From 7bc22ae6b0a05ae19f368bed121f8f106d9488d1 Mon Sep 17 00:00:00 2001 From: grobomo Date: Fri, 3 Apr 2026 21:29:31 -0500 Subject: [PATCH] T026: DRY worker config, archive stale scripts, tighten audit regex - Extract worker IPs to shared scripts/worker-config.sh (was duplicated in 5 scripts) - Refactor deploy-to-worker.sh, deploy-to-all-workers.sh, check-worker-install.sh to source it - Archive redundant deploy-to-workers.sh and stale verify-worker.sh - Fix audit-logger.js broad /test/i regex to path-bounded /[\/\]tests?[\/\]/i - 10/10 new tests + 28/28 existing e2e tests pass --- hooks/PostToolUse/shtd_audit-logger.js | 2 +- scripts/check-worker-install.sh | 10 ++- scripts/deploy-to-all-workers.sh | 5 +- scripts/deploy-to-worker.sh | 9 +-- scripts/deploy-to-workers.sh | 85 -------------------------- scripts/test/test-T026-code-review.sh | 76 +++++++++++++++++++++++ scripts/verify-worker.sh | 14 ----- scripts/worker-config.sh | 29 +++++++++ 8 files changed, 116 insertions(+), 114 deletions(-) delete mode 100644 scripts/deploy-to-workers.sh create mode 100644 scripts/test/test-T026-code-review.sh delete mode 100644 scripts/verify-worker.sh create mode 100644 scripts/worker-config.sh diff --git a/hooks/PostToolUse/shtd_audit-logger.js b/hooks/PostToolUse/shtd_audit-logger.js index 65bccdc..122a849 100644 --- a/hooks/PostToolUse/shtd_audit-logger.js +++ b/hooks/PostToolUse/shtd_audit-logger.js @@ -17,7 +17,7 @@ module.exports = function(input) { audit.logEvent('spec_created', { file: path.basename(filePath) }); } else if (/specs\/.*tasks\.md/i.test(filePath)) { audit.logEvent('tasks_defined', { file: path.basename(filePath) }); - } else if (/test/i.test(filePath) && !/node_modules/.test(filePath)) { + } else if (/[\/\\]tests?[\/\\]/i.test(filePath) && !/node_modules/.test(filePath)) { audit.logEvent('test_created', { file: path.basename(filePath) }); } } diff --git a/scripts/check-worker-install.sh b/scripts/check-worker-install.sh index 517d5e9..a99cd75 100644 
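Review bot: In hooks/PostToolUse/shtd_audit-logger.js the new pattern `/[\/\\]tests?[\/\\]/i` requires a separator on both sides of `test`/`tests`, so a relative path such as `tests/foo.js` and a co-located file such as `foo.test.js` no longer produce a `test_created` audit event. Whether `filePath` is always absolute is not visible in this hunk, so the audit trail may now silently under-report test files. Allowing the directory form at the start of the string and keeping a suffix form would cover both cases: `} else if (/(^|[\/\\])tests?[\/\\]|\.test\.[^\/\\]+$/i.test(filePath) && !/node_modules/.test(filePath)) {`. The `node_modules` exclusion on the same line is still an unbounded substring match. The enclosing function starts and ends outside the hunk.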
--- a/scripts/check-worker-install.sh +++ b/scripts/check-worker-install.sh @@ -5,13 +5,11 @@ set -euo pipefail WORKER="${1:-1}" -KEY_DIR="$HOME/.ssh/ccc-keys" +SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" -declare -A IPS=([1]="18.219.224.145" [2]="18.223.188.176" [3]="3.143.229.17" [4]="52.14.228.211") -IP="${IPS[$WORKER]:-}" -[ -z "$IP" ] && echo "Unknown worker: $WORKER" && exit 1 -KEY="$KEY_DIR/worker-${WORKER}.pem" -SSH_OPTS="-o StrictHostKeyChecking=no -o ConnectTimeout=10 -i $KEY" +source "$SCRIPT_DIR/worker-config.sh" +IP=$(resolve_worker "$WORKER") +SSH_OPTS=$(ssh_opts_for "$WORKER") echo "=== Worker $WORKER ($IP) — Installation Check ===" echo "" diff --git a/scripts/deploy-to-all-workers.sh b/scripts/deploy-to-all-workers.sh index 9adba3d..be20424 100644 --- a/scripts/deploy-to-all-workers.sh +++ b/scripts/deploy-to-all-workers.sh @@ -5,8 +5,9 @@ set -uo pipefail SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" +source "$SCRIPT_DIR/worker-config.sh" -for w in 1 2 3 4; do +for w in $ALL_WORKERS; do echo "" echo "=========================================" echo " Deploying to Worker $w" @@ -19,7 +20,7 @@ echo "=========================================" echo " Deployment complete — verifying all" echo "=========================================" -for w in 1 2 3 4; do +for w in $ALL_WORKERS; do echo "" echo "--- Worker $w ---" bash "$SCRIPT_DIR/check-worker-install.sh" "$w" 2>&1 | grep -E "\[OK\]|\[FAIL\]|not found|error" | head -5 diff --git a/scripts/deploy-to-worker.sh b/scripts/deploy-to-worker.sh index 0241370..89fa3a6 100644 --- a/scripts/deploy-to-worker.sh +++ b/scripts/deploy-to-worker.sh 
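Review bot: In scripts/check-worker-install.sh nothing checks that the key file exists before `SSH_OPTS=$(ssh_opts_for "$WORKER")` is used; when the `-i` file is missing, ssh only warns and goes on to try the user's default identities and agent keys, so the script can authenticate with a key other than the worker's. The archived deploy-to-workers.sh had this check, and a guard after the `source` line restores it: `[ -f "$KEY_DIR/worker-${WORKER}.pem" ] || { echo "Key not found for worker $WORKER" >&2; exit 1; }`. The scripts/deploy-to-worker.sh hunk has the same gap. The ssh calls that consume `$SSH_OPTS` are outside both hunks, so this assumes they pass it through unchanged.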
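Review bot: In the second hunk of scripts/deploy-to-all-workers.sh the verification loop now iterates `$ALL_WORKERS`, a list maintained separately from the keys of `WORKER_IPS`, and its output filter hides the one message that would reveal a mismatch. If a number is added to `ALL_WORKERS` without an address, `resolve_worker` prints `Unknown worker: N`, which `grep -E "\[OK\]|\[FAIL\]|not found|error"` drops, so that worker shows an empty section instead of a failure. Adding the message to the filter keeps it visible: `grep -E "\[OK\]|\[FAIL\]|Unknown worker|not found|error"`. The deploy loop in the first hunk iterates the same list; its body is outside the hunk.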
@@ -9,13 +9,10 @@ set -euo pipefail SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" PROJECT_DIR="$(cd "$SCRIPT_DIR/.." && pwd)" WORKER="${1:-1}" -KEY_DIR="$HOME/.ssh/ccc-keys" -declare -A IPS=([1]="18.219.224.145" [2]="18.223.188.176" [3]="3.143.229.17" [4]="52.14.228.211") -IP="${IPS[$WORKER]:-}" -[ -z "$IP" ] && echo "Unknown worker: $WORKER" && exit 1 -KEY="$KEY_DIR/worker-${WORKER}.pem" -SSH_OPTS="-o StrictHostKeyChecking=no -o ConnectTimeout=10 -i $KEY" +source "$SCRIPT_DIR/worker-config.sh" +IP=$(resolve_worker "$WORKER") +SSH_OPTS=$(ssh_opts_for "$WORKER") echo "=== Deploying SHTD Flow to Worker $WORKER ($IP) ===" diff --git a/scripts/deploy-to-workers.sh b/scripts/deploy-to-workers.sh deleted file mode 100644 index 4b51295..0000000 --- a/scripts/deploy-to-workers.sh +++ /dev/null 
@@ -1,85 +0,0 @@
-#!/usr/bin/env bash
-# Deploy SHTD Flow to CCC workers via SSH+Docker
-# Usage: bash deploy-to-workers.sh [WORKER_NUMS...]
-# Default: deploys to workers 1-4
-# Example: bash deploy-to-workers.sh 1 3 (only workers 1 and 3)
-set -euo pipefail
-
-SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
-KEY_DIR="${HOME}/.ssh/ccc-keys"
-
-# Worker IPs (from EC2 list)
-declare -A WORKER_IPS=(
- [1]="18.219.224.145"
- [2]="18.223.188.176"
- [3]="3.143.229.17"
- [4]="52.14.228.211"
-)
-
-WORKERS="${@:-1 2 3 4}"
-PASS=0; FAIL=0
-
-RED='\033[0;31m'; GREEN='\033[0;32m'; NC='\033[0m'
-
-for w in $WORKERS; do
- IP="${WORKER_IPS[$w]:-}"
- KEY="${KEY_DIR}/worker-${w}.pem"
-
- if [ -z "$IP" ]; then
- echo -e "${RED}[SKIP]${NC} Worker $w — no IP configured"
- ((FAIL++)) || true
- continue
- fi
-
- if [ ! -f "$KEY" ]; then
- echo -e "${RED}[SKIP]${NC} Worker $w — key not found: $KEY"
- ((FAIL++)) || true
- continue
- fi
-
- echo ""
- echo "=== Worker $w ($IP) ==="
-
- # Check connectivity
- if ! ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5 -i "$KEY" ubuntu@"$IP" "echo ok" >/dev/null 2>&1; then
- echo -e "${RED}[FAIL]${NC} Worker $w — SSH unreachable"
- ((FAIL++)) || true
- continue
- fi
-
- # Check Docker container
- if ! ssh -o StrictHostKeyChecking=no -i "$KEY" ubuntu@"$IP" "docker ps -q -f name=claude-portable" 2>/dev/null | grep -q .; then
- echo -e "${RED}[FAIL]${NC} Worker $w — claude-portable container not running"
- ((FAIL++)) || true
- continue
- fi
-
- # Clone and install inside container
- INSTALL_OUTPUT=$(ssh -o StrictHostKeyChecking=no -i "$KEY" ubuntu@"$IP" \
- "docker exec claude-portable bash -c 'rm -rf /tmp/spec-hook && git clone --depth 1 https://github.com/grobomo/spec-hook.git /tmp/spec-hook && bash /tmp/spec-hook/install.sh'" 2>&1) || true
-
- if echo "$INSTALL_OUTPUT" | grep -q "FAIL"; then
- echo -e "${RED}[FAIL]${NC} Worker $w — install had failures"
- echo "$INSTALL_OUTPUT" | tail -5
- ((FAIL++)) || true
- continue
- fi
-
- # Verify
- VERIFY_OUTPUT=$(ssh -o StrictHostKeyChecking=no -i "$KEY" ubuntu@"$IP" \
- "docker exec claude-portable bash -c 'bash /tmp/spec-hook/install.sh --check'" 2>&1) || true
-
- if echo "$VERIFY_OUTPUT" | grep -q "FAIL"; then
- echo -e "${RED}[FAIL]${NC} Worker $w — verification had failures"
- echo "$VERIFY_OUTPUT" | tail -5
- ((FAIL++)) || true
- else
- echo -e "${GREEN}[OK]${NC} Worker $w — SHTD installed and verified"
- ((PASS++)) || true
- fi
-done
-
-echo ""
-echo "=== Deploy Summary ==="
-echo "Passed: $PASS Failed: $FAIL"
-[ "$FAIL" -eq 0 ] && exit 0 || exit 1
diff --git a/scripts/test/test-T026-code-review.sh b/scripts/test/test-T026-code-review.sh
new file mode 100644
index 0000000..8e96e10
--- /dev/null
+++ b/scripts/test/test-T026-code-review.sh
@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+# Test T026: Code review fixes — DRY worker config, no stale scripts, audit regex tightened
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+PROJECT_DIR="$(cd "$SCRIPT_DIR/../.." && pwd)"
+PASS=0; FAIL=0
+
+pass() { echo " PASS: $1"; ((PASS++)) || true; }
+fail() { echo " FAIL: $1"; ((FAIL++)) || true; }
+
+echo "=== T026: Code Review Fixes ==="
+echo ""
+
+# 1. worker-config.sh exists and is sourceable
+echo "--- 1. Shared worker config ---"
+if [ -f "$PROJECT_DIR/scripts/worker-config.sh" ]; then
+ # Source it and check that WORKER_IPS is populated
+ (
+ source "$PROJECT_DIR/scripts/worker-config.sh"
+ if [ "${#WORKER_IPS[@]}" -eq 4 ]; then
+ exit 0
+ else
+ exit 1
+ fi
+ ) && pass "worker-config.sh has 4 worker IPs" || fail "worker-config.sh missing IPs"
+else
+ fail "worker-config.sh not found"
+fi
+
+# 2. Scripts that use worker IPs source from worker-config.sh (no hardcoded IPs)
+echo ""
+echo "--- 2. No hardcoded IPs in worker scripts ---"
+for script in deploy-to-worker.sh deploy-to-all-workers.sh check-worker-install.sh; do
+ if [ -f "$PROJECT_DIR/scripts/$script" ]; then
+ if grep -q 'worker-config.sh' "$PROJECT_DIR/scripts/$script"; then
+ pass "$script sources worker-config.sh"
+ else
+ fail "$script doesn't source worker-config.sh"
+ fi
+ # Should NOT have its own declare -A IPS or WORKER_IPS
+ if grep -q 'declare -A.*IPS' "$PROJECT_DIR/scripts/$script"; then
+ fail "$script has hardcoded IP array"
+ else
+ pass "$script has no hardcoded IP array"
+ fi
+ fi
+done
+
+# 3. Stale scripts archived
+echo ""
+echo "--- 3. Stale scripts archived ---"
+for stale in deploy-to-workers.sh verify-worker.sh; do
+ if [ -f "$PROJECT_DIR/scripts/$stale" ]; then
+ fail "$stale still in scripts/ (should be archived)"
+ else
+ pass "$stale archived"
+ fi
+done
+
+# 4. Audit logger regex tightened (no bare /test/i)
+echo ""
+echo "--- 4. Audit logger regex ---"
+AUDIT_LOGGER="$PROJECT_DIR/hooks/PostToolUse/shtd_audit-logger.js"
+if [ -f "$AUDIT_LOGGER" ]; then
+ # Should NOT have bare /test/i (without path separators)
+ if grep -P '\/test\/i' "$AUDIT_LOGGER" | grep -qv '[\/\\\\]'; then
+ fail "audit-logger.js still uses bare /test/i regex"
+ else
+ pass "audit-logger.js regex is path-bounded"
+ fi
+fi
+
+echo ""
+echo "=== Results: $PASS passed, $FAIL failed ==="
+[ "$FAIL" -eq 0 ] && exit 0 || exit 1
diff --git a/scripts/verify-worker.sh b/scripts/verify-worker.sh
deleted file mode 100644
index bc7bb38..0000000
--- a/scripts/verify-worker.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/usr/bin/env bash
-# Verify SHTD installation on a CCC worker
-# Usage: bash verify-worker.sh WORKER_NUM
-set -euo pipefail
-
-W="${1:?Usage: verify-worker.sh WORKER_NUM}"
-KEY_DIR="${HOME}/.ssh/ccc-keys"
-
-declare -A IPS=([1]="18.219.224.145" [2]="18.223.188.176" [3]="3.143.229.17" [4]="52.14.228.211")
-IP="${IPS[$W]:-}"
-[ -z "$IP" ] && echo "Unknown worker: $W" && exit 1
-
-ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 -i "${KEY_DIR}/worker-${W}.pem" \
- ubuntu@"$IP" "docker exec claude-portable bash -c 'bash /tmp/spec-hook/install.sh --check'" 2>&1
diff --git a/scripts/worker-config.sh b/scripts/worker-config.sh
new file mode 100644
index 0000000..a69835a
--- /dev/null
+++ b/scripts/worker-config.sh
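Review bot: In scripts/test/test-T026-code-review.sh, step 4 cannot fail: every line the first grep selects contains `/test/i`, and therefore a `/`, so the second stage `grep -qv '[\/\\\\]'` never finds a non-matching line and the `pass` branch is taken even against the old bare regex. A fixed-string check on the call itself separates the two forms, `if grep -qF '/test/i.test(' "$AUDIT_LOGGER"; then`, and it also removes the dependency on `grep -P`, which not every grep supports. Steps 2 and 4 record neither pass nor fail when the file under test is missing, so a renamed script or hook would go unnoticed as well.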
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+# Shared worker configuration — single source of truth for CCC worker IPs and SSH settings.
+# Source this from any worker script: source "$(dirname "$0")/worker-config.sh"
+
+KEY_DIR="${HOME}/.ssh/ccc-keys"
+
+declare -A WORKER_IPS=(
+ [1]="18.219.224.145"
+ [2]="18.223.188.176"
+ [3]="3.143.229.17"
+ [4]="52.14.228.211"
+)
+
+ALL_WORKERS="1 2 3 4"
+
+ssh_opts_for() {
+ local w="$1"
+ echo "-o StrictHostKeyChecking=no -o ConnectTimeout=10 -i ${KEY_DIR}/worker-${w}.pem"
+}
+
+resolve_worker() {
+ local w="$1"
+ local ip="${WORKER_IPS[$w]:-}"
+ if [ -z "$ip" ]; then
+ echo "Unknown worker: $w" >&2
+ return 1
+ fi
+ echo "$ip"
+}
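Review bot: `ssh_opts_for` in scripts/worker-config.sh carries `StrictHostKeyChecking=no` into the one place every worker script now gets its SSH options, so no deploy or check ever verifies which host it is talking to. The targets are hard-coded public addresses; if one of them is ever reassigned, the scripts would connect and deploy to whatever host answers there without any warning. Pinning host keys in a dedicated file closes that gap: `echo "-o StrictHostKeyChecking=accept-new -o UserKnownHostsFile=${KEY_DIR}/known_hosts -o IdentitiesOnly=yes -o ConnectTimeout=10 -i ${KEY_DIR}/worker-${w}.pem"`, ideally with that `known_hosts` file populated from the instances beforehand rather than learned on first contact. A comment above the function stating that host keys are verified against that file would keep the option from being relaxed again later.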