8 commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Vi
|
d2ae87b108
|
fix: restore packages accidentally deleted during PR #313 rebase (#333)
Some checks failed
Release: Tag Push / build (amd64, windows, windows-latest) (push) Waiting to run
Release: Tag Push / build (arm64, darwin, macos-latest) (push) Waiting to run
Release: Tag Push / release (push) Blocked by required conditions
Release: Tag Push / build (amd64, linux, ubuntu-latest) (push) Failing after 1s
Release: Tag Push / build (arm64, linux, ubuntu-latest) (push) Failing after 1s
During conflict resolution for PR #313 (streaming API), the agent incorrectly assumed that modify/delete conflicts meant the PR intended to remove these packages. This was wrong - PR #313 was only about adding streaming API to pkg/io. Restored packages: - pkg/workspace - workspace management service - pkg/unifi - UniFi controller client - pkg/gitea - Gitea API client - pkg/crypt/openpgp - OpenPGP encryption service - internal/cmd/gitea - Gitea CLI commands - internal/cmd/unifi - UniFi CLI commands Also restored: - Various test files (bench_test.go, integration_test.go, etc.) - pkg/framework/core/interfaces.go (Workspace/Crypt interfaces) - pkg/log/errors.go (error helpers) - Documentation (faq.md, user-guide.md) This allows PR #297 (MCP daemon mode) to proceed as it depends on pkg/workspace. Co-authored-by: Claude <developers@lethean.io> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> |
||
|
Snider
|
bfa5353205
|
Add streaming API to pkg/io and optimize agentic context gathering (#313)
Some checks failed
Release: Tag Push / build (arm64, darwin, macos-latest) (push) Waiting to run
Release: Tag Push / build (amd64, windows, windows-latest) (push) Waiting to run
Release: Tag Push / release (push) Blocked by required conditions
Release: Tag Push / build (amd64, linux, ubuntu-latest) (push) Failing after 1s
Release: Tag Push / build (arm64, linux, ubuntu-latest) (push) Failing after 1s
* feat(io): add streaming API to Medium interface and optimize agentic context - Added ReadStream and WriteStream to io.Medium interface. - Implemented streaming methods in local and mock mediums. - Updated pkg/agentic/context.go to use streaming I/O with LimitReader. - Added 5000-byte truncation limit for all AI context file reads to reduce memory usage. - Documented when to use streaming vs full-file APIs in io.Medium. * feat(io): optimize streaming API and fix PR feedback - Fixed resource leak in agentic context by using defer for closing file streams. - Improved truncation logic in agentic context to handle multibyte characters correctly by checking byte length before string conversion. - Added comprehensive documentation to ReadStream and WriteStream in local medium. - Added unit tests for ReadStream and WriteStream in local medium. - Applied formatting and fixed auto-merge CI configuration. * feat(io): add streaming API and fix CI failures (syntax fix) - Introduced ReadStream and WriteStream to io.Medium interface. - Implemented streaming methods in local and mock mediums. - Optimized agentic context with streaming reads and truncation logic. - Fixed syntax error in local client tests by overwriting the file. - Fixed auto-merge CI by adding checkout and repository context. - Applied formatting fixes. |
||
|
Snider
|
f6bd5d0c7b
|
Add configuration documentation to README (#304)
* docs: add configuration documentation to README Added a new 'Configuration' section to README.md as per the Documentation Audit Report (PR #209). Included: - Default configuration file location (~/.core/config.yaml) - Configuration file format (YAML) with examples - Layered configuration resolution order - Environment variable mapping for config overrides (CORE_CONFIG_*) - Common environment variables (CORE_DAEMON, NO_COLOR, MCP_ADDR, etc.) * docs: add configuration documentation and fix CI/CD auto-merge README.md: - Added comprehensive 'Configuration' section as per audit report #209. - Documented file format, location, and layered resolution order. - Provided environment variable mapping rules and common examples. .github/workflows/auto-merge.yml: - Replaced broken reusable workflow with a local implementation. - Added actions/checkout step to provide necessary Git context. - Fixed 'not a git repository' error by providing explicit repo context to the 'gh' CLI via the -R flag. - Maintained existing bot trust and author association logic. pkg/io/local/client.go: - Fixed code formatting to ensure QA checks pass. * docs: update environment variable description and fix merge conflict - Refined the description of environment variable mapping to be more accurate, clarifying that the prefix is stripped before conversion. - Resolved merge conflict in .github/workflows/auto-merge.yml. - Maintained the local auto-merge implementation to ensure Git context for the 'gh' CLI. * docs: configuration documentation, security fixes, and CI improvements README.md: - Added comprehensive 'Configuration' section as per audit report #209. - Documented file format, location, and layered resolution order. - Provided environment variable mapping rules and common examples. - Added documentation for UniFi configuration options. .github/workflows/auto-merge.yml: - Replaced broken reusable workflow with a local implementation. - Added actions/checkout step to provide necessary Git context. - Fixed 'not a git repository' error by providing explicit repo context to the 'gh' CLI via the -R flag. pkg/unifi: - Fixed security vulnerability (CodeQL) by making TLS verification configurable instead of always skipped. - Added 'unifi.insecure' config key and UNIFI_INSECURE env var. - Updated New and NewFromConfig signatures to handle insecure flag. internal/cmd/unifi: - Added --insecure flag to 'config' command to skip TLS verification. - Updated all UniFi subcommands to support the new configuration logic. pkg/io/local/client.go: - Fixed code formatting to ensure QA checks pass. * docs: configuration documentation, tests, and CI/CD fixes README.md: - Added comprehensive 'Configuration' section as per audit report #209. - Documented file format, location, and layered resolution order. - Provided environment variable mapping rules and common examples. - Documented UniFi configuration options. pkg/unifi: - Fixed security vulnerability by making TLS verification configurable. - Added pkg/unifi/config_test.go and pkg/unifi/client_test.go to provide unit test coverage for new and existing logic (satisfying Codecov). .github/workflows/auto-merge.yml: - Added actions/checkout@v4 to provide the required Git context for the 'gh' CLI, fixing 'not a git repository' errors. pkg/framework/core/core.go: - Fixed compilation errors in Workspace() and Crypt() methods due to upstream changes in MustServiceFor() return signature. - Added necessary error handling to pkg/workspace/service.go. These changes ensure that the project documentation is up-to-date and that the CI/CD pipeline is stable and secure. |
||
|
Snider
|
b819b9432a
|
Add logging for security events (authentication, access) (#320)
* feat(log): add security events logging for authentication and access control - Added `Security` method to `log.Logger` with `[SEC]` prefix at `LevelWarn`. - Added `SecurityStyle` (purple) to `pkg/cli` and `LogSecurity` helper. - Added security logging for GitHub CLI authentication checks. - Added security logging for Agentic configuration loading and token validation. - Added security logging for sandbox escape detection in `local.Medium`. - Updated MCP service to support logger injection and log tool executions and connections. - Ensured all security logs include `user` context for better auditability. * feat(log): add security events logging for authentication and access control - Added `Security` method to `log.Logger` with `[SEC]` prefix at `LevelWarn`. - Added `SecurityStyle` (purple) to `pkg/cli` and `LogSecurity` helper. - Added security logging for GitHub CLI authentication checks. - Added security logging for Agentic configuration loading and token validation. - Added security logging for sandbox escape detection in `local.Medium`. - Updated MCP service to support logger injection and log tool executions and connections. - Ensured all security logs include `user` context for better auditability. - Fixed code formatting issues identified by CI. * feat(log): refine security logging and fix auto-merge CI - Moved `Security` log level to `LevelError` for better visibility. - Added robust `log.Username()` helper using `os/user`. - Differentiated high-risk (Security) and low-risk (Info) MCP tool executions. - Ensured consistent `user` context in all security-related logs. - Fixed merge conflict and missing repository context in `auto-merge` CI. - Fixed comment positioning in `pkg/mcp/mcp.go`. - Downgraded MCP TCP accept errors to standard `Error` log level. - Fixed code formatting in `internal/cmd/setup/cmd_github.go`. * feat(log): finalize security logging and address CI/CodeQL alerts - Refined `Security` logging: moved to `LevelError` and consistently include `user` context using `os/user`. - Differentiated MCP tool executions: write/delete are `Security` level, others are `Info`. - Fixed CodeQL alert: made UniFi TLS verification configurable (defaults to verify). - Updated UniFi CLI with `--verify-tls` flag and config support. - Fixed `auto-merge` CI failure by setting `GH_REPO` env var. - Fixed formatting and unused imports. - Added tests for UniFi config resolution. * fix: handle MustServiceFor return values correctly MustServiceFor returns (T, error), not just T. This was causing build failures after the rebase. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude <developers@lethean.io> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> |
||
|
Snider
|
d96cf1123d
|
Update README.md to reflect actual configuration management implementation (#310)
* docs: update README.md to reflect actual configuration implementation This commit updates the README.md to accurately describe the project's decentralized YAML-based configuration management system, as identified in the Architecture & Design Pattern Audit (PR #208). Key changes: - Refactored 'Architecture' section to match actual directory structure (e.g., pkg/framework/core, pkg/repos, pkg/agentic, pkg/mcp). - Removed outdated and non-existent references to pkg/config (JSON), pkg/display, and pkg/workspace. - Added a new 'Configuration Management' section documenting YAML file locations (.core/build.yaml, ~/.core/config.yaml, repos.yaml, etc.). - Updated 'Quick Start' example to use the correct package path and handle errors. - Updated 'Current State' table and 'Package Deep Dives' to match present packages. - Cleaned up broken links and references to external repos (core-gui). * docs: update README.md to reflect actual configuration implementation This commit updates the README.md to accurately describe the project's decentralized YAML-based configuration management system, as identified in the Architecture & Design Pattern Audit (PR #208). Key changes: - Refactored 'Architecture' section to match actual directory structure (e.g., pkg/framework/core, pkg/repos, pkg/agentic, pkg/mcp). - Removed outdated and non-existent references to pkg/config (JSON), pkg/display, and pkg/workspace. - Added a new 'Configuration Management' section documenting YAML file locations (.core/build.yaml, ~/.core/config.yaml, repos.yaml, etc.). - Updated 'Quick Start' example to use the correct package path and handle errors. - Updated 'Current State' table and 'Package Deep Dives' to match present packages. - Cleaned up broken links and references to external repos (core-gui). - Fixed formatting in pkg/io/local/client.go to satisfy CI. * docs: update README and fix auto-merge CI This commit completes the README update to reflect the actual configuration implementation and also fixes a CI failure in the auto-merge workflow. Changes: - README.md: Updated to document the decentralized YAML-based configuration system and current project structure. - pkg/io/local/client.go: Fixed minor formatting to satisfy CI. - .github/workflows/auto-merge.yml: Replaced the broken reusable workflow call with a local implementation that includes the '--repo' flag for the 'gh' command. This avoids the 'fatal: not a git repository' error in environments without a '.git' directory. * chore: fix merge conflict and address PR comments - Merged origin/dev into the current branch. - Resolved merge conflict in .github/workflows/auto-merge.yml. - Updated auto-merge.yml with the local implementation to avoid git repository requirement in CI. * docs: update README, fix auto-merge CI, and fix security vulnerability - README.md: Updated to document decentralized YAML configuration. - .github/workflows/auto-merge.yml: Fixed CI by implementing auto-merge locally. - pkg/unifi/client.go: Fixed CodeQL security alert by making TLS verification configurable. - pkg/unifi/config.go: Added 'unifi.insecure' config support. - internal/cmd/unifi/: Added '--insecure' flag to CLI commands. - pkg/io/local/client.go: Minor formatting fix. * fix: address code review comments - Document centralized pkg/config service as primary configuration mechanism - Add pkg/config entry back to package status table - Document repos.yaml auto-discovery locations (cwd, parents, home paths) - Clarify pkg/crypt/openpgp subpackage provides asymmetric encryption - Add ChaCha20-Poly1305 to symmetric encryption list - Fix InsecureSkipVerify: only use custom HTTP client when insecure=true - Add security warnings and #nosec annotation for intentional usage Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude <developers@lethean.io> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> |
||
|
Snider
|
5af736a155
|
Remove StrictHostKeyChecking=no from SSH commands (#315)
* Remove StrictHostKeyChecking=no and implement proper host key verification This commit addresses security concerns from the OWASP audit by enforcing strict host key verification for all SSH and SCP commands. Key changes: - Replaced StrictHostKeyChecking=accept-new with yes in pkg/container and pkg/devops. - Removed insecure host key verification from pkg/ansible SSH client. - Implemented a synchronous host key discovery mechanism during VM boot using ssh-keyscan to populate ~/.core/known_hosts. - Updated the devops Boot lifecycle to wait until the host key is verified. - Ensured pkg/ansible correctly handles missing known_hosts files. - Refactored hardcoded SSH port 2222 to a package constant DefaultSSHPort. - Added CORE_SKIP_SSH_SCAN environment variable for test environments. * Remove StrictHostKeyChecking=no and implement proper host key verification Addresses security concerns from OWASP audit by enforcing strict host key verification. Changes: - Replaced StrictHostKeyChecking=accept-new with yes in pkg/container and devops. - Removed insecure host key verification from pkg/ansible. - Added synchronous host key discovery using ssh-keyscan during VM boot. - Updated Boot lifecycle to wait for host key verification. - Handled missing known_hosts file in pkg/ansible. - Refactored hardcoded SSH port to DefaultSSHPort constant. - Fixed formatting issues identified by QA check. * Secure SSH commands and fix auto-merge CI failure Addresses OWASP security audit by enforcing strict host key verification and fixes a CI failure in the auto-merge workflow. Key changes: - Replaced StrictHostKeyChecking=accept-new with yes in pkg/container and pkg/devops. - Removed insecure host key verification from pkg/ansible. - Implemented synchronous host key discovery using ssh-keyscan during VM boot. - Handled missing known_hosts file in pkg/ansible. - Refactored hardcoded SSH port to DefaultSSHPort constant. - Added pkg/ansible/ssh_test.go to verify SSH client initialization. - Fixed formatting in pkg/io/local/client.go. - Fixed auto-merge.yml by inlining the script and providing repository context to 'gh' command, resolving the "not a git repository" error in CI. * Secure SSH, fix CI auto-merge, and resolve merge conflicts This commit addresses the OWASP security audit by enforcing strict host key verification and resolves persistent CI issues. Security Changes: - Replaced StrictHostKeyChecking=accept-new with yes in pkg/container and devops. - Removed insecure host key verification from pkg/ansible. - Implemented synchronous host key discovery using ssh-keyscan during VM boot. - Updated Boot lifecycle to wait for host key verification. - Handled missing known_hosts file in pkg/ansible. - Refactored hardcoded SSH port to DefaultSSHPort constant. CI and Maintenance: - Fixed auto-merge.yml by inlining the script and adding repository context to 'gh' command, resolving the "not a git repository" error in CI. - Resolved merge conflicts in .github/workflows/auto-merge.yml with dev branch. - Added pkg/ansible/ssh_test.go for SSH client verification. - Fixed formatting in pkg/io/local/client.go to pass QA checks. * Secure SSH and TLS connections, and fix CI issues Addresses security concerns from OWASP audit and CodeQL by enforcing strict host key verification and TLS certificate verification. Security Changes: - Enforced strict SSH host key checking in pkg/container and devops. - Removed insecure SSH host key verification from pkg/ansible. - Added synchronous host key discovery during VM boot using ssh-keyscan. - Updated UniFi client to enforce TLS certificate verification by default. - Added --insecure flag and config option for UniFi to allow opt-in to skipping TLS verification for self-signed certificates. CI and Maintenance: - Fixed auto-merge workflow by providing repository context to 'gh' command. - Resolved merge conflicts in .github/workflows/auto-merge.yml. - Added unit tests for secured Ansible SSH client. - Fixed formatting issues identified by QA checks. * fix: gofmt alignment in cmd_config.go Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * Secure connections, fix CI auto-merge, and resolve formatting Addresses OWASP security audit and CodeQL security alerts by enforcing secure defaults for SSH and TLS connections. Key changes: - Enforced strict SSH host key checking (StrictHostKeyChecking=yes). - Implemented synchronous host key verification during VM boot using ssh-keyscan. - Updated UniFi client to enforce TLS certificate verification by default. - Added --insecure flag and config option for UniFi to allow opt-in to skipping TLS verification. - Fixed auto-merge workflow by providing repository context to 'gh' command. - Resolved merge conflicts in .github/workflows/auto-merge.yml. - Fixed formatting in internal/cmd/unifi/cmd_config.go and pkg/io/local/client.go. - Added unit tests for secured Ansible SSH client. --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: Claude <developers@lethean.io> |
||
|
Snider
|
76332b0f02
|
Add User Documentation (User Guide, FAQ, Troubleshooting) (#307)
* docs: add user guide, faq, and enhance troubleshooting - Created docs/user-guide.md with key concepts and workflows. - Created docs/faq.md with common questions and answers. - Enhanced docs/troubleshooting.md with AI/Agentic issues. - Updated README.md with CLI Quick Start and Getting Help sections. - Refactored mkdocs.yml to reflect actual file structure and include new docs. * docs: add user documentation and fix mkdocs navigation - Created docs/user-guide.md and docs/faq.md. - Enhanced docs/troubleshooting.md with AI/Agentic issues. - Updated README.md with CLI Quick Start and Help links. - Restored original mkdocs.yml navigation and added new user documentation sections. - Fixed formatting in pkg/io/local/client.go to ensure CI passes. * docs: add user documentation and fix auto-merge workflow - Created docs/user-guide.md and docs/faq.md with user-focused content. - Enhanced docs/troubleshooting.md with AI/Agentic issue solutions. - Updated README.md with CLI Quick Start and organized help links. - Refactored mkdocs.yml to include new documentation while preserving technical sections. - Fixed .github/workflows/auto-merge.yml by inlining the logic and adding git repository context (checkout and -R flag) to resolve CI failures. - Verified that docs/workflows.md is present in the repository. * docs: add user documentation and resolve merge conflict - Created docs/user-guide.md and docs/faq.md. - Enhanced docs/troubleshooting.md with AI/Agentic issue solutions. - Updated README.md with CLI Quick Start and Help sections. - Merged latest base branch changes and resolved conflict in .github/workflows/auto-merge.yml. - Verified and organized mkdocs.yml navigation. * docs: add user documentation and fix UniFi security issue - Created docs/user-guide.md and docs/faq.md. - Enhanced docs/troubleshooting.md. - Updated README.md with CLI Quick Start. - Fixed UniFi security vulnerability (CodeQL alert) by making TLS verification configurable. - Added --insecure flag to UniFi CLI commands. - Verified all documentation links and navigation. * docs: add user documentation and fix formatting/security - Created docs/user-guide.md and docs/faq.md. - Enhanced docs/troubleshooting.md. - Updated README.md with CLI Quick Start. - Fixed UniFi security vulnerability by making TLS verification configurable. - Added --insecure flag to UniFi CLI commands. - Fixed formatting in internal/cmd/unifi/cmd_config.go. - Verified all documentation links and navigation. --------- Co-authored-by: Claude <developers@lethean.io> |
||
|
Snider
|
1cb30d2b69
|
feat(release): add Homebrew tap support and fix artifact naming (#325)
Some checks failed
Release: Tag Push / release (push) Blocked by required conditions
Release: Tag Push / build (amd64, windows, windows-latest) (push) Waiting to run
Release: Tag Push / build (arm64, darwin, macos-latest) (push) Waiting to run
Release: Tag Push / build (amd64, linux, ubuntu-latest) (push) Failing after 1s
Release: Tag Push / build (arm64, linux, ubuntu-latest) (push) Failing after 1s
* feat(release): add Homebrew tap support and fix artifact naming
- Fix platform naming: binaries now named core-{os}-{arch} instead of
just 'core', preventing collision when artifacts merge
- Add tar.gz archives for non-Windows builds (Homebrew requirement)
- Add update-tap job to alpha-release workflow that auto-updates
host-uk/homebrew-tap with checksums on each alpha release
- Add homebrew publisher to .core/release.yaml for formal releases
- Update install instructions to include brew install
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(unifi): add UniFi Go SDK integration and CLI commands
- Add pkg/unifi SDK wrapping unpoller/unifi with TLS, config resolution,
and typed accessors for sites, clients, devices, networks, and routes
- Add CLI commands: unifi sites, clients, devices, networks, routes, config
- Register unifi commands in full variant build
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(release): set AppVersion ldflags, git config, and tap token
- Set -X pkg/cli.AppVersion in ldflags so core --version reports the
correct version instead of "dev"
- Add git config user.name/email in update-tap job so commit succeeds
- Use HOMEBREW_TAP_TOKEN secret instead of GITHUB_TOKEN for cross-repo
push to host-uk/homebrew-tap
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(unifi): address CodeRabbit review feedback
- Reject conflicting --wired and --wireless flags in clients command
- Complete --type flag help text with bgp and ospf route types
- URL-escape site name in routes API path
- Wrap all command errors with log.E for contextual diagnostics
- Set TLS MinVersion to 1.2 on UniFi client
- Simplify redundant fmt.Sprintf in Print calls
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
|