feat(shared/safety): add retry, with-timeout, file-lock, dry-run, confirm-dangerous, and audit-event scripts with docs

Author: rudraditya21

docs/scripts/shared/safety/audit-event.md

@@ -0,0 +1,80 @@
+# audit-event.sh
+
+## Purpose
+Emit structured JSON audit events for operational actions, outcomes, and metadata.
+
+## Location
+`shared/safety/audit-event.sh`
+
+## Preconditions
+- Required tools: `bash`, `date`
+- Required permissions: write permissions for `--output` target file (if used)
+- Required environment variables: optional `AUDIT_ACTOR`
+
+## Arguments
+| Flag | Required | Default | Description |
+|------|----------|---------|-------------|
+| `--action TEXT` | Yes | N/A | Action identifier |
+| `--actor TEXT` | No | `AUDIT_ACTOR` or `USER` | Acting principal |
+| `--target TEXT` | No | empty | Target resource id |
+| `--status VALUE` | No | `info` | `info\|success\|failure\|warning` |
+| `--message TEXT` | No | empty | Human-readable message |
+| `--event-id ID` | No | generated id | Event correlation id |
+| `--source TEXT` | No | script basename | Originating component |
+| `--meta KEY=VALUE` | No | none | Metadata pair (repeatable, last key wins) |
+| `--timestamp-format F` | No | `%Y-%m-%dT%H:%M:%S%z` | Timestamp format |
+| `--output FILE` | No | stdout | Append event to file |
+| `--pretty` | No | `false` | Multi-line JSON output |
+
+## Scenarios
+- Happy path: emit audit JSON to stdout for stream ingestion.
+- Common operational path: append JSON lines to audit file.
+- Failure path: missing action, invalid status, or invalid meta key.
+- Recovery/rollback path: correct schema fields and rerun emit step.
+
+## Usage
+```bash
+shared/safety/audit-event.sh --action deploy.start --status info --target service/api
+shared/safety/audit-event.sh --action deploy.finish --status success --meta version=1.4.2 --meta env=prod
+shared/safety/audit-event.sh --action db.backup --status failure --message "snapshot timeout" --output /var/log/devops-audit.log
+```
+
+## Behavior
+- Main execution flow:
+  - validate required fields and enums
+  - generate timestamp/event id when absent
+  - build escaped JSON payload
+  - emit to stdout or append to output file
+- Idempotency notes: each execution emits a new event (non-idempotent by design).
+- Side effects: appends to audit file when `--output` is used.
+
+## Output
+- Standard output format: JSON object (compact by default, pretty with `--pretty`).
+- Exit codes:
+  - `0` event emitted successfully
+  - `2` validation/usage error
+
+## Failure Modes
+- Common errors and likely causes:
+  - missing `--action`
+  - invalid `--status`
+  - malformed `--meta` pair or invalid metadata key
+  - output directory does not exist
+- Recovery and rollback steps:
+  - correct required fields and enums
+  - ensure output path parent exists and is writable
+  - validate metadata format before emission
+
+## Security Notes
+- Secret handling: avoid including credentials/tokens in message or metadata.
+- Least-privilege requirements: restrict write access to audit output path.
+- Audit/logging expectations: designed for SIEM/log pipeline ingestion.
+
+## Testing
+- Unit tests:
+  - status enum and metadata validation
+  - JSON escaping logic
+- Integration tests:
+  - append behavior to output files
+- Manual verification:
+  - emit success/failure events and validate JSON schema

docs/scripts/shared/safety/confirm-dangerous.md

@@ -0,0 +1,71 @@
+# confirm-dangerous.sh
+
+## Purpose
+Enforce explicit human confirmation before running potentially destructive operations.
+
+## Location
+`shared/safety/confirm-dangerous.sh`
+
+## Preconditions
+- Required tools: `bash`, interactive stdin for prompted mode
+- Required permissions: none beyond script execution
+- Required environment variables: optional `CONFIRM_DANGEROUS`
+
+## Arguments
+| Flag | Required | Default | Description |
+|------|----------|---------|-------------|
+| `--message TEXT` | No | destructive warning message | Context shown to operator |
+| `--prompt TEXT` | No | `Type '<token>' to continue` | Prompt text |
+| `--expect TOKEN` | No | `CONFIRM` | Required input token |
+| `-y`, `--yes` | No | `false` | Non-interactive bypass |
+| `--timeout SEC` | No | `0` | Prompt timeout in seconds |
+
+## Scenarios
+- Happy path: operator types expected token and script exits `0`.
+- Common operational path: audited automation uses `--yes` or `CONFIRM_DANGEROUS=1`.
+- Failure path: mismatch, timeout, or non-interactive stdin without override exits `1`.
+- Recovery/rollback path: rerun with explicit approval and validated context.
+
+## Usage
+```bash
+shared/safety/confirm-dangerous.sh --message "About to delete production resources"
+shared/safety/confirm-dangerous.sh --expect DELETE --prompt "Type DELETE to continue"
+CONFIRM_DANGEROUS=1 shared/safety/confirm-dangerous.sh
+```
+
+## Behavior
+- Main execution flow:
+  - check non-interactive overrides
+  - require interactive input when override absent
+  - compare response with expected token
+- Idempotency notes: idempotent; no mutable side effects.
+- Side effects: user interaction and stderr messaging.
+
+## Output
+- Standard output format: confirmation status messages on stderr.
+- Exit codes:
+  - `0` confirmed
+  - `1` confirmation rejected/timed out/unavailable
+  - `2` invalid script arguments
+
+## Failure Modes
+- Common errors and likely causes:
+  - running in non-interactive session without `--yes`
+  - wrong confirmation token entered
+  - read timeout reached
+- Recovery and rollback steps:
+  - rerun in interactive shell or with explicit audited override
+  - confirm correct token before retry
+
+## Security Notes
+- Secret handling: avoid embedding secrets in prompt text.
+- Least-privilege requirements: no elevated permissions required.
+- Audit/logging expectations: pair with audit logging to record approval context.
+
+## Testing
+- Unit tests:
+  - option validation and token matching
+- Integration tests:
+  - non-interactive behavior with and without overrides
+- Manual verification:
+  - interactive acceptance/rejection and timeout paths

docs/scripts/shared/safety/dry-run.md

@@ -0,0 +1,73 @@
+# dry-run.sh
+
+## Purpose
+Standardize dry-run behavior for shell automation by printing command intent without executing mutations.
+
+## Location
+`shared/safety/dry-run.sh`
+
+## Preconditions
+- Required tools: `bash`
+- Required permissions: execute permission for wrapped command when not in dry-run mode
+- Required environment variables: optional `DRY_RUN`
+
+## Arguments
+| Flag | Required | Default | Description |
+|------|----------|---------|-------------|
+| `--dry-run` | No | from `DRY_RUN` env | Force dry-run mode |
+| `--execute` | No | from `DRY_RUN` env | Force execution mode |
+| `--prefix TEXT` | No | `DRY-RUN` | Prefix for dry-run message |
+| `--quiet` | No | `false` | Suppress dry-run message |
+| `-- COMMAND [ARGS...]` | Yes | N/A | Command to print/execute |
+
+## Scenarios
+- Happy path: in dry-run mode, command is printed and not executed.
+- Common operational path: CI pipeline toggles execution via `DRY_RUN`.
+- Failure path: missing command or bad flags returns usage error.
+- Recovery/rollback path: rerun with `--execute` after validation.
+
+## Usage
+```bash
+shared/safety/dry-run.sh --dry-run -- terraform apply
+DRY_RUN=1 shared/safety/dry-run.sh -- kubectl delete ns temp
+shared/safety/dry-run.sh --execute -- ./migrate.sh
+```
+
+## Behavior
+- Main execution flow:
+  - resolve dry-run mode from env/flags
+  - validate command input
+  - print quoted command in dry-run mode or execute directly
+- Idempotency notes: dry-run branch is non-mutating; execution branch depends on wrapped command.
+- Side effects: none in dry-run mode; wrapped command side effects in execute mode.
+
+## Output
+- Standard output format:
+  - dry-run mode: `<prefix>: <quoted command>` to stderr (unless `--quiet`)
+  - execute mode: wrapped command output
+- Exit codes:
+  - `0` dry-run success or wrapped command success
+  - wrapped command non-zero exit in execute mode
+  - `2` invalid script arguments
+
+## Failure Modes
+- Common errors and likely causes:
+  - no command passed after `--`
+  - conflicting assumptions on dry-run state
+- Recovery and rollback steps:
+  - pass explicit `--dry-run`/`--execute` for clarity
+  - verify command arguments before execution mode
+
+## Security Notes
+- Secret handling: dry-run output may include full arguments; avoid secret-bearing args in logged channels.
+- Least-privilege requirements: no elevated privileges for dry-run path.
+- Audit/logging expectations: useful for change preview in approval workflows.
+
+## Testing
+- Unit tests:
+  - env/flag precedence for dry-run mode
+  - command quoting behavior
+- Integration tests:
+  - verify no mutation occurs in dry-run mode
+- Manual verification:
+  - compare behavior for `--dry-run` vs `--execute`

docs/scripts/shared/safety/file-lock.md

@@ -0,0 +1,74 @@
+# file-lock.sh
+
+## Purpose
+Provide exclusive lock-based command execution to prevent concurrent unsafe operations.
+
+## Location
+`shared/safety/file-lock.sh`
+
+## Preconditions
+- Required tools: `bash`, `mkdir`, `rm`, `date`, `awk`, `sleep`, `stat`
+- Required permissions: write permissions on lock path parent directory
+- Required environment variables: none
+
+## Arguments
+| Flag | Required | Default | Description |
+|------|----------|---------|-------------|
+| `--lock-file PATH` | Yes | N/A | Lock directory path |
+| `--timeout SEC` | No | `0` | Wait timeout (`0` waits indefinitely) |
+| `--poll-interval SEC` | No | `0.2` | Poll interval while waiting |
+| `--stale-after SEC` | No | `0` | Break stale lock older than SEC |
+| `--quiet` | No | `false` | Suppress wait/stale logs |
+| `-- COMMAND [ARGS...]` | Yes | N/A | Command to run while lock is held |
+
+## Scenarios
+- Happy path: lock acquired immediately; command runs and lock is released.
+- Common operational path: multiple workers serialize writes safely.
+- Failure path: lock wait timeout expires or lock path cannot be created.
+- Recovery/rollback path: investigate stale lock owner, tune `--stale-after`, retry safely.
+
+## Usage
+```bash
+shared/safety/file-lock.sh --lock-file /tmp/deploy.lock -- ./deploy.sh
+shared/safety/file-lock.sh --lock-file /tmp/state.lock --timeout 60 -- terraform apply
+shared/safety/file-lock.sh --lock-file /tmp/sync.lock --stale-after 300 -- ./sync-state.sh
+```
+
+## Behavior
+- Main execution flow:
+  - attempt atomic lock acquisition via `mkdir`
+  - optionally break stale lock
+  - run command under lock
+  - release lock on exit/signals
+- Idempotency notes: lock handling is idempotent for same process lifecycle.
+- Side effects: lock directory create/remove and metadata file writes.
+
+## Output
+- Standard output format: wrapped command output; lock status logs on stderr unless `--quiet`.
+- Exit codes:
+  - wrapped command exit code
+  - `73` timeout waiting for lock
+  - `2` invalid script arguments
+
+## Failure Modes
+- Common errors and likely causes:
+  - missing or invalid `--lock-file`
+  - lock path parent not writable
+  - stale lock removal failure
+- Recovery and rollback steps:
+  - correct filesystem permissions
+  - inspect stale lock metadata (`.owner`)
+  - manually clear lock only after owner validation
+
+## Security Notes
+- Secret handling: do not store secret values in lock path names.
+- Least-privilege requirements: only filesystem permissions required for lock location.
+- Audit/logging expectations: lock wait/timeout logs useful for concurrency incident analysis.
+
+## Testing
+- Unit tests:
+  - timeout and stale lock validation logic
+- Integration tests:
+  - concurrent process contention and serialization behavior
+- Manual verification:
+  - run two commands against same lock path and confirm mutual exclusion

docs/scripts/shared/safety/retry.md

@@ -0,0 +1,77 @@
+# retry.sh
+
+## Purpose
+Retry a command on failure with configurable attempts, delay, backoff, and retry-code filtering.
+
+## Location
+`shared/safety/retry.sh`
+
+## Preconditions
+- Required tools: `bash`, `awk`, `sleep`, `date`
+- Required permissions: execute permission for target command and this script
+- Required environment variables: none
+
+## Arguments
+| Flag | Required | Default | Description |
+|------|----------|---------|-------------|
+| `--attempts N` | No | `3` | Total number of attempts |
+| `--delay SEC` | No | `1` | Initial delay before retry |
+| `--backoff FACTOR` | No | `2` | Multiplier applied to delay |
+| `--max-delay SEC` | No | `0` | Delay cap (`0` disables cap) |
+| `--jitter PERCENT` | No | `0` | Positive jitter percentage added to delay |
+| `--retry-on CODES` | No | all non-zero | Comma-separated exit codes to retry |
+| `--quiet` | No | `false` | Suppress retry logs |
+| `-- COMMAND [ARGS...]` | Yes | N/A | Command to execute and retry |
+
+## Scenarios
+- Happy path: command succeeds on first attempt and exits `0`.
+- Common operational path: transient failures recover after one or more retries.
+- Failure path: command keeps failing or returns non-retryable status.
+- Recovery/rollback path: tune retry policy (`--retry-on`, attempts/delay) and rerun.
+
+## Usage
+```bash
+shared/safety/retry.sh --attempts 5 --delay 1 --backoff 2 -- curl -fsS https://example.com/health
+shared/safety/retry.sh --retry-on 1,2,28 --attempts 4 --delay 0.5 -- terraform plan
+shared/safety/retry.sh --quiet --attempts 3 -- make deploy
+```
+
+## Behavior
+- Main execution flow:
+  - validate retry policy options
+  - execute command
+  - retry on eligible non-zero statuses until attempt limit
+  - exit with command status
+- Idempotency notes: wrapper is idempotent; wrapped command may not be.
+- Side effects: repeated execution of wrapped command.
+
+## Output
+- Standard output format: wrapped command output; retry logs on stderr unless `--quiet`.
+- Exit codes:
+  - `0` command eventually succeeded
+  - wrapped command exit code on final/non-retryable failure
+  - `2` invalid script arguments
+
+## Failure Modes
+- Common errors and likely causes:
+  - invalid numeric options (`--attempts`, `--delay`, etc.)
+  - missing command after `--`
+  - bad retry code list format
+- Recovery and rollback steps:
+  - correct option values
+  - ensure command is present and executable
+  - reduce retry scope for non-idempotent commands
+
+## Security Notes
+- Secret handling: avoid printing secrets in wrapped command args or stderr.
+- Least-privilege requirements: run with minimum privileges required by wrapped command.
+- Audit/logging expectations: retry logs support incident and change tracing.
+
+## Testing
+- Unit tests:
+  - argument validation
+  - retry-on filtering logic
+- Integration tests:
+  - flaky command simulation with deterministic exit codes
+- Manual verification:
+  - force failure then success and confirm retry timing/status behavior