From 97598101602ec8f7b380179a84f402c3dda2fdaf Mon Sep 17 00:00:00 2001
From: Ralf Anton Beier
Date: Fri, 1 May 2026 18:07:26 +0200
Subject: [PATCH] =?UTF-8?q?chore:=20hygiene=20cluster=20=E2=80=94=20LICENS?= =?UTF-8?q?E,=20fail=20audit=20on=20findings,=20enforce=20verify-netcup?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Three small wins from `docs/agent-fleet/bugs.md`:

## #34 — `LICENSE` file added

`package.json` declared MIT but the repo carried no LICENSE at root. Standard MIT text added with copyright "PulseEngine, 2026". Wave-1 supply-chain reviewer's finding.

## #23 — `npm audit` no longer swallows findings

`.github/workflows/ci.yml` had `npm audit --audit-level=moderate || true`, which silently kept builds green even with known CVEs. Dropped the `|| true` so moderate-or-higher findings actually fail the gate. Wave-1 supply-chain.

## #33 — `verify-netcup-deployment.sh` is now enforcing

The previous version's checks were `echo` lines that never exited non-zero unless core files were missing. Wave-1 DevOps agent flagged it as theatre. Rewritten with `set -euo pipefail`, `fail`/`ok` helpers, env-var presence check (canonical AND legacy names), and `WEBHOOK_SECRET != "development"` guard so a misconfigured `.env` never reaches `pm2 start`.

## Test plan

- [x] 834 tests pass
- [x] eslint clean
- [x] `bash -n verify-netcup-deployment.sh` clean
- [ ] After merge: `npm audit` would fail the next CI run if a moderate finding exists in the lockfile.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.7 (1M context)
---
.github/workflows/ci.yml | 2 +-
LICENSE | 21 +++++++
verify-netcup-deployment.sh | 109 +++++++++++++++---------------------
3 files changed, 67 insertions(+), 65 deletions(-)
create mode 100644 LICENSE

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index db93296..3444639 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,7 +18,7 @@ jobs: - run: npm ci - run: npm test -- --coverage - name: Security audit - run: npm audit --audit-level=moderate || true + run: npm audit --audit-level=moderate - name: Upload coverage if: always() uses: actions/upload-artifact@v4
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..32b9bcb
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 PulseEngine
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/verify-netcup-deployment.sh b/verify-netcup-deployment.sh
index 3dd22de..9b6d5c1 100755
--- a/verify-netcup-deployment.sh
+++ b/verify-netcup-deployment.sh
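Review bot: The audit step now blocks on any moderate finding across the whole install tree, devDependencies included, and there is no exception path at all, so when the lockfile already carries one (the test plan itself expects this) the realistic outcomes are a red main branch or the `|| true` quietly coming back. If only the shipped dependency tree should gate the build, `run: npm audit --audit-level=moderate --omit=dev` narrows the scope, and a short documented route for findings without an upstream fix (a `overrides` pin in `package.json` plus a tracking issue) gives reviewers something other than disabling the step. Separately, the step runs after `npm test`; placing it before the test step fails fast on a known-vulnerable tree instead of paying for the coverage run first.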
@@ -1,79 +1,60 @@ #!/bin/bash +# Netcup deployment verification. +# +# Each check exits non-zero on failure so this script can be wired into a +# post-deploy hook. (Wave-1 DevOps agent flagged the previous all-`echo` +# version as performative, Bug #33 in `docs/agent-fleet/bugs.md`.) +# +# Run from the deploy directory (`/opt/temper` on netcup) AFTER `npm ci +# --production`. -echo "🔍 Netcup Deployment Verification Script" -echo "========================================" -echo "" +set -euo pipefail -# Check if running on Netcup -echo "📋 Checking environment..." -if [ -f "/etc/netcup-hosting" ]; then - echo "✅ Netcup environment detected" -else - echo "â„šī¸ Not running on Netcup (or detection failed)" -fi +fail() { echo "❌ $*"; exit 1; } +ok() { echo "✅ $*"; } -echo "" -echo "📁 Checking file structure..." -if [ -f "index.js" ] && [ -f "package.json" ] && [ -f "config.yml" ]; then - echo "✅ All required files present" -else - echo "❌ Missing required files" - exit 1 -fi +echo "🔍 Netcup Deployment Verification" +echo "=================================" echo "" -echo "đŸ“Ļ Checking Node.js dependencies..." -if [ -d "node_modules" ]; then - echo "✅ node_modules directory exists" -else - echo "âš ī¸ node_modules missing - run 'npm install --production'" -fi +echo "📁 File structure" +[ -f index.js ] && [ -f package.json ] && [ -f config.yml ] \ + || fail "missing one of: index.js / package.json / config.yml" +ok "core files present" echo "" -echo "🔐 Checking environment variables..." 
-if [ -f ".env" ]; then - echo "✅ .env file exists" - # Check for required variables - if grep -q "GITHUB_APP_ID" .env && grep -q "GITHUB_PRIVATE_KEY" .env && grep -q "GITHUB_WEBHOOK_SECRET" .env; then - echo "✅ All required environment variables present" - else - echo "❌ Missing required environment variables in .env" - fi -else - echo "❌ .env file missing" -fi +echo "đŸ“Ļ Dependencies" +[ -d node_modules ] || fail "node_modules missing — run 'npm ci --production'" +ok "node_modules present" echo "" -echo "📄 Checking .htaccess configuration..." -if [ -f ".htaccess" ]; then - echo "✅ .htaccess file exists" - if grep -q "RewriteRule" .htaccess && grep -q "localhost:3000" .htaccess; then - echo "✅ Proxy rules configured" - else - echo "âš ī¸ Proxy rules may be missing" +echo "🔐 Environment file" +[ -f .env ] || fail ".env missing" +for var in APP_ID PRIVATE_KEY WEBHOOK_SECRET; do + if ! grep -qE "^${var}=" .env; then + # Accept legacy GITHUB_-prefixed names (mapped at runtime). + if ! grep -qE "^GITHUB_${var}=" .env; then + fail ".env missing required variable: ${var} (or GITHUB_${var})" fi + fi +done +# WEBHOOK_SECRET cannot be empty or the literal "development". +secret=$(grep -E '^(GITHUB_)?WEBHOOK_SECRET=' .env | head -1 | cut -d= -f2-) +[ -n "$secret" ] || fail "WEBHOOK_SECRET is empty" +[ "$secret" != "development" ] || fail "WEBHOOK_SECRET cannot be the literal 'development'" +ok "required env vars present and non-default" + +echo "" +echo "🌐 Reverse proxy" +if [ -f .htaccess ]; then + grep -q "RewriteRule" .htaccess && grep -q "localhost:3000" .htaccess \ + || fail ".htaccess present but missing RewriteRule → localhost:3000" + ok ".htaccess proxy configured" else - echo "âš ī¸ .htaccess file missing - create for Apache proxy" + echo "â„šī¸ no .htaccess (skip if not using Apache)" fi echo "" -echo "🌐 Checking domain configuration..." 
-echo "Please ensure:" -echo " - Domain points to your Netcup server" -echo " - SSL certificate is installed" -echo " - Webhook URL is set to https://your-domain.com/" - -echo "" -echo "🚀 Ready for deployment!" -echo "" -echo "To start the application:" -echo " node index.js &" -echo "" -echo "To test the endpoints:" -echo " curl https://your-domain.com/health" -echo " curl https://your-domain.com/webhook" -echo "" -echo "For troubleshooting, check:" -echo " - Netcup error logs in control panel" -echo " - Node.js console output" -echo " - Apache access/error logs" +echo "✅ Verification complete. Start the bot:" +echo " pm2 start npm --name temper -- start" +echo " curl http://localhost:3000/health"
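Review bot: The `WEBHOOK_SECRET` guard compares the raw text after `=`, so a quoted value such as `WEBHOOK_SECRET="development"` or `WEBHOOK_SECRET=""` passes both the non-empty and the non-default checks, while a dotenv loader strips the quotes and the bot starts with exactly the secret the guard was meant to reject. Right after the `cut -d= -f2-` line, peel one layer of matching quotes before comparing: `secret=${secret#\"}; secret=${secret%\"}` and `secret=${secret#\'}; secret=${secret%\'}`. The `head -1` also picks whichever of `WEBHOOK_SECRET` / `GITHUB_WEBHOOK_SECRET` appears first in the file, which presumably is not always the one the runtime prefers when both are set; checking the canonical name first and only falling back to the legacy one makes the verified value the used value. As a smaller point, `fail` writes its diagnostic to stdout; `fail() { echo "❌ $*" >&2; exit 1; }` keeps it visible when a post-deploy hook captures stdout.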