Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
46 commits
Select commit Hold shift + click to select a range
02254f7
chore: re-pin GrayCodeAI deps to v0.1.x release wave, untrack hawk_bin
Patel230 Jul 4, 2026
75fbd17
chore: commit wip changes on feature/wip-20260705
Patel230 Jul 5, 2026
0502686
feat: add 20+ language syntax highlighting and improve terminal exper…
Patel230 Jul 5, 2026
1fd8b47
docs: add comprehensive comparison with top 20 coding agents
Patel230 Jul 5, 2026
a47abd7
docs: add comprehensive implementation roadmap based on top 20 agents…
Patel230 Jul 5, 2026
f63ed79
feat: add code completion tool implementation (deferred)
Patel230 Jul 5, 2026
b68535d
feat: add structural dependency graph, security audit, and browser to…
Patel230 Jul 6, 2026
bdc4d34
feat: adopt Zero's patterns - specialists, eval framework, hooks, AGE…
Patel230 Jul 6, 2026
34cab3d
fix: update external/sight submodule with new specialist, eval, hook …
Patel230 Jul 6, 2026
3660fbb
fix: update external/sight submodule reference
Patel230 Jul 6, 2026
7a5a578
feat: port Zero's theme system with 12 palettes and slash commands
Patel230 Jul 6, 2026
37be639
perf: cache slash commands to avoid rebuild and fix duplicates
Patel230 Jul 6, 2026
8646efe
fix: use single /theme command matching Zero's pattern
Patel230 Jul 6, 2026
37d555c
fix(perf): fast startup, concurrent keychain reads, cache load
Patel230 Jul 6, 2026
86d4bed
security: harden gosec findings across repo (checkpoint 1/2)
Patel230 Jul 7, 2026
ecea0f2
security: harden remaining gosec findings (checkpoint 2/2)
Patel230 Jul 7, 2026
e88f069
chore: bump submodule pointers to security-hardened commits
Patel230 Jul 7, 2026
f744965
ci: enforce full-strength gosec scan with zero exclusions
Patel230 Jul 7, 2026
150d128
feat: add Poolside as provider
Patel230 Jul 7, 2026
8d6e1d7
feat: add Poolside provider (eyrie submodule update)
Patel230 Jul 7, 2026
925e316
feat: wire Groq and Poolside providers end-to-end (eyrie submodule up…
Patel230 Jul 7, 2026
fbdc1e1
feat: add Poolside to onboarding, fix duplicate Groq entry
Patel230 Jul 7, 2026
02dd744
refactor: consolidate version into single VERSION file per repo, wire…
Patel230 Jul 7, 2026
2563efa
chore: update yaad (0.1.3) and trace (0.1.3) submodule pointers
Patel230 Jul 7, 2026
ac579c2
chore: update inspect (0.1.3), sight (0.1.2), tok (0.1.2) submodule p…
Patel230 Jul 7, 2026
9b91862
fix: make gateway count test work with both GOWORK=on and GOWORK=off
Patel230 Jul 7, 2026
0bccb83
fix(eyrie): update submodule for Poolside base URL fix
Patel230 Jul 7, 2026
f1e1faf
fix(eyrie): update submodule for live fetcher fix
Patel230 Jul 7, 2026
5b56608
fix(eyrie): update submodule for Poolside/Groq live fetcher tests
Patel230 Jul 7, 2026
ead8229
feat(eyrie): update submodule for ClinePass provider
Patel230 Jul 7, 2026
0ee98b8
fix(eyrie): update submodule for ClinePass probe/fetcher fix
Patel230 Jul 7, 2026
004dd09
fix(eyrie): update submodule for ClinePass model list update
Patel230 Jul 7, 2026
c08e88d
feat: update eyrie submodule — ClinePass nominal pricing
Patel230 Jul 7, 2026
40e2f0f
feat: update eyrie submodule — ClinePass OpenRouter pricing
Patel230 Jul 7, 2026
ecbe7f4
feat: update eyrie submodule — ClinePass reference pricing
Patel230 Jul 7, 2026
679ba86
feat: update eyrie submodule — fix ClinePass test assertion
Patel230 Jul 7, 2026
7f163d8
fix: refresh stale catalog prices in TUI for providers with live fetc…
Patel230 Jul 7, 2026
cbf6176
feat: update eyrie submodule — fix ClinePass deployment routing
Patel230 Jul 7, 2026
7c3edc8
Security and quality hardening pass
Patel230 Jul 7, 2026
b7bd82d
Apply gofumpt formatting and strip hard tabs to satisfy CI format/mar…
Patel230 Jul 8, 2026
1ffe799
Update external/sight, external/tok, external/yaad submodule pointers…
Patel230 Jul 8, 2026
6ac5fc7
Update external/tok submodule pointer to fuzz-test fix commit
Patel230 Jul 8, 2026
b8949f8
Update external/sight submodule pointer to bugfix/coverage commit
Patel230 Jul 8, 2026
e2112fa
Update external/sight submodule pointer to lint-fix commit
Patel230 Jul 8, 2026
d7a5dc7
fix: satisfy gosec findings in sandbox landlock/seccomp with bounds c…
Patel230 Jul 8, 2026
f425029
ci: raise test-race per-package timeout to 300s to avoid load-induced…
Patel230 Jul 8, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
  •  
  •  
  •  
4 changes: 4 additions & 0 deletions .dockerignore
Original file line number Diff line number Diff line change
Expand Up @@ -11,3 +11,7 @@ coverage.out
coverage.html
go.work
go.work.sum
.env
.envrc
*.pem
*.key
8 changes: 6 additions & 2 deletions .github/actions/checkout-eyrie/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,10 @@ runs:
steps:
- name: Clone ecosystem repos
shell: bash
env:
# Passed via env (not ${{ }} interpolation into the script) so an
# attacker-controlled ref (e.g. a fork branch name) cannot inject shell.
INPUT_REF: ${{ inputs.ref }}
run: |
set -euo pipefail
mkdir -p "${GITHUB_WORKSPACE}/external"
Expand All @@ -31,7 +35,7 @@ runs:
git clone "https://github.com/GrayCodeAI/${repo}.git" "$dest"
if ! (cd "$dest" && git checkout --quiet "$commit" 2>/dev/null); then
echo "Submodule commit $commit not reachable, falling back to ref"
ref="${{ inputs.ref }}"
ref="$INPUT_REF"
if [ "$ref" = "main" ]; then
rm -rf "$dest"
git clone --depth=1 --branch main \
Expand All @@ -41,7 +45,7 @@ runs:
fi
fi
else
ref="${{ inputs.ref }}"
ref="$INPUT_REF"
# Fall back to main if the branch doesn't exist on the dependency repo.
if ! git ls-remote --heads "https://github.com/GrayCodeAI/${repo}.git" "$ref" | grep -q .; then
echo "Branch '$ref' not found on $repo, falling back to main"
Expand Down
8 changes: 5 additions & 3 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -232,11 +232,13 @@ jobs:
run: |
go install golang.org/x/vuln/cmd/govulncheck@v1.1.4
govulncheck ./...
- name: gosec (report only)
continue-on-error: true
- name: gosec
run: |
go install github.com/securego/gosec/v2/cmd/gosec@v2.22.4
gosec -exclude=G104,G703,G704,G101,G107,G112,G114,G115,G201,G202,G203,G204,G301,G302,G304,G305,G306,G307,G401,G402,G403,G404,G501,G502,G503,G504,G505,G601,G602 -confidence=medium -severity=high ./...
# Full-strength scan: no rule exclusions. The repo reached a
# 0-findings baseline (2026-07 full-repo audit); keep it that way.
# Suppressions must be inline `#nosec <rule> -- <justification>`.
gosec -quiet ./...

# -------------------------------------------------------------------------
# 7. Secret scan — detect leaked API keys, tokens, credentials.
Expand Down
33 changes: 33 additions & 0 deletions .github/workflows/compatibility-matrix.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
# Cross-repo compatibility matrix check.
# Source of truth: .shared-templates/workflows/compatibility-test.yml.tmpl
# See docs/compatibility.md for what this validates and why.

name: compatibility-matrix

on:
push:
branches: [main]
paths:
- "testdata/compatibility-matrix.json"
- "testdata/compatibility-matrix.schema.json"
schedule:
- cron: "0 6 * * *" # nightly
workflow_dispatch: {}

permissions:
contents: read

jobs:
validate:
name: validate compatibility matrix
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version: "1.26.4"
cache: true
- name: Structural validation (schema + version pins)
run: make compat-check
- name: Report 'next' matrix
run: make compat-test
33 changes: 25 additions & 8 deletions .github/workflows/docker.yml
Original file line number Diff line number Diff line change
Expand Up @@ -56,14 +56,16 @@ jobs:
type=semver,pattern={{major}}.{{minor}}
type=sha,prefix=sha-,format=long

- name: Build and push
# Build a single-platform image locally first so Trivy can gate the push:
# CRITICAL/HIGH findings fail this job before anything reaches GHCR.
- name: Build image for scan
uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
with:
context: .
platforms: linux/amd64,linux/arm64
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: linux/amd64
push: false
load: true
tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:scan
cache-from: type=gha
cache-to: type=gha,mode=max
build-args: |
Expand All @@ -72,14 +74,29 @@ jobs:
BUILD_DATE=${{ github.event.head_commit.timestamp }}

- name: Scan image with Trivy
if: github.event_name != 'pull_request'
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:scan
format: sarif
output: trivy-image.sarif
severity: CRITICAL,HIGH
exit-code: '0'
ignore-unfixed: true
exit-code: '1'

- name: Build and push
uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
with:
context: .
platforms: linux/amd64,linux/arm64
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
build-args: |
VERSION=${{ github.ref_name }}
COMMIT=${{ github.sha }}
BUILD_DATE=${{ github.event.head_commit.timestamp }}

- name: Upload Trivy image scan results
if: github.event_name != 'pull_request' && always()
Expand Down
9 changes: 9 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
# Binaries
hawk
hawk_bin
*.exe
*.dll
*.so
Expand Down Expand Up @@ -27,7 +28,15 @@ hawk

# Test artifacts
coverage.out
coverage.html
CODE_REVIEW_REPORT.md
review_report.md

# Workspace checksum file — regenerated by `make setup` / `go work sync`;
# deleted and regenerated by the Dockerfile and flake.nix builds.
go.work.sum

# Lefthook-generated git hook wrappers
.githooks/
__pycache__/
hawk_bin
30 changes: 30 additions & 0 deletions .golangci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,10 +13,39 @@ linters:
- bodyclose
- unconvert
- whitespace
- gosec
settings:
errcheck:
check-type-assertions: true
check-blank: false
gosec:
# Scoped to high-signal rules (2026-07 baseline: 0 findings in
# production code with this set). Deliberately excluded floods:
# G104 — unhandled errors, already covered by errcheck
# G301/G306 — 0755/0644 perms are intentional for user-visible files
# G304 — hawk reads user-supplied file paths by design (CLI agent)
includes:
- G101 # hardcoded credentials
- G102 # bind to all interfaces
- G106 # ssh InsecureIgnoreHostKey
- G107 # url from variable in http request
- G110 # decompression bomb
- G111 # http dir traversal
- G112 # slowloris (missing ReadHeaderTimeout)
- G201 # sql format string
- G202 # sql string concat
- G203 # unescaped template data
- G204 # subprocess with variable
- G401 # weak crypto (md5/sha1/des/rc4)
- G402 # bad TLS settings
- G403 # weak RSA key
- G404 # weak random for security use
- G501 # crypto/md5 import
- G502 # crypto/des import
- G503 # crypto/rc4 import
- G504 # net/http/cgi import
- G505 # crypto/sha1 import
- G601 # implicit memory aliasing in range
govet:
enable-all: true
disable:
Expand Down Expand Up @@ -57,6 +86,7 @@ linters:
- bodyclose
- errcheck
- unused
- gosec
- path: cmd/
linters:
- noctx
Expand Down
142 changes: 142 additions & 0 deletions .shared-templates/.goreleaser.yml.tmpl
Original file line number Diff line number Diff line change
@@ -0,0 +1,142 @@
# Canonical GrayCodeAI goreleaser config for Go binary repos.
# Source of truth: .shared-templates/.goreleaser.yml.tmpl
#
# Placeholders rendered per repo (ALL-CAPS, distinct from goreleaser's own
# `{{.Version}}`-style Go template fields, which are left as-is below):
# {{NAME}} — short repo name (e.g. hawk, yaad, trace)
# {{MAIN_PKG}} — main package path (e.g. ./ or ./cmd/yaad)
# {{DESCRIPTION}} — short single-line description for brew/nfpms
# {{VERSION_PKG}} — Go package path holding Version vars
# (e.g. main or github.com/GrayCodeAI/hawk/internal/version)
#
# Repos with PRO/special features (e.g. trace's macOS notarization, tok's
# nfpms) extend this template with extra sections instead of replacing it.

version: 2
project_name: {{NAME}}

# ---------------------------------------------------------------------------
# Pre-build hooks — keep go.mod tidy and verified.
# ---------------------------------------------------------------------------
before:
hooks:
- go mod verify

# ---------------------------------------------------------------------------
# Builds — three OS × two arch (no Windows/arm64).
# Reproducible: `mod_timestamp` ties the binary timestamp to the commit time
# rather than the build host's clock.
# ---------------------------------------------------------------------------
builds:
- id: {{NAME}}
main: {{MAIN_PKG}}
binary: {{NAME}}
env:
- CGO_ENABLED=0
goos:
- linux
- darwin
- windows
goarch:
- amd64
- arm64
ignore:
- goos: windows
goarch: arm64
ldflags:
- -s -w
- -X {{VERSION_PKG}}.Version={{.Version}}
- -X {{VERSION_PKG}}.Commit={{.ShortCommit}}
- -X {{VERSION_PKG}}.BuildDate={{.Date}}
mod_timestamp: "{{ .CommitTimestamp }}"

# ---------------------------------------------------------------------------
# Archives — tar.gz on Unix, zip on Windows. Includes README + LICENSE.
# ---------------------------------------------------------------------------
archives:
- id: default
formats: [tar.gz]
format_overrides:
- goos: windows
formats: [zip]
name_template: >-
{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}
files:
- README.md
- LICENSE
- CHANGELOG.md

# ---------------------------------------------------------------------------
# Source archive — published alongside binaries for downstream packagers.
# ---------------------------------------------------------------------------
source:
enabled: true
name_template: "{{ .ProjectName }}_{{ .Version }}_source"

# ---------------------------------------------------------------------------
# Checksums — SHA-256, single file per release.
# ---------------------------------------------------------------------------
checksum:
name_template: checksums.txt
algorithm: sha256

# ---------------------------------------------------------------------------
# Snapshot — unreleased dev builds get a clear synthetic version.
# ---------------------------------------------------------------------------
snapshot:
version_template: "{{ incpatch .Version }}-next"

# ---------------------------------------------------------------------------
# Changelog — Conventional-Commit grouped, hidden noise.
# ---------------------------------------------------------------------------
changelog:
sort: asc
use: github
filters:
exclude:
- "^chore:"
- "^ci:"
- "^test:"
- "^style:"
- "^build:"
- "Merge pull request"
- "Merge branch"
groups:
- title: "Features"
regexp: '^.*?feat(\([[:word:]]+\))??!?:.+$'
order: 0
- title: "Bug Fixes"
regexp: '^.*?fix(\([[:word:]]+\))??!?:.+$'
order: 1
- title: "Performance"
regexp: '^.*?perf(\([[:word:]]+\))??!?:.+$'
order: 2
- title: "Refactoring"
regexp: '^.*?refactor(\([[:word:]]+\))??!?:.+$'
order: 3
- title: "Documentation"
regexp: '^.*?docs(\([[:word:]]+\))??!?:.+$'
order: 4
- title: "Other"
order: 999

# ---------------------------------------------------------------------------
# SBOM + release — auto-detect prereleases (rc/beta tags). Created on the
# repo itself (not a separate release repo).
# ---------------------------------------------------------------------------
sboms:
- artifacts: archive
documents:
- "${artifact}.spdx.sbom.json"

release:
draft: false
prerelease: auto
name_template: "v{{ .Version }}"
header: |
## {{NAME}} v{{.Version}}

{{DESCRIPTION}}
footer: |

**Full changelog:** https://github.com/GrayCodeAI/{{NAME}}/compare/{{.PreviousTag}}...{{.Tag}}
Loading
Loading