989b7e1e65
* feat(cli): wire release command and add installer scripts
- Wire up `core build release` subcommand (was orphaned)
- Wire up `core monitor` command (missing import in full variant)
- Add installer scripts for Unix (.sh) and Windows (.bat)
- setup: Interactive with variant selection
- ci: Minimal for CI/CD environments
- dev: Full development variant
- go/php/agent: Targeted development variants
- All scripts include security hardening:
- Secure temp directories (mktemp -d)
- Architecture validation
- Version validation after GitHub API call
- Proper cleanup on exit
- PowerShell PATH updates on Windows (avoids setx truncation)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(build): add tar.xz support and unified installer scripts
- Add tar.xz archive support using Borg's compress package
- ArchiveXZ() and ArchiveWithFormat() for configurable compression
- Better compression ratio than gzip for release artifacts
- Consolidate 12 installer scripts into 2 unified scripts
- install.sh and install.bat with BunnyCDN edge variable support
- Subdomains: setup.core.help, ci.core.help, dev.core.help, etc.
- MODE and VARIANT transformed at edge based on subdomain
- Installers prefer tar.xz with automatic fallback to tar.gz
- Fixed CodeRabbit issues: HTTP status patterns, tar error handling,
verify_install params, VARIANT validation, CI PATH persistence
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* chore: add build and release config files
- .core/build.yaml - cross-platform build configuration
- .core/release.yaml - release workflow configuration
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* chore: move plans from docs/ to tasks/
Consolidate planning documents in tasks/plans/ directory.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(install): address CodeRabbit review feedback
- Add curl timeout (--max-time) to prevent hanging on slow networks
- Rename TMPDIR to WORK_DIR to avoid clobbering system env var
- Add chmod +x to ensure binary has execute permissions
- Add error propagation after subroutine calls in batch file
- Remove System32 install attempt in CI mode (use consistent INSTALL_DIR)
- Fix HTTP status regex for HTTP/2 compatibility
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(rag): add Go RAG implementation with Qdrant + Ollama
Add RAG (Retrieval Augmented Generation) tools for storing documentation
in Qdrant vector database and querying with semantic search. This replaces
the Python tools/rag implementation with a native Go solution.
New commands:
- core rag ingest [directory] - Ingest markdown files into Qdrant
- core rag query [question] - Query vector database with semantic search
- core rag collections - List and manage Qdrant collections
Features:
- Markdown chunking by sections and paragraphs with overlap
- UTF-8 safe text handling for international content
- Automatic category detection from file paths
- Multiple output formats: text, JSON, LLM context injection
- Environment variable support for host configuration
Dependencies:
- github.com/qdrant/go-client (gRPC client)
- github.com/ollama/ollama/api (embeddings API)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(deploy): add pure-Go Ansible executor and Coolify API integration
Implement infrastructure deployment system with:
- pkg/ansible: Pure Go Ansible executor
- Playbook/inventory parsing (types.go, parser.go)
- Full execution engine with variable templating, loops, blocks,
conditionals, handlers, and fact gathering (executor.go)
- SSH client with key/password auth and privilege escalation (ssh.go)
- 35+ module implementations: shell, command, copy, template, file,
apt, service, systemd, user, group, git, docker_compose, etc. (modules.go)
- pkg/deploy/coolify: Coolify API client wrapping Python swagger client
- List/get servers, projects, applications, databases, services
- Generic Call() for any OpenAPI operation
- pkg/deploy/python: Embedded Python runtime for swagger client integration
- internal/cmd/deploy: CLI commands
- core deploy servers/projects/apps/databases/services/team
- core deploy call <operation> [params-json]
This enables Docker-free infrastructure deployment with Ansible-compatible
playbooks executed natively in Go.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(deploy): address linter warnings and build errors
- Fix fmt.Sprintf format verb error in ssh.go (remove unused stat command)
- Fix errcheck warnings by explicitly ignoring best-effort operations
- Fix ineffassign warning in cmd_ansible.go
All golangci-lint checks now pass for deploy packages.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* style(deploy): fix gofmt formatting
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(deploy): use known_hosts for SSH host key verification
Address CodeQL security alert by using the user's known_hosts file
for SSH host key verification when available. Falls back to accepting
any key only when known_hosts doesn't exist (common in containerized
or ephemeral environments).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(ai,security,ide): add agentic MVP, security jobs, and Core IDE desktop app
Wire up AI infrastructure with unified pkg/ai package (metrics JSONL,
RAG integration), move RAG under `core ai rag`, add `core ai metrics`
command, and enrich task context with Qdrant documentation.
Add `--target` flag to all security commands for external repo scanning,
`core security jobs` for distributing findings as GitHub Issues, and
consistent error logging across scan/deps/alerts/secrets commands.
Add Core IDE Wails v3 desktop app with Angular 20 frontend, MCP bridge
(loopback-only HTTP server), WebSocket hub, and Claude Code bridge.
Production-ready with Lethean CIC branding, macOS code signing support,
and security hardening (origin validation, body size limits, URL scheme
checks, memory leak prevention, XSS mitigation).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: address PR review comments from CodeRabbit, Copilot, and Gemini
Fixes across 25 files addressing 46+ review comments:
- pkg/ai/metrics.go: handle error from Close() on writable file handle
- pkg/ansible: restore loop vars after loop, restore become settings,
fix Upload with become=true and no password (use sudo -n), honour
SSH timeout config, use E() helper for contextual errors, quote git
refs in checkout commands
- pkg/rag: validate chunk config, guard negative-to-uint64 conversion,
use E() helper for errors, add context timeout to Ollama HTTP calls
- pkg/deploy/python: fix exec.ExitError type assertion (was os.PathError),
handle os.UserHomeDir() error
- pkg/build/buildcmd: use cmd.Context() instead of context.Background()
for proper Ctrl+C cancellation
- install.bat: add curl timeouts, CRLF line endings, use --connect-timeout
for archive downloads
- install.sh: use absolute path for version check in CI mode
- tools/rag: fix broken ingest.py function def, escape HTML in query.py,
pin qdrant-client version, add markdown code block languages
- internal/cmd/rag: add chunk size validation, env override handling
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(build): make release dry-run by default and remove darwin/amd64 target
Replace --dry-run (default false) with --we-are-go-for-launch (default
false) so `core build release` is safe by default. Remove darwin/amd64
from default build targets (arm64 only for macOS). Fix cmd_project.go
to use command context instead of context.Background().
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
340 lines
9 KiB
Go
340 lines
9 KiB
Go
package security
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
|
|
"github.com/host-uk/core/pkg/cli"
|
|
"github.com/host-uk/core/pkg/i18n"
|
|
)
|
|
|
|
func addAlertsCommand(parent *cli.Command) {
|
|
cmd := &cli.Command{
|
|
Use: "alerts",
|
|
Short: i18n.T("cmd.security.alerts.short"),
|
|
Long: i18n.T("cmd.security.alerts.long"),
|
|
RunE: func(c *cli.Command, args []string) error {
|
|
return runAlerts()
|
|
},
|
|
}
|
|
|
|
cmd.Flags().StringVar(&securityRegistryPath, "registry", "", i18n.T("common.flag.registry"))
|
|
cmd.Flags().StringVar(&securityRepo, "repo", "", i18n.T("cmd.security.flag.repo"))
|
|
cmd.Flags().StringVar(&securitySeverity, "severity", "", i18n.T("cmd.security.flag.severity"))
|
|
cmd.Flags().BoolVar(&securityJSON, "json", false, i18n.T("common.flag.json"))
|
|
cmd.Flags().StringVar(&securityTarget, "target", "", i18n.T("cmd.security.flag.target"))
|
|
|
|
parent.AddCommand(cmd)
|
|
}
|
|
|
|
// AlertOutput represents a unified alert for output.
|
|
type AlertOutput struct {
|
|
Repo string `json:"repo"`
|
|
Severity string `json:"severity"`
|
|
ID string `json:"id"`
|
|
Package string `json:"package,omitempty"`
|
|
Version string `json:"version,omitempty"`
|
|
Location string `json:"location,omitempty"`
|
|
Type string `json:"type"`
|
|
Message string `json:"message"`
|
|
}
|
|
|
|
func runAlerts() error {
|
|
if err := checkGH(); err != nil {
|
|
return err
|
|
}
|
|
|
|
// External target mode: bypass registry entirely
|
|
if securityTarget != "" {
|
|
return runAlertsForTarget(securityTarget)
|
|
}
|
|
|
|
reg, err := loadRegistry(securityRegistryPath)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
repoList := getReposToCheck(reg, securityRepo)
|
|
if len(repoList) == 0 {
|
|
return cli.Err("repo not found: %s", securityRepo)
|
|
}
|
|
|
|
var allAlerts []AlertOutput
|
|
summary := &AlertSummary{}
|
|
|
|
for _, repo := range repoList {
|
|
repoFullName := fmt.Sprintf("%s/%s", reg.Org, repo.Name)
|
|
|
|
// Fetch Dependabot alerts
|
|
depAlerts, err := fetchDependabotAlerts(repoFullName)
|
|
if err == nil {
|
|
for _, alert := range depAlerts {
|
|
if alert.State != "open" {
|
|
continue
|
|
}
|
|
severity := alert.Advisory.Severity
|
|
if !filterBySeverity(severity, securitySeverity) {
|
|
continue
|
|
}
|
|
summary.Add(severity)
|
|
allAlerts = append(allAlerts, AlertOutput{
|
|
Repo: repo.Name,
|
|
Severity: severity,
|
|
ID: alert.Advisory.CVEID,
|
|
Package: alert.Dependency.Package.Name,
|
|
Version: alert.SecurityVulnerability.VulnerableVersionRange,
|
|
Type: "dependabot",
|
|
Message: alert.Advisory.Summary,
|
|
})
|
|
}
|
|
}
|
|
|
|
// Fetch code scanning alerts
|
|
codeAlerts, err := fetchCodeScanningAlerts(repoFullName)
|
|
if err == nil {
|
|
for _, alert := range codeAlerts {
|
|
if alert.State != "open" {
|
|
continue
|
|
}
|
|
severity := alert.Rule.Severity
|
|
if !filterBySeverity(severity, securitySeverity) {
|
|
continue
|
|
}
|
|
summary.Add(severity)
|
|
location := fmt.Sprintf("%s:%d", alert.MostRecentInstance.Location.Path, alert.MostRecentInstance.Location.StartLine)
|
|
allAlerts = append(allAlerts, AlertOutput{
|
|
Repo: repo.Name,
|
|
Severity: severity,
|
|
ID: alert.Rule.ID,
|
|
Location: location,
|
|
Type: alert.Tool.Name,
|
|
Message: alert.Rule.Description,
|
|
})
|
|
}
|
|
}
|
|
|
|
// Fetch secret scanning alerts
|
|
secretAlerts, err := fetchSecretScanningAlerts(repoFullName)
|
|
if err == nil {
|
|
for _, alert := range secretAlerts {
|
|
if alert.State != "open" {
|
|
continue
|
|
}
|
|
if !filterBySeverity("high", securitySeverity) {
|
|
continue
|
|
}
|
|
summary.Add("high") // Secrets are always high severity
|
|
allAlerts = append(allAlerts, AlertOutput{
|
|
Repo: repo.Name,
|
|
Severity: "high",
|
|
ID: fmt.Sprintf("secret-%d", alert.Number),
|
|
Type: "secret-scanning",
|
|
Message: alert.SecretType,
|
|
})
|
|
}
|
|
}
|
|
}
|
|
|
|
if securityJSON {
|
|
output, err := json.MarshalIndent(allAlerts, "", " ")
|
|
if err != nil {
|
|
return cli.Wrap(err, "marshal JSON output")
|
|
}
|
|
cli.Text(string(output))
|
|
return nil
|
|
}
|
|
|
|
// Print summary
|
|
cli.Blank()
|
|
cli.Print("%s %s\n", cli.DimStyle.Render("Alerts:"), summary.String())
|
|
cli.Blank()
|
|
|
|
if len(allAlerts) == 0 {
|
|
return nil
|
|
}
|
|
|
|
// Print table
|
|
for _, alert := range allAlerts {
|
|
sevStyle := severityStyle(alert.Severity)
|
|
|
|
// Format: repo SEVERITY ID package/location type
|
|
location := alert.Package
|
|
if location == "" {
|
|
location = alert.Location
|
|
}
|
|
if alert.Version != "" {
|
|
location = fmt.Sprintf("%s %s", location, cli.DimStyle.Render(alert.Version))
|
|
}
|
|
|
|
cli.Print("%-20s %s %-16s %-40s %s\n",
|
|
cli.ValueStyle.Render(alert.Repo),
|
|
sevStyle.Render(fmt.Sprintf("%-8s", alert.Severity)),
|
|
alert.ID,
|
|
location,
|
|
cli.DimStyle.Render(alert.Type),
|
|
)
|
|
}
|
|
cli.Blank()
|
|
|
|
return nil
|
|
}
|
|
|
|
// runAlertsForTarget runs unified alert checks against an external repo target.
|
|
func runAlertsForTarget(target string) error {
|
|
repo, fullName := buildTargetRepo(target)
|
|
if repo == nil {
|
|
return cli.Err("invalid target format: use owner/repo (e.g. wailsapp/wails)")
|
|
}
|
|
|
|
var allAlerts []AlertOutput
|
|
summary := &AlertSummary{}
|
|
|
|
// Fetch Dependabot alerts
|
|
depAlerts, err := fetchDependabotAlerts(fullName)
|
|
if err == nil {
|
|
for _, alert := range depAlerts {
|
|
if alert.State != "open" {
|
|
continue
|
|
}
|
|
severity := alert.Advisory.Severity
|
|
if !filterBySeverity(severity, securitySeverity) {
|
|
continue
|
|
}
|
|
summary.Add(severity)
|
|
allAlerts = append(allAlerts, AlertOutput{
|
|
Repo: repo.Name,
|
|
Severity: severity,
|
|
ID: alert.Advisory.CVEID,
|
|
Package: alert.Dependency.Package.Name,
|
|
Version: alert.SecurityVulnerability.VulnerableVersionRange,
|
|
Type: "dependabot",
|
|
Message: alert.Advisory.Summary,
|
|
})
|
|
}
|
|
}
|
|
|
|
// Fetch code scanning alerts
|
|
codeAlerts, err := fetchCodeScanningAlerts(fullName)
|
|
if err == nil {
|
|
for _, alert := range codeAlerts {
|
|
if alert.State != "open" {
|
|
continue
|
|
}
|
|
severity := alert.Rule.Severity
|
|
if !filterBySeverity(severity, securitySeverity) {
|
|
continue
|
|
}
|
|
summary.Add(severity)
|
|
location := fmt.Sprintf("%s:%d", alert.MostRecentInstance.Location.Path, alert.MostRecentInstance.Location.StartLine)
|
|
allAlerts = append(allAlerts, AlertOutput{
|
|
Repo: repo.Name,
|
|
Severity: severity,
|
|
ID: alert.Rule.ID,
|
|
Location: location,
|
|
Type: alert.Tool.Name,
|
|
Message: alert.Rule.Description,
|
|
})
|
|
}
|
|
}
|
|
|
|
// Fetch secret scanning alerts
|
|
secretAlerts, err := fetchSecretScanningAlerts(fullName)
|
|
if err == nil {
|
|
for _, alert := range secretAlerts {
|
|
if alert.State != "open" {
|
|
continue
|
|
}
|
|
if !filterBySeverity("high", securitySeverity) {
|
|
continue
|
|
}
|
|
summary.Add("high")
|
|
allAlerts = append(allAlerts, AlertOutput{
|
|
Repo: repo.Name,
|
|
Severity: "high",
|
|
ID: fmt.Sprintf("secret-%d", alert.Number),
|
|
Type: "secret-scanning",
|
|
Message: alert.SecretType,
|
|
})
|
|
}
|
|
}
|
|
|
|
if securityJSON {
|
|
output, err := json.MarshalIndent(allAlerts, "", " ")
|
|
if err != nil {
|
|
return cli.Wrap(err, "marshal JSON output")
|
|
}
|
|
cli.Text(string(output))
|
|
return nil
|
|
}
|
|
|
|
cli.Blank()
|
|
cli.Print("%s %s\n", cli.DimStyle.Render("Alerts ("+fullName+"):"), summary.String())
|
|
cli.Blank()
|
|
|
|
if len(allAlerts) == 0 {
|
|
return nil
|
|
}
|
|
|
|
for _, alert := range allAlerts {
|
|
sevStyle := severityStyle(alert.Severity)
|
|
location := alert.Package
|
|
if location == "" {
|
|
location = alert.Location
|
|
}
|
|
if alert.Version != "" {
|
|
location = fmt.Sprintf("%s %s", location, cli.DimStyle.Render(alert.Version))
|
|
}
|
|
cli.Print("%-20s %s %-16s %-40s %s\n",
|
|
cli.ValueStyle.Render(alert.Repo),
|
|
sevStyle.Render(fmt.Sprintf("%-8s", alert.Severity)),
|
|
alert.ID,
|
|
location,
|
|
cli.DimStyle.Render(alert.Type),
|
|
)
|
|
}
|
|
cli.Blank()
|
|
|
|
return nil
|
|
}
|
|
|
|
func fetchDependabotAlerts(repoFullName string) ([]DependabotAlert, error) {
|
|
endpoint := fmt.Sprintf("repos/%s/dependabot/alerts?state=open", repoFullName)
|
|
output, err := runGHAPI(endpoint)
|
|
if err != nil {
|
|
return nil, cli.Wrap(err, fmt.Sprintf("fetch dependabot alerts for %s", repoFullName))
|
|
}
|
|
|
|
var alerts []DependabotAlert
|
|
if err := json.Unmarshal(output, &alerts); err != nil {
|
|
return nil, cli.Wrap(err, fmt.Sprintf("parse dependabot alerts for %s", repoFullName))
|
|
}
|
|
return alerts, nil
|
|
}
|
|
|
|
func fetchCodeScanningAlerts(repoFullName string) ([]CodeScanningAlert, error) {
|
|
endpoint := fmt.Sprintf("repos/%s/code-scanning/alerts?state=open", repoFullName)
|
|
output, err := runGHAPI(endpoint)
|
|
if err != nil {
|
|
return nil, cli.Wrap(err, fmt.Sprintf("fetch code-scanning alerts for %s", repoFullName))
|
|
}
|
|
|
|
var alerts []CodeScanningAlert
|
|
if err := json.Unmarshal(output, &alerts); err != nil {
|
|
return nil, cli.Wrap(err, fmt.Sprintf("parse code-scanning alerts for %s", repoFullName))
|
|
}
|
|
return alerts, nil
|
|
}
|
|
|
|
func fetchSecretScanningAlerts(repoFullName string) ([]SecretScanningAlert, error) {
|
|
endpoint := fmt.Sprintf("repos/%s/secret-scanning/alerts?state=open", repoFullName)
|
|
output, err := runGHAPI(endpoint)
|
|
if err != nil {
|
|
return nil, cli.Wrap(err, fmt.Sprintf("fetch secret-scanning alerts for %s", repoFullName))
|
|
}
|
|
|
|
var alerts []SecretScanningAlert
|
|
if err := json.Unmarshal(output, &alerts); err != nil {
|
|
return nil, cli.Wrap(err, fmt.Sprintf("parse secret-scanning alerts for %s", repoFullName))
|
|
}
|
|
return alerts, nil
|
|
}
|