Skip to content

Commit 508af8e

authored
Merge pull request #718 from Wikid82/nightly
Weekly: Promote nightly to main (2026-02-18)
2 parents fa23446 + 06dd510 commit 508af8e

612 files changed

Lines changed: 74870 additions & 15436 deletions


.codecov.yml

Lines changed: 0 additions & 135 deletions
This file was deleted.

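--- a/.docker/README.md
+++ b/.docker/README.md
@@ -95,6 +95,11 @@ Configure the application via `docker-compose.yml`:
 | `CHARON_HTTP_PORT` | `8080` | Port for the Web UI (`CPM_HTTP_PORT` supported for backward compatibility). |
 | `CHARON_DB_PATH` | `/app/data/charon.db` | Path to the SQLite database (`CPM_DB_PATH` supported for backward compatibility). |
 | `CHARON_CADDY_ADMIN_API` | `http://localhost:2019` | Internal URL for Caddy API (`CPM_CADDY_ADMIN_API` supported for backward compatibility). |
+| `CHARON_CADDY_CONFIG_ROOT` | `/config` | Path to Caddy autosave configuration directory. |
+| `CHARON_CADDY_LOG_DIR` | `/var/log/caddy` | Directory for Caddy access logs. |
+| `CHARON_CROWDSEC_LOG_DIR` | `/var/log/crowdsec` | Directory for CrowdSec logs. |
+| `CHARON_PLUGINS_DIR` | `/app/plugins` | Directory for DNS provider plugins. |
+| `CHARON_SINGLE_CONTAINER_MODE` | `true` | Enables permission repair endpoints for single-container deployments. |
 
 ## NAS Deployment Guides
 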
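--- a/.docker/compose/docker-compose.playwright-ci.yml
+++ b/.docker/compose/docker-compose.playwright-ci.yml
@@ -27,7 +27,7 @@ services:
 # Charon Application - Core E2E Testing Service
 # =============================================================================
 charon-app:
-# CI provides CHARON_E2E_IMAGE_TAG=charon:e2e-test (locally built image)
+# CI provides CHARON_E2E_IMAGE_TAG=charon:e2e-test (retagged from shared digest)
 # Local development uses the default fallback value
 image: ${CHARON_E2E_IMAGE_TAG:-charon:e2e-test}
 container_name: charon-playwright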

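--- a/.docker/docker-entrypoint.sh
+++ b/.docker/docker-entrypoint.sh
@@ -18,6 +18,42 @@ run_as_charon() {
 fi
 }
 
+get_group_by_gid() {
+if command -v getent >/dev/null 2>&1; then
+getent group "$1" 2>/dev/null || true
+else
+awk -F: -v gid="$1" '$3==gid {print $0}' /etc/group 2>/dev/null || true
+fi
+}
+
+create_group_with_gid() {
+local gid="$1"
+local name="$2"
+
+if command -v addgroup >/dev/null 2>&1; then
+addgroup -g "$gid" "$name" 2>/dev/null || true
+return
+fi
+
+if command -v groupadd >/dev/null 2>&1; then
+groupadd -g "$gid" "$name" 2>/dev/null || true
+fi
+}
+
+add_user_to_group() {
+local user="$1"
+local group="$2"
+
+if command -v addgroup >/dev/null 2>&1; then
+addgroup "$user" "$group" 2>/dev/null || true
+return
+fi
+
+if command -v usermod >/dev/null 2>&1; then
+usermod -aG "$group" "$user" 2>/dev/null || true
+fi
+}
+
 # ============================================================================
 # Volume Permission Handling for Non-Root User
 # ============================================================================
@@ -89,18 +125,19 @@ if [ -S "/var/run/docker.sock" ] && is_root; then
 DOCKER_SOCK_GID=$(stat -c '%g' /var/run/docker.sock 2>/dev/null || echo "")
 if [ -n "$DOCKER_SOCK_GID" ] && [ "$DOCKER_SOCK_GID" != "0" ]; then
 # Check if a group with this GID exists
-if ! getent group "$DOCKER_SOCK_GID" >/dev/null 2>&1; then
+GROUP_ENTRY=$(get_group_by_gid "$DOCKER_SOCK_GID")
+if [ -z "$GROUP_ENTRY" ]; then
 echo "Docker socket detected (gid=$DOCKER_SOCK_GID) - creating docker group and adding charon user..."
 # Create docker group with the socket's GID
-groupadd -g "$DOCKER_SOCK_GID" docker 2>/dev/null || true
+create_group_with_gid "$DOCKER_SOCK_GID" docker
 # Add charon user to the docker group
-usermod -aG docker charon 2>/dev/null || true
+add_user_to_group charon docker
 echo "Docker integration enabled for charon user"
 else
 # Group exists, just add charon to it
-GROUP_NAME=$(getent group "$DOCKER_SOCK_GID" | cut -d: -f1)
+GROUP_NAME=$(echo "$GROUP_ENTRY" | cut -d: -f1)
 echo "Docker socket detected (gid=$DOCKER_SOCK_GID, group=$GROUP_NAME) - adding charon user..."
-usermod -aG "$GROUP_NAME" charon 2>/dev/null || true
+add_user_to_group charon "$GROUP_NAME"
 echo "Docker integration enabled for charon user"
 fi
 fi
@@ -152,33 +189,67 @@ if command -v cscli >/dev/null; then
 # Initialize persistent config if key files are missing
 if [ ! -f "$CS_CONFIG_DIR/config.yaml" ]; then
 echo "Initializing persistent CrowdSec configuration..."
+
+# Check if .dist has content
 if [ -d "/etc/crowdsec.dist" ] && [ -n "$(ls -A /etc/crowdsec.dist 2>/dev/null)" ]; then
-cp -r /etc/crowdsec.dist/* "$CS_CONFIG_DIR/" || {
+echo "Copying config from /etc/crowdsec.dist..."
+if ! cp -r /etc/crowdsec.dist/* "$CS_CONFIG_DIR/"; then
 echo "ERROR: Failed to copy config from /etc/crowdsec.dist"
+echo "DEBUG: Contents of /etc/crowdsec.dist:"
+ls -la /etc/crowdsec.dist/
 exit 1
-}
-echo "Successfully initialized config from .dist directory"
+fi
+
+# Verify critical files were copied
+if [ ! -f "$CS_CONFIG_DIR/config.yaml" ]; then
+echo "ERROR: config.yaml was not copied to $CS_CONFIG_DIR"
+echo "DEBUG: Contents of $CS_CONFIG_DIR after copy:"
+ls -la "$CS_CONFIG_DIR/"
+exit 1
+fi
+echo "✓ Successfully initialized config from .dist directory"
 elif [ -d "/etc/crowdsec" ] && [ ! -L "/etc/crowdsec" ] && [ -n "$(ls -A /etc/crowdsec 2>/dev/null)" ]; then
-cp -r /etc/crowdsec/* "$CS_CONFIG_DIR/" || {
-echo "ERROR: Failed to copy config from /etc/crowdsec"
+echo "Copying config from /etc/crowdsec (fallback)..."
+if ! cp -r /etc/crowdsec/* "$CS_CONFIG_DIR/"; then
+echo "ERROR: Failed to copy config from /etc/crowdsec (fallback)"
 exit 1
-}
-echo "Successfully initialized config from /etc/crowdsec"
+fi
+echo "Successfully initialized config from /etc/crowdsec"
 else
-echo "ERROR: No config source found (neither .dist nor /etc/crowdsec available)"
+echo "ERROR: No config source found!"
+echo "DEBUG: /etc/crowdsec.dist contents:"
+ls -la /etc/crowdsec.dist/ 2>/dev/null || echo " (directory not found or empty)"
+echo "DEBUG: /etc/crowdsec contents:"
+ls -la /etc/crowdsec 2>/dev/null || echo " (directory not found or empty)"
 exit 1
 fi
+else
+echo "✓ Persistent config already exists: $CS_CONFIG_DIR/config.yaml"
 fi
 
 # Verify symlink exists (created at build time)
 # Note: Symlink is created in Dockerfile as root before switching to non-root user
 # Non-root users cannot create symlinks in /etc, so this must be done at build time
 if [ -L "/etc/crowdsec" ]; then
 echo "CrowdSec config symlink verified: /etc/crowdsec -> $CS_CONFIG_DIR"
+
+# Verify the symlink target is accessible and has config.yaml
+if [ ! -f "/etc/crowdsec/config.yaml" ]; then
+echo "ERROR: /etc/crowdsec/config.yaml is not accessible via symlink"
+echo "DEBUG: Symlink target verification:"
+ls -la /etc/crowdsec 2>/dev/null || echo " (symlink broken or missing)"
+echo "DEBUG: Directory contents:"
+ls -la "$CS_CONFIG_DIR/" 2>/dev/null | head -10 || echo " (directory not found)"
+exit 1
+fi
+echo "✓ /etc/crowdsec/config.yaml is accessible via symlink"
 else
-echo "WARNING: /etc/crowdsec symlink not found. This may indicate a build issue."
+echo "ERROR: /etc/crowdsec symlink not found"
 echo "Expected: /etc/crowdsec -> /app/data/crowdsec/config"
-# Try to continue anyway - config may still work if CrowdSec uses CFG env var
+echo "This indicates a critical build-time issue. Symlink must be created at build time as root."
+echo "DEBUG: Directory check:"
+ls -la /etc/ | grep crowdsec || echo " (no crowdsec entry found)"
+exit 1
 fi
 
 # Create/update acquisition config for Caddy logs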
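Review bot: In the docker-socket hunk, the "group missing" branch (new lines 132-135) reports `Docker integration enabled for charon user` even when `create_group_with_gid` did nothing: the lookup on line 128 is by GID, so if a group named `docker` already exists under a different GID, both `addgroup -g` and `groupadd -g` refuse the duplicate name, the `2>/dev/null || true` hides it, and `add_user_to_group charon docker` then puts charon into the wrong group while the socket stays unreadable. Since membership in the socket's group is host-root-equivalent, the script should only claim success after re-resolving the GID and adding charon to whatever name actually owns it, and should warn otherwise. The enclosing `if [ -S /var/run/docker.sock ] && is_root` block opens before this hunk and closes after it.
```shell
# Create docker group with the socket's GID
create_group_with_gid "$DOCKER_SOCK_GID" docker
# Re-resolve by GID: creation fails silently when the name 'docker' is already taken by another GID
GROUP_ENTRY=$(get_group_by_gid "$DOCKER_SOCK_GID")
if [ -z "$GROUP_ENTRY" ]; then
    echo "WARNING: could not create a group with gid=$DOCKER_SOCK_GID - Docker integration NOT enabled for charon user"
else
    add_user_to_group charon "$(echo "$GROUP_ENTRY" | cut -d: -f1)"
    echo "Docker integration enabled for charon user"
fi
# … unchanged: 'group exists' branch …
```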

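--- a/.dockerignore
+++ b/.dockerignore
@@ -10,7 +10,7 @@
 .gitignore
 .github/
 .pre-commit-config.yaml
-.codecov.yml
+codecov.yml
 .goreleaser.yaml
 .sourcery.yml
 
@@ -80,7 +80,6 @@ backend/node_modules/
 backend/internal/api/tests/data/
 backend/lint*.txt
 backend/fix_*.sh
-backend/codeql-db-*/
 
 # Backend data (created at runtime)
 backend/data/
@@ -185,8 +184,6 @@ codeql-db/
 codeql-db-*/
 codeql-agent-results/
 codeql-custom-queries-*/
-codeql-*.sarif
-codeql-results*.sarif
 .codeql/
 
 # -----------------------------------------------------------------------------
@@ -208,7 +205,6 @@ playwright.config.js
 # -----------------------------------------------------------------------------
 # Root-level artifacts
 # -----------------------------------------------------------------------------
-coverage/
 coverage.txt
 provenance*.json
 trivy-*.txt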
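Review bot: Dropping `backend/codeql-db-*/`, `codeql-*.sarif`, `codeql-results*.sarif` and `coverage/` from `.dockerignore` re-admits local scan databases, SARIF findings (file paths plus unresolved alerts) and coverage output into the build context; `.dockerignore` patterns without `**` match from the context root, so the surviving `codeql-db-*/` entry on new line 184 does not cover the `backend/` databases. If the Dockerfile copies the tree broadly (not visible in this commit), those artifacts can land in image layers and inflate the context. Unless they were deliberately moved elsewhere, keep the four lines, or at least `backend/codeql-db-*/` and `codeql-*.sarif`, and note why in a comment such as `# local CodeQL/coverage output must never reach the build context`. The `.codecov.yml` to `codecov.yml` rename is consistent with the deletion of `.codecov.yml` in this commit.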

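--- a/.github/agents/Backend_Dev.agent.md
+++ b/.github/agents/Backend_Dev.agent.md
@@ -2,18 +2,24 @@
 name: 'Backend Dev'
 description: 'Senior Go Engineer focused on high-performance, secure backend implementation.'
 argument-hint: 'The specific backend task from the Plan (e.g., "Implement ProxyHost CRUD endpoints")'
-tools:
-['execute', 'read', 'agent', 'edit/createDirectory', 'edit/createFile', 'edit/editFiles', 'edit/editNotebook', 'search', 'todo']
-model: 'Cloaude Sonnet 4.5'
+tools: vscode/extensions, vscode/getProjectSetupInfo, vscode/installExtension, vscode/memory, vscode/openSimpleBrowser, vscode/runCommand, vscode/askQuestions, vscode/vscodeAPI, execute, read, agent, 'github/*', 'github/*', 'io.github.goreleaser/mcp/*', 'trivy-mcp/*', edit, search, web, 'github/*', 'playwright/*', 'pylance-mcp-server/*', todo, vscode.mermaid-chat-features/renderMermaidDiagram, github.vscode-pull-request-github/issue_fetch, github.vscode-pull-request-github/labels_fetch, github.vscode-pull-request-github/notification_fetch, github.vscode-pull-request-github/doSearch, github.vscode-pull-request-github/activePullRequest, github.vscode-pull-request-github/openPullRequest, ms-azuretools.vscode-containers/containerToolsConfig, ms-python.python/getPythonEnvironmentInfo, ms-python.python/getPythonExecutableCommand, ms-python.python/installPythonPackage, ms-python.python/configurePythonEnvironment, 'gopls/*'
+
+model: GPT-5.3-Codex (copilot)
+target: vscode
+user-invocable: true
+disable-model-invocation: false
+
 ---
 You are a SENIOR GO BACKEND ENGINEER specializing in Gin, GORM, and System Architecture.
 Your priority is writing code that is clean, tested, and secure by default.
 
 <context>
+
 - **MANDATORY**: Read all relevant instructions in `.github/instructions/` for the specific task before starting.
 - **Project**: Charon (Self-hosted Reverse Proxy)
 - **Stack**: Go 1.22+, Gin, GORM, SQLite.
 - **Rules**: You MUST follow `.github/copilot-instructions.md` explicitly.
+- **References**: Use `gopls` mcp server for Go code understanding and generation.
 </context>
 
 <workflow>
@@ -43,6 +49,9 @@ Your priority is writing code that is clean, tested, and secure by default.
 - Run `go mod tidy`.
 - Run `go fmt ./...`.
 - Run `go test ./...` to ensure no regressions.
+- **Local Patch Coverage Preflight (MANDATORY)**: Run VS Code task `Test: Local Patch Report` or `bash scripts/local-patch-report.sh` before backend coverage runs.
+- Ensure artifacts exist: `test-results/local-patch-report.md` and `test-results/local-patch-report.json`.
+- Use the file-level coverage gap list to target tests before final coverage validation.
 - **Coverage (MANDATORY)**: Run the coverage task/script explicitly and confirm Codecov Patch view is green for modified lines.
 - **MANDATORY**: Patch coverage must cover 100% of new/modified code. This prevents CodeCov Report failing CI.
 - **VS Code Task**: Use "Test: Backend with Coverage" (recommended)
@@ -65,5 +74,3 @@ Your priority is writing code that is clean, tested, and secure by default.
 - **NO CONVERSATION**: If the task is done, output "DONE". If you need info, ask the specific question.
 - **USE DIFFS**: When updating large files (>100 lines), use `sed` or `replace_string_in_file` tools if available. If re-writing the file, output ONLY the modified functions/blocks.
 </constraints>
-
-```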
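Review bot: The new `tools:` line on new line 5 grows a Go-backend agent's allow-list from nine repo-scoped tools to a broad set that includes `vscode/installExtension`, `ms-python.python/installPythonPackage`, `vscode/runCommand`, `vscode/openSimpleBrowser` and `web`, and it lists `'github/*'` three times. Install and fetch capabilities are the ones an untrusted input reaching the agent (issue text, dependency README, fetched page) could leverage to pull unvetted code into the workstation, so for a task-specific agent they should be justified or removed rather than granted by default; `disable-model-invocation: false` also lets other agents invoke this one, which may be intended but is worth a comment. Suggested trimmed line: `tools: execute, read, agent, edit, search, todo, 'gopls/*', 'github/*', 'trivy-mcp/*', 'io.github.goreleaser/mcp/*', github.vscode-pull-request-github/activePullRequest` (Python and extension-install tools dropped, duplicates removed), with a short YAML comment above it explaining why the list is kept narrow.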
