chore: merge dev (take dev version for conflicts)

.github/workflows/ci.yml

@@ -5,6 +5,7 @@ on:
     branches: [dev, main]
   pull_request:
     branches: [dev, main]
+  workflow_dispatch:
 
 env:
   CORE_VERSION: dev
@@ -25,11 +26,9 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.1-dev
 
-      - name: Install core CLI
+      - name: Build core CLI
         run: |
-          curl -fsSL "https://github.com/host-uk/core/releases/download/${{ env.CORE_VERSION }}/core-linux-amd64" -o /tmp/core
-          chmod +x /tmp/core
-          sudo mv /tmp/core /usr/local/bin/core
+          go build -ldflags "-X github.com/host-uk/core/pkg/cli.AppVersion=${{ env.CORE_VERSION }}" -o /usr/local/bin/core .
           core --version
 
       - name: Generate code

.github/workflows/coverage.yml

@@ -5,6 +5,7 @@ on:
     branches: [dev, main]
   pull_request:
     branches: [dev, main]
+  workflow_dispatch:
 
 env:
   CORE_VERSION: dev
@@ -25,11 +26,9 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.1-dev
 
-      - name: Install core CLI
+      - name: Build core CLI
         run: |
-          curl -fsSL "https://github.com/host-uk/core/releases/download/${{ env.CORE_VERSION }}/core-linux-amd64" -o /tmp/core
-          chmod +x /tmp/core
-          sudo mv /tmp/core /usr/local/bin/core
+          go build -ldflags "-X github.com/host-uk/core/pkg/cli.AppVersion=${{ env.CORE_VERSION }}" -o /usr/local/bin/core .
           core --version
 
       - name: Generate code

AUDIT-DEPENDENCIES.md

@@ -0,0 +1,143 @@
+# Dependency Security Audit
+
+**Date:** 2026-02-02
+**Auditor:** Claude Code
+**Project:** host-uk/core (Go CLI)
+
+## Executive Summary
+
+✅ **No vulnerabilities found** in current dependencies.
+
+All modules verified successfully with `go mod verify` and `govulncheck`.
+
+---
+
+## Dependency Analysis
+
+### Direct Dependencies (15)
+
+| Package | Version | Purpose | Status |
+|---------|---------|---------|--------|
+| github.com/Snider/Borg | v0.1.0 | Framework utilities | ✅ Verified |
+| github.com/getkin/kin-openapi | v0.133.0 | OpenAPI parsing | ✅ Verified |
+| github.com/leaanthony/debme | v1.2.1 | Debounce utilities | ✅ Verified |
+| github.com/leaanthony/gosod | v1.0.4 | Go service utilities | ✅ Verified |
+| github.com/minio/selfupdate | v0.6.0 | Self-update mechanism | ✅ Verified |
+| github.com/modelcontextprotocol/go-sdk | v1.2.0 | MCP SDK | ✅ Verified |
+| github.com/oasdiff/oasdiff | v1.11.8 | OpenAPI diff | ✅ Verified |
+| github.com/spf13/cobra | v1.10.2 | CLI framework | ✅ Verified |
+| github.com/stretchr/testify | v1.11.1 | Testing assertions | ✅ Verified |
+| golang.org/x/mod | v0.32.0 | Module utilities | ✅ Verified |
+| golang.org/x/net | v0.49.0 | Network utilities | ✅ Verified |
+| golang.org/x/oauth2 | v0.34.0 | OAuth2 client | ✅ Verified |
+| golang.org/x/term | v0.39.0 | Terminal utilities | ✅ Verified |
+| golang.org/x/text | v0.33.0 | Text processing | ✅ Verified |
+| gopkg.in/yaml.v3 | v3.0.1 | YAML parser | ✅ Verified |
+
+### Transitive Dependencies
+
+- **Total modules:** 161 indirect dependencies
+- **Verification:** All modules verified via `go mod verify`
+- **Integrity:** go.sum contains 18,380 bytes of checksums
+
+### Notable Indirect Dependencies
+
+| Package | Purpose | Risk Assessment |
+|---------|---------|-----------------|
+| github.com/go-git/go-git/v5 | Git operations | Low - well-maintained |
+| github.com/ProtonMail/go-crypto | Cryptography | Low - security-focused org |
+| github.com/cloudflare/circl | Cryptographic primitives | Low - Cloudflare maintained |
+| cloud.google.com/go | Google Cloud SDK | Low - Google maintained |
+
+---
+
+## Vulnerability Scan Results
+
+### govulncheck Output
+
+```
+$ govulncheck ./...
+No vulnerabilities found.
+```
+
+### go mod verify Output
+
+```
+$ go mod verify
+all modules verified
+```
+
+---
+
+## Lock Files
+
+| File | Status | Notes |
+|------|--------|-------|
+| go.mod | ✅ Committed | 2,995 bytes, properly formatted |
+| go.sum | ✅ Committed | 18,380 bytes, integrity hashes present |
+| go.work | ✅ Committed | Workspace configuration |
+| go.work.sum | ✅ Committed | Workspace checksums |
+
+---
+
+## Supply Chain Assessment
+
+### Package Sources
+
+- ✅ All dependencies from official Go module proxy (proxy.golang.org)
+- ✅ No private/unverified package sources
+- ✅ Checksum database verification enabled (sum.golang.org)
+
+### Typosquatting Risk
+
+- **Low risk** - all dependencies are from well-known organizations:
+  - golang.org/x/* (Go team)
+  - github.com/spf13/* (Steve Francia - Cobra maintainer)
+  - github.com/stretchr/* (Stretchr - testify maintainers)
+  - cloud.google.com/go/* (Google)
+
+### Build Process Security
+
+- ✅ Go modules with verified checksums
+- ✅ Reproducible builds via go.sum
+- ✅ CI runs `go mod verify` before builds
+
+---
+
+## Recommendations
+
+### Immediate Actions
+
+None required - no vulnerabilities detected.
+
+### Ongoing Maintenance
+
+1. **Enable Dependabot** - Automated dependency updates via GitHub
+2. **Regular audits** - Run `govulncheck ./...` in CI pipeline
+3. **Version pinning** - All dependencies are properly pinned
+
+### CI Integration
+
+Add to CI workflow:
+
+```yaml
+- name: Verify dependencies
+  run: go mod verify
+
+- name: Check vulnerabilities
+  run: |
+    go install golang.org/x/vuln/cmd/govulncheck@latest
+    govulncheck ./...
+```
+
+---
+
+## Appendix: Full Dependency Tree
+
+Run `go mod graph` to generate the complete dependency tree.
+
+Total dependency relationships: 445
+
+---
+
+*Audit generated by Claude Code on 2026-02-02*

pkg/cache/cache.go

@@ -7,7 +7,6 @@ import (
 	"path/filepath"
 	"time"
 
-	"github.com/host-uk/core/pkg/errors"
 	"github.com/host-uk/core/pkg/io"
 )
 
@@ -34,7 +33,7 @@ func New(baseDir string, ttl time.Duration) (*Cache, error) {
 		// Use .core/cache in current working directory
 		cwd, err := os.Getwd()
 		if err != nil {
-			return nil, errors.E("cache.New", "failed to get working directory", err)
+			return nil, err
 		}
 		baseDir = filepath.Join(cwd, ".core", "cache")
 	}
@@ -46,12 +45,12 @@ func New(baseDir string, ttl time.Duration) (*Cache, error) {
 	// Convert to absolute path for io.Local
 	absBaseDir, err := filepath.Abs(baseDir)
 	if err != nil {
-		return nil, errors.E("cache.New", "failed to resolve absolute path", err)
+		return nil, err
 	}
 
 	// Ensure cache directory exists
 	if err := io.Local.EnsureDir(absBaseDir); err != nil {
-		return nil, errors.E("cache.New", "failed to create cache directory", err)
+		return nil, err
 	}
 
 	baseDir = absBaseDir
@@ -76,7 +75,7 @@ func (c *Cache) Get(key string, dest interface{}) (bool, error) {
 		if os.IsNotExist(err) {
 			return false, nil
 		}
-		return false, errors.E("cache.Get", "failed to read cache file", err)
+		return false, err
 	}
 	data := []byte(content)
 
@@ -93,7 +92,7 @@ func (c *Cache) Get(key string, dest interface{}) (bool, error) {
 
 	// Unmarshal the actual data
 	if err := json.Unmarshal(entry.Data, dest); err != nil {
-		return false, errors.E("cache.Get", "failed to unmarshal cache data", err)
+		return false, err
 	}
 
 	return true, nil
@@ -106,7 +105,7 @@ func (c *Cache) Set(key string, data interface{}) error {
 	// Marshal the data
 	dataBytes, err := json.Marshal(data)
 	if err != nil {
-		return errors.E("cache.Set", "failed to marshal data", err)
+		return err
 	}
 
 	entry := Entry{
@@ -117,35 +116,26 @@ func (c *Cache) Set(key string, data interface{}) error {
 
 	entryBytes, err := json.MarshalIndent(entry, "", "  ")
 	if err != nil {
-		return errors.E("cache.Set", "failed to marshal cache entry", err)
+		return err
 	}
 
 	// io.Local.Write creates parent directories automatically
-	if err := io.Local.Write(path, string(entryBytes)); err != nil {
-		return errors.E("cache.Set", "failed to write cache file", err)
-	}
-	return nil
+	return io.Local.Write(path, string(entryBytes))
 }
 
 // Delete removes an item from the cache.
 func (c *Cache) Delete(key string) error {
 	path := c.Path(key)
 	err := io.Local.Delete(path)
-	if err != nil {
-		if os.IsNotExist(err) {
-			return nil
-		}
-		return errors.E("cache.Delete", "failed to delete cache file", err)
+	if os.IsNotExist(err) {
+		return nil
 	}
-	return nil
+	return err
 }
 
 // Clear removes all cached items.
 func (c *Cache) Clear() error {
-	if err := io.Local.DeleteAll(c.baseDir); err != nil {
-		return errors.E("cache.Clear", "failed to clear cache directory", err)
-	}
-	return nil
+	return io.Local.DeleteAll(c.baseDir)
 }
 
 // Age returns how old a cached item is, or -1 if not cached.

pkg/cli/daemon.go

@@ -89,14 +89,9 @@ func (p *PIDFile) Acquire() error {
 	p.mu.Lock()
 	defer p.mu.Unlock()
 
-	absPath, err := filepath.Abs(p.path)
-	if err != nil {
-		return fmt.Errorf("failed to resolve PID file path: %w", err)
-	}
-
 	// Check if PID file exists
-	if content, err := io.Local.Read(absPath); err == nil {
-		pid, err := strconv.Atoi(content)
+	if data, err := io.Local.Read(p.path); err == nil {
+		pid, err := strconv.Atoi(data)
 		if err == nil && pid > 0 {
 			// Check if process is still running
 			if process, err := os.FindProcess(pid); err == nil {
@@ -106,12 +101,19 @@ func (p *PIDFile) Acquire() error {
 			}
 		}
 		// Stale PID file, remove it
-		_ = io.Local.Delete(absPath)
+		_ = io.Local.Delete(p.path)
 	}
 
-	// Write current PID (io.Local.Write creates parent directories automatically)
+	// Ensure directory exists
+	if dir := filepath.Dir(p.path); dir != "." {
+		if err := io.Local.EnsureDir(dir); err != nil {
+			return fmt.Errorf("failed to create PID directory: %w", err)
+		}
+	}
+
+	// Write current PID
 	pid := os.Getpid()
-	if err := io.Local.Write(absPath, strconv.Itoa(pid)); err != nil {
+	if err := io.Local.Write(p.path, strconv.Itoa(pid)); err != nil {
 		return fmt.Errorf("failed to write PID file: %w", err)
 	}
 
@@ -122,14 +124,7 @@ func (p *PIDFile) Acquire() error {
 func (p *PIDFile) Release() error {
 	p.mu.Lock()
 	defer p.mu.Unlock()
-	absPath, err := filepath.Abs(p.path)
-	if err != nil {
-		return fmt.Errorf("failed to resolve PID file path: %w", err)
-	}
-	if err := io.Local.Delete(absPath); err != nil {
-		return fmt.Errorf("failed to delete PID file: %w", err)
-	}
-	return nil
+	return io.Local.Delete(p.path)
 }
 
 // Path returns the PID file path.

pkg/container/state.go

@@ -6,7 +6,6 @@ import (
 	"path/filepath"
 	"sync"
 
-	"github.com/host-uk/core/pkg/errors"
 	"github.com/host-uk/core/pkg/io"
 )
 
@@ -61,7 +60,7 @@ func LoadState(filePath string) (*State, error) {
 
 	absPath, err := filepath.Abs(filePath)
 	if err != nil {
-		return nil, errors.E("container.LoadState", "failed to resolve state file path", err)
+		return nil, err
 	}
 
 	content, err := io.Local.Read(absPath)
@@ -69,11 +68,11 @@ func LoadState(filePath string) (*State, error) {
 		if os.IsNotExist(err) {
 			return state, nil
 		}
-		return nil, errors.E("container.LoadState", "failed to read state file", err)
+		return nil, err
 	}
 
 	if err := json.Unmarshal([]byte(content), state); err != nil {
-		return nil, errors.E("container.LoadState", "failed to parse state file", err)
+		return nil, err
 	}
 
 	return state, nil
@@ -86,19 +85,16 @@ func (s *State) SaveState() error {
 
 	absPath, err := filepath.Abs(s.filePath)
 	if err != nil {
-		return errors.E("container.SaveState", "failed to resolve state file path", err)
+		return err
 	}
 
 	data, err := json.MarshalIndent(s, "", "  ")
 	if err != nil {
-		return errors.E("container.SaveState", "failed to marshal state", err)
+		return err
 	}
 
 	// io.Local.Write creates parent directories automatically
-	if err := io.Local.Write(absPath, string(data)); err != nil {
-		return errors.E("container.SaveState", "failed to write state file", err)
-	}
-	return nil
+	return io.Local.Write(absPath, string(data))
 }
 
 // Add adds a container to the state and persists it.

pkg/container/templates.go

@@ -8,7 +8,6 @@ import (
 	"regexp"
 	"strings"
 
-	"github.com/host-uk/core/pkg/errors"
 	"github.com/host-uk/core/pkg/io"
 )
 
@@ -64,7 +63,7 @@ func GetTemplate(name string) (string, error) {
 		if t.Name == name {
 			content, err := embeddedTemplates.ReadFile(t.Path)
 			if err != nil {
-				return "", errors.E("container.GetTemplate", "failed to read embedded template", err)
+				return "", fmt.Errorf("failed to read embedded template %s: %w", name, err)
 			}
 			return string(content), nil
 		}
@@ -77,13 +76,13 @@ func GetTemplate(name string) (string, error) {
 		if io.Local.IsFile(templatePath) {
 			content, err := io.Local.Read(templatePath)
 			if err != nil {
-				return "", errors.E("container.GetTemplate", "failed to read user template", err)
+				return "", fmt.Errorf("failed to read user template %s: %w", name, err)
 			}
 			return content, nil
 		}
 	}
 
-	return "", errors.E("container.GetTemplate", "template not found: "+name, nil)
+	return "", fmt.Errorf("template not found: %s", name)
 }
 
 // ApplyTemplate applies variable substitution to a template.

pkg/devops/config.go

@@ -4,7 +4,6 @@ import (
 	"os"
 	"path/filepath"
 
-	"github.com/host-uk/core/pkg/errors"
 	"github.com/host-uk/core/pkg/io"
 	"gopkg.in/yaml.v3"
 )
@@ -76,12 +75,12 @@ func LoadConfig() (*Config, error) {
 		if os.IsNotExist(err) {
 			return DefaultConfig(), nil
 		}
-		return nil, errors.E("devops.LoadConfig", "failed to read config", err)
+		return nil, err
 	}
 
 	cfg := DefaultConfig()
 	if err := yaml.Unmarshal([]byte(content), cfg); err != nil {
-		return nil, errors.E("devops.LoadConfig", "failed to parse config", err)
+		return nil, err
 	}
 
 	return cfg, nil

pkg/devops/images.go

@@ -9,7 +9,6 @@ import (
 	"time"
 
 	"github.com/host-uk/core/pkg/devops/sources"
-	"github.com/host-uk/core/pkg/errors"
 	"github.com/host-uk/core/pkg/io"
 )
 
@@ -43,7 +42,7 @@ func NewImageManager(cfg *Config) (*ImageManager, error) {
 
 	// Ensure images directory exists
 	if err := io.Local.EnsureDir(imagesDir); err != nil {
-		return nil, errors.E("devops.NewImageManager", "failed to create images directory", err)
+		return nil, err
 	}
 
 	// Load or create manifest
@@ -173,11 +172,11 @@ func loadManifest(path string) (*Manifest, error) {
 		if os.IsNotExist(err) {
 			return m, nil
 		}
-		return nil, errors.E("devops.loadManifest", "failed to read manifest", err)
+		return nil, err
 	}
 
 	if err := json.Unmarshal([]byte(content), m); err != nil {
-		return nil, errors.E("devops.loadManifest", "failed to parse manifest", err)
+		return nil, err
 	}
 	m.path = path
 
@@ -188,10 +187,7 @@ func loadManifest(path string) (*Manifest, error) {
 func (m *Manifest) Save() error {
 	data, err := json.MarshalIndent(m, "", "  ")
 	if err != nil {
-		return errors.E("devops.Manifest.Save", "failed to marshal manifest", err)
+		return err
 	}
-	if err := io.Local.Write(m.path, string(data)); err != nil {
-		return errors.E("devops.Manifest.Save", "failed to write manifest", err)
-	}
-	return nil
+	return io.Local.Write(m.path, string(data))
 }

pkg/devops/test.go

@@ -7,7 +7,6 @@ import (
 	"path/filepath"
 	"strings"
 
-	"github.com/host-uk/core/pkg/errors"
 	"github.com/host-uk/core/pkg/io"
 	"gopkg.in/yaml.v3"
 )
@@ -117,17 +116,17 @@ func LoadTestConfig(projectDir string) (*TestConfig, error) {
 	path := filepath.Join(projectDir, ".core", "test.yaml")
 	absPath, err := filepath.Abs(path)
 	if err != nil {
-		return nil, errors.E("devops.LoadTestConfig", "failed to resolve path", err)
+		return nil, err
 	}
 
 	content, err := io.Local.Read(absPath)
 	if err != nil {
-		return nil, errors.E("devops.LoadTestConfig", "failed to read test config", err)
+		return nil, err
 	}
 
 	var cfg TestConfig
 	if err := yaml.Unmarshal([]byte(content), &cfg); err != nil {
-		return nil, errors.E("devops.LoadTestConfig", "failed to parse test config", err)
+		return nil, err
 	}
 
 	return &cfg, nil