# Tested

This file documents the validation status for `infra-run`.

## Tested Locally

- Repository structure and documentation links were reviewed.
- Bash scripts were reviewed for dry-run defaults, quoting, and obvious unsafe cleanup behavior.
- Disk-full examples use fake data and can be read without access to production systems.

## Syntax Checked

Recommended local checks:

```bash
find infra-run/scripts/bash -name '*.sh' -print0 \
  | xargs -0 shellcheck -x \
      -P infra-run/scripts/bash/disk-full \
      -P infra-run/scripts/bash/gpfs \
      -P infra-run/scripts/bash/veritas
yamllint .
cd infra-run/ansible && ansible-lint playbooks roles
```

The GitHub Actions workflow runs shell and YAML validation. `ansible-lint` is non-blocking because role behavior depends on platform facts, installed collections, and target OS support.

## Not Tested Against Real Systems

- Veritas VxVM/VCS commands were not tested against a live Veritas cluster here.
- GPFS / IBM Spectrum Scale commands were not tested against a live GPFS cluster here.
- AIX hardening tasks were not tested against a real AIX LPAR here.
- SSH hardening was not validated across every possible `sshd_config` layout.

## Known Limitations

- Destructive storage operations are dry-run by default where applicable, but dry-run output is not a substitute for peer review.
- Some scripts require vendor commands that are not available on a normal Linux workstation.
- Ansible examples are selected baseline controls, not full hardening benchmarks.
- Local linting does not prove production safety.

## Suggested Validation Steps

1. Run `shellcheck` against all Bash scripts.
2. Run `yamllint` against repository YAML.
3. Run `cd infra-run/ansible && ansible-lint playbooks roles` and review any non-blocking warnings.
4. Run disk-full read-only scripts on disposable local paths.
5. For Veritas or GPFS, test only in a lab with fake volumes/disks or a controlled training environment.
6. Validate SSH changes on a disposable host using the full effective `sshd` configuration.
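
For step 6, one way to compare the full effective configuration (what `sshd -T` reports after all `Include` files are merged) against a list of expected settings. This is an added example, not a script from this repository; the function names, the sample output, and the expected values are assumptions chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example; the expected values below are assumptions, not this
# repository's hardening baseline.

# check_effective_sshd EXPECTED
#   stdin:    `sshd -T` output ("keyword value" per line, keywords lowercased)
#   EXPECTED: newline-separated "Keyword value" pairs; '#' lines are skipped
# Prints one line per deviation and returns 0 only if every setting matches.
check_effective_sshd() (
  effective=$(cat)
  rc=0
  while read -r key want; do
    case $key in ''|'#'*) continue ;; esac
    key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
    # Value of the first line whose keyword matches.
    got=$(printf '%s\n' "$effective" |
      awk -v k="$key" '$1 == k { sub(/^[^ ]+ +/, ""); print; exit }')
    if [ -z "$got" ]; then
      echo "MISSING  $key (expected $want)"; rc=1
    elif [ "$got" != "$want" ]; then
      echo "MISMATCH $key effective=$got expected=$want"; rc=1
    fi
  done <<EOF
$1
EOF
  return "$rc"
)

# Constructed sample: abridged `sshd -T` output from a host where a drop-in
# file re-enabled password logins. sshd keeps the first value it obtains for
# a keyword, so an early Include can win over the main sshd_config.
sample_effective() {
  cat <<'EOF'
port 22
permitrootlogin no
passwordauthentication yes
maxauthtries 6
EOF
}

# Assumed expectations for the demo.
expected='PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
# Not present in the abridged sample above:
AllowTcpForwarding no'

sample_effective | check_effective_sshd "$expected" || true
```

On a disposable host, run `sshd -t && sshd -T | check_effective_sshd "$expected"` as root; settings inside `Match` blocks only appear when a connection spec is passed with `sshd -T -C`.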