fix: bash script parity bugs in gitignore, evidence, delta-audit (v1.1.10)

- check-gitignore-consistency.sh: correct severity field order; blocked exits 1 on bash

- collect-audit-evidence.sh: full transcript under set -e; only quickstart fails exit

- run-delta-audit.sh: awk instead of python; fix empty diff output

- run-audit-quickstart.ps1: isolated workdir copies dotfiles

- regression tests for tracked-but-ignored fixture

Author: saiganakato

CHANGELOG.md

@@ -4,6 +4,19 @@ All notable changes to this regulation shelf are documented here.
 
 The detailed shelf changelog lives in `regulation/shelf/SHELF_CHANGELOG.md`.
 
+## [1.1.10] - 2026-06-17
+
+### Fixed
+
+- `check-gitignore-consistency.sh` stores finding fields as `severity|category|path|reason` (blocked findings now exit 1 on bash)
+- `collect-audit-evidence.sh` collects full transcript under `set -e` (screening/gitignore/gitleaks/pytest/gh no longer abort early)
+- `run-delta-audit.sh` uses `awk` instead of `python`; empty changed-path list no longer prints spurious `M` line
+- `run-audit-quickstart.ps1` isolated workdir copies dotfiles (`.gitignore`, `.github/`, etc.)
+
+### Added
+
+- regulation tests for tracked-but-ignored fixture and evidence transcript continuity
+
 ## [1.1.9] - 2026-06-17
 
 ### Fixed

regulation/shelf/SHELF_CHANGELOG.md

@@ -2,6 +2,15 @@
 
 All notable changes to the generic regulation shelf.
 
+## 1.1.10 — 2026-06-17
+
+### Fixed
+
+- bash gitignore consistency severity field order; blocked exit parity with PowerShell
+- bash evidence collector no longer aborts on screening/gitignore non-zero
+- delta-audit bash: no python dependency; empty diff list output
+- quickstart isolated copy includes dotfiles on Windows
+
 ## 1.1.9 — 2026-06-17
 
 ### Fixed

regulation/shelf/SHELF_VERSION.md

@@ -5,7 +5,7 @@ Status: Active
 ## Current
 
 ```text
-1.1.9
+1.1.10
 ```
 
 ## Meaning

scripts/check-gitignore-consistency.sh

@@ -8,7 +8,8 @@ REPO_PATH="$(pwd)"
 declare -a findings=()
 
 add_finding() {
-  findings+=("$2|$3|$1|$4")
+  local path="$1" category="$2" severity="$3" reason="$4"
+  findings+=("$severity|$category|$path|$reason")
 }
 
 recommended=(

scripts/collect-audit-evidence.sh

@@ -24,12 +24,16 @@ echo "Tracked files: $(git ls-files | wc -l | tr -d ' ')"
 
 SCREEN_SCRIPT="$(cd "$(dirname "$0")" && pwd)/check-tracked-files.sh"
 if [[ -f "$SCREEN_SCRIPT" ]]; then
+  set +e
   bash "$SCREEN_SCRIPT" "$REPO_PATH"
+  set -e
 fi
 
 GITIGNORE_SCRIPT="$(cd "$(dirname "$0")" && pwd)/check-gitignore-consistency.sh"
 if [[ -f "$GITIGNORE_SCRIPT" ]]; then
+  set +e
   bash "$GITIGNORE_SCRIPT" "$REPO_PATH"
+  set -e
 fi
 
 section "Large Tracked Files (>512KB)"
@@ -65,23 +69,35 @@ done
 
 section "Gitleaks"
 if command -v gitleaks >/dev/null 2>&1; then
+  set +e
   gitleaks detect --source . --no-banner 2>&1 | tail -n 3
+  set -e
 else
   echo "gitleaks: not installed"
 fi
 
 if [[ -f pytest.ini || -d tests ]]; then
   section "Pytest"
-  python -m pytest -q 2>&1 | tail -n 5
+  set +e
+  if command -v python3 >/dev/null 2>&1; then
+    python3 -m pytest -q 2>&1 | tail -n 5
+  elif command -v python >/dev/null 2>&1; then
+    python -m pytest -q 2>&1 | tail -n 5
+  else
+    echo "python: not installed"
+  fi
+  set -e
 fi
 
 if [[ -n "$HOSTED_REPO" ]] && command -v gh >/dev/null 2>&1; then
   section "Hosted Metadata"
+  set +e
   gh api "repos/$HOSTED_REPO" --jq '{description, topics: .topics, homepage, visibility}'
   gh api "repos/$HOSTED_REPO/community/profile" --jq '{health_percentage}'
   gh api "repos/$HOSTED_REPO" --jq '.security_and_analysis'
   section "Latest CI"
   gh run list -R "$HOSTED_REPO" --limit 3
+  set -e
 fi
 
 MANIFEST_PATH="$REPO_PATH/audit.manifest.yml"

scripts/run-audit-quickstart.ps1

@@ -38,7 +38,11 @@ $tempRoot = $null
 if ($workdir -eq "isolated") {
     $tempRoot = Join-Path ([System.IO.Path]::GetTempPath()) ("audit-quickstart-" + [guid]::NewGuid().ToString("n"))
     New-Item -ItemType Directory -Path $tempRoot | Out-Null
-    Copy-Item -Path (Join-Path $RepoPath "*") -Destination $tempRoot -Recurse -Force
+    Get-ChildItem -LiteralPath $RepoPath -Force |
+        Where-Object { $_.Name -notin '.', '..' } |
+        ForEach-Object {
+            Copy-Item -LiteralPath $_.FullName -Destination (Join-Path $tempRoot $_.Name) -Recurse -Force
+        }
     $runRoot = $tempRoot
     Write-Output "Isolated workdir: $runRoot"
 } else {

scripts/run-delta-audit.sh

@@ -68,23 +68,20 @@ PRESENT_HEAD="$(git rev-parse HEAD)"
 PRIOR_FULL="$(git rev-parse "$PRIOR_HEAD")"
 PRIOR_COUNT="$(git ls-tree -r --name-only "$PRIOR_FULL" | wc -l | tr -d ' ')"
 PRESENT_COUNT="$(git ls-files | wc -l | tr -d ' ')"
-DELTA_PERCENT="$(python - <<PY
-prior=$PRIOR_COUNT
-present=$PRESENT_COUNT
-print(round(abs(present-prior)*100.0/prior, 1) if prior else 100.0)
-PY
-)"
+DELTA_PERCENT="$(awk -v prior="$PRIOR_COUNT" -v present="$PRESENT_COUNT" \
+  'BEGIN{d=present-prior; if (d<0) d=-d; printf "%.1f", (prior ? 100*d/prior : 100)}')"
 
 mapfile -t CHANGED < <(git diff --name-only "$PRIOR_FULL" "$PRESENT_HEAD")
 mapfile -t UNTRACKED < <(git ls-files --others --exclude-standard)
 
 invalidations=()
-OVER20="$(python -c "print(1 if float('$DELTA_PERCENT') > 20.0 else 0)")"
+OVER20="$(awk -v d="$DELTA_PERCENT" 'BEGIN{print (d>20)?1:0}')"
 if [[ "$OVER20" == "1" && "$ALLOW_LARGE_DELTA" != "1" ]]; then
   invalidations+=("inventory delta ${DELTA_PERCENT}% exceeds 20%")
 fi
 
-for p in "${CHANGED[@]:-}"; do
+for p in "${CHANGED[@]}"; do
+  [[ -z "$p" ]] && continue
   case "$p" in
     LICENSE|SECURITY.md|audit.manifest.yml|.github/workflows/*)
       invalidations+=("sensitive path changed: $p")
@@ -113,7 +110,9 @@ echo "Prior tracked count: $PRIOR_COUNT"
 echo "Present tracked count: $PRESENT_COUNT"
 echo "Inventory delta: ${DELTA_PERCENT}%"
 echo "Changed tracked paths: ${#CHANGED[@]}"
-for p in "${CHANGED[@]:-}"; do echo "  M $p"; done
+for p in "${CHANGED[@]}"; do
+  [[ -n "$p" ]] && echo "  M $p"
+done
 if [[ ${#UNTRACKED[@]} -gt 0 ]]; then
   echo "New untracked (non-ignored): ${#UNTRACKED[@]}"
   for p in "${UNTRACKED[@]:0:20}"; do echo "  ? $p"; done
@@ -137,7 +136,7 @@ if [[ "$DELTA_MODE" == "upgrade-to-full" ]]; then
 else
   echo "1. Read regulation/execution/RE_AUDIT_POLICY.md delta rules"
   echo "2. G-21 full read only changed paths + dependency cone listed above"
-  echo "3. Rescore gates affected by the change set"
+  echo "3. Rescore gates affected by the change set; carry forward others only when allowed"
   echo "4. Update audits/$SLUG/audit-report.md and fill delta-audit-record.md"
 fi
 echo "5. Refresh R-02, R-09 when audit mode is release or strict-product"

scripts/tests/run-regulation-tests.ps1

@@ -58,6 +58,26 @@ Assert-ExitCode "check-gitignore-consistency on fixture" 0 {
     & (Join-Path $Shelf "scripts\check-gitignore-consistency.ps1") -RepoPath $fixture
 }
 
+$trackedIgnoredFixture = Join-Path $Shelf "scripts\tests\fixtures\tracked-ignored-repo"
+if (-not (Test-Path (Join-Path $trackedIgnoredFixture ".git"))) {
+    Push-Location $trackedIgnoredFixture
+    git init | Out-Null
+    git add README.md LICENSE SECURITY.md .gitignore
+    git add -f AGENTS.md
+    git -c user.email="fixture@test" -c user.name="fixture" commit -m "init tracked-ignored fixture" | Out-Null
+    Pop-Location
+}
+
+Assert-ExitCode "check-gitignore-consistency blocked tracked-ignored fixture" 1 {
+    & (Join-Path $Shelf "scripts\check-gitignore-consistency.ps1") -RepoPath $trackedIgnoredFixture
+}
+
+Assert-Pass "collect-audit-evidence completes after blocked gitignore" {
+    $out = & (Join-Path $Shelf "scripts\collect-audit-evidence.ps1") -RepoPath $trackedIgnoredFixture 2>&1 | Out-String
+    if ($LASTEXITCODE -ne 0) { throw "expected exit 0, got $LASTEXITCODE" }
+    if ($out -notmatch "=== Root Files ===") { throw "evidence transcript truncated before Root Files" }
+}
+
 $presentHead = (git -C $Shelf rev-parse HEAD)
 # v1.1.4 → present always includes audit.manifest.yml change (v1.1.5); stable across future commits
 $manifestPriorHead = (git -C $Shelf rev-parse 'v1.1.4^{commit}')

scripts/tests/run-regulation-tests.sh

@@ -40,6 +40,26 @@ run_exit "check-tracked-files on shelf" 0 bash "$SHELF/scripts/check-tracked-fil
 run_exit "check-tracked-files on fixture" 0 bash "$SHELF/scripts/check-tracked-files.sh" "$FIXTURE"
 run_exit "check-gitignore-consistency on shelf" 0 bash "$SHELF/scripts/check-gitignore-consistency.sh" "$SHELF"
 run_exit "check-gitignore-consistency on fixture" 0 bash "$SHELF/scripts/check-gitignore-consistency.sh" "$FIXTURE"
+TRACKED_IGNORED="$SHELF/scripts/tests/fixtures/tracked-ignored-repo"
+if [[ ! -d "$TRACKED_IGNORED/.git" ]]; then
+  git -C "$TRACKED_IGNORED" init
+  git -C "$TRACKED_IGNORED" add README.md LICENSE SECURITY.md .gitignore
+  git -C "$TRACKED_IGNORED" add -f AGENTS.md
+  git -C "$TRACKED_IGNORED" -c user.email=fixture@test -c user.name=fixture commit -m "init tracked-ignored fixture"
+fi
+run_exit "check-gitignore-consistency blocked tracked-ignored fixture" 1 \
+  bash "$SHELF/scripts/check-gitignore-consistency.sh" "$TRACKED_IGNORED"
+echo "TEST: collect-audit-evidence completes after blocked gitignore"
+set +e
+evidence_out="$(bash "$SHELF/scripts/collect-audit-evidence.sh" "$TRACKED_IGNORED" 2>&1)"
+evidence_code=$?
+set -e
+if [[ "$evidence_code" -eq 0 ]] && echo "$evidence_out" | grep -q "=== Root Files ==="; then
+  echo "  PASS"
+else
+  echo "  FAIL: expected exit 0 and Root Files section, got exit $evidence_code"
+  failures=$((failures + 1))
+fi
 PRESENT_HEAD="$(git -C "$SHELF" rev-parse HEAD)"
 # v1.1.4 → present always includes audit.manifest.yml change (v1.1.5); stable across future commits
 MANIFEST_PRIOR_HEAD="$(git -C "$SHELF" rev-parse "v1.1.4^{commit}")"