Refactor collecting rules, improving performance for admin baselines, fix issue with missing baseline

.github/workflows/cli-tests.yml

@@ -0,0 +1,94 @@
+---
+name: CLI Smoke Tests
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - dev_2.0
+    paths-ignore:
+      - 'archive/**'
+  pull_request:
+    branches:
+      - dev_2.0
+    paths-ignore:
+      - 'archive/**'
+
+jobs:
+  cli-smoke-tests:
+    name: CLI smoke tests
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+          cache: 'pip'
+
+      - name: Install dependencies
+        run: pip install -r requirements.txt
+
+      - name: list_platforms flag
+        run: python mscp.py --list_platforms
+
+      - name: baseline list_tags 
+        run: python mscp.py baseline --list_tags
+
+      - name: baseline generate (macos 800-53r5 moderate)
+        run: >
+          python mscp.py
+          --os_name macos --os_version 26.0
+          --output_dir /tmp/mscp-test-output
+          baseline --keyword 800-53r5_moderate
+
+      - name: baseline generate (macos cis_lvl1)
+        run: >
+          python mscp.py
+          --os_name macos --os_version 26.0
+          --output_dir /tmp/mscp-test-output
+          baseline --keyword cis_lvl1
+
+      - name: guidance markdown (macos 800-53r5 moderate)
+        run: >
+          python mscp.py
+          --os_name macos --os_version 26.0
+          --output_dir /tmp/mscp-test-output
+          guidance --markdown --no-docs
+          baselines/macos/800-53r5_moderate_macos_26.0.yaml
+
+      - name: guidance script (macos cis_lvl1)
+        run: >
+          python mscp.py
+          --os_name macos --os_version 26.0
+          --output_dir /tmp/mscp-test-output
+          guidance --script --no-docs
+          baselines/macos/cis_lvl1_macos_26.0.yaml
+
+      - name: scap xccdf (macos 800-53r5 moderate)
+        run: >
+          python mscp.py
+          --os_name macos --os_version 26.0
+          --output_dir /tmp/mscp-test-output
+          scap --xccdf --baseline 800-53r5_moderate
+
+      - name: admin validate
+        run: python mscp.py admin validate
+
+  cli_tests_success:
+    needs:
+      - cli-smoke-tests
+    if: always()
+    name: CLI tests successful
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check job status
+        if: >-
+          ${{
+              (
+                contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
+              )
+          }}
+        run: exit 1

src/mscp/admin_utils/build_baselines.py

@@ -19,7 +19,8 @@
     mscp_data,
     remove_dir_contents,
 )
-from ..classes import Macsecurityrule
+from ..common_utils import logging_config
+from ..classes.rule_library import RuleLibrary
 from ..generate import (
     generate_baseline,
 )
@@ -52,6 +53,7 @@ def build_all_baselines(args: argparse.Namespace) -> None:
         new baseline YAML files into it.
     """
     logger.info("Building all supported baselines...")
+    logging_config.suppress_spinner = True
 
     # clear existing default baselines
     baselines_dir = Path(config.get("baseline_dir", ""))
@@ -75,25 +77,28 @@ def build_all_baselines(args: argparse.Namespace) -> None:
         "800-53r5_privacy",
     }
 
-    all_rules: list[Macsecurityrule] = Macsecurityrule.collect_all_rules(
-        args.os_name, args.os_version, args.tailor, parent_values="Default"
-    )
-
-    all_tags, benchmark_map = collect_tags_and_benchmarks(all_rules)
+    library = RuleLibrary.from_rules_dir()
+    all_tags, benchmark_map = collect_tags_and_benchmarks(list(library))
 
     all_tags[:] = [x for x in all_tags if x not in excluded_tags]
 
+    # cache rules per (platform, version) so generate_baseline doesn't re-collect on every call
+    platform_rules = {
+        platform: list(library.by_platform(platform).by_os(os_version=float(args.os_version)))
+        for platform in mscp_data["versions"]["platforms"]
+    }
+
     # process every discovered benchmark and generate a baseline file
     for keyword, platforms in benchmark_map.items():
         args.keyword = keyword
         for platform in platforms:
             args.os_name = platform.lower()
-            generate_baseline(args, admin=True)
+            generate_baseline(args, admin=True, preloaded_rules=platform_rules.get(args.os_name, []))
 
     # process every discovered tag and generate a baseline file for every supported platform
     for platform in mscp_data["versions"]["platforms"]:
         args.os_name = platform
 
         for tag in all_tags:
             args.keyword = tag
-            generate_baseline(args, admin=True)
+            generate_baseline(args, admin=True, preloaded_rules=platform_rules[platform])

src/mscp/classes/legacy_baseline.py

@@ -290,9 +290,9 @@ def migrate(
         )
 
         # 3. Load the current rule library for the target platform/version.
-        #    collect_all_rules assigns each rule its current section, so the
+        #    collect_platform_rules assigns each rule its current section, so the
         #    resulting baseline will reflect today's section structure.
-        all_current_rules = Macsecurityrule.collect_all_rules(
+        all_current_rules = Macsecurityrule.collect_platform_rules(
             os_type=os_type,
             os_version=int(os_version),
             parent_values=self.parent_values or "default",

src/mscp/classes/macsecurityrule.py

@@ -77,7 +77,7 @@ class Macsecurityrule(BaseModelWithAccessors):
     The top-level domain object for mSCP. Combines rule metadata (title,
     discussion, references), enforcement information (`check`, `fix`,
     `mechanism`), and platform / version targeting. Instances are normally
-    constructed via `load_rules` or `collect_all_rules` rather than
+    constructed via `load_rules` or `collect_platform_rules` rather than
     directly.
 
     Attributes:
@@ -492,30 +492,31 @@ def load_rules(
         return rules
 
     @classmethod
-    def collect_all_rules(
+    def collect_platform_rules(
         cls,
         os_type: str,
         os_version: int,
         tailoring: bool = False,
         parent_values: str = "default",
     ) -> list["Macsecurityrule"]:
-        """Load every rule under ``config["rules_dir"]`` for an OS/version.
+        """Load every rule under ``config["rules_dir"]`` for a specific OS type and version.
 
         Walks each subfolder of the rules directory (skipping
         ``sysprefs``), maps each folder name through `Sectionmap` to the
         matching section file, and delegates per-section loading to
-        `load_rules`.
+        `load_rules`. Rules that do not declare support for the requested
+        ``os_type`` / ``os_version`` are skipped.
 
         Args:
-            os_type: Operating system family (e.g. ``"macOS"``).
+            os_type: Operating system family (e.g. ``"macos"``).
             os_version: Operating system version.
             tailoring: If true, skips customization overrides. Defaults to
                 ``False``.
             parent_values: ODV lookup key forwarded to `load_rules`.
                 Defaults to ``"default"``.
 
         Returns:
-            All rules across all sections that match the given platform.
+            All rules across all sections that match the given platform and version.
         """
 
         logger.info("=== LOADING ALL RULES ===")

src/mscp/classes/rule_library.py

@@ -58,7 +58,7 @@ def from_rules_dir(cls) -> RuleLibrary:
 
         Reads the platform/version matrix from the bundled
         ``mscp-data.yaml`` (via ``mscp_data``) and calls
-        ``Macsecurityrule.collect_all_rules`` once per combination. Use
+        ``Macsecurityrule.collect_platform_rules`` once per combination. Use
         ``by_platform`` or ``by_os`` to narrow the result to a specific
         platform.
 
@@ -76,7 +76,7 @@ def from_rules_dir(cls) -> RuleLibrary:
                 if os_version is None:
                     continue
                 all_rules.extend(
-                    Macsecurityrule.collect_all_rules(
+                    Macsecurityrule.collect_platform_rules(
                         os_type=os_type,
                         os_version=os_version,
                     )

src/mscp/cli.py

@@ -478,6 +478,14 @@ def parse_cli() -> None:
         action="store_true",
     )
 
+    guidance_parser.add_argument(
+        "--no-docs",
+        dest="no_docs",
+        default=False,
+        help="skip generating the asciidoctor, PDF, and HTML documents",
+        action="store_true",
+    )
+
     mapping_parser: argparse.ArgumentParser = subparsers.add_parser(
         "mapping",
         help="generate custom rules from compliance framework mappings",

src/mscp/common_utils/logging_config.py

@@ -5,7 +5,7 @@
 ``-vv`` / ``--debug``, plus a rotating file sink under ``logs/mscp.log``.
 `function_filter` lets developers narrow stderr output to a single
 module via the ``MSCP_DEV_FILTER`` environment variable.
-The module-level `verbose_logging` flag is read by
+The module-level `verbose_logging` and `suppress_spinner` flags are read by
 `spinner_utils.conditional_inject_spinner` to decide whether to show a
 spinner.
 """
@@ -23,6 +23,7 @@
 from .logger_instance import logger
 
 verbose_logging: bool = False
+suppress_spinner: bool = False
 
 
 def function_filter(record):

src/mscp/common_utils/spinner_utils.py

@@ -4,22 +4,33 @@
 When verbose logging is active, log lines and a spinner clobber each
 other in the terminal. `conditional_inject_spinner` injects the spinner
 only when `logging_config.verbose_logging` is false; otherwise it runs
-the wrapped function with a stopped spinner so the log output stays
-clean.
+the wrapped function with a no-op shim so calls like `sp.ok()` and
+`sp.text =` are silently swallowed.
 """
 
 import functools
 from yaspin import yaspin
 from . import logging_config
 
 
+class _NoOpSpinner:
+    """Silent drop-in for a yaspin spinner used when output is suppressed."""
+
+    def __setattr__(self, name, value):
+        pass
+
+    def __getattr__(self, name):
+        return lambda *a, **kw: None
+
+
 def conditional_inject_spinner(**spinner_kwargs):
     """Decorator factory that injects a `yaspin` spinner only when quiet.
 
     Behaves like `yaspin.inject_spinner` (the spinner is started before
-    the wrapped call and stopped after), but skips both start and stop
-    when `logging_config.verbose_logging` is true. The wrapped function
-    receives the spinner as its first positional argument.
+    the wrapped call and stopped after), but passes a no-op shim instead
+    when `logging_config.verbose_logging` or `logging_config.suppress_spinner`
+    is true, so calls like `sp.ok()` and `sp.text =` inside the wrapped
+    function produce no output.
 
     Args:
         **spinner_kwargs: Keyword arguments forwarded to `yaspin()` to
@@ -33,16 +44,17 @@ def conditional_inject_spinner(**spinner_kwargs):
     def decorator(func):
         @functools.wraps(func)
         def wrapper(*args, **kwargs):
-            suppress = logging_config.verbose_logging
+            suppress = logging_config.verbose_logging or logging_config.suppress_spinner
+
+            if suppress:
+                return func(_NoOpSpinner(), *args, **kwargs)
 
             sp = yaspin(**spinner_kwargs)
-            if not suppress:
-                sp.start()
+            sp.start()
             try:
                 return func(sp, *args, **kwargs)
             finally:
-                if not suppress:
-                    sp.stop()
+                sp.stop()
 
         return wrapper
 

src/mscp/common_utils/validate_rules.py

@@ -12,6 +12,7 @@
 
 # Standard python modules
 import argparse
+import sys
 from pathlib import Path
 
 from jsonschema import Draft202012Validator
@@ -106,9 +107,11 @@ def validate_yaml_file(args: argparse.Namespace) -> None:
                 print(f"✅ VALID:   {yaml}")
                 logger.info(f"✅ VALID:   {yaml}")
 
-    if not error_found:
-        print(f"✅ All YAML files passed validation.")
-        logger.success(f"✅ All YAML files passed validation.")
+    if error_found:
+        sys.exit(1)
+
+    print(f"✅ All YAML files passed validation.")
+    logger.success(f"✅ All YAML files passed validation.")
 
 
 def validate_rule_folder_structure(path_str: str) -> Path:

src/mscp/data/rules/system_settings/system_settings_biometric_disable.yaml

@@ -18,7 +18,7 @@ references:
       macos_14:
         - CCE-93003-2
       visionos_26:
-        - CCE-95597-1        
+        - CCE-95597-1
     800-53r5:
       - IA-5
     800-171r3:
@@ -69,7 +69,7 @@ platforms:
   visionOS:
     '26.0':
       supervised: true
-    introduced: '2.0'    
+    introduced: '2.0'
 tags:
   - 800-53r5_low
   - 800-53r5_moderate