Commit d7a7a1c
authored
feat(scripts): add instruction applyTo scope Pester suite (#1640)
# Pull Request
## Description
This PR adds a single Pester regression guard,
**`scripts/tests/linting/Test-InstructionApplyToScope.Tests.ps1`**, that
enforces phase-narrowed `applyTo` globs on every instruction file under
`.github/instructions/security/**` and
`.github/instructions/rai-planning/**`. Any file whose frontmatter
declares `applyTo: '**'` is rejected unless its repo-relative path is on
the in-script allowlist (currently empty, matching the Phase 6
audit-matrix migration map).
The suite is data-driven (`It -ForEach`) so each scanned file produces a
discrete test case (currently 18 cases, all passing). It uses
`powershell-yaml` (already required by
`scripts/linting/Validate-MarkdownFrontmatter.ps1` and other existing
suites — no new repo-level dependency) and explicitly throws on missing
frontmatter so silent skips cannot mask regressions.
This PR is a **sibling** of #1497, branched off `main`. It is
independent of PRs A/C/B in the post-#1497 stack and can land in any
order relative to them.
### Scope reduction
The originating plan listed four Pester suites under "planner linter
hardening." Three are deferred to **PR B** because they assert content
not yet on `main`:
* Rule 5 "discover" keyword in `security/identity.instructions.md` and
`sssc-identity.instructions.md`.
* `## Startup` H2 in six prompts under `.github/prompts/security/` and
`.github/prompts/security/sssc/`.
* "Informational" bucket in `security-model.instructions.md`.
Shipping those tests now would produce a red base. They will land in PR
B alongside the content edits they exercise.
## Related Issue(s)
Sibling of #1497. No other issue references.
## Type of Change
**Code & Documentation:**
* [x] New feature (non-breaking change adding functionality)
**Infrastructure & Configuration:**
* [x] Linting configuration (markdown, PowerShell, etc.)
**Other:**
* [x] Script/automation (`.ps1`, `.sh`, `.py`)
## Testing
Automated validation performed by the agent:
* `npm run test:ps -- -TestPath
scripts/tests/linting/Test-InstructionApplyToScope.Tests.ps1` — **18/18
passed**.
* `npm run lint:ps` — clean for repository code.
Security analysis findings:
* No secrets, credentials, or customer data in the diff.
* No new runtime dependencies. `powershell-yaml` is already required by
existing linting and test suites.
* No changes that broaden privilege boundaries; the test reads files
only.
Diff-based assessments:
* The new file follows the existing
`scripts/tests/linting/Test-*.Tests.ps1` naming and structure.
> [!NOTE]
> Manual testing was not performed.
## Checklist
### Required Checks
* [x] Documentation is updated (if applicable) — *(N/A — passive
regression test.)*
* [x] Files follow existing naming conventions.
* [x] Changes are backwards compatible.
* [x] Tests added for new functionality (if applicable).
### Required Automated Checks
* [x] PowerShell analysis: `npm run lint:ps`
## Security Considerations
* [x] This PR does not contain any sensitive or NDA information
* [x] Any new dependencies have been reviewed for security issues —
*(N/A — no new dependencies.)*
* [x] Security-related scripts follow the principle of least privilege —
*(N/A — read-only test.)*
## Additional Notes
Companion PRs in the post-#1497 work stream:
* **PR A (#1638)** — Security Planner state schema and fixtures.
* **PR C (#1639)** — Planner disclaimer SSOT migration.
* **PR B** — Security Planner agent and phase-gate parity (depends on PR
A); will also carry the three deferred Pester suites and their content
edits.
* **PR E** — Dev environment alignment (sibling off `main`, optional).1 parent ec35cec commit d7a7a1c
2 files changed
Lines changed: 72 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
115 | 115 | | |
116 | 116 | | |
117 | 117 | | |
| 118 | + | |
| 119 | + | |
| 120 | + | |
| 121 | + | |
| 122 | + | |
118 | 123 | | |
119 | 124 | | |
120 | 125 | | |
| |||
Lines changed: 67 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
| 42 | + | |
| 43 | + | |
| 44 | + | |
| 45 | + | |
| 46 | + | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |
| 52 | + | |
| 53 | + | |
| 54 | + | |
| 55 | + | |
| 56 | + | |
| 57 | + | |
| 58 | + | |
| 59 | + | |
| 60 | + | |
| 61 | + | |
| 62 | + | |
| 63 | + | |
| 64 | + | |
| 65 | + | |
| 66 | + | |
| 67 | + | |
0 commit comments