Skip to content

Add SPDX license headers and .containerignore#454

Open
Amy-Ra-lph wants to merge 3 commits into
rhel-lightspeed:mainfrom
Amy-Ra-lph:security/spdx-headers-and-containerignore
Open

Add SPDX license headers and .containerignore#454
Amy-Ra-lph wants to merge 3 commits into
rhel-lightspeed:mainfrom
Amy-Ra-lph:security/spdx-headers-and-containerignore

Conversation

@Amy-Ra-lph

Copy link
Copy Markdown

Summary

  • Add Apache-2.0 SPDX license identifiers and copyright headers to all 98 source files that were missing them (96 Python + 2 shell scripts), matching the format already used in tests/functional/
  • Add .containerignore to exclude .git, tests, docs, and caches from container builds

Motivation

A prodsec security audit (skill-audit) flagged:

  • LIC-002: 96 source files missing SPDX headers
  • LIC-005: No copyright notices in source files
  • CTR-003: No .containerignore file

These are low-risk, high-hygiene improvements. The SPDX headers match the existing format used in tests/functional/ files.

Test plan

  • Verify headers don't break imports: python -c "import linux_mcp_server"
  • Verify container builds: podman build -f Containerfile -t test .
  • Verify no source files missed: grep -rL "SPDX-License-Identifier" --include="*.py" src/ tests/ eval/ scripts/

🤖 Generated with Claude Code

Add Apache-2.0 SPDX identifiers and copyright headers to all source
files that were missing them (96 Python + 2 shell). Matches the format
already used in tests/functional/.

Add .containerignore to prevent leaking .git, tests, docs, and caches
into the container image (fixes CTR-003 from security audit).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Amy-Ra-lph Amy-Ra-lph requested a review from a team as a code owner May 8, 2026 19:36
@github-actions

github-actions Bot commented May 8, 2026

Copy link
Copy Markdown

For team members: test commit 7538bbf in internal GitLab

@codecov

codecov Bot commented May 8, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag Coverage Δ
unittests 96.54% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
src/linux_mcp_server/__init__.py 100.00% <ø> (ø)
src/linux_mcp_server/__main__.py 100.00% <ø> (ø)
src/linux_mcp_server/_vendor/__init__.py 100.00% <ø> (ø)
src/linux_mcp_server/audit.py 96.26% <ø> (ø)
src/linux_mcp_server/auth.py 94.28% <ø> (ø)
src/linux_mcp_server/auth_policy.py 79.83% <ø> (ø)
src/linux_mcp_server/commands.py 89.47% <ø> (ø)
src/linux_mcp_server/config.py 100.00% <ø> (ø)
src/linux_mcp_server/connection/ssh.py 93.44% <ø> (ø)
src/linux_mcp_server/formatters.py 95.32% <ø> (ø)
... and 69 more
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@owtaylor owtaylor left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution!

Comment thread .containerignore Outdated
*.lock
.pre-commit-config.yaml
.secrets.baseline
__pycache__

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not recursive - what was probably meant was **/__pycache__

Comment thread .containerignore Outdated
.github
tests/
eval/
docs/

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This list seems to exclude a fairly arbitrary set of git-committed files (docs/, *.md, etc.) It also doesn't cover all generated files .venv (!), dist/ coverage/, etc.

Our Containerfile explicitly calls ADD for the files it does want ... that seems more maintainable then trying to exclude everything that might not be wanted.

I think we should just keep this to the things that might be nested inside things we explicitly ADD, and a few things for performance if the context is being copied.

# Toplevel inclusion is controlled by ADD lines in the Containerfile
# Exclude possible nested leftover files
**/__pycache__
**/*.bak
**/*.lock
**/*~
# Exclude large directories from context for performance
.venv/
dist/
mcp-app/node-modules

Something like that.

Containerfile uses explicit ADD for specific paths, so .containerignore
only needs to exclude nested leftover files and large directories for
context performance. Removes arbitrary exclusions of git-committed files
and fixes __pycache__ to use recursive glob pattern.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions

Copy link
Copy Markdown

For team members: test commit d36fd5e in internal GitLab

Add OBO exchange integration to SSHConnectionManager: when obo_enabled
is set, the connection manager acquires a Kerberos ccache via the IPA
OBO /kerberos endpoint and connects using GSSAPI instead of SSH keys.

New config options: obo_enabled, obo_exchange_url, obo_agent_token_path,
obo_target_user, obo_target_service, obo_scope.

This enables linux-mcp-server to operate without SSH keys in IdM-managed
environments, using OAuth2 delegation rules to control which agents can
act as which users on which hosts.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants