coreason-meta-engineering 0.1.0

Rust port of the CoReason Agentic Forge & AST Manipulation Layer
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90

name: Advanced Security (Malware & Secrets)

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main, develop ]
  workflow_dispatch:

permissions: read-all

env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

jobs:
  secret-scan:
    name: High-Entropy Secret Sweeper
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Harden Runner (Endpoint Network Security)
        uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.19.1
        with:
          egress-policy: audit

      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.2.2
        with:
          fetch-depth: 0

      - name: Gitleaks Scan
        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

  malware-scan:
    name: Repository-Wide Malware Scan (ClamAV)
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Harden Runner (Endpoint Network Security)
        uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.19.1
        with:
          egress-policy: audit

      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.2.2

      - name: Cache ClamAV Database
        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
        with:
          path: /var/lib/clamav
          key: ${{ runner.os }}-clamav-db-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-clamav-db-

      - name: Install ClamAV
        run: |
          sudo apt-get update
          sudo apt-get install -y clamav clamav-daemon
          sudo systemctl stop clamav-freshclam
          sudo chown -R clamav:clamav /var/lib/clamav || true
          for i in {1..3}; do sudo freshclam && break || sleep 5; done

      - name: Run ClamAV Scan
        run: clamscan -r -i ./

  license-firewall:
    name: Dependency License Firewall (Copyleft Block)
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Harden Runner (Endpoint Network Security)
        uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.19.1
        with:
          egress-policy: audit

      - name: Checkout Repository
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.2.2

      - name: Dependency Review & Legal Firewall
        uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
        with:
          comment-summary-in-pr: always
          fail-on-severity: high
          deny-licenses: AGPL-1.0, AGPL-3.0, GPL-1.0, GPL-2.0, GPL-3.0, LGPL-2.0, LGPL-2.1, LGPL-3.0