Add Codex repository guidance and validation

scripts/check-ansible.sh

@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+set -o errexit
+set -o nounset
+set -o pipefail
+
+STRICT="${STRICT:-0}"
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+ANSIBLE_DIR="$ROOT_DIR/infra-run/ansible"
+
+ok_count=0
+warn_count=0
+fail_count=0
+
+ok() {
+  printf 'OK: %s\n' "$*"
+  ok_count=$((ok_count + 1))
+}
+
+warning() {
+  printf 'WARNING: %s\n' "$*"
+  warn_count=$((warn_count + 1))
+}
+
+critical() {
+  printf 'CRITICAL: %s\n' "$*"
+  fail_count=$((fail_count + 1))
+}
+
+if [[ ! -d "$ANSIBLE_DIR" ]]; then
+  warning "No infra-run/ansible directory found"
+  printf '\nAnsible summary: %d OK, %d WARNING, %d CRITICAL\n' "$ok_count" "$warn_count" "$fail_count"
+  exit 0
+fi
+
+mapfile -t yaml_files < <(find "$ANSIBLE_DIR" -type f \( -name '*.yml' -o -name '*.yaml' \) -print | sort)
+
+if ((${#yaml_files[@]} == 0)); then
+  warning "No Ansible YAML files found"
+else
+  ok "Found ${#yaml_files[@]} Ansible YAML files"
+fi
+
+if command -v ansible-playbook >/dev/null 2>&1; then
+  while IFS= read -r playbook; do
+    [[ -n "$playbook" ]] || continue
+    playbook_rel="${playbook#"$ANSIBLE_DIR"/}"
+    if (cd "$ANSIBLE_DIR" && ansible-playbook --syntax-check -i inventory/hosts.yml "$playbook_rel"); then
+      ok "ansible syntax $playbook_rel"
+    else
+      critical "ansible syntax failed $playbook_rel"
+    fi
+  done < <(find "$ANSIBLE_DIR/playbooks" -type f \( -name '*.yml' -o -name '*.yaml' \) -print | sort)
+else
+  if [[ "$STRICT" == "1" ]]; then
+    critical "ansible-playbook not installed"
+  else
+    warning "ansible-playbook not installed; skipped syntax checks"
+  fi
+fi
+
+if command -v ansible-lint >/dev/null 2>&1; then
+  if (cd "$ANSIBLE_DIR" && ansible-lint playbooks roles); then
+    ok "ansible-lint"
+  else
+    critical "ansible-lint reported issues"
+  fi
+else
+  if [[ "$STRICT" == "1" ]]; then
+    critical "ansible-lint not installed"
+  else
+    warning "ansible-lint not installed; skipped optional lint"
+  fi
+fi
+
+if command -v yamllint >/dev/null 2>&1; then
+  if yamllint "$ANSIBLE_DIR"; then
+    ok "yamllint infra-run/ansible"
+  else
+    critical "yamllint reported issues in infra-run/ansible"
+  fi
+else
+  if [[ "$STRICT" == "1" ]]; then
+    critical "yamllint not installed"
+  else
+    warning "yamllint not installed; skipped optional YAML lint"
+  fi
+fi
+
+printf '\nAnsible summary: %d OK, %d WARNING, %d CRITICAL\n' "$ok_count" "$warn_count" "$fail_count"
+
+if ((fail_count > 0)); then
+  exit 1
+fi
+
+exit 0

scripts/check-bash.sh

@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+set -o errexit
+set -o nounset
+set -o pipefail
+
+STRICT="${STRICT:-0}"
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+
+ok_count=0
+warn_count=0
+fail_count=0
+
+ok() {
+  printf 'OK: %s\n' "$*"
+  ok_count=$((ok_count + 1))
+}
+
+warning() {
+  printf 'WARNING: %s\n' "$*"
+  warn_count=$((warn_count + 1))
+}
+
+critical() {
+  printf 'CRITICAL: %s\n' "$*"
+  fail_count=$((fail_count + 1))
+}
+
+mapfile -t bash_files < <(find "$ROOT_DIR" -path "$ROOT_DIR/.git" -prune -o -type f -name '*.sh' -print | sort)
+
+if ((${#bash_files[@]} == 0)); then
+  warning "No Bash scripts found"
+else
+  for file in "${bash_files[@]}"; do
+    if bash -n "$file"; then
+      ok "bash -n ${file#"$ROOT_DIR"/}"
+    else
+      critical "bash syntax failed: ${file#"$ROOT_DIR"/}"
+    fi
+
+    first_line="$(sed -n '1p' "$file")"
+    if [[ "$first_line" != '#!/usr/bin/env bash' ]]; then
+      warning "Non-standard shebang in ${file#"$ROOT_DIR"/}"
+    fi
+
+    if ! grep -Eq 'set -o errexit|set -euo pipefail|set -eu|set -e' "$file"; then
+      warning "No errexit-style strict mode detected in ${file#"$ROOT_DIR"/}"
+    fi
+  done
+fi
+
+if command -v shellcheck >/dev/null 2>&1; then
+  if shellcheck -x \
+    -e SC1091 \
+    -P "$ROOT_DIR/infra-run/scripts/bash/disk-full" \
+    -P "$ROOT_DIR/infra-run/scripts/bash/gpfs" \
+    -P "$ROOT_DIR/infra-run/scripts/bash/veritas" \
+    "${bash_files[@]}"; then
+    ok "shellcheck"
+  else
+    critical "shellcheck reported issues"
+  fi
+else
+  if [[ "$STRICT" == "1" ]]; then
+    critical "shellcheck not installed"
+  else
+    warning "shellcheck not installed; skipped optional lint"
+  fi
+fi
+
+printf '\nBash summary: %d OK, %d WARNING, %d CRITICAL\n' "$ok_count" "$warn_count" "$fail_count"
+
+if ((fail_count > 0)); then
+  exit 1
+fi
+
+exit 0

scripts/check-docs.sh

@@ -0,0 +1,88 @@
+#!/usr/bin/env bash
+set -o errexit
+set -o nounset
+set -o pipefail
+
+STRICT="${STRICT:-0}"
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+
+ok_count=0
+warn_count=0
+fail_count=0
+
+ok() {
+  printf 'OK: %s\n' "$*"
+  ok_count=$((ok_count + 1))
+}
+
+warning() {
+  printf 'WARNING: %s\n' "$*"
+  warn_count=$((warn_count + 1))
+}
+
+critical() {
+  printf 'CRITICAL: %s\n' "$*"
+  fail_count=$((fail_count + 1))
+}
+
+mapfile -t markdown_files < <(find "$ROOT_DIR" -path "$ROOT_DIR/.git" -prune -o -type f -name '*.md' -print | sort)
+
+if ((${#markdown_files[@]} == 0)); then
+  warning "No Markdown files found"
+else
+  ok "Found ${#markdown_files[@]} Markdown files"
+fi
+
+missing_links=0
+while IFS= read -r link; do
+  [[ -n "$link" ]] || continue
+  file="${link%%:*}"
+  target="${link#*:}"
+
+  [[ "$target" == http://* || "$target" == https://* || "$target" == mailto:* || "$target" == \#* ]] && continue
+  target="${target%%#*}"
+  [[ -n "$target" ]] || continue
+
+  base_dir="$(dirname "$file")"
+  if [[ ! -e "$base_dir/$target" ]]; then
+    critical "Broken local Markdown link in ${file#"$ROOT_DIR"/}: $target"
+    missing_links=$((missing_links + 1))
+  fi
+done < <(
+  for file in "${markdown_files[@]}"; do
+    grep -Eo '\[[^]]+\]\([^)]+\)' "$file" \
+      | sed -E 's/.*\]\(([^)]+)\).*/'"${file//\//\\/}"':\1/' || true
+  done
+)
+
+if ((missing_links == 0)); then
+  ok "No obvious broken local Markdown links"
+fi
+
+if command -v markdownlint >/dev/null 2>&1; then
+  if markdownlint "${markdown_files[@]}"; then
+    ok "markdownlint"
+  else
+    critical "markdownlint reported issues"
+  fi
+elif command -v markdownlint-cli2 >/dev/null 2>&1; then
+  if markdownlint-cli2 "${markdown_files[@]}"; then
+    ok "markdownlint-cli2"
+  else
+    critical "markdownlint-cli2 reported issues"
+  fi
+else
+  if [[ "$STRICT" == "1" ]]; then
+    critical "markdownlint not installed"
+  else
+    warning "markdownlint not installed; skipped optional Markdown lint"
+  fi
+fi
+
+printf '\nDocs summary: %d OK, %d WARNING, %d CRITICAL\n' "$ok_count" "$warn_count" "$fail_count"
+
+if ((fail_count > 0)); then
+  exit 1
+fi
+
+exit 0

scripts/validate-repo.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+set -o errexit
+set -o nounset
+set -o pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+
+status=0
+
+run_check() {
+  local name="$1"
+  shift
+
+  printf '\n== %s ==\n' "$name"
+  if "$@"; then
+    printf 'OK: %s completed\n' "$name"
+  else
+    printf 'CRITICAL: %s failed\n' "$name"
+    status=1
+  fi
+}
+
+run_check "Bash" "$ROOT_DIR/scripts/check-bash.sh"
+run_check "Ansible" "$ROOT_DIR/scripts/check-ansible.sh"
+run_check "Docs" "$ROOT_DIR/scripts/check-docs.sh"
+
+printf '\n== Repository summary ==\n'
+if ((status == 0)); then
+  printf 'OK: repository validation completed with no critical failures\n'
+else
+  printf 'CRITICAL: one or more validation checks failed\n'
+fi
+
+exit "$status"