diff --git a/README.md b/README.md
index d02634d..158d747 100644
--- a/README.md
+++ b/README.md
@@ -35,9 +35,10 @@ the GitHub Security tab.
 
 Inspect is a Hawk support engine. Keep the dependency edge one-way:
 
-- use `hawk-core-contracts` for any cross-repo shared contracts
+- use `hawk-core-contracts` for any cross-repo shared contracts (severity/finding vocabulary)
 - do not import `hawk/internal/*`
 - do not import removed legacy path `hawk/shared/types`; use `hawk-core-contracts/types`
+- do not import other engines (`eyrie`, `yaad`, `tok`, `trace`, `sight`) — engines are peers, not dependencies
 
 ## Quick Start
 
diff --git a/scripts/check-ecosystem-boundaries.sh b/scripts/check-ecosystem-boundaries.sh
old mode 100644
new mode 100755
index 57f81ba..2f0b2f5
--- a/scripts/check-ecosystem-boundaries.sh
+++ b/scripts/check-ecosystem-boundaries.sh
@@ -4,10 +4,17 @@ set -euo pipefail
 ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 cd "$ROOT_DIR"
 
+FORBIDDEN_HAWK='github\.com/GrayCodeAI/hawk/(internal/|shared/types)'
+FORBIDDEN_ENGINES='github\.com/GrayCodeAI/(eyrie|yaad|tok|trace|sight)(/|")'
+
+exit_code=0
+
 if command -v rg >/dev/null 2>&1; then
- violations="$(rg -n 'github\.com/GrayCodeAI/hawk/(internal/|shared/types)' --glob '*.go' . || true)"
+ violations="$(rg -n "$FORBIDDEN_HAWK" --glob '*.go' . || true)"
+ engine_violations="$(rg -n "$FORBIDDEN_ENGINES" --glob '*.go' . || true)"
 else
- violations="$(grep -rn --include='*.go' -E 'github\.com/GrayCodeAI/hawk/(internal/|shared/types)' . || true)"
+ violations="$(grep -rn --include='*.go' -E "$FORBIDDEN_HAWK" . || true)"
+ engine_violations="$(grep -rn --include='*.go' -E "$FORBIDDEN_ENGINES" . || true)"
 fi
 
 if [[ -n "${violations}" ]]; then
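Review bot: The `|| true` on the four new capture lines (`violations=` and `engine_violations=` in both the rg and the grep branch) turns a tool failure into an empty result, so a malformed pattern, an unreadable directory or a broken rg install makes the guard print "ecosystem boundary guard passed" instead of failing. Both rg and GNU grep exit 1 for "no match" and 2 for an error, so only status 1 should be swallowed; a small helper that runs the search once per pattern and propagates any status above 1 fixes this and also removes the duplicated rg/grep branches, and under `set -euo pipefail` the capture then aborts the script on a real failure. Separately, rg honours `.gitignore` while `grep -rn` does not, so the two paths can disagree on vendored or generated Go if the repo has any (I cannot see that from the hunk); `rg --no-ignore` or `grep --exclude-dir=vendor` keeps them equivalent. The `if [[ -n "${violations}" ]]` block that this hunk ends on continues in the next hunk.
```shell
# … unchanged: FORBIDDEN_HAWK / FORBIDDEN_ENGINES …

# Print matching Go lines for one pattern. Exits 0 on match or no match;
# only a failure of the search tool itself (status > 1) is propagated.
scan_go() {
  local pattern=$1 rv=0
  if command -v rg >/dev/null 2>&1; then
    rg -n "$pattern" --glob '*.go' . || rv=$?
  else
    grep -rn --include='*.go' -E "$pattern" . || rv=$?
  fi
  (( rv <= 1 )) || return "$rv"
}

exit_code=0

# set -e aborts here on a tool error instead of reporting "no violations".
violations="$(scan_go "$FORBIDDEN_HAWK")"
engine_violations="$(scan_go "$FORBIDDEN_ENGINES")"
# … unchanged: violation reporting …
```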
@@ -15,7 +22,19 @@ if [[ -n "${violations}" ]]; then
 echo "${violations}"
 echo
 echo "support repos must use hawk-core-contracts or local contracts, not hawk/internal or removed hawk/shared/types"
- exit 1
+ exit_code=1
+fi
+
+if [[ -n "${engine_violations}" ]]; then
+ echo "forbidden cross-engine imports found:"
+ echo "${engine_violations}"
+ echo
+ echo "support engines must not import other engines directly — they are peers, not dependencies"
+ exit_code=1
+fi
+
+if [[ $exit_code -ne 0 ]]; then
+ exit $exit_code
 fi
 
 echo "ecosystem boundary guard passed"
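Review bot: The failure report in both `if` blocks is written to stdout with `echo`, so a CI job that only surfaces stderr for diagnostics loses the list of offending files, and the final `exit $exit_code` is unquoted. Send the report lines to stderr, e.g. `echo "forbidden cross-engine imports found:" >&2` (or wrap each block's body in `{ …; } >&2`), and write `exit "$exit_code"`. Since `exit_code` only ever holds 0 or 1, `if (( exit_code != 0 )); then` reads more directly than `[[ $exit_code -ne 0 ]]`, and the two near-identical report blocks could share a small `report_violations "<heading>" "<matches>" "<hint>"` helper to keep future boundary rules consistent.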