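# Interpreter from the project venv. `?=` keeps this default but lets a user
# override it from the environment or the command line (`make PY=python3`).
PY ?= .venv/bin/python
# Wardline scanner binary. The default is one user's home directory; on any other
# machine pass WARDLINE=<path> (env or command line) instead of editing this file.
WARDLINE ?= /home/john/.local/bin/wardline
# Delete a half-written target when its recipe fails, so a truncated product
# (notably .env, whose rule has no prerequisites and is never rebuilt once
# present) cannot pass as up to date.
.DELETE_ON_ERROR:
.PHONY: setup tour verify test scan docs ci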
# Provision the demo's gitignored secrets so a fresh clone "just goes".
# Idempotent: only generates .env when absent — never clobbers a hand-edited one.
# `setup` is phony; the actual work is the `.env` rule below, so the ✓ line is
# printed whether .env was just generated or already existed.
setup: .env
	@echo "✓ demo secrets ready (.env, gitignored). Next: make tour | make verify"
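# Shared HMAC for the Wardline→Legis signed scan handshake. Generated locally,
# 0600, never committed (.env is gitignored). Both names carry the SAME value:
# wardline signs with WARDLINE_LEGIS_ARTIFACT_KEY, legis verifies with
# LEGIS_WARDLINE_ARTIFACT_KEY. Absent → the tour degrades to an UNSIGNED handshake.
#
# LEGIS_HMAC_KEY is a DISTINCT, independent secret (its own fresh value, NOT the
# artifact key): it enables the legis binding ledger / closure gate. Gitignored,
# 0600, never committed. The standing legis MCP server reads it from the shell
# env — export before launching Claude Code (see README); absent → the gate stays
# disabled (CELL_NOT_ENABLED).
#
# Generation uses the system python3 (stdlib `secrets` only), not $(PY) —
# presumably so setup works before the venv exists; confirm.
# Every step is chained with `&&` rather than `;`: if python3 is missing or
# fails, the old form still wrote .env with EMPTY key values, and because this
# rule has no prerequisites that empty file would never be regenerated. The
# `test -n` guards make an empty key an explicit failure. The file is written to
# $@.tmp and renamed so an interrupted run never leaves a truncated .env behind;
# umask 077 makes both the temp file and .env 0600.
# NOTE(review): confirm `.env.tmp` is covered by .gitignore as `.env` is.
.env:
	@umask 077 && \
	KEY=$$(python3 -c 'import secrets; print(secrets.token_hex(32))') && \
	HMAC=$$(python3 -c 'import secrets; print(secrets.token_hex(32))') && \
	test -n "$$KEY" && test -n "$$HMAC" && \
	{ \
	  echo "# Lacuna demo secrets — GITIGNORED, generated by 'make setup'. Never commit."; \
	  echo "# Regenerate: rm .env && make setup"; \
	  echo "WARDLINE_LEGIS_ARTIFACT_KEY=$$KEY"; \
	  echo "LEGIS_WARDLINE_ARTIFACT_KEY=$$KEY"; \
	  echo "LEGIS_HMAC_KEY=$$HMAC"; \
	} > $@.tmp && mv -f $@.tmp $@
	@echo "✓ generated .env (0600) with a fresh shared HMAC key + legis ledger key"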
# Run the demo tour, then regenerate the docs (the second command is the same
# one the `docs` target runs). Needs .env: if it is absent the `.env` rule
# generates it first, so the tour runs with a signed handshake.
tour: .env
	$(PY) -m tour tour
	$(PY) -m tour.docs_gen
# Verification step of the tour module. Like `tour`, depends on .env so the
# handshake keys exist before it runs.
verify: .env
	$(PY) -m tour verify
# Unit tests via the venv's pytest. No prerequisites: unlike `tour`/`verify`
# this does not require .env.
test:
	$(PY) -m pytest
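# Wardline scan of the working tree, failing on ERROR-level findings.
# Trusted local checkout: the repo-owned baseline (deliberate planted
# specimen flaws) is allowed to clear the gate. CI-on-PR should instead
# scope to new findings with `--new-since <merge-base>`.
# The comments live above the header on purpose: inside the recipe a
# tab-indented `#` line is handed to (and echoed by) the shell, not Make.
scan:
	$(WARDLINE) scan . --fail-on ERROR --trust-suppressions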
# Regenerate the docs on their own (same command `tour` runs as its last step).
docs:
	$(PY) -m tour.docs_gen
# Aggregate CI target: tests, scan and verify. `verify` pulls in .env, so a
# fresh checkout generates demo secrets as part of `make ci`. Note that `scan`
# runs with --trust-suppressions; the scan rule's own comment recommends
# `--new-since <merge-base>` for PR CI — confirm this target is meant for a
# trusted-checkout pipeline only. Under `make -j` the three run in any order.
ci: test scan verify