一键导入
dogfood
Dogfood forjar — rebuild, install, exercise every command, prove the C1–C10 claims and contracts against a sandboxed stack, check quality, file bugs
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Dogfood forjar — rebuild, install, exercise every command, prove the C1–C10 claims and contracts against a sandboxed stack, check quality, file bugs
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
| allowed-tools | Bash(cargo:*), Bash(forjar:*), Bash(pmat:*), Bash(gh:*), Bash(git:*), Bash(find:*), Bash(head:*), Bash(tail:*), Bash(wc:*), Bash(grep:*), Bash(diff:*), Bash(timeout:*), Bash(jq:*), Bash(python3:*), Bash(echo:*), Bash(cat:*), Bash(rm:*), Bash(mktemp:*), Bash(mkdir:*), Bash(sh:*), Bash(bashrs:*), Read, Glob, Grep, Agent |
| description | Dogfood forjar — rebuild, install, exercise every command, prove the C1–C10 claims and contracts against a sandboxed stack, check quality, file bugs |
Contracts (contracts/): idempotent-apply-v1, plan-apply-equivalence-v1,
destroy-undo-roundtrip-v1, dag-ordering-v1, blake3-state-v1,
execution-safety-v1, recipe-determinism-v1, codegen-dispatch-v1,
apply-summary-distinguishability-v1, plus binding.yaml (AllImplemented).
Claims: README falsifiable claims C1–C10.
Pattern: modeled on ../aprender/.claude/skills/dogfood/SKILL.md, adapted for an IaC tool.
forjar is Infrastructure as Code: apply, destroy, undo, import,
reseal, state-*, lock-rotate-keys, package/service/mount/network providers
mutate real state or the host. This dogfood is a read-only audit of the
host. Therefore:
init validate plan diff stack-diff fmt lint show graph status history explain doctor inventory bench suggest compare compliance policy-coverage test contracts prove lock-{info,stats,verify,audit,verify-chain,validate} audit and any
--help / --dry-run / --preview / --diff-only / --output-scripts.apply/destroy/undo may ONLY run against a
throwaway mktemp -d state dir + a config whose ONLY resources are
type: file/type: command writing under /tmp, on the local machine
(addr: 127.0.0.1 → direct bash, not loopback SSH). Never apply
package/service/mount/network/gpu/github_release resources to
this host. Never run destroy/undo/state-rm/lock-rotate-keys
against a real/default state dir.gh issue create --repo paiml/forjar). Clean up all tempdirs at the end.Never read $? after a pipe — it's the pipe's last stage, not the command's.
Use OUT=$(cmd 2>&1); EC=$?. (This exact mistake produced retracted false-positive
bugs in the aprender dogfood; see that skill's Pre-Gate note.)
grep -m1 '^version' Cargo.tomlgit rev-parse --short HEADforjar --version 2>/dev/null || echo "not installed"curl -s --max-time 8 https://crates.io/api/v1/crates/forjar | python3 -c 'import json,sys;print(json.load(sys.stdin)["crate"]["newest_version"])' 2>/dev/null || echo "(unreachable)"grep -cE '^\s+[A-Z][A-Za-z0-9]+\(' src/cli/commands/mod.rsls contracts/*.yaml 2>/dev/null | wc -lgrep -rc '#\[test\]' src/ 2>/dev/null | paste -sd+ | bc 2>/dev/null || echo '?'$ARGUMENTS
If an argument names a config file, exercise that one too (read-only/preview
only unless it is provably a /tmp-file-only local stack). Otherwise use
examples/*.yaml and a generated sandbox stack.
Run ALL gates. For each: run the check, report PASS/FAIL/SKIP with evidence. Run independent gates in parallel where safe. End with a GO / WARN / FAIL verdict. Read-only w.r.t. the host. File issues for bugs; do not fix code.
cargo install --path . --force 2>&1 | tail -5
forjar --version
git rev-parse --short HEAD
PASS if forjar --version is the source version and the build is clean.
WARN if the embedded SHA (if any) ≠ HEAD. FAIL on build error.
--help, no phantoms# Auto-discover every top-level subcommand and assert --help works (no panic,
# no "not implemented"). This is the phantom-subcommand + crash sweep.
forjar --help 2>&1 | awk '/^ [a-z]/{print $1}' | while read -r c; do
OUT=$(timeout 20 forjar "$c" --help 2>&1); EC=$?
if [ "$EC" -ne 0 ]; then echo "G2 FAIL $c: --help exit $EC"
elif echo "$OUT" | grep -qiE 'not.*implemented|todo|unimplemented'; then echo "G2 PHANTOM $c"
else echo "G2 ok $c"; fi
done | sort | uniq -c | sort -rn | head
Then spot-exercise the safe inspection commands on an example config:
CFG=$(ls examples/*.yaml 2>/dev/null | head -1)
for c in validate plan diff fmt lint show graph explain inventory; do
OUT=$(timeout 30 forjar "$c" -f "$CFG" 2>&1 || timeout 30 forjar "$c" "$CFG" 2>&1); EC=$?
echo "G2.$c: exit=$EC $(echo "$OUT" | head -1)"
done
PASS if every subcommand's --help exits 0 with no phantom/panic. FAIL on any panic.
Each maps to a README claim. Build a tiny sandbox stack first:
SBX=$(mktemp -d); ST="$SBX/state"; CFG="$SBX/forjar.yaml"; TGT="$SBX/out.txt"
cat > "$CFG" <<YAML
version: "1.0"
name: dogfood
machines: { local: { hostname: localhost, addr: 127.0.0.1 } }
resources:
a: { type: file, machine: local, path: $TGT, content: "dogfood" }
b: { type: command, machine: local, depends_on: [a], run: "true", creates: $SBX/b.done }
YAML
forjar plan runs over the same config
produce identical resource hashes (plan --output-scripts / plan diff = empty).forjar graph -f "$CFG" (or plan) yields a
stable topological order across 3 runs (diff = empty); b after a.forjar apply -f "$CFG" --state-dir "$ST" --yes,
then a second apply → summary shows 0 changed / all unchanged; with
--force, the summary must still distinguish M actual change(s) (M=0) from
forced no-ops. (Mutating, but /tmp-only local — SAFE.)a→b→a depends_on cycle → validate
exits non-zero with a clear cycle error (OUT=$(...); EC=$?)..b3 sidecars; forjar lock-verify/lock-verify-chain PASS.lock-verify is clean.{{inputs.*}}
→ validate fails loud non-zero.command/file content value containing
', $(), backticks is shell-escaped in plan --output-scripts output
(the payload is neutralized, not executed) — bashrs lint the emitted script.cargo metadata --no-deps --format-version 1 | jq '[.packages[0].dependencies[]|select(.kind==null)]|length' within the
README-stated bound.x fails its
pre_apply/check → apply fails loud (non-zero exit, x failed,
dependents cascade-skipped) and does not report success. (Recent fix:
a failing pre_apply hook fails apply and is not retried.)PASS if all 10 hold. FAIL on any claim that falsifies.
for c in contracts/*.yaml; do
python3 -c "import yaml;yaml.safe_load(open('$c'))" 2>&1 && echo " valid: $c" || echo " INVALID: $c"
done
# AllImplemented binding policy is enforced at build time:
cargo build 2>&1 | grep -iE 'CONTRACT|binding' | tail -3
# Contract-enforcing tests:
cargo test --lib falsification 2>&1 | grep 'test result' | tail -3
PASS if all contracts parse, cargo build reports all bindings bound, and the
falsification tests pass.
cargo test --lib 2>&1 | grep 'test result' | tail -1
cargo clippy --all-targets -- -D warnings 2>&1 | grep -c '^error'
cargo fmt --all -- --check && echo "fmt clean"
PASS if 0 test failures, 0 clippy errors, fmt clean. WARN on clippy warnings.
cargo llvm-cov --lib --summary-only 2>&1 | tail -5
PASS if line coverage ≥ 95%. (Slow; may SKIP with a note if llvm-cov absent.)
gh issue list --repo paiml/forjar --state open --limit 20
Always PASS.
Using the SBX from Gate 3 (local, /tmp-file-only — SAFE):
forjar apply -f "$CFG" --state-dir "$ST" --yes 2>&1 | tail -3 # converge
test -f "$TGT" && echo "applied: file created"
forjar apply -f "$CFG" --state-dir "$ST" --yes 2>&1 | grep -iE 'unchanged|0 changed' # C3
forjar check -f "$CFG" --state-dir "$ST" 2>&1 | tail -2 # no drift
forjar status --state-dir "$ST" 2>&1 | tail -3
forjar destroy -f "$CFG" --state-dir "$ST" --yes 2>&1 | tail -3 # tears down /tmp file
forjar undo --state-dir "$ST" 2>&1 | tail -3 # destroy-undo roundtrip
PASS if converge→idempotent-reapply→no-drift→destroy→undo all behave per contract. Never point this at a non-tempdir state dir.
OUT=$(forjar validate -f /nonexistent.yaml 2>&1); echo "missing file: exit=$?"
printf 'version: "1.0"\nname: x\nresources:\n a: {type: file, machine: nope, path: /tmp/x}\n' > "$SBX/bad.yaml"
OUT=$(forjar validate -f "$SBX/bad.yaml" 2>&1); echo "unknown machine: exit=$? :: $(echo "$OUT"|tail -1)"
OUT=$(forjar plan -f "$SBX/bad.yaml" 2>&1); echo "plan on bad: exit=$?"
PASS if every malformed/invalid input exits non-zero with a clear message. FAIL if any bad input is silently accepted (exit 0).
diff <(forjar status --state-dir "$ST") <(forjar status --state-dir "$ST" --json) must differ (no no-op flag); same for plan/plan --json.error/failed must exit non-zero (OUT=$(...);EC=$?).forjar status --json, plan --dry-run-json, lock-info --json (where supported) → jq . must parse.apply --force on a converged stack prints the note: --force re-ran N … (0 actual change(s)) line — C3 is observable through --force.forjar dist -f dist-forjar.yaml --verify 2>&1 Tier-1 static checks PASS (sh -n, bashrs, snippet/URL structure).PASS if all protocols hold.
forjar doctor 2>&1 | tail -10
forjar dist -f dist-forjar.yaml --installer -o "$SBX/install.sh" 2>&1 | tail -2 && sh -n "$SBX/install.sh" && echo "installer parses"
bashrs lint "$SBX/install.sh" 2>&1 | tail -1
PASS if doctor reports the toolchain and the generated installer is valid POSIX sh with 0 bashrs errors.
After all gates, provide:
File bugs: gh issue create --repo paiml/forjar --title "forjar <cmd>: <title>" --body "..."
rm -rf "$SBX" /tmp/forjar-dogfood-* 2>/dev/null
Do not delete or modify any real state dir, the repo, or examples/.