
feat: add Sysinternals AccessChk output as a material type#3186

Merged
javirln merged 1 commit into
chainloop-dev:mainfrom
javirln:accesschk
Jun 11, 2026

Conversation

@javirln

@javirln javirln commented Jun 11, 2026

Member

Adds a new material type, SYSINTERNALS_ACCESSCHK, that ingests the text output of the Sysinternals AccessChk tool as supply-chain evidence.

AccessChk only emits plain text, so the raw output is stored as-is and projected to JSON at policy-evaluation time (mirroring the existing JUNIT_XML/JACOCO_XML handling) so the Rego policy engine can evaluate it. A tolerant parser structures both the compact R/W output and the -l full security descriptor output (owner, descriptor flags, DACL/SACL ACEs), while always preserving the original text for string-matching fallbacks.

The material type is explicit-only and is not part of automatic detection.

Linear: PFM-6344

This contribution was assisted by Claude Code.

Adds the SYSINTERNALS_ACCESSCHK material type, which ingests the text
output of the Sysinternals AccessChk tool as supply-chain evidence. The
raw text is stored as-is and projected to JSON at policy-evaluation time
so the Rego engine can evaluate it. A tolerant parser structures both the
compact R/W output and the -l full security descriptor output (owner,
descriptor flags, DACL/SACL ACEs).

Assisted-by: Claude Code
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>

Chainloop-Trace-Sessions: b8473948-16f2-4eaa-8f49-ba5b19dfd8ed
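The compact R/W output the description refers to, as an added example that is not Chainloop's own parser: a tolerant Go parser that groups each object's effective-permission lines under its path, keeps the raw text alongside the JSON projection for string-matching fallbacks, and skips the tool banner so default and -nobanner runs parse identically. The paths, accounts and banner text in the sample are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Entry, Object and Report mirror the compact layout: indented "<R|W|RW> <account>" lines under an unindented object path.
type Entry struct {
	Account string `json:"account"`
	Read    bool   `json:"read"`
	Write   bool   `json:"write"`
}
type Object struct {
	Path    string  `json:"path"`
	Entries []Entry `json:"entries"`
}
type Report struct {
	Objects []Object `json:"objects"`
	Raw     string   `json:"raw"` // untouched original text for string-matching fallbacks
}

// ParseCompact structures the default R/W output. Banner, blank, CRLF and unrecognised
// lines are tolerated rather than rejected, so a -nobanner run parses identically.
func ParseCompact(raw string) Report {
	r := Report{Raw: raw}
	for _, line := range strings.Split(raw, "\n") {
		trimmed := strings.TrimSpace(line)
		switch {
		case trimmed == "" || isBanner(trimmed): // nothing to record
		case strings.HasPrefix(line, " "): // indented: an entry under the last object seen
			code, account, ok := strings.Cut(trimmed, " ")
			if ok && strings.Trim(code, "RW") == "" && len(r.Objects) > 0 {
				obj := &r.Objects[len(r.Objects)-1]
				obj.Entries = append(obj.Entries, Entry{Account: strings.TrimSpace(account),
					Read: strings.Contains(code, "R"), Write: strings.Contains(code, "W")})
			}
		default: // unindented: a new object path (file, registry key or service)
			r.Objects = append(r.Objects, Object{Path: trimmed})
		}
	}
	return r
}
// isBanner matches the header lines AccessChk prints unless it is run with -nobanner.
func isBanner(s string) bool { return strings.HasPrefix(s, "Accesschk v") || strings.HasPrefix(s, "Copyright (C)") || strings.HasPrefix(s, "Sysinternals -") }
func main() { // constructed sample, not real tool output
	b, _ := json.Marshal(ParseCompact("C:\\svc\\bin\n  RW BUILTIN\\Users\n  R  Everyone\n"))
	fmt.Println(string(b))
}
```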
@chainloop-platform

chainloop-platform Bot commented Jun 11, 2026

Contributor

AI Session Analysis

Avg score: 🟡 60%
Sessions: 1
Failing policies: ✅ 0
Attribution: 99% AI / 1% Human
Files: 18
Lines: +810 / -2
Total duration: 13h31m19s

🟡 60% — 99% AI — ✅ All policies passing

Jun 10, 2026 15:37 UTC · 13h31m19s · $53.18 · 104.8k in / 402.0k out · claude-code 2.1.170 (claude-opus-4-8)


Change Summary

  • Adds SYSINTERNALS_ACCESSCHK as a new material type.
  • Implements parser, crafter, and evaluation-time JSON projection for AccessChk text output.
  • Adds parser and material tests plus fixtures, then re-runs package and module sweeps.
  • Rebases the feature to keep SYSINTERNALS_ACCESSCHK = 35, regenerates artifacts, and removes stray codegen churn.

AI Session Overall Score

🟡 60% — Strong verification, but repeated alignment misses cap confidence at yellow.

AI Session Analysis Breakdown

🟢 93% · verification

🟢 Parser, crafter, and evaluation tests all ran RED first, then GREEN. · High Impact

🟢 90% · scope-discipline

🟢 AI restored unrelated codegen churn instead of shipping it. · High Impact

🟢 88% · context-and-planning

🟢 AI wrote and committed a design spec before implementation. · High Impact

🟢 86% · user-trust-signal

No notes.

🟡 68% · solution-quality

🟠 Real-data verification showed 732 MB inputs balloon to about 15 GB RAM and 2.4 GB JSON, and that limit remained. · Medium Severity

💡 When real-data checks expose production-scale limits, treat them as release blockers or track a bounded mitigation before shipping.

🔴 32% · alignment

🔴 AI initially designed around nonexistent CSV/JSON output until the user corrected AccessChk's actual text-only formats. · High Severity

💡 Verify external tool capabilities before branching the design, especially when they shape the whole implementation.

🔴 AI said no zip-derived test data remained, then later found AJRouter copied from the user's sample and scrubbed it. · High Severity

💡 When you make a negative claim about user data, re-check fixtures and assertions before stating it confidently.

🟠 User asked to push, open the PR, and link the task; the session stopped after environment checks. · Medium Severity

💡 When the user asks for the final shipping step, either complete it or state clearly that the request remains unfinished.


File Attribution

███████████████████░ 99% AI / 1% Human

Status Attribution File Lines
created ai pkg/attestation/crafter/materials/accesschk/accesschk.go +283 / -0
created ai pkg/attestation/crafter/materials/accesschk/accesschk_test.go +186 / -0
created ai pkg/attestation/crafter/materials/accesschk_test.go +143 / -0
created ai pkg/attestation/crafter/materials/accesschk.go +83 / -0
created ai pkg/attestation/crafter/materials/accesschk/testdata/descriptor.txt +18 / -0
created ai pkg/attestation/crafter/materials/accesschk/testdata/sddl.txt +15 / -0
modified ai pkg/attestation/crafter/api/attestation/v1/crafting_state_test.go +14 / -0
modified ai pkg/attestation/crafter/api/attestation/v1/crafting_state.go +13 / -0
created ai pkg/attestation/crafter/materials/accesschk/testdata/verbose.txt +11 / -0
created ai pkg/attestation/crafter/materials/accesschk/testdata/service.txt +10 / -0
created ai pkg/attestation/crafter/materials/accesschk/testdata/default.txt +8 / -0
created ai pkg/attestation/crafter/materials/testdata/accesschk-default.txt +8 / -0
created ai pkg/attestation/crafter/materials/testdata/accesschk-verbose.txt +6 / -0
modified human app/cli/documentation/cli-reference.mdx +2 / -2
created ai pkg/attestation/crafter/materials/accesschk/testdata/garbage.txt +3 / -0
created ai pkg/attestation/crafter/materials/accesschk/testdata/nobanner.txt +3 / -0
modified ai app/controlplane/api/workflowcontract/v1/crafting_schema.proto +2 / -0
modified ai pkg/attestation/crafter/materials/materials.go +2 / -0

Policies (4)

Status Policy Material Messages
✅ Passed ai-config-ai-agents-allowed ai-coding-session-b84739 -
✅ Passed ai-config-no-dangerous-commands ai-coding-session-b84739 -
✅ Passed ai-config-no-secrets ai-coding-session-b84739 -
✅ Passed ai-config-mcp-servers-allowed ai-coding-session-b84739 -

Powered by Chainloop and Chainloop Trace

@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 32 files


@javirln javirln requested a review from a team June 11, 2026 05:13
@javirln javirln merged commit 99373d4 into chainloop-dev:main Jun 11, 2026
16 checks passed
