Code Rooms
import fs from "node:fs";
import path from "node:path";
import crypto from "node:crypto";
const root = path.resolve(new URL("..", import.meta.url).pathname);
const args = new Set(process.argv.slice(2));
const requiredPaths = [
"README.md",
".github/workflows/validate.yml",
"AGENTS.md",
"CONTRIBUTING.md",
"SECURITY.md",
".codex-plugin/plugin.json",
"skills/kognit1v/SKILL.md",
"skills/kognit1v/agents/openai.yaml",
"docs/AGENT_OPERATING_MANUAL.md",
"docs/RUNTIME_REQUIREMENTS.md",
"docs/TOOLCHAIN.md",
"protocols/cognitive-stack.json",
"protocols/kognit1v-runbook.json",
"protocols/toolchain.json",
"scripts/bootstrap-kognit1v.mjs",
"scripts/smoke-install.mjs",
"contracts/intent-blueprint.schema.json",
"contracts/capability-gap.schema.json",
"contracts/proof-contract.schema.json",
"contracts/apply-gate.schema.json",
"contracts/handoff-envelope.schema.json",
"contracts/adapter-pack.schema.json",
"examples/intent-blueprint.example.json",
"examples/capability-gap.example.json",
"examples/proof-contract.example.json",
"examples/apply-gate.example.json",
"examples/handoff-envelope.example.json",
"examples/adapter-pack.example.json"
];
const exampleRequirements = {
"examples/intent-blueprint.example.json": ["id", "intent", "owner", "route", "inputs", "non_claims"],
"examples/capability-gap.example.json": ["id", "summary", "owner_layer", "maturity", "required_contract", "non_claims"],
"examples/proof-contract.example.json": ["id", "claim", "proof_type", "commands", "artifacts", "positive_assertions", "negative_proofs", "non_claims"],
"examples/apply-gate.example.json": ["operation_id", "mode", "plan_identity", "idempotency_key", "authorization_required", "human_review", "redaction_checks"],
"examples/handoff-envelope.example.json": ["operation_id", "current_state", "intent_blueprint", "proofs", "blocked_checks", "next_agent", "non_claims"],
"examples/adapter-pack.example.json": ["id", "provider_class", "allowed_effects", "allowed_hosts", "required_env_names", "redacted_fields", "modes", "idempotency_policy"]
};
const secretPatterns = [
{ name: "openai_key", re: /\bsk-[A-Za-z0-9_-]{20,}\b/g },
{ name: "anthropic_key", re: /\bsk-ant-[A-Za-z0-9_-]{20,}\b/g },
{ name: "google_key", re: /\bAIza[A-Za-z0-9_-]{20,}\b/g },
{ name: "bearer_token", re: /Bearer\s+[A-Za-z0-9._~+/=-]{20,}/gi },
{ name: "private_key", re: /-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----/g },
{ name: "env_assignment_secret", re: /\b(?:OPENAI|ANTHROPIC|GEMINI|GOOGLE|STRIPE|GITHUB|HF|HUGGINGFACE|ELEVENLABS)_[A-Z0-9_]*(?:KEY|TOKEN|SECRET)[ \t]*=[ \t]*['"]?[A-Za-z0-9._~+/=-]{8,}/g }
const portabilityPatterns = [
{ name: "absolute_kle1nz_path", re: /\/Users\/kle1nz\b/g },
{ name: "lan_ip", re: /\b192\.168\.\d{1,3}\.\d{1,3}\b/g },
{ name: "private_archive_mount", re: /\/mnt\/rorshack\b/g }
function escapeRegExp(value) {
return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}
function configuredBlockedTerms() {
const terms = [];
const envTerms = process.env.KOGNIT1V_BLOCKED_TERMS;
if (envTerms) terms.push(...envTerms.split(","));
const localBlocklist = path.join(root, ".kognit1v", "blocked-terms.txt");
if (fs.existsSync(localBlocklist)) {
terms.push(...fs.readFileSync(localBlocklist, "utf8").split(/\r?\n/));
return terms.map((term) => term.trim()).filter(Boolean);
const blockedTermPatterns = configuredBlockedTerms().map((term) => ({
name: `blocked_term:${term.length}`,
re: new RegExp(escapeRegExp(term), "gi")
}));
const textExtensions = new Set([
".md",
".json",
".yaml",
".yml",
".js",
".mjs",
".py",
".sh",
".txt",
".example",
".gitignore"
]);
function rel(file) {
return path.relative(root, file);
function readJson(relativePath) {
return JSON.parse(fs.readFileSync(path.join(root, relativePath), "utf8"));
function walk(dir, out = []) {
for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
if (entry.name === ".git" || entry.name === "node_modules") continue;
const full = path.join(dir, entry.name);
if (entry.isDirectory()) walk(full, out);
else out.push(full);
return out;
const failures = [];
for (const relativePath of requiredPaths) {
if (!fs.existsSync(path.join(root, relativePath))) {
failures.push(`missing required path: ${relativePath}`);
for (const [relativePath, keys] of Object.entries(exampleRequirements)) {
if (!fs.existsSync(path.join(root, relativePath))) continue;
const data = readJson(relativePath);
for (const key of keys) {
if (!(key in data)) failures.push(`example ${relativePath} missing key: ${key}`);
for (const file of walk(root)) {
const relativePath = rel(file);
if (path.basename(file) === ".DS_Store") {
failures.push(`macOS metadata file is not allowed: ${relativePath}`);
if (relativePath.includes("__pycache__") || relativePath.endsWith(".pyc")) {
failures.push(`python cache is not allowed: ${relativePath}`);
if (relativePath.endsWith("ingest_roots.json")) {
failures.push(`local ingest root metadata is not allowed: ${relativePath}`);
if (path.basename(file).startsWith(".env") && relativePath !== ".env.example") {
failures.push(`live env-like file is not allowed: ${relativePath}`);
const ext = path.extname(file);
if (!textExtensions.has(ext) && !["LICENSE", "README", "AGENTS"].includes(path.basename(file))) continue;
const text = fs.readFileSync(file, "utf8");
for (const pattern of secretPatterns) {
pattern.re.lastIndex = 0;
const matches = text.match(pattern.re);
if (matches) failures.push(`possible secret (${pattern.name}) in ${relativePath}`);
for (const pattern of portabilityPatterns) {
if (matches) failures.push(`non-portable local reference (${pattern.name}) in ${relativePath}`);
for (const pattern of blockedTermPatterns) {
if (matches) failures.push(`configured blocked term (${pattern.name}) in ${relativePath}`);
const proof = {
id: "proof.kognit1v.validation.latest",
generated_at: new Date().toISOString(),
root: ".",
repo_name: path.basename(root),
required_paths_checked: requiredPaths.length,
examples_checked: Object.keys(exampleRequirements).length,
files_scanned: walk(root).length,
status: failures.length ? "failed" : "passed",
failures,
digest: crypto
.createHash("sha256")
.update(requiredPaths.join("\n"))
.digest("hex")
if (args.has("--write-proof")) {
const proofPath = path.join(root, "proofs/validation/latest.json");
fs.mkdirSync(path.dirname(proofPath), { recursive: true });
fs.writeFileSync(proofPath, `${JSON.stringify(proof, null, 2)}\n`);
if (args.has("--doctor") || args.has("--write-proof")) {
console.log(JSON.stringify(proof, null, 2));
} else {
console.log(`${proof.status}: checked ${proof.required_paths_checked} required paths, ${proof.examples_checked} examples, ${proof.files_scanned} files`);
if (failures.length) {
process.exitCode = 1;