-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathMakefile
More file actions
130 lines (101 loc) · 6.57 KB
/
Copy pathMakefile
File metadata and controls
130 lines (101 loc) · 6.57 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
.PHONY: build build-cli build-cdk build-dashboard build-serve release test mock integration deploy synth clean lint lint-terms generate-types check-types generate-knowledge check-knowledge generate-policy check-policy third-party-notices
GOPACKAGES = ./internal/... ./pkg/... ./cmd/...
DIST = ./dist
LAMBDA = $(DIST)/lambda
build: build-cli build-cdk build-dashboard ## Build all artefacts
build-cli: ## Build the CryptaMap CLI for the host platform
@mkdir -p $(DIST)
go build -o $(DIST)/cryptamap ./cmd/cryptamap
build-lambda: ## Build the Lambda bootstrap binary (linux/arm64)
@mkdir -p $(LAMBDA)
GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -tags lambda -ldflags="-s -w" -o $(LAMBDA)/bootstrap ./cmd/cryptamap
build-cdk: ## Build CDK TypeScript and synth templates
cd cdk && npm run build && npx cdk synth >/dev/null
build-dashboard: ## Build the React dashboard
cd dashboard && npm run build
build-serve: build-dashboard ## Build the CLI with the real dashboard embedded for `cryptamap serve`
@rm -rf cmd/cryptamap/webdist
@mkdir -p cmd/cryptamap/webdist
cp -R dashboard/dist/. cmd/cryptamap/webdist/
@# LEAK GUARD: never embed real-account data into the shipped binary. *.local.json
@# is the local real-org-data convention; go:embed ignores .gitignore, so strip them
@# from the staged bundle, then FAIL the build if any survive (a tripped guard means
@# real data almost entered a distributable artifact).
@find cmd/cryptamap/webdist -name '*.local.json' -delete
@if find cmd/cryptamap/webdist -name '*.local.json' | grep -q .; then \
echo "ERROR: *.local.json present in embed staging — refusing to build (real-data leak guard)"; exit 1; \
fi
@mkdir -p $(DIST)
go build -o $(DIST)/cryptamap ./cmd/cryptamap
@echo "Built $(DIST)/cryptamap with the dashboard embedded. Bundled /mock data is the SYNTHETIC demo (mode=mock); real-data *.local.json is stripped by the leak guard. NOTE: cmd/cryptamap/webdist is staged build output (gitignored); the committed placeholder keeps plain 'go build' working."
release: third-party-notices ## Cross-compile signed-ready air-gap release binaries into dist/release
bash scripts/release-build.sh
# THIRD-PARTY-NOTICES.md in the repo root is a hand-authored SUMMARY of the major
# direct dependencies (see the file header). The authoritative, complete report of
# EVERY transitive dependency and its license is regenerated at release time by the
# recipe below, which requires license tooling that is NOT installed in this repo:
# - go-licenses: go install github.com/google/go-licenses@latest
# - license-checker: npm install -g license-checker
# The recipe is intentionally guarded so a plain `make release` does not fail when the
# tooling is absent; it prints guidance and leaves the committed summary in place.
third-party-notices: ## Regenerate THIRD-PARTY-NOTICES.md from license tooling (release-time; requires go-licenses + license-checker)
@if command -v go-licenses >/dev/null 2>&1 && (cd dashboard && npx --no-install license-checker --version >/dev/null 2>&1); then \
echo "# Third-Party Notices (generated)" > THIRD-PARTY-NOTICES.generated.md; \
echo "\n## Go modules\n" >> THIRD-PARTY-NOTICES.generated.md; \
go-licenses report ./... 2>/dev/null >> THIRD-PARTY-NOTICES.generated.md; \
echo "\n## npm (dashboard, production)\n" >> THIRD-PARTY-NOTICES.generated.md; \
(cd dashboard && npx license-checker --production --csv) >> ../THIRD-PARTY-NOTICES.generated.md; \
echo "\n## npm (cdk, production)\n" >> THIRD-PARTY-NOTICES.generated.md; \
(cd cdk && npx license-checker --production --csv) >> ../THIRD-PARTY-NOTICES.generated.md; \
echo "Wrote THIRD-PARTY-NOTICES.generated.md — review, then replace THIRD-PARTY-NOTICES.md."; \
else \
echo "NOTE: go-licenses and/or license-checker not installed; skipping full regeneration."; \
echo " Install them to regenerate, or keep the hand-authored THIRD-PARTY-NOTICES.md summary."; \
echo " go install github.com/google/go-licenses@latest"; \
echo " npm install -g license-checker"; \
fi
generate-knowledge: ## Regenerate the embedded PQC knowledge JSON from the Go literals
go run ./cmd/gen-knowledge
check-knowledge: ## Fail if the embedded PQC knowledge JSON is stale (CI staleness guard)
go run ./cmd/gen-knowledge -check
generate-policy: ## Regenerate the scanner IAM action artifacts from the Go source list (single source of truth)
go run ./cmd/gen-policy
check-policy: ## Fail if the scanner IAM action artifacts are stale (CI drift guard for least-privilege policy)
go run ./cmd/gen-policy -check
generate-types: ## Generate dashboard TS types from the Go models (single source of truth)
go run ./cmd/gen-ts
check-types: generate-types ## Fail if dashboard/src/types/generated.ts is stale (regenerate + diff)
@git diff --exit-code -- dashboard/src/types/generated.ts \
|| { echo "ERROR: dashboard/src/types/generated.ts is stale. Run 'make generate-types' and commit."; exit 1; }
test: ## Run Go unit tests with coverage
go test $(GOPACKAGES) -cover
test-verbose: ## Run Go unit tests verbose
go test $(GOPACKAGES) -v -cover
vet: ## Run go vet
go vet $(GOPACKAGES)
mock: build-cli ## Run a mock end-to-end scan
@mkdir -p $(DIST)/mock-output
$(DIST)/cryptamap --mock --mock-scale 10 --regions us-east-1,ap-south-1 --output-dir $(DIST)/mock-output
mock-small: build-cli ## Run a small mock scan
$(DIST)/cryptamap --mock --mock-scale 3 --regions ap-south-1 --output-dir $(DIST)/mock-output
scan: build-cli ## Run a live scan in the configured AWS account/region
$(DIST)/cryptamap --regions ap-south-1 --output-dir $(DIST)/scan-output --verbose
synth: build-cdk ## CDK synth (no deploy)
cd cdk && npx cdk synth
# In CI (CI=1) skip the interactive prompts; interactively (default) keep the
# approval / confirmation gates so IAM changes and teardowns are not silent.
DEPLOY_FLAGS := $(if $(filter 1,$(CI)),--require-approval never,)
DESTROY_FLAGS := $(if $(filter 1,$(CI)),--force,)
deploy: build-lambda build-cdk build-dashboard ## CDK deploy to current AWS account
cd cdk && npx cdk deploy --all $(DEPLOY_FLAGS)
destroy: ## Tear down CryptaMap CDK stacks (DESTRUCTIVE)
cd cdk && npx cdk destroy --all $(DESTROY_FLAGS)
clean: ## Remove build artefacts
rm -rf $(DIST) cdk/cdk.out dashboard/dist
lint-terms: ## Banned-term gate: fail if user-visible "quantum-safe" wording regresses (use "quantum-resistant")
bash scripts/lint-terms.sh
lint: lint-terms ## Run linters
go vet $(GOPACKAGES)
cd dashboard && npm run lint || true
help: ## Show this help
@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}'