Weekly: Promote nightly to main (2026-02-18)

.docker/README.md

@@ -95,6 +95,11 @@ Configure the application via `docker-compose.yml`:
 | `CHARON_HTTP_PORT` | `8080` | Port for the Web UI (`CPM_HTTP_PORT` supported for backward compatibility). |
 | `CHARON_DB_PATH` | `/app/data/charon.db` | Path to the SQLite database (`CPM_DB_PATH` supported for backward compatibility). |
 | `CHARON_CADDY_ADMIN_API` | `http://localhost:2019` | Internal URL for Caddy API (`CPM_CADDY_ADMIN_API` supported for backward compatibility). |
+| `CHARON_CADDY_CONFIG_ROOT` | `/config` | Path to Caddy autosave configuration directory. |
+| `CHARON_CADDY_LOG_DIR` | `/var/log/caddy` | Directory for Caddy access logs. |
+| `CHARON_CROWDSEC_LOG_DIR` | `/var/log/crowdsec` | Directory for CrowdSec logs. |
+| `CHARON_PLUGINS_DIR` | `/app/plugins` | Directory for DNS provider plugins. |
+| `CHARON_SINGLE_CONTAINER_MODE` | `true` | Enables permission repair endpoints for single-container deployments. |
 
 ## NAS Deployment Guides
 

.docker/compose/docker-compose.playwright-ci.yml

@@ -27,7 +27,7 @@ services:
   # Charon Application - Core E2E Testing Service
   # =============================================================================
   charon-app:
-    # CI provides CHARON_E2E_IMAGE_TAG=charon:e2e-test (locally built image)
+    # CI provides CHARON_E2E_IMAGE_TAG=charon:e2e-test (retagged from shared digest)
     # Local development uses the default fallback value
     image: ${CHARON_E2E_IMAGE_TAG:-charon:e2e-test}
     container_name: charon-playwright

.docker/docker-entrypoint.sh

@@ -18,6 +18,42 @@ run_as_charon() {
     fi
 }
 
+get_group_by_gid() {
+    if command -v getent >/dev/null 2>&1; then
+        getent group "$1" 2>/dev/null || true
+    else
+        awk -F: -v gid="$1" '$3==gid {print $0}' /etc/group 2>/dev/null || true
+    fi
+}
+
+create_group_with_gid() {
+    local gid="$1"
+    local name="$2"
+
+    if command -v addgroup >/dev/null 2>&1; then
+        addgroup -g "$gid" "$name" 2>/dev/null || true
+        return
+    fi
+
+    if command -v groupadd >/dev/null 2>&1; then
+        groupadd -g "$gid" "$name" 2>/dev/null || true
+    fi
+}
+
+add_user_to_group() {
+    local user="$1"
+    local group="$2"
+
+    if command -v addgroup >/dev/null 2>&1; then
+        addgroup "$user" "$group" 2>/dev/null || true
+        return
+    fi
+
+    if command -v usermod >/dev/null 2>&1; then
+        usermod -aG "$group" "$user" 2>/dev/null || true
+    fi
+}
+
 # ============================================================================
 # Volume Permission Handling for Non-Root User
 # ============================================================================
@@ -89,18 +125,19 @@ if [ -S "/var/run/docker.sock" ] && is_root; then
     DOCKER_SOCK_GID=$(stat -c '%g' /var/run/docker.sock 2>/dev/null || echo "")
     if [ -n "$DOCKER_SOCK_GID" ] && [ "$DOCKER_SOCK_GID" != "0" ]; then
         # Check if a group with this GID exists
-        if ! getent group "$DOCKER_SOCK_GID" >/dev/null 2>&1; then
+        GROUP_ENTRY=$(get_group_by_gid "$DOCKER_SOCK_GID")
+        if [ -z "$GROUP_ENTRY" ]; then
             echo "Docker socket detected (gid=$DOCKER_SOCK_GID) - creating docker group and adding charon user..."
             # Create docker group with the socket's GID
-            groupadd -g "$DOCKER_SOCK_GID" docker 2>/dev/null || true
+            create_group_with_gid "$DOCKER_SOCK_GID" docker
             # Add charon user to the docker group
-            usermod -aG docker charon 2>/dev/null || true
+            add_user_to_group charon docker
             echo "Docker integration enabled for charon user"
         else
             # Group exists, just add charon to it
-            GROUP_NAME=$(getent group "$DOCKER_SOCK_GID" | cut -d: -f1)
+            GROUP_NAME=$(echo "$GROUP_ENTRY" | cut -d: -f1)
             echo "Docker socket detected (gid=$DOCKER_SOCK_GID, group=$GROUP_NAME) - adding charon user..."
-            usermod -aG "$GROUP_NAME" charon 2>/dev/null || true
+            add_user_to_group charon "$GROUP_NAME"
             echo "Docker integration enabled for charon user"
         fi
     fi
@@ -152,33 +189,67 @@ if command -v cscli >/dev/null; then
     # Initialize persistent config if key files are missing
     if [ ! -f "$CS_CONFIG_DIR/config.yaml" ]; then
         echo "Initializing persistent CrowdSec configuration..."
+
+        # Check if .dist has content
         if [ -d "/etc/crowdsec.dist" ] && [ -n "$(ls -A /etc/crowdsec.dist 2>/dev/null)" ]; then
-            cp -r /etc/crowdsec.dist/* "$CS_CONFIG_DIR/" || {
+            echo "Copying config from /etc/crowdsec.dist..."
+            if ! cp -r /etc/crowdsec.dist/* "$CS_CONFIG_DIR/"; then
                 echo "ERROR: Failed to copy config from /etc/crowdsec.dist"
+                echo "DEBUG: Contents of /etc/crowdsec.dist:"
+                ls -la /etc/crowdsec.dist/
                 exit 1
-            }
-            echo "Successfully initialized config from .dist directory"
+            fi
+
+            # Verify critical files were copied
+            if [ ! -f "$CS_CONFIG_DIR/config.yaml" ]; then
+                echo "ERROR: config.yaml was not copied to $CS_CONFIG_DIR"
+                echo "DEBUG: Contents of $CS_CONFIG_DIR after copy:"
+                ls -la "$CS_CONFIG_DIR/"
+                exit 1
+            fi
+            echo "✓ Successfully initialized config from .dist directory"
         elif [ -d "/etc/crowdsec" ] && [ ! -L "/etc/crowdsec" ] && [ -n "$(ls -A /etc/crowdsec 2>/dev/null)" ]; then
-            cp -r /etc/crowdsec/* "$CS_CONFIG_DIR/" || {
-                echo "ERROR: Failed to copy config from /etc/crowdsec"
+            echo "Copying config from /etc/crowdsec (fallback)..."
+            if ! cp -r /etc/crowdsec/* "$CS_CONFIG_DIR/"; then
+                echo "ERROR: Failed to copy config from /etc/crowdsec (fallback)"
                 exit 1
-            }
-            echo "Successfully initialized config from /etc/crowdsec"
+            fi
+            echo "✓ Successfully initialized config from /etc/crowdsec"
         else
-            echo "ERROR: No config source found (neither .dist nor /etc/crowdsec available)"
+            echo "ERROR: No config source found!"
+            echo "DEBUG: /etc/crowdsec.dist contents:"
+            ls -la /etc/crowdsec.dist/ 2>/dev/null || echo "  (directory not found or empty)"
+            echo "DEBUG: /etc/crowdsec contents:"
+            ls -la /etc/crowdsec 2>/dev/null || echo "  (directory not found or empty)"
             exit 1
         fi
+    else
+        echo "✓ Persistent config already exists: $CS_CONFIG_DIR/config.yaml"
     fi
 
     # Verify symlink exists (created at build time)
     # Note: Symlink is created in Dockerfile as root before switching to non-root user
     # Non-root users cannot create symlinks in /etc, so this must be done at build time
     if [ -L "/etc/crowdsec" ]; then
         echo "CrowdSec config symlink verified: /etc/crowdsec -> $CS_CONFIG_DIR"
+
+        # Verify the symlink target is accessible and has config.yaml
+        if [ ! -f "/etc/crowdsec/config.yaml" ]; then
+            echo "ERROR: /etc/crowdsec/config.yaml is not accessible via symlink"
+            echo "DEBUG: Symlink target verification:"
+            ls -la /etc/crowdsec 2>/dev/null || echo "  (symlink broken or missing)"
+            echo "DEBUG: Directory contents:"
+            ls -la "$CS_CONFIG_DIR/" 2>/dev/null | head -10 || echo "  (directory not found)"
+            exit 1
+        fi
+        echo "✓ /etc/crowdsec/config.yaml is accessible via symlink"
     else
-        echo "WARNING: /etc/crowdsec symlink not found. This may indicate a build issue."
+        echo "ERROR: /etc/crowdsec symlink not found"
         echo "Expected: /etc/crowdsec -> /app/data/crowdsec/config"
-        # Try to continue anyway - config may still work if CrowdSec uses CFG env var
+        echo "This indicates a critical build-time issue. Symlink must be created at build time as root."
+        echo "DEBUG: Directory check:"
+        ls -la /etc/ | grep crowdsec || echo "  (no crowdsec entry found)"
+        exit 1
     fi
 
     # Create/update acquisition config for Caddy logs

.dockerignore

@@ -10,7 +10,7 @@
 .gitignore
 .github/
 .pre-commit-config.yaml
-.codecov.yml
+codecov.yml
 .goreleaser.yaml
 .sourcery.yml
 
@@ -80,7 +80,6 @@ backend/node_modules/
 backend/internal/api/tests/data/
 backend/lint*.txt
 backend/fix_*.sh
-backend/codeql-db-*/
 
 # Backend data (created at runtime)
 backend/data/
@@ -185,8 +184,6 @@ codeql-db/
 codeql-db-*/
 codeql-agent-results/
 codeql-custom-queries-*/
-codeql-*.sarif
-codeql-results*.sarif
 .codeql/
 
 # -----------------------------------------------------------------------------
@@ -208,7 +205,6 @@ playwright.config.js
 # -----------------------------------------------------------------------------
 # Root-level artifacts
 # -----------------------------------------------------------------------------
-coverage/
 coverage.txt
 provenance*.json
 trivy-*.txt

.github/agents/Backend_Dev.agent.md

@@ -2,18 +2,24 @@
 name: 'Backend Dev'
 description: 'Senior Go Engineer focused on high-performance, secure backend implementation.'
 argument-hint: 'The specific backend task from the Plan (e.g., "Implement ProxyHost CRUD endpoints")'
-tools:
-  ['execute', 'read', 'agent', 'edit/createDirectory', 'edit/createFile', 'edit/editFiles', 'edit/editNotebook', 'search', 'todo']
-model: 'Cloaude Sonnet 4.5'
+tools: vscode/extensions, vscode/getProjectSetupInfo, vscode/installExtension, vscode/memory, vscode/openSimpleBrowser, vscode/runCommand, vscode/askQuestions, vscode/vscodeAPI, execute, read, agent, 'github/*', 'github/*', 'io.github.goreleaser/mcp/*', 'trivy-mcp/*', edit, search, web, 'github/*', 'playwright/*', 'pylance-mcp-server/*', todo, vscode.mermaid-chat-features/renderMermaidDiagram, github.vscode-pull-request-github/issue_fetch, github.vscode-pull-request-github/labels_fetch, github.vscode-pull-request-github/notification_fetch, github.vscode-pull-request-github/doSearch, github.vscode-pull-request-github/activePullRequest, github.vscode-pull-request-github/openPullRequest, ms-azuretools.vscode-containers/containerToolsConfig, ms-python.python/getPythonEnvironmentInfo, ms-python.python/getPythonExecutableCommand, ms-python.python/installPythonPackage, ms-python.python/configurePythonEnvironment, 'gopls/*'
+
+model: GPT-5.3-Codex (copilot)
+target: vscode
+user-invocable: true
+disable-model-invocation: false
+
 ---
 You are a SENIOR GO BACKEND ENGINEER specializing in Gin, GORM, and System Architecture.
 Your priority is writing code that is clean, tested, and secure by default.
 
 <context>
+
 - **MANDATORY**: Read all relevant instructions in `.github/instructions/` for the specific task before starting.
 - **Project**: Charon (Self-hosted Reverse Proxy)
 - **Stack**: Go 1.22+, Gin, GORM, SQLite.
 - **Rules**: You MUST follow `.github/copilot-instructions.md` explicitly.
+- **References**: Use `gopls` mcp server for Go code understanding and generation.
 </context>
 
 <workflow>
@@ -43,6 +49,9 @@ Your priority is writing code that is clean, tested, and secure by default.
     - Run `go mod tidy`.
     - Run `go fmt ./...`.
     - Run `go test ./...` to ensure no regressions.
+    - **Local Patch Coverage Preflight (MANDATORY)**: Run VS Code task `Test: Local Patch Report` or `bash scripts/local-patch-report.sh` before backend coverage runs.
+        - Ensure artifacts exist: `test-results/local-patch-report.md` and `test-results/local-patch-report.json`.
+        - Use the file-level coverage gap list to target tests before final coverage validation.
     - **Coverage (MANDATORY)**: Run the coverage task/script explicitly and confirm Codecov Patch view is green for modified lines.
         - **MANDATORY**: Patch coverage must cover 100% of new/modified code. This prevents CodeCov Report failing CI.
         - **VS Code Task**: Use "Test: Backend with Coverage" (recommended)
@@ -65,5 +74,3 @@ Your priority is writing code that is clean, tested, and secure by default.
 - **NO CONVERSATION**: If the task is done, output "DONE". If you need info, ask the specific question.
 - **USE DIFFS**: When updating large files (>100 lines), use `sed` or `replace_string_in_file` tools if available. If re-writing the file, output ONLY the modified functions/blocks.
 </constraints>
-
-```