vyre-conform 0.1.0

Conformance suite for vyre backends — proves byte-identical output to CPU reference
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71

//! CODEOWNERS coverage test for the contributor trust boundary.
//!
//! Every path listed in the trust table of `coordination/contributor-boundary.md`
//! must have a corresponding rule in `.github/CODEOWNERS` assigning it to the
//! canonical maintainer team. If a path is missing, the test fails with an
//! actionable error message so the PR author knows exactly what to add.
//!
//! Threats covered: T35 (CODEOWNERS bypass), T59 (self-reference).

use std::fs;

const REQUIRED_PATHS: &[&str] = &[
    "spec/src/lib.rs",
    "spec/**",
    "conform/src/reference/**",
    "conform/src/harnesses/**",
    "conform/src/algebra/laws/**",
    "mutations.toml",
    "test-infra/test_catalog.toml",
    ".github/CODEOWNERS",
    ".github/workflows/**",
    "scripts/apply-branch-protection.sh",
    "scripts/mutants.sh",
    "scripts/append-only.sh",
    "Cargo.toml",
    "coordination/adversary-threat-model.md",
];

const MAINTAINER_TEAM: &str = "@santhsecurity/core-maintainers";

#[test]
fn codeowners_coverage_for_trust_boundary() {
    let codeowners =
        fs::read_to_string(".github/CODEOWNERS").expect("failed to read .github/CODEOWNERS");

    let mut missing = Vec::new();

    for required in REQUIRED_PATHS {
        let mut found = false;
        for line in codeowners.lines() {
            let trimmed = line.trim();
            if trimmed.is_empty() || trimmed.starts_with('#') {
                continue;
            }
            let parts: Vec<&str> = trimmed.split_whitespace().collect();
            if parts.len() < 2 {
                continue;
            }
            let pattern = parts[0];
            let owners = &parts[1..];
            if pattern == *required && owners.contains(&MAINTAINER_TEAM) {
                found = true;
                break;
            }
        }
        if !found {
            missing.push(*required);
        }
    }

    assert!(
        missing.is_empty(),
        "CODEOWNERS coverage test FAILED. Missing rules for maintainer-only paths:\n{}\n\
         Fix: add `<path> {MAINTAINER_TEAM}` to .github/CODEOWNERS",
        missing
            .iter()
            .map(|p| format!("  - {p}"))
            .collect::<Vec<_>>()
            .join("\n")
    );
}