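#!/usr/bin/env bash
#
# Policy gate for Kratos identity write paths.
#
# Scans the backend/ and scripts/ trees for code that writes to Kratos
# identities (admin API calls, provider CreateUser/UpdatePassword helpers,
# raw "UPDATE identities" SQL) and fails unless every hit lives in a file
# from the allowlist below, the policy document exists and documents every
# allowlisted file, and the maintenance tooling carries its safety guards.
#
# Exits 0 when all checks pass, 1 on any violation, and also 1 when the
# scan itself cannot run (git failure) so the gate fails closed rather
# than passing vacuously on an empty result.
set -euo pipefail

repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
readonly repo_root
readonly policy_doc="$repo_root/docs/identity-redis-mirror-policy-2026-06-09.md"

# Files that are permitted to contain Kratos identity write paths. Every
# entry must also be referenced in the policy document (checked below).
allowed_files="$(
  cat <<'EOF'
backend/cmd/adminctl/main.go
backend/cmd/fix_kratos_roles.go
backend/internal/bootstrap/admin_account.go
backend/internal/bootstrap/kratos_seed.go
backend/internal/handler/auth_handler.go
backend/internal/handler/user_handler.go
backend/internal/service/kratos_admin_service.go
backend/internal/service/identity_write_service.go
backend/internal/service/ory_service.go
backend/internal/service/user_group_service.go
scripts/clear_orphan_tenant_memberships.sh
EOF
)"
readonly allowed_files

# ERE matched by `git grep -E`; `[.]` is a literal dot so that e.g.
# "KratosAdmin.UpdateIdentity" does not also match "KratosAdminXUpdateIdentity".
readonly pattern='admin/identities|KratosAdmin[.]UpdateIdentity|KratosAdmin[.]DeleteIdentity|kratos[.]UpdateIdentity|kratosAdmin[.]UpdateIdentity|identityAdmin[.]CreateUser|identityAdmin[.]UpdateIdentityPassword|idp[.]CreateUser|IdpProvider[.]CreateUser|IdpProvider[.]UpdateUserPassword|OryProvider[.]CreateUser|OryProvider[.]UpdateUserPassword|UPDATE identities'

#######################################
# Print an error to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Fail with a message unless a file contains every given literal string.
# Arguments: $1 - file to inspect
#            $2 - error message used on failure
#            $3.. - literal strings that must all be present
#######################################
require_literals() {
  local file=$1 message=$2 needle
  shift 2
  for needle in "$@"; do
    # A missing or unreadable file also fails the check (fail closed).
    if ! grep -Fq -- "$needle" "$file"; then
      die "$message"
    fi
  done
}

# --- 1. Scan for write paths outside the allowlist -------------------------
#
# git grep exits 1 when nothing matched and >1 on a real error (not a git
# repo, bad pathspec, ...). Only the "no match" case may be treated as an
# empty result; any other failure must not silently pass the gate.
scan_rc=0
findings="$(
  git -C "$repo_root" grep -nE "$pattern" -- \
    backend \
    scripts \
    ':(exclude)backend/**/*_test.go' \
    ':(exclude)scripts/backup'
)" || scan_rc=$?
if (( scan_rc > 1 )); then
  die "git grep failed (exit $scan_rc); cannot verify Kratos identity write paths"
fi

unexpected=""
while IFS= read -r finding; do
  [[ -n "$finding" ]] || continue
  # `git grep -n` output is "path:line:text"; the path is everything before
  # the first colon.
  file="${finding%%:*}"
  if ! grep -Fxq -- "$file" <<<"$allowed_files"; then
    unexpected="${unexpected}${finding}"$'\n'
  fi
done <<<"$findings"

if [[ -n "$unexpected" ]]; then
  printf 'ERROR: undocumented Kratos identity write path detected.\n' >&2
  printf '%s' "$unexpected" >&2
  exit 1
fi

# --- 2. Policy document and guard checks ------------------------------------

[[ -f "$policy_doc" ]] \
  || die "missing identity Redis mirror policy document: $policy_doc"

# The HTTP handler is allowlisted for indirect use only; it must go through
# the service layer rather than hitting the admin identity endpoints itself.
if grep -Fq -- "admin/identities/" "$repo_root/backend/internal/handler/auth_handler.go"; then
  die "auth_handler must not call Kratos admin identity endpoints directly; use KratosAdminService or IdentityWriteService."
fi

require_literals "$repo_root/backend/cmd/fix_kratos_roles.go" \
  "fix_kratos_roles must require dry-run/maintenance-window/mark-mirror-stale guards." \
  "maintenance-window" "dry-run" "mark-mirror-stale"

require_literals "$repo_root/scripts/clear_orphan_tenant_memberships.sh" \
  "clear_orphan_tenant_memberships.sh must require explicit Kratos DB maintenance and mirror-stale guards." \
  "CONFIRM_KRATOS_DB_MAINTENANCE" "MARK_IDENTITY_MIRROR_STALE"

require_literals "$policy_doc" \
  "policy document must include the Kratos write path audit section." \
  "## Kratos write 경로 감사"

# Every allowlisted file must be named in the policy document, so the
# allowlist cannot grow without the documented audit being updated.
while IFS= read -r file; do
  [[ -n "$file" ]] || continue
  if ! grep -Fq -- "$file" "$policy_doc"; then
    die "allowed Kratos write path is not documented: $file"
  fi
done <<<"$allowed_files"

printf '%s\n' "kratos identity write path policy checks passed"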