[DRAFT 2.0] spine: behavioral changes parked for Cacti 2.0

.clang-tidy

@@ -0,0 +1,10 @@
+---
+Checks: >
+  clang-analyzer-*,
+  bugprone-*,
+  cert-*,
+  -cert-err58-cpp
+WarningsAsErrors: ""
+HeaderFilterRegex: ".*"
+FormatStyle: none
+...

.devcontainer/devcontainer.json

@@ -0,0 +1,31 @@
+{
+  "name": "spine dev",
+  "image": "mcr.microsoft.com/devcontainers/cpp:ubuntu-24.04",
+  "features": {
+    "ghcr.io/devcontainers/features/common-utils:2": {
+      "installZsh": true
+    },
+    "ghcr.io/devcontainers/features/github-cli:1": {}
+  },
+  "postCreateCommand": "sudo apt-get update && sudo apt-get install -y libsnmp-dev libmariadb-dev-compat libssl-dev libsystemd-dev pkg-config cmake ninja-build cppcheck clang-tools && cmake -G Ninja -S . -B build -DSPINE_BUILD_MAIN=ON && cmake --build build -j",
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "ms-vscode.cpptools",
+        "llvm-vs-code-extensions.vscode-clangd",
+        "twxs.cmake",
+        "ms-vscode.cmake-tools",
+        "github.vscode-github-actions",
+        "github.vscode-pull-request-github"
+      ],
+      "settings": {
+        "C_Cpp.intelliSenseEngine": "disabled",
+        "clangd.arguments": [
+          "--background-index",
+          "--compile-commands-dir=build"
+        ]
+      }
+    }
+  },
+  "remoteUser": "vscode"
+}

.dockerignore

@@ -1,10 +1,19 @@
 # Test fixtures and CI scripts -- not needed for the spine build
 tests/
 .git/
+.github/
+.claude/
+.omc/
+.worktrees/
+build/
+build-*/
+build-reports/
 *.md
-config/
 m4/
 autom4te.cache/
-.omc/
-*.conf.dist
 *.log
+*.o
+*.a
+*.so
+*.dylib
+.php-cs-fixer.cache

.github/actions/install-apt-deps/action.yml

@@ -0,0 +1,16 @@
+name: Install apt dependencies
+description: Update apt cache and install a whitespace-delimited package list.
+inputs:
+  packages:
+    description: Whitespace-delimited package names to install.
+    required: true
+runs:
+  using: composite
+  steps:
+    - name: Install packages
+      shell: bash
+      run: |
+        set -euo pipefail
+        sudo apt-get update
+        # Intentionally unquoted to split package tokens.
+        sudo apt-get install -y ${{ inputs.packages }}

.github/cppcheck-baseline.txt

@@ -0,0 +1 @@
+

.github/instructions/instructions.md

@@ -32,6 +32,9 @@ GNU autotools.
   bounds.
 - String buffers: declare length constants; do not use magic numbers for
   buffer sizes.
+- Public APIs: prefer `const char *` for input-only string parameters.
+  Document ownership expectations in function comments when transfer is not
+  obvious.
 
 ## SNMP
 
@@ -62,6 +65,8 @@ GNU autotools.
 - Before opening a PR, run `cppcheck --enable=all --std=c11 *.c *.h`
   locally and fix all errors (warnings are informational).
 - flawfinder level-5 hits fail CI; lower levels are informational.
+- CI has a guardrail for newly introduced unsafe C APIs (`sprintf`, `strcpy`,
+  `strcat`, `gets`, `vsprintf`) and fails closed on additions.
 
 ## Commits and PRs
 

.github/nightly-leak-baseline.json

@@ -0,0 +1,12 @@
+{
+  "valgrind": {
+    "max_definitely_lost_bytes": 0,
+    "max_indirectly_lost_bytes": 0,
+    "max_possibly_lost_bytes": 0,
+    "max_error_summary": 0
+  },
+  "asan": {
+    "max_asan_error_events": 0,
+    "max_ubsan_error_events": 0
+  }
+}

.github/perf-baseline.json

@@ -0,0 +1,20 @@
+{
+  "sample_size": 20,
+  "commands": {
+    "./spine --version": {
+      "median_seconds": 0.35,
+      "allowed_regression_factor": 1.5,
+      "max_rss_kb": 32768
+    },
+    "./spine --help": {
+      "median_seconds": 0.45,
+      "allowed_regression_factor": 1.5,
+      "max_rss_kb": 40960
+    },
+    "snmpget -v2c -c public -On 127.0.0.1:1161 1.3.6.1.2.1.1.3.0": {
+      "median_seconds": 0.25,
+      "allowed_regression_factor": 2.0,
+      "max_rss_kb": 32768
+    }
+  }
+}

.github/scripts/check-leak-trend.py

@@ -0,0 +1,92 @@
+#!/usr/bin/env python3
+"""Parse sanitizer/valgrind logs and enforce nightly leak thresholds."""
+
+from __future__ import annotations
+
+import argparse
+import glob
+import json
+import re
+from pathlib import Path
+
+
+DEF_RE = re.compile(r"definitely lost:\s*([0-9,]+)\s+bytes")
+IND_RE = re.compile(r"indirectly lost:\s*([0-9,]+)\s+bytes")
+POS_RE = re.compile(r"possibly lost:\s*([0-9,]+)\s+bytes")
+ERR_RE = re.compile(r"ERROR SUMMARY:\s*([0-9,]+)\s+errors")
+
+
+def as_int(value: str) -> int:
+	return int(value.replace(",", ""))
+
+
+def parse_valgrind(log_text: str) -> dict[str, int]:
+	return {
+		"definitely_lost_bytes": sum(as_int(v) for v in DEF_RE.findall(log_text)),
+		"indirectly_lost_bytes": sum(as_int(v) for v in IND_RE.findall(log_text)),
+		"possibly_lost_bytes": sum(as_int(v) for v in POS_RE.findall(log_text)),
+		"error_summary": sum(as_int(v) for v in ERR_RE.findall(log_text)),
+	}
+
+
+def parse_asan(log_text: str) -> dict[str, int]:
+	return {
+		"asan_error_events": len(re.findall(r"AddressSanitizer", log_text)),
+		"ubsan_error_events": len(re.findall(r"runtime error:", log_text)),
+	}
+
+
+def collect_text(patterns: list[str]) -> str:
+	parts: list[str] = []
+	for pat in patterns:
+		matches = sorted(glob.glob(pat))
+		for path in matches:
+			try:
+				parts.append(Path(path).read_text(encoding="utf-8", errors="replace"))
+			except OSError:
+				continue
+	return "\n".join(parts)
+
+
+def enforce(summary: dict[str, int], baseline: dict[str, int]) -> list[str]:
+	failures: list[str] = []
+	for key, value in summary.items():
+		limit = int(baseline.get(f"max_{key}", 0))
+		if value > limit:
+			failures.append(f"{key}={value} exceeded max_{key}={limit}")
+	return failures
+
+
+def main() -> int:
+	parser = argparse.ArgumentParser()
+	parser.add_argument("--mode", choices=("valgrind", "asan"), required=True)
+	parser.add_argument("--baseline", required=True)
+	parser.add_argument("--output", required=True)
+	parser.add_argument("--logs", nargs="+", required=True)
+	args = parser.parse_args()
+
+	baseline_doc = json.loads(Path(args.baseline).read_text(encoding="utf-8"))
+	mode_cfg = baseline_doc.get(args.mode, {})
+	text = collect_text(args.logs)
+
+	if args.mode == "valgrind":
+		summary = parse_valgrind(text)
+	else:
+		summary = parse_asan(text)
+
+	Path(args.output).write_text(json.dumps(summary, indent=2) + "\n", encoding="utf-8")
+
+	failures = enforce(summary, mode_cfg)
+	if failures:
+		print("Leak trend gate failed:")
+		for line in failures:
+			print(f"- {line}")
+		return 1
+
+	print(f"{args.mode} leak trend gate passed.")
+	print(json.dumps(summary, indent=2))
+	return 0
+
+
+if __name__ == "__main__":
+	raise SystemExit(main())

.github/scripts/check-unsafe-api-additions.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+base_commit=""
+
+if [[ -n "${GITHUB_BASE_REF:-}" ]]; then
+  git fetch --no-tags --unshallow origin "${GITHUB_BASE_REF}" 2>/dev/null ||
+    git fetch --no-tags origin "${GITHUB_BASE_REF}"
+  base_commit="$(git merge-base HEAD "origin/${GITHUB_BASE_REF}" 2>/dev/null || true)"
+fi
+
+if [[ -z "${base_commit}" ]]; then
+  base_commit="$(git rev-parse HEAD~1 2>/dev/null || git rev-list --max-parents=0 HEAD)"
+fi
+
+banned_regex='\b(sprintf|vsprintf|strcpy|strcat|gets)\s*\('
+
+new_hits="$(
+  git diff --unified=0 "${base_commit}"...HEAD -- '*.c' '*.h' |
+    grep -E '^\+[^+]' |
+    grep -E "${banned_regex}" || true
+)"
+
+if [[ -n "${new_hits}" ]]; then
+  echo "Unsafe C APIs were newly added in this change:"
+  echo "${new_hits}"
+  exit 1
+fi
+
+echo "No newly added banned C APIs detected."

.github/scripts/check-workflow-policy.py

@@ -0,0 +1,105 @@
+#!/usr/bin/env python3
+"""Enforce workflow hygiene policy on GitHub Actions files."""
+
+from __future__ import annotations
+
+import re
+import sys
+from pathlib import Path
+
+import yaml
+
+
+PINNED_REF_RE = re.compile(r"^[0-9a-f]{40}$")
+CURL_PIPE_RE = re.compile(r"curl\b[^\n|]*\|\s*(?:sh|bash)\b")
+# Accept either the strict bash form or the POSIX-sh-compatible 'set -eu'.
+# Container steps on minimal images (alpine uses ash, some Debian fragments
+# run under dash) cannot use 'pipefail' because dash/ash do not implement it.
+ACCEPTED_FIRST_LINES = ("set -euo pipefail", "set -eu")
+STRICT_LINE = "set -euo pipefail"
+WORKFLOW_GLOB = ".github/workflows/*"
+ALLOWLIST_CURL_PIPE = {}
+
+
+def normalize_steps(job: dict) -> list[dict]:
+	steps = job.get("steps")
+	return steps if isinstance(steps, list) else []
+
+
+def check_uses(path: str, step_name: str, uses_value: str, violations: list[str]) -> None:
+	if uses_value.startswith("./") or uses_value.startswith("docker://"):
+		return
+
+	if "@" not in uses_value:
+		violations.append(f"{path}:{step_name}: uses reference is missing @ref: {uses_value}")
+		return
+
+	ref = uses_value.split("@", 1)[1]
+	if not PINNED_REF_RE.fullmatch(ref):
+		violations.append(f"{path}:{step_name}: action ref must be a pinned SHA: {uses_value}")
+
+
+def check_run(path: str, step_name: str, run_value: str, violations: list[str]) -> None:
+	lines = [ln.strip() for ln in run_value.splitlines() if ln.strip()]
+	if not lines:
+		return
+
+	if len(run_value.splitlines()) > 1:
+		if lines[0] not in ACCEPTED_FIRST_LINES:
+			violations.append(f"{path}:{step_name}: multiline run must start with one of {ACCEPTED_FIRST_LINES}")
+
+	for match in CURL_PIPE_RE.finditer(run_value):
+		_ = match
+		allow_tokens = ALLOWLIST_CURL_PIPE.get(path, [])
+		if not any(token in run_value for token in allow_tokens):
+			violations.append(f"{path}:{step_name}: curl|sh is not allowlisted")
+
+
+def main() -> int:
+	root = Path(__file__).resolve().parents[2]
+	workflow_files = sorted(
+		p for p in root.glob(WORKFLOW_GLOB) if p.suffix in (".yml", ".yaml")
+	)
+	violations: list[str] = []
+
+	for wf in workflow_files:
+		rel = str(wf.relative_to(root))
+		try:
+			doc = yaml.safe_load(wf.read_text(encoding="utf-8"))
+		except Exception as exc:  # pragma: no cover
+			violations.append(f"{rel}: failed to parse YAML: {exc}")
+			continue
+
+		jobs = doc.get("jobs", {}) if isinstance(doc, dict) else {}
+		if not isinstance(jobs, dict):
+			continue
+
+		for job_name, job in jobs.items():
+			if not isinstance(job, dict):
+				continue
+
+			for idx, step in enumerate(normalize_steps(job), start=1):
+				if not isinstance(step, dict):
+					continue
+				step_name = str(step.get("name", f"{job_name}.step{idx}"))
+
+				uses_value = step.get("uses")
+				if isinstance(uses_value, str):
+					check_uses(rel, step_name, uses_value.strip(), violations)
+
+				run_value = step.get("run")
+				if isinstance(run_value, str):
+					check_run(rel, step_name, run_value, violations)
+
+	if violations:
+		print("Workflow policy violations:")
+		for v in violations:
+			print(f"- {v}")
+		return 1
+
+	print("Workflow policy checks passed.")
+	return 0
+
+
+if __name__ == "__main__":
+	raise SystemExit(main())