Add SPDX license headers and .containerignore #454
Add Apache-2.0 SPDX identifiers and copyright headers to all source files that were missing them (96 Python + 2 shell). Matches the format already used in tests/functional/. Add .containerignore to prevent leaking .git, tests, docs, and caches into the container image (fixes CTR-003 from security audit). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Codecov Report: ✅ All modified and coverable lines are covered by tests.
owtaylor
left a comment
Thanks for the contribution!
| *.lock | ||
| .pre-commit-config.yaml | ||
| .secrets.baseline | ||
| __pycache__ |
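Review bot: `*.lock` on the first line of this hunk is anchored to the context root in the same way as `__pycache__` on the last line, so lock files inside subdirectories are not matched. If nested lock files are meant, write it as `**/*.lock`.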
This is not recursive - what was probably meant was **/__pycache__
| .github | ||
| tests/ | ||
| eval/ | ||
| docs/ |
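Review bot: `.github` on the first line of this hunk has no trailing slash while `tests/`, `eval/` and `docs/` do; use one form for directory entries. None of the visible lines carries a comment saying why these paths are kept out of the build context, so add one above the group.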
This list seems to exclude a fairly arbitrary set of git-committed files (docs/, *.md, etc.). It also doesn't cover all generated files: .venv (!), dist/, coverage/, etc.
Our Containerfile explicitly calls ADD for the files it does want ... that seems more maintainable than trying to exclude everything that might not be wanted.
I think we should just keep this to the things that might be nested inside things we explicitly ADD, and a few things for performance if the context is being copied.
# Toplevel inclusion is controlled by ADD lines in the Containerfile
# Exclude possible nested leftover files
**/__pycache__
**/*.bak
**/*.lock
**/*~
# Exclude large directories from context for performance
.venv/
dist/
mcp-app/node-modules
Something like that.
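An added example (not code from this PR, the project, or podman): a simplified Python model of .containerignore matching, in which a pattern is anchored at the context root unless it starts with `**/`, run over a constructed file list to compare the PR's original `*.lock` and `__pycache__` entries with the nested patterns suggested above. The file paths and function names are assumptions, and `!` negation and character classes are not modeled.

```python
import re
from pathlib import PurePosixPath

def to_regex(pattern):
    """Translate one ignore pattern into a regex anchored at the context root."""
    pat, out, i = pattern.strip().strip("/"), "", 0
    while i < len(pat):
        if pat.startswith("**", i):          # "**" may span directory levels
            i += 3 if pat.startswith("**/", i) else 2
            out += ".*" if i >= len(pat) else "(.*/)?"
        elif pat[i] == "*":                  # "*" stops at a path separator
            out += "[^/]*"
            i += 1
        elif pat[i] == "?":                  # one character, never a separator
            out += "[^/]"
            i += 1
        else:
            out += re.escape(pat[i])
            i += 1
    return re.compile("^" + out + "$")

def load_rules(text):
    """Compile every non-blank, non-comment line of an ignore file."""
    lines = (line.strip() for line in text.splitlines())
    return [to_regex(line) for line in lines if line and not line.startswith("#")]

def excluded(path, rules):
    """A path is excluded if a rule matches it or any of its parent directories."""
    p = PurePosixPath(path)
    candidates = [str(p)] + [str(a) for a in p.parents if str(a) != "."]
    return any(r.match(c) for r in rules for c in candidates)

def left_in_context(paths, ignore_text):
    """Return the paths that would still be sent in the build context."""
    rules = load_rules(ignore_text)
    return sorted(p for p in paths if not excluded(p, rules))

# Constructed file list for illustration, not taken from the repository.
TREE = [
    "src/linux_mcp_server/server.py",
    "src/linux_mcp_server/__pycache__/server.cpython-312.pyc",
    "__pycache__/conftest.cpython-312.pyc",
    "src/linux_mcp_server/config.py.bak",
    "mcp-app/package.lock",
    "uv.lock",
]
ORIGINAL = "*.lock\n__pycache__\n"  # two entries from the PR's first hunk
SUGGESTED = "**/__pycache__\n**/*.bak\n**/*.lock\n**/*~\n"  # nested patterns from the review
```

Calling `left_in_context(TREE, ORIGINAL)` shows the nested `__pycache__` directory and the nested lock file still in the context, while `SUGGESTED` leaves only the source file.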
Containerfile uses explicit ADD for specific paths, so .containerignore only needs to exclude nested leftover files and large directories for context performance. Removes arbitrary exclusions of git-committed files and fixes __pycache__ to use recursive glob pattern. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add OBO exchange integration to SSHConnectionManager: when obo_enabled is set, the connection manager acquires a Kerberos ccache via the IPA OBO /kerberos endpoint and connects using GSSAPI instead of SSH keys. New config options: obo_enabled, obo_exchange_url, obo_agent_token_path, obo_target_user, obo_target_service, obo_scope. This enables linux-mcp-server to operate without SSH keys in IdM-managed environments, using OAuth2 delegation rules to control which agents can act as which users on which hosts. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
tests/functional/
.containerignore to exclude .git, tests, docs, and caches from container builds
Motivation
A prodsec security audit (skill-audit) flagged:
.containerignore file
These are low-risk, high-hygiene improvements. The SPDX headers match the existing format used in tests/functional/ files.
Test plan
python -c "import linux_mcp_server"
podman build -f Containerfile -t test .
grep -rL "SPDX-License-Identifier" --include="*.py" src/ tests/ eval/ scripts/
🤖 Generated with Claude Code