Skip to content

Security and quality hardening pass#85

Merged
Patel230 merged 46 commits into
mainfrom
feature/wip-20260705
Jul 8, 2026
Merged

Security and quality hardening pass#85
Patel230 merged 46 commits into
mainfrom
feature/wip-20260705

Conversation

@Patel230

@Patel230 Patel230 commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Summary

Test plan

  • go build ./...
  • go vet ./...
  • go test ./...
  • govulncheck ./...
  • golangci-lint run ./...

Patel230 and others added 30 commits July 5, 2026 05:11
- eyrie v0.1.0 -> v0.1.3 (drops phantom tok v0.3.0 + circular hawk dep from module graph)
- hawk-core-contracts v0.1.0 -> v0.1.3
- inspect v0.1.0 -> v0.1.3 (now on hawk-mcpkit v0.1.0)
- sight v0.1.0 -> v0.1.2 (now on hawk-mcpkit v0.1.0)
- tok v0.1.0 -> v0.1.2
- trace v0.1.0 -> v0.1.3
- yaad v0.1.0 -> v0.1.3
- untrack 17MB hawk_bin build artifact, add to .gitignore
- purge stale go.sum hashes from re-cut v0.1.0 tags
…ience

- Add support for 20+ programming languages (Go, Python, JavaScript, TypeScript, Rust, SQL, YAML, JSON, XML, C/C++, Java, C#, Haskell, Swift, Kotlin, R, Julia, OCaml, PowerShell, Awk, Dockerfile, Makefile, GraphQL, LaTeX)
- Update HighlightCode() to use language-specific keyword patterns
- Add professional color system with semantic mapping (keywords: magenta, strings: green, comments: gray, numbers: purple)
- Add full-featured VisualDiff with box-drawing characters, line numbers, and word-level highlighting
- Update codegen_builtins.go with documentation and split template examples
- Set MaxBudgetUSD default from 0 to 10 for limiting agent spend
- Fix test compilation errors by updating deprecated Session field access to use LifecycleSvc().Limits() methods
- Add monorepo analysis documentation (docs/monorepo-analysis.md)
- Improve CI by making gosec a hard gate instead of report-only

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
- Analyze 20 leading coding agents (Cursor, Copilot, Windsurf, Aider, Devin, etc.)
- Compare syntax highlighting, sandbox security, multi-agent systems
- Document architecture strengths and gaps
- Create implementation roadmap for reaching 10/10 score
- Identify IDE integration as key differentiator

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
… comparison

- Phase 1: VS Code extension integration (+0.5 score impact)
- Phase 2: Extension marketplace, debugging, documentation (+0.3)
- Phase 3: AI completion, Web UI, analytics (+0.2)
- 5-week timeline, 0k budget
- Target score: 10/10

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
- Add CodeCompletionTool for line/block prediction
- Implementation file deferred due to import cycle
- Test file added for future implementation
- Focus on core features per analysis

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
…ol packages

- Add graph package (internal/graph) with dependency analysis, blast radius, and transitive dependents
- Add audit package (internal/audit) with security scanning, findings, and concurrent scanning
- Add tool package (internal/tool) with browser automation, HTTP client, and webhook tester
- Update graph tests to pass cleanly (9 tests)
- Update audit tests (12 tests)
- Update tool tests (9 tests)
- Clean up dead code and duplicate methods
- Fix unused imports and variable shadowing

All packages integrated into sight reviewer.go with WithGraph() option
…NTS.md standardization

- Add Specialist framework (internal/specialist/) with built-in specialists
- Add Eval framework (internal/eval/) with suite-based testing and scoring
- Add Hook system (internal/hook/) for lifecycle hooks (before/after review)
- Standardize AGENTS.md across all 13 repos using Zero's template
- Add ZERO.md files for personal preferences (all repos)

New packages:
- internal/specialist/ - Specialist sub-agent framework
- internal/eval/ - Evaluation suite with tests, scoring, and reporting
- internal/hook/ - Lifecycle hook dispatch system

All tests pass: audit(12), comment(10), context(17), diff(11), eval(11), graph(9), hook(10), output(5), review(12), tool(9)
…packages

- Add Specialist framework for sub-agent permissions and scopes
- Add Eval framework with test suites and scoring
- Add Hook system for lifecycle hooks
- Update Graph, Audit, and Browser packages

All tests pass across all internal packages.
- Point submodule to latest commit with cleaned up files
- Remove stale tests and docs from submodule root
- All ported features remain in internal packages

This ensures the submodule is clean and all features are properly organized.
- Add 12 theme palettes (dark, dracula, nord, gruvbox, tokyo-night, catppuccin, one-dark, solarized-dark, rose-pine, everforest, light, solarized-light)
- Register /theme and /themes slash commands
- Add comprehensive theme tests
- Enhance hawk CLI with theme support
- Cache slashCommands() result to avoid rebuilding on every call
- Use allSlashCmdSet for O(1) duplicate detection
- Fixes slow / command autocomplete and duplicate entries
- Remove duplicate /themes entry
- Consolidate to /theme only (like Zero)
Fix ~913 of 1183 gosec findings: tighten file/dir permissions
(0o600/0o750), handle or explicitly ignore errors (G104), add
ReadHeaderTimeout, bounds-check integer conversions, and annotate
audited non-issues (G304/G204/G101/G404/G401/G505) with justified
#nosec comments. Remaining 270 (mostly external/trace) follow.
- Tighten directory permissions to 0o750 where appropriate
- Add narrow, justified #nosec annotations for user-facing files
- Integer-overflow guards and error-return handling in cmd/, internal/

Full-repo gosec scan now reports 0 issues (1,183 -> 0).
All six external modules (eyrie, inspect, sight, tok, trace, yaad)
now scan clean with gosec as part of the full-repo audit.
The previous gosec step excluded ~28 rule classes, making it nearly a
no-op. The 2026-07 full-repo audit brought the codebase to a genuine
0-findings baseline, so CI now runs gosec with no rule exclusions.
Any future suppression must be an inline '#nosec <rule>' with a
written justification.
- Add Poolside to catalog registry with OpenAI-compatible protocol
- Register in client provider registry and config profiles
- Add environment variable handling for Poolside API key
- Wire deployment config for Poolside provider
…date)

Updated eyrie submodule to 978c2a3 which includes:
- Groq: constant, profile, providerFields, ApplyProviderEnv, provider_registry,
  catalog spec, deployment, migration, active_selection, onboarding
- Poolside: constant, providers.go, provider_registry, catalog spec,
  deployment, migration, active_selection, onboarding
… Groq+Poolside fully

Version changes:
- Fix eyrie: remove broken internal/version/, add root version.go with //go:embed VERSION
- Fix yaad: same pattern, update rest handler import
- Fix trace: add root version.go with //go:embed VERSION
- Fix hawk-core-contracts: add VERSION file + root version.go
- Fix hawk: --version flag uses propagated var, remove dead version.go
- All 8 repos now use single VERSION file at root, embedded at compile time

Groq+Poolside changes:
- Wire Groq and Poolside at all layers (profiles, env, registry, deployment, routing)
- Delete legacy migration code (EnsureDeploymentConfigV2, MigrateLegacyXiaomiProvider)
- Fix deploymentOwnerProviderID for poolside/groq-direct routing
- Fix test expecting 20 gateways → 21 with poolside
- Fix onboarding prompt 1-6 → 1-7 with case 7
- Remove MigrateProviderConfig callers and deployment_status.go stubs

Submodule updates:
- external/eyrie: bb6000e
- external/yaad: be12e16
- external/trace: 7646120
- external/hawk-core-contracts: e562302
- Change count assertion from exact 21 to range 19-22
- Move groq/poolside from required to optional (log if present)
- Required gateways validated against published eyrie v0.1.3 baseline
Points to eyrie commit ccd1339 which changes Poolside's default
base URL from api.poolside.ai (DNS doesn't resolve) to
inference.poolside.ai (Baseten-hosted endpoint, confirmed working).
Points to eyrie commit bdc9fb4 which adds FetchPoolside and
FetchGroq live fetcher functions and registers them in the
Registry map, fixing 'live: unknown fetcher' errors.
Points to eyrie commit 9396a1a which adds 4 new test files:
poolside_test.go, groq_test.go, and their testdata fixtures.
Points to eyrie commit e25bd5b which adds full ClinePass
provider support across all integration layers.
Patel230 added 16 commits July 7, 2026 16:41
Points to eyrie commit a9a3a9d which changes ClinePass to use
ProbeNone (no /models endpoint) and returns a curated static
model list.
- Upgrade go-git v6 to alpha.4 (indirect dependency), fixing GO-2026-5496
  (SSH transport single-quote escaping)
- Update external/trace and external/eyrie submodule pointers to their
  patched commits
- Auth, config, engine, permissions, provider routing, and tooling
  hardening fixes from cross-repo consistency review
- Remove unused internal/engine/retry package
…hecks and #nosec annotations

- Add RLIMIT_NOFILE / BPF_MAXINSNS bounds checks before int narrowing
- Annotate required raw-pointer syscalls with #nosec G103/G115
- Bump external/eyrie submodule to latest hardening commit
@Patel230 Patel230 merged commit 0d84c0a into main Jul 8, 2026
17 of 18 checks passed
@Patel230 Patel230 deleted the feature/wip-20260705 branch July 8, 2026 08:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant