Add --reset-config / --reset-secrets #3240

Merged
liquidsec merged 4 commits into dev from reset-config
Jun 25, 2026

@liquidsec liquidsec commented Jun 24, 2026

Collaborator

Summary

BBOT writes a fully-commented snapshot of the defaults into ~/.config/bbot/bbot.yml and ~/.config/bbot/secrets.yml on first install (ensure_config_files), guarded by if not exists. Across upgrades these freeze at install time, so old installs carry commented options that no longer exist, and a config can reference options that have since been renamed or removed.

This adds an opt-in way to regenerate those files, plus a targeted hint when an actually-invalid option is found.

  • Separate, independent resets: --reset-config regenerates bbot.yml only; --reset-secrets regenerates secrets.yml only (combine the two to do both). Refreshing the bbot.yml template never disturbs the API keys in secrets.yml. Each requires confirmation (y/N, or --yes; refuses in a non-tty without --yes) and backs up existing files non-clobbering (.bak, .bak.1, ...).
  • Secrets are written securely (_write_secret_text): secrets.yml is created owner-only (0600) atomically via a private temp file + rename, so it never exists world/group-readable even briefly; an existing file's hardened perms (e.g. 0400) are preserved; if owner-only perms can't be guaranteed, the secret is not written. Backups preserve the source file's permissions.
  • Validation-driven reset hint (bbot/cli.py): when config validation rejects an option, and that option actually lives in one of the generated config files, BBOT points the user at the matching reset flag. This rides on the existing pydantic validation (which only flags options the user is actually using), so it never fires on a config that is fine, and it does not fire for a -c CLI typo.
  • Test isolation (bbot/core/config/files.py): under BBOT_TESTING, config_dir resolves to a fresh per-run mkdtemp (shared across child processes via BBOT_TEST_CONFIG_DIR, cleaned at exit) instead of the real ~/.config/bbot. Fixes a pre-existing leak where the suite read/wrote the user's actual config, and is safe against previous/concurrent runs.

Notes

An earlier revision stamped each file with a structural option-set hash and warned on every run when the hash no longer matched. That nag false-flagged hand-written and minimal configs as stale on every run (an unstamped file is indistinguishable from one generated by an old version) and duplicated what preset validation already does precisely. It was dropped in favor of the validation-driven hint above.

Tests

  • test_presets.py: config-dir isolation; independent reset (resetting config leaves secrets untouched, and vice versa); reset both; secret-file permissions (create 0600, preserve hardened 0400, tighten loose 0644); refusal to write secrets when perms can't be secured.
  • test_cli.py: --reset-config / --reset-secrets end-to-end (non-tty refusal without --yes, regeneration + backup, secrets untouched on a config reset); the reset hint fires when a bad option lives in bbot.yml, and does not fire for a -c CLI typo.
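
The secret-write and backup behaviour described in the summary above, as an added example that is not BBOT's own code. The names `write_secret_atomic`, `backup_file` and `LOOSE_BITS` are hypothetical, and a POSIX system is assumed (`os.fchmod`).

```python
import os
import stat
import tempfile
from pathlib import Path

LOOSE_BITS = stat.S_IRWXG | stat.S_IRWXO  # any group/other permission bit


def backup_file(path):
    """Copy path to the first free .bak, .bak.1, ... name, keeping its mode."""
    mode, n = stat.S_IMODE(path.stat().st_mode), 0
    while True:
        name = path.name + (".bak" if n == 0 else f".bak.{n}")
        try:  # O_EXCL never clobbers; 0600 at creation leaves no loose window
            fd = os.open(path.with_name(name), os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            n += 1
            continue
        with os.fdopen(fd, "wb") as out:
            out.write(path.read_bytes())
            os.fchmod(out.fileno(), mode)
        return path.with_name(name)


def write_secret_atomic(path, text):
    """Replace path with owner-only content; return the backup path or None."""
    path, backup, mode = Path(path), None, 0o600
    if path.exists():
        old_mode = stat.S_IMODE(path.stat().st_mode)
        if not old_mode & LOOSE_BITS:
            mode = old_mode  # keep hardened perms such as 0400
        backup = backup_file(path)
    # mkstemp creates the file 0600 with O_EXCL; same directory keeps the
    # final rename on one filesystem, so readers see old or new, never partial.
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=path.name + ".")
    try:
        with os.fdopen(fd, "w") as fh:
            os.fchmod(fh.fileno(), mode)
            actual = stat.S_IMODE(os.fstat(fh.fileno()).st_mode)
            if actual & LOOSE_BITS:  # verify before any secret byte is written
                raise PermissionError(f"cannot secure {path}: mode {actual:o}")
            fh.write(text)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return backup
```

The permission check runs on the open descriptor before the secret is written, so a filesystem that ignores mode bits causes a refusal rather than a readable file.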

Stamp generated config files with a hash of the option set; warn when a
config predates or no longer matches it. `bbot --reset-config` regenerates
from current defaults (confirmation required, backs up to .bak).

Also isolate the config dir under a temp dir during tests so the suite
never touches the user's real ~/.config/bbot.

Per-file hash stamps and staleness detection; --reset-secrets regenerates
secrets.yml on its own so --reset-config never disturbs API keys. Secrets
are written owner-only atomically, preserving any hardened perms, and refused
if owner-only can't be guaranteed.

github-actions Bot commented Jun 24, 2026

Contributor

📊 Performance Benchmark Report

Comparing dev (baseline) vs reset-config (current)

📈 Detailed Results (All Benchmarks)

📋 Complete results for all benchmarks - includes both significant and insignificant changes

| 🧪 Test Name | 📏 Base | 📏 Current | 📈 Change | 🎯 Status |
|---|---|---|---|---|
| Bloom Filter Dns Mutation Tracking Performance | 3.83ms | 3.92ms | +2.3% | |
| Bloom Filter Large Scale Dns Brute Force | 17.03ms | 18.16ms | +6.6% | |
| Large Closest Match Lookup | 342.16ms | 324.92ms | -5.0% | |
| Realistic Closest Match Workload | 177.42ms | 177.80ms | +0.2% | |
| Event Memory Medium Scan | 1403 B/event | 1403 B/event | +0.0% | |
| Event Memory Large Scan | 1527 B/event | 1527 B/event | +0.0% | |
| Event Validation Full Scan Startup Small Batch | 379.54ms | 388.17ms | +2.3% | |
| Event Validation Full Scan Startup Large Batch | 491.41ms | 505.71ms | +2.9% | |
| Make Event Autodetection Small | 21.20ms | 20.95ms | -1.2% | |
| Make Event Autodetection Large | 214.30ms | 214.14ms | -0.1% | |
| Make Event Explicit Types | 9.17ms | 9.18ms | +0.1% | |
| Excavate Single Thread Small | 3.689s | 3.524s | -4.5% | |
| Excavate Single Thread Large | 9.785s | 9.681s | -1.1% | |
| Excavate Parallel Tasks Small | 3.825s | 3.746s | -2.1% | |
| Excavate Parallel Tasks Large | 6.351s | 6.133s | -3.4% | |
| Intercept Throughput Small | 841.76ms | 870.78ms | +3.4% | |
| Intercept Throughput Medium | 843.72ms | 848.04ms | +0.5% | |
| Dns Throughput Quiet | 2.366s | 2.345s | -0.9% | |
| Dns Throughput Loaded | 1.592s | 1.595s | +0.2% | |
| Dns Throughput Inherited | 2.271s | 2.215s | -2.5% | |
| Is Ip Performance | 1.98ms | 1.98ms | +0.0% | |
| Make Ip Type Performance | 172.10µs | 170.26µs | -1.1% | |
| Mixed Ip Operations | 2.05ms | 2.05ms | +0.0% | |
| Memory Use Web Crawl | 1.0 MB | 1.0 MB | +0.0% | |
| Memory Use Subdomain Enum | 28.3 MB | 28.3 MB | +0.0% | |
| Memory Use Deep Chain | 5.0 MB | 5.0 MB | +0.0% | |
| Memory Use Parallel Chains | 10.2 MB | 12.2 MB | +20.2% | 🔴🔴🔴 ⚠️ |
| Scan Throughput 100 | 2.577s | 2.552s | -1.0% | |
| Scan Throughput 1000 | 18.170s | 17.262s | -5.0% | |
| Typical Queue Shuffle | 4.90µs | 4.92µs | +0.2% | |
| Priority Queue Shuffle | 23.28µs | 23.23µs | -0.2% | |

🎯 Performance Summary

! 1 regression ⚠️
  30 unchanged ✅

🔍 Significant Changes (>10%)

  • Memory Use Parallel Chains: 20.2% 🐌 more memory

🐍 Python Version 3.11.15


codecov Bot commented Jun 24, 2026


Codecov Report

❌ Patch coverage is 95.50562% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 90%. Comparing base (3bc8e9c) to head (5f29c5b).
⚠️ Report is 13 commits behind head on dev.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| bbot/cli.py | 77% | 10 Missing ⚠️ |
| bbot/core/config/files.py | 90% | 2 Missing ⚠️ |

Additional details and impacted files
@@          Coverage Diff           @@
##             dev   #3240    +/-   ##
======================================
+ Coverage     90%     90%    +1%     
======================================
  Files        453     451     -2     
  Lines      46304   46488   +184     
======================================
+ Hits       41411   41618   +207     
+ Misses      4893    4870    -23     


The per-run hash nag false-flagged hand-written/minimal configs as stale
on every run, since an unstamped file is indistinguishable from an old one.
Drop the hash machinery; keep --reset-config/--reset-secrets. On a real
validation failure, hint at the reset flag only when the bad option actually
lives in a generated config file (not a -c CLI typo).

liquidsec changed the title from "Add --reset-config and stale-config detection" to "Add --reset-config / --reset-secrets with a validation-driven reset hint" Jun 24, 2026
liquidsec changed the title from "Add --reset-config / --reset-secrets with a validation-driven reset hint" to "Add --reset-config / --reset-secrets" Jun 24, 2026
ausmaster added this to the BBOT 3.0 - blazed_elijah milestone Jun 25, 2026
ausmaster self-requested a review June 25, 2026 17:48
liquidsec merged commit 983a672 into dev Jun 25, 2026
17 checks passed
liquidsec deleted the reset-config branch June 25, 2026 19:09