Merge branch 'main' into feature/log-config-source

Author: lelia

.claude/commands/bump-version.md

@@ -0,0 +1,35 @@
+Bump the project version. The bump type is: $ARGUMENTS (default to "patch" if empty or not one of: patch, minor, major).
+
+Follow these steps exactly:
+
+1. **Parse bump type**: Use "$ARGUMENTS". If blank or not one of `patch`, `minor`, `major`, default to `patch`.
+
+2. **Read current version**: Read `pyproject.toml` and extract the current version from the `version = "X.Y.Z"` line.
+
+3. **Compute new version**: Given current version `X.Y.Z`:
+   - `patch` → `X.Y.(Z+1)`
+   - `minor` → `X.(Y+1).0`
+   - `major` → `(X+1).0.0`
+
+4. **Update all version files**: Run the following Python command from the project root to invoke the existing hook logic, which updates `pyproject.toml`, `socket_basics/version.py`, and all doc files:
+   ```
+   python3 -c "import importlib.util; spec = importlib.util.spec_from_file_location('version_check', '.hooks/version-check.py'); mod = importlib.util.module_from_spec(spec); spec.loader.exec_module(mod); mod.inject_version('NEW_VERSION')"
+   ```
+   Replace `NEW_VERSION` with the computed version string.
+
+5. **Update `socket_basics/__init__.py`**: This file is NOT handled by the hook. Use the Edit tool to replace the old `__version__ = "OLD"` line with `__version__ = "NEW_VERSION"`.
+
+6. **Regenerate lock file**: Run `uv lock` to update `uv.lock` with the new version.
+
+7. **Verify**: Use grep to confirm no remaining references to the OLD version in these files:
+   - `pyproject.toml`
+   - `socket_basics/version.py`
+   - `socket_basics/__init__.py`
+   - `uv.lock`
+   - `README.md`
+   - `docs/github-action.md`
+   - `docs/pre-commit-hook.md`
+
+8. **Report**: Summarize what version was bumped (OLD → NEW) and list all files that were modified.
+
+Do NOT commit the changes. Just make the edits and report.

.github/CODEOWNERS

@@ -1 +1 @@
-* @SocketDev/eng
+* @SocketDev/customer-engineering

.github/workflows/python-tests.yml

@@ -0,0 +1,50 @@
+name: python-tests
+
+env:
+  PYTHON_VERSION: "3.12"
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "socket_basics/**/*.py"
+      - "tests/**/*.py"
+      - "pyproject.toml"
+      - "uv.lock"
+      - ".github/workflows/python-tests.yml"
+  pull_request:
+    paths:
+      - "socket_basics/**/*.py"
+      - "tests/**/*.py"
+      - "pyproject.toml"
+      - "uv.lock"
+      - ".github/workflows/python-tests.yml"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: python-tests-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  python-tests:
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 1
+          persist-credentials: false
+      - name: 🐍 setup python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+          cache: "pip"
+      - name: 🛠️ install deps
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+      - name: 🧪 run tests
+        run: pytest -q tests/

.github/workflows/smoke-test.yml

@@ -0,0 +1,36 @@
+name: smoke-test
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'Dockerfile'
+      - 'scripts/smoke-test-docker.sh'
+      - '.github/workflows/smoke-test.yml'
+  pull_request:
+    paths:
+      - 'Dockerfile'
+      - 'scripts/smoke-test-docker.sh'
+      - '.github/workflows/smoke-test.yml'
+  schedule:
+    - cron: '0 */12 * * *' # every 12 hours
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: smoke-test-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  smoke-test:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    env:
+      DOCKER_BUILDKIT: "1"
+      SMOKE_TEST_BUILD_PROGRESS: plain
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: 🐳 smoke test
+        run: bash ./scripts/smoke-test-docker.sh --image-tag socket-basics:smoke-test

.gitignore

@@ -1,106 +1,105 @@
-
-.idea
-venv
-.venv
-build
-dist
-*.build
-*.dist
-*.egg-info
-test
-*.env
-run_container.sh
-*.zip
-bin
-scripts/*.py
-*.json
-markdown_overview_temp.md
-markdown_security_temp.md
+# OS files
 .DS_Store
-*.pyc
-test.py
 
-# Note: requirements.txt is no longer needed - using pyproject.toml + uv.lock instead
-# Version files are auto-managed by .hooks/version-check.py
-*.cpython-312.pyc
-file_generator.py
-.env
-*.md
-test_results
-local_tests/
-custom_rules/
+# IDEs and editors
+.idea/
+.vscode/
+*.sublime-workspace
+*.sublime-project
+*.swp
+*~
 
-# Common Python ignores
+# Python
 __pycache__/
 *.py[cod]
 *$py.class
+.python-version
+
+# Virtual environments
+venv/
+.venv/
+env/
+ENV/
+env.bak/
+venv.bak/
+
+# Build and distribution
+build/
+dist/
+*.build
+*.dist
+*.egg-info
+.eggs/
+*.egg
+
+# Testing and coverage
 .pytest_cache/
 .mypy_cache/
 .coverage
 .coverage.*
 htmlcov/
+coverage/
+coverage.xml
+nosetests.xml
+test-results/
+test_results/
+
+# pip
 pip-wheel-metadata/
 pip-log.txt
 pip-delete-this-directory.txt
 
-# Virtual environments
-env/
-ENV/
-env.bak/
-venv.bak/
-
-# IDEs and editors
-.vscode/
-.idea/
-*.sublime-workspace
-*.sublime-project
-*.swp
-*~
-
 # Node
 node_modules/
 npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
 .pnp/
 
-# Build and distribution
-.eggs/
-*.egg
-dist/
-build/
-
-# Coverage and test output
-coverage/
-coverage.xml
-nosetests.xml
-test-results/
+# Jupyter
+.ipynb_checkpoints/
 
 # Logs and runtime files
-logs/
-
+*.log
 *.pid
 *.sock
+logs/
 
-# OS files
-.DS_Store
+# Temporary files
+*.tmp
+*.temp
+*.zip
 
 # Binary and compiled
 *.exe
 *.dll
 *.so
 *.dylib
 
-# Jupyter
-.ipynb_checkpoints/
-
-# Local temporary files
-*.tmp
-*.temp
-# Ignore output logs and generated src files
-*.log
+# Environment and secrets
+*.env
 
-.python-version
+# Data files (generated)
+*.json
 .socket.fact.json
 
-custom_rules/
+# Markdown: ignore all except documentation
+*.md
+!README.md
+!docs/*.md
+!tests/README.md
+
+# Project-specific (local scripts and test files)
+test/
+test.py
+run_container.sh
+bin/
+scripts/*.py
+!scripts/enrich_rules.py
+!scripts/rewrite_messages.py
+!scripts/update_cwe_catalog.py
+!scripts/verify_jira_dashboard_config.py
+!scripts/preview_pr_comments.py
+file_generator.py
+local_tests/
+custom_rules/

Dockerfile

@@ -19,13 +19,16 @@ RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - && \
 RUN npm install -g socket
 
 # Install Trivy
-RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.67.2
+ARG TRIVY_VERSION=v0.69.2
+RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin "${TRIVY_VERSION}"
 
 # Install Trufflehog
-RUN curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
+ARG TRUFFLEHOG_VERSION=v3.93.6
+RUN curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin "${TRUFFLEHOG_VERSION}"
 
 # Install OpenGrep (connector/runtime dependency)
-RUN curl -fsSL https://raw.githubusercontent.com/opengrep/opengrep/main/install.sh | bash
+ARG OPENGREP_VERSION=v1.16.2
+RUN curl -fsSL https://raw.githubusercontent.com/opengrep/opengrep/main/install.sh | bash -s -- -v "${OPENGREP_VERSION}"
 
 # Copy the specific files needed for the project
 COPY socket_basics /socket-basics/socket_basics