fix(audit): close all missing-references rows in script audit
The audit's "missing references" table held 15 rows — 2 real doc bugs and 13 grep false-positives — making Pillar 3 Phase B triage noisier than it needed to be. - Wrote themes/engine/scripts/nomarchy-theme-next so SKILL.md's documented "cycle to next theme" command actually resolves. - Scrubbed three stale `nomarchy-dev-*` references from SKILL.md (skill frontmatter, body, and Out-of-Scope list) — they hallucinated a workflow that doesn't exist and broke AI-assisted use of the skill. - Added a line-context filter to both nomarchy-docs-scripts generators that drops `nomarchy-*` tokens appearing in Nix pname/derivation idents, /tmp/ and /etc/sudoers.d/ paths, nixosConfigurations.* / packages.* flake outputs, mktemp -t prefixes, systemd unit vars, ./result/bin/run- binaries, and docker container references. - Added a small token-level denylist for five residual non-script identifiers (nomarchy-plymouth, nomarchy-sddm-theme, nomarchy-live, nomarchy-rev, nomarchy-windows) that survive line filtering because they appear as bare Nix list refs, comment backticks, or compose-heredoc identifiers. Regenerated docs/SCRIPTS.md; the "Missing references" section is now empty. Logged in docs/ROADMAP.md Shipped. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Bernardo Magri
@@ -81,13 +81,34 @@ ref_files_per_cmd() {
|
||||
# Final char must be alphanumeric — dropping trailing-dash matches like
|
||||
# `nomarchy-pkg-` that come from glob references (`for c in nomarchy-pkg-*`).
|
||||
# Restrict to grep_includes so binaries / tmpfiles don't pollute the set.
|
||||
# We also filter out common prefix-only tokens that are false positives from
|
||||
# wildcards/expansions.
|
||||
all_refs=$(grep -rohE 'nomarchy-[a-z0-9]([a-z0-9-]*[a-z0-9])?' \
|
||||
# The first `grep -vE` drops lines where `nomarchy-*` is a derivation /
|
||||
# tmp file / sudoers basename / systemd unit / flake output / docker
|
||||
# container identifier rather than a shell invocation.
|
||||
# The second `grep -vE` is a token-level safety net for prefix-only
|
||||
# tokens left over from wildcards/expansions (e.g. `nomarchy-pkg-*`).
|
||||
all_refs=$(grep -rhE 'nomarchy-[a-z0-9]([a-z0-9-]*[a-z0-9])?' \
|
||||
"${grep_includes[@]}" \
|
||||
"${search_dirs[@]}" 2>/dev/null \
|
||||
| grep -vE \
|
||||
-e '(pname|name)[[:space:]]*=[[:space:]]*"nomarchy-' \
|
||||
-e '/tmp/nomarchy-' \
|
||||
-e '/etc/sudoers\.d/[^"[:space:]]*nomarchy-' \
|
||||
-e 'nixosConfigurations\.nomarchy-' \
|
||||
-e 'packages\.[^.]+\.nomarchy-' \
|
||||
-e '\./result/bin/run-nomarchy-' \
|
||||
-e 'mktemp[[:space:]]+[^|]*-t[[:space:]]+nomarchy-' \
|
||||
-e '(TIMER_NAME|NOPASSWD_FILE|UNIT_NAME)=.*nomarchy-' \
|
||||
-e 'docker[[:space:]]+[^|]*nomarchy-' \
|
||||
| grep -oE 'nomarchy-[a-z0-9]([a-z0-9-]*[a-z0-9])?' \
|
||||
| grep -vE '^(nomarchy-launch|nomarchy-brightness|nomarchy-cmd|nomarchy-pkg|nomarchy-restart|nomarchy-toggle|nomarchy-theme|nomarchy-webapp-handler|nomarchy-font-selector|nomarchy-theme-selector|nomarchy-wallpaper-selector|nomarchy-setup|nomarchy-refresh|nomarchy-scripts|nomarchy-system-scripts|nomarchy-theme-engine-scripts)$' \
|
||||
| grep -vE '^(nomarchy-plymouth|nomarchy-sddm-theme|nomarchy-live|nomarchy-rev|nomarchy-windows)$' \
|
||||
| sort -u)
|
||||
# The second denylist covers identifiers whose ambiguity survives the line
|
||||
# filter: `nomarchy-plymouth` / `nomarchy-sddm-theme` are Nix derivation
|
||||
# names referenced as bare idents in `[...]` lists, `nomarchy-live` is an
|
||||
# ISO label that shows up in comments, `nomarchy-rev` is `/etc/nomarchy-rev`
|
||||
# (written by the ISO), and `nomarchy-windows` is a docker container name
|
||||
# in compose heredocs.
|
||||
|
||||
# --- Render: header --------------------------------------------------------
|
||||
|
||||
|
||||
Reference in New Issue
Block a user