{1}"
From ba6b5768eff6b6e4ea5b155a79a58eabe36cd48b Mon Sep 17 00:00:00 2001
From: Lakshman Patel
Date: Sun, 21 Jun 2026 18:36:05 +0530
Subject: [PATCH 4/4] fix(boundary): fall back to grep when rg is unavailable
Co-Authored-By: Claude Sonnet 4.6
---
 scripts/check-ecosystem-boundaries.sh | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/scripts/check-ecosystem-boundaries.sh b/scripts/check-ecosystem-boundaries.sh
index 04bb187..57f81ba 100644
--- a/scripts/check-ecosystem-boundaries.sh
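Review bot: The `strip-co-authored-by` commands in the lefthook.yml hunk rewrite the commit message silently and only on machines where lefthook is installed, so they cannot enforce the stated rule on their own. PATCH 4/4 in this same series still carries a `Co-Authored-By:` trailer, which suggests the hook did not run for it. If the rule matters, a check on pushed commits in CI is the enforcing control, and a comment such as `# Client-side convenience only; commits made without lefthook are not rewritten.` above the `prepare-commit-msg` block would set expectations. The `sed` line is also duplicated verbatim in both hooks, with the explanatory comment only on the first copy. The context lines before the addition belong to a command that starts outside the hunk.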
+++ b/scripts/check-ecosystem-boundaries.sh
@@ -4,11 +4,11 @@ set -euo pipefail
 ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 cd "$ROOT_DIR"
-violations="$(
- rg -n 'github\.com/GrayCodeAI/hawk/(internal/|shared/types)' \
- --glob '*.go' \
- . || true
-)"
+if command -v rg >/dev/null 2>&1; then
+ violations="$(rg -n 'github\.com/GrayCodeAI/hawk/(internal/|shared/types)' --glob '*.go' . || true)"
+else
+ violations="$(grep -rn --include='*.go' -E 'github\.com/GrayCodeAI/hawk/(internal/|shared/types)' . || true)"
+fi
 if [[ -n "${violations}" ]]; then
 echo "forbidden Hawk imports found:"
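Review bot: The two branches are not equivalent scans: `rg` skips hidden paths and anything matched by `.gitignore` by default, while `grep -r --include='*.go'` walks every directory under `.`, so the guard's verdict can depend on which tool the machine happens to have. Decide which files are in scope and make both branches match it, and say so in a comment above the `if`. The regex is also written out twice; hoisting it into one variable keeps the branches from drifting, e.g. `pattern='github\.com/GrayCodeAI/hawk/(internal/|shared/types)'` used as `rg -n "$pattern" --glob '*.go' .` and `grep -rnE --include='*.go' "$pattern" .`.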