Skip to content

Commit 0354f5c

Browse files
authored
Merge pull request #917 from Wikid82/nightly
Weekly: Promote nightly to main (2026-04-06)
2 parents c70c873 + 241c0d1 commit 0354f5c

174 files changed

Lines changed: 7792 additions & 2535 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.docker/docker-entrypoint.sh

Lines changed: 10 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -310,23 +310,23 @@ ACQUIS_EOF
310310
echo "✗ WARNING: LAPI port configuration may be incorrect"
311311
fi
312312

313-
# Update hub index to ensure CrowdSec can start
314-
if [ ! -f "/etc/crowdsec/hub/.index.json" ]; then
315-
echo "Updating CrowdSec hub index..."
316-
timeout 60s cscli hub update 2>/dev/null || echo "⚠️ Hub update timed out or failed, continuing..."
313+
# Always refresh hub index on startup (stale index causes hash mismatch errors on collection install)
314+
echo "Updating CrowdSec hub index..."
315+
if ! timeout 60s cscli hub update 2>&1; then
316+
echo "⚠️ Hub index update failed (network issue?). Collections may fail to install."
317+
echo " CrowdSec will still start with whatever index is cached."
317318
fi
318319

319320
# Ensure local machine is registered (auto-heal for volume/config mismatch)
320321
# We force registration because we just restored configuration (and likely credentials)
321322
echo "Registering local machine..."
322323
cscli machines add -a --force 2>/dev/null || echo "Warning: Machine registration may have failed"
323324

324-
# Install hub items (parsers, scenarios, collections) if local mode enabled
325-
if [ "$SECURITY_CROWDSEC_MODE" = "local" ]; then
326-
echo "Installing CrowdSec hub items..."
327-
if [ -x /usr/local/bin/install_hub_items.sh ]; then
328-
/usr/local/bin/install_hub_items.sh 2>/dev/null || echo "Warning: Some hub items may not have installed"
329-
fi
325+
# Always ensure required collections are present (idempotent — already-installed items are skipped).
326+
# Collections are just config files with zero runtime cost when CrowdSec is disabled.
327+
echo "Ensuring CrowdSec hub items are installed..."
328+
if [ -x /usr/local/bin/install_hub_items.sh ]; then
329+
/usr/local/bin/install_hub_items.sh || echo "⚠️ Some hub items may not have installed. CrowdSec can still start."
330330
fi
331331

332332
# Fix ownership AFTER cscli commands (they run as root and create root-owned files)

.github/agents/Management.agent.md

Lines changed: 11 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -167,23 +167,27 @@ The task is not complete until ALL of the following pass with zero issues:
167167
- **Base URL**: Uses `PLAYWRIGHT_BASE_URL` or default from `playwright.config.js`
168168
- All E2E tests must pass before proceeding to unit tests
169169
170-
2. **Local Patch Coverage Preflight (MANDATORY - Before Unit/Coverage Tests)**:
171-
- Ensure the local patch report is run first via VS Code task `Test: Local Patch Report` or `bash scripts/local-patch-report.sh`.
172-
- Verify both artifacts exist: `test-results/local-patch-report.md` and `test-results/local-patch-report.json`.
173-
- Use this report to identify changed files needing coverage before running backend/frontend coverage suites.
174-
175-
3. **Coverage Tests (MANDATORY - Verify Explicitly)**:
170+
2. **Coverage Tests (MANDATORY - Verify Explicitly)**:
176171
- **Backend**: Ensure `Backend_Dev` ran VS Code task "Test: Backend with Coverage" or `scripts/go-test-coverage.sh`
177172
- **Frontend**: Ensure `Frontend_Dev` ran VS Code task "Test: Frontend with Coverage" or `scripts/frontend-test-coverage.sh`
178173
- **Why**: These are in manual stage of pre-commit for performance. Subagents MUST run them via VS Code tasks or scripts.
179174
- Minimum coverage: 85% for both backend and frontend.
180175
- All tests must pass with zero failures.
176+
- **Outputs**: `backend/coverage.txt` and `frontend/coverage/lcov.info` — these are required inputs for step 3.
177+
178+
3. **Local Patch Coverage Report (MANDATORY - After Coverage Tests)**:
179+
- **Purpose**: Identify uncovered lines in files modified by this task so missing tests are written before declaring Done. This is the bridge between "overall coverage is fine" and "the actual lines I changed are tested."
180+
- **Prerequisites**: `backend/coverage.txt` and `frontend/coverage/lcov.info` must exist (generated by step 2). If missing, run coverage tests first.
181+
- **Run**: VS Code task `Test: Local Patch Report` or `bash scripts/local-patch-report.sh`.
182+
- **Verify artifacts**: Both `test-results/local-patch-report.md` and `test-results/local-patch-report.json` must exist with non-empty results.
183+
- **Act on findings**: If patch coverage for any changed file is below **90%**, delegate to the responsible agent (`Backend_Dev` or `Frontend_Dev`) to add targeted tests covering the uncovered lines. Re-run coverage (step 2) and this report until the threshold is met.
184+
- **Blocking gate**: 90% overall patch coverage. Do not proceed to pre-commit or security scans until resolved or explicitly waived by the user.
181185
182186
4. **Type Safety (Frontend)**:
183187
- Ensure `Frontend_Dev` ran VS Code task "Lint: TypeScript Check" or `npm run type-check`
184188
- **Why**: This check is in manual stage of pre-commit for performance. Subagents MUST run it explicitly.
185189
186-
5. **Pre-commit Hooks**: Ensure `QA_Security` ran `pre-commit run --all-files` (fast hooks only; coverage was verified in step 3)
190+
5. **Pre-commit Hooks**: Ensure `QA_Security` ran `pre-commit run --all-files` (fast hooks only; coverage was verified in step 2)
187191
188192
6. **Security Scans**: Ensure `QA_Security` ran the following with zero Critical or High severity issues:
189193
- **Trivy Filesystem Scan**: Fast scan of source code and dependencies

.github/instructions/testing.instructions.md

Lines changed: 17 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -12,9 +12,19 @@ instruction files take precedence over agent files and operator documentation.
1212

1313
**MANDATORY**: Before running unit tests, verify the application UI/UX functions correctly end-to-end.
1414

15-
## 0.5 Local Patch Coverage Preflight (Before Unit Tests)
15+
## 0.5 Local Patch Coverage Report (After Coverage Tests)
1616

17-
**MANDATORY**: After E2E and before backend/frontend unit coverage runs, generate a local patch report so uncovered changed lines are visible early.
17+
**MANDATORY**: After running backend and frontend coverage tests (which generate
18+
`backend/coverage.txt` and `frontend/coverage/lcov.info`), run the local patch
19+
report to identify uncovered lines in changed files.
20+
21+
**Purpose**: Overall coverage can be healthy while the specific lines you changed
22+
are untested. This step catches that gap. If uncovered lines are found in
23+
feature code, add targeted tests before completing the task.
24+
25+
**Prerequisites**: Coverage artifacts must exist before running the report:
26+
- `backend/coverage.txt` — generated by `scripts/go-test-coverage.sh`
27+
- `frontend/coverage/lcov.info` — generated by `scripts/frontend-test-coverage.sh`
1828

1929
Run one of the following from `/projects/Charon`:
2030

@@ -26,11 +36,14 @@ Test: Local Patch Report
2636
bash scripts/local-patch-report.sh
2737
```
2838

29-
Required artifacts:
39+
Required output artifacts:
3040
- `test-results/local-patch-report.md`
3141
- `test-results/local-patch-report.json`
3242

33-
This preflight is advisory for thresholds during rollout, but artifact generation is required in DoD.
43+
**Action on results**: If patch coverage for any changed file is below 90%, add
44+
tests targeting the uncovered changed lines. Re-run coverage and this report to
45+
verify improvement. Artifact generation is required for DoD regardless of
46+
threshold results.
3447

3548
### PREREQUISITE: Start E2E Environment
3649

.github/renovate.json

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,7 @@
1111
"development"
1212

1313
],
14+
"postUpdateOptions": ["npmDedupe"],
1415
"timezone": "America/New_York",
1516
"dependencyDashboard": true,
1617
"dependencyDashboardApproval": true,

.github/skills/security-scan-docker-image-scripts/run.sh

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -139,7 +139,10 @@ log_info "This may take 30-60 seconds on first run (database download)"
139139

140140
# Run Grype against the SBOM (generated from image, not filesystem)
141141
# This matches exactly what CI does in supply-chain-pr.yml
142+
# --config ensures .grype.yaml ignore rules are applied, separating
143+
# ignored matches from actionable ones in the JSON output
142144
if grype sbom:sbom.cyclonedx.json \
145+
--config .grype.yaml \
143146
--output json \
144147
--file grype-results.json; then
145148
log_success "Vulnerability scan complete"
@@ -149,6 +152,7 @@ fi
149152

150153
# Generate SARIF output for GitHub Security (matches CI)
151154
grype sbom:sbom.cyclonedx.json \
155+
--config .grype.yaml \
152156
--output sarif \
153157
--file grype-results.sarif 2>/dev/null || true
154158

.github/workflows/auto-add-to-project.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,9 @@ concurrency:
88
group: ${{ github.workflow }}-${{ github.event.issue.number || github.event.pull_request.number }}
99
cancel-in-progress: false
1010

11+
permissions:
12+
contents: read
13+
1114
jobs:
1215
add-to-project:
1316
runs-on: ubuntu-latest

.github/workflows/auto-changelog.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,9 @@ concurrency:
1212
group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.workflow_run.head_branch || github.head_ref || github.ref_name }}
1313
cancel-in-progress: true
1414

15+
permissions:
16+
contents: write
17+
1518
jobs:
1619
update-draft:
1720
runs-on: ubuntu-latest

.github/workflows/auto-label-issues.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,9 @@ concurrency:
88
group: ${{ github.workflow }}-${{ github.event.issue.number }}
99
cancel-in-progress: true
1010

11+
permissions:
12+
contents: read
13+
1114
jobs:
1215
auto-label:
1316
runs-on: ubuntu-latest

.github/workflows/benchmark.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,7 @@ jobs:
3535
ref: ${{ github.event.workflow_run.head_sha || github.sha }}
3636

3737
- name: Set up Go
38-
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
38+
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
3939
with:
4040
go-version: ${{ env.GO_VERSION }}
4141

.github/workflows/cerberus-integration.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,9 @@ concurrency:
2020
group: ${{ github.workflow }}-${{ github.event.workflow_run.event || github.event_name }}-${{ github.event.workflow_run.head_branch || github.ref }}
2121
cancel-in-progress: true
2222

23+
permissions:
24+
contents: read
25+
2326
jobs:
2427
cerberus-integration:
2528
name: Cerberus Security Stack Integration

0 commit comments

Comments
 (0)