feat(tok): add hawk tok command + production-readiness hardening #13
Merged
Expose the embedded tok library through the hawk CLI so token compression, estimation, and secret scanning work via `hawk tok` with no standalone tok binary — matching how every other ecosystem tool is surfaced (hawk yaad, hawk models, hawk inspect/sight/trace).

- compress: prose/prompt compression (--intensity lite/full/ultra) or token-budget pipeline (--budget), with optional --stats
- estimate: token count + per-model cost (--model)
- scan: detect secrets (non-zero exit for CI gating) or --redact
- input via --input <file>, trailing arg, or stdin; --format text|json

Wraps existing tok.* functions directly (no bridge package needed — hawk already imports tok in internal/engine/token). Makes the "provided via Hawk" references in tok's docs accurate.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

CI/CD, container, and release hardening for the hawk repo:
- ci.yml: pin govulncheck, drop --disable=noctx, raise coverage to 60%,
add fuzz job
- docker.yml: SHA-pin all docker actions, add QEMU + multi-arch build,
Trivy image scan
- release.yml: pin goreleaser version
- scorecard.yml: add OSSF Scorecard workflow
- .goreleaser.yml: add SBOM (spdx) generation
- Dockerfile: alpine:3.21, replace go.mod mutation with `go work init`
- cmd/{inspect,sight}.go: os.Exit -> return error (RunE)
- cmd/errors.go: document intentional os.Exit sites
- go.mod: go 1.26.3 -> 1.26.4
Pin external/* submodules to their current origin/main SHAs (all
published, fast-forwarded from stale local checkouts).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

The pinned SHAs for gosec / trivy-action / docker-* actions were invalid (not reachable refs), breaking CI. Repin to the exact commits behind their release tags (gosec v2.22.4, trivy v0.28.0, metadata v5.7.0, buildx v3.10.0, qemu v3.6.0).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

v0.28.0 pulled a yanked setup-trivy@v0.2.1, breaking the image scan. v0.36.0 pins a valid setup-trivy.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
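
The SHA-pinning described in the commit messages above can be linted offline before CI runs. This is an added example, not code from the hawk repository: a Go checker that flags `uses:` references not pinned to a full commit SHA. It checks form only (whether a SHA is a reachable ref still needs a lookup against the action's repository), and `CheckPins`, `Finding`, `Sample` and the `example-org` actions are hypothetical names.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

var usesRe = regexp.MustCompile(`^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)`) // ref after a `uses:` key
var shaRe = regexp.MustCompile(`^[0-9a-fA-F]{40}$`)                      // full commit SHA

// Finding is one `uses:` reference that is not pinned to an immutable ref.
type Finding struct {
	Line        int
	Ref, Reason string
}

// Sample is a constructed workflow fragment; action names and SHAs are placeholders.
const Sample = `steps:
  - uses: example-org/checkout@0123456789abcdef0123456789abcdef01234567 # v4
  - uses: example-org/scan-action@v0.28.0
  - uses: example-org/buildx@0123456789abcdef
  - uses: ./.github/actions/local
  - uses: docker://example/image:latest`

// CheckPins flags refs not pinned to a 40-hex commit SHA. Local actions (./path)
// are skipped; docker:// refs must carry an @sha256: digest instead.
func CheckPins(workflow string) (out []Finding) {
	sc := bufio.NewScanner(strings.NewReader(workflow))
	for n := 1; sc.Scan(); n++ {
		m := usesRe.FindStringSubmatch(sc.Text())
		if m == nil || strings.HasPrefix(m[1], "./") {
			continue
		}
		ref, at := m[1], strings.LastIndex(m[1], "@")
		docker := strings.HasPrefix(ref, "docker://")
		switch {
		case docker && !strings.Contains(ref, "@sha256:"):
			out = append(out, Finding{n, ref, "docker image without digest"})
		case !docker && (at < 0 || !shaRe.MatchString(ref[at+1:])):
			out = append(out, Finding{n, ref, "ref is not a 40-hex commit SHA"})
		}
	}
	return out
}
func main() {
	for _, f := range CheckPins(Sample) {
		fmt.Printf("line %d: %s: %s\n", f.Line, f.Ref, f.Reason)
	}
}
```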
Summary

Adds `hawk tok` so token compression/estimation/secret-scanning works through the hawk CLI (no standalone tok binary), plus production-readiness hardening.

Changes

- `hawk tok compress` (prose/prompt or `--budget` pipeline), `hawk tok estimate` (tokens + cost), `hawk tok scan` (detect/`--redact` secrets). Input via `--input`/arg/stdin, `--format text|json`. Wraps the embedded tok library directly.
- `--disable=noctx`, coverage 60%, add fuzz.
- `go work init`.
- `os.Exit` → return error. cmd/errors.go: document intentional `os.Exit` sites. go.mod: go 1.26.4.
- `main` SHAs.

Verification

build ✓ · vet ✓ · golangci-lint 0 issues ✓ · `go test ./cmd/...` green ✓ · `hawk tok` smoke-tested against upstream tok.

🤖 Generated with Claude Code