Add ADR-0028 for GitLab support architecture#601
Conversation
Site previewPreview: https://133649fa-site.fullsend-ai.workers.dev Commit: |
Review: #601Head SHA: 9c54514 SummaryThis is a well-crafted documentation PR that adds ADR-0028 (GitLab Support Architecture) and a companion problem document for implementation details. The ADR correctly identifies the key architectural gaps between GitHub and GitLab (no FindingsMedium
Info
FooterOutcome: approve Previous runReview: #601Head SHA: 3a0b2fe SummaryThis PR adds ADR-0028 (GitLab Support Architecture) and a companion problem document ( FindingsCriticalNone. HighNone. MediumNone. Low
Info
FooterOutcome: approve Previous run (2)Review: #601Head SHA: 4c61f37 SummaryThis is a well-structured documentation PR that adds ADR-0028 for GitLab support architecture alongside a companion problem document. The design is thorough, security-conscious (protected variables, hardcoded ref=main, webhook token validation), and properly references existing ADRs. The claims about the current FindingsMedium
Low
Info
FooterOutcome: comment-only Previous run (3)Review: #601Head SHA: da14129 SummaryThis PR adds ADR-0028 and a companion problem document for GitLab support architecture. The change is documentation-only — no executable code is modified. The ADR number (0028) is the next available, all cross-referenced ADRs (0005, 0007, 0008, 0009) exist, and the README link is correctly placed. The design documents are thorough, with well-reasoned security analysis covering protected branches, protected CI/CD variables, webhook validation with timing-safe comparison, YAML injection prevention via base64 encoding, and an explicit rejection of multi-project pipelines. Open questions are honestly documented with clear trade-off analysis. The PR follows CLAUDE.md conventions (problem doc in docs/problems/, linked from README, ADR in docs/ADRs/). FindingsCritical(none) High(none) Medium(none) Low
Info
FooterOutcome: approve Previous run (4)Review: #601Head SHA: 1ab346d SummaryThis is a well-structured documentation PR adding ADR-0028 (GitLab support architecture) and a companion problem document ( FindingsMedium
Low
Info
FooterOutcome: comment-only Previous run (5)Review: #601Head SHA: 96a05fe SummaryThis PR adds a well-structured ADR and companion problem document for GitLab support architecture. The documents are thorough, with strong security analysis (webhook-based dispatch, protected variables, constant-time token comparison) and honest treatment of open questions. However, the PR has a critical ADR numbering collision: it creates FindingsCritical
Medium
Low
Info
FooterOutcome: request-changes Previous run (6)Review: #601Head SHA: aaf10c9 SummaryThis is a well-structured documentation PR adding ADR-0027 (GitLab Support Architecture) and a companion problem document ( FindingsMedium
Low
Info
FooterOutcome: comment-only Previous run (7)Review: #601Head SHA: 491cae4 SummaryThis documentation-only PR adds ADR-0027 (GitLab Support Architecture) and a companion implementation problem document, with a README index entry. The ADR is well-structured, correctly numbered (follows ADR-0026), and follows established conventions. The architectural proposal is thorough: it accurately characterizes the existing FindingsInfo
FooterOutcome: approve Previous run (8)Review: #601Head SHA: af0b94a SummaryThis PR adds a well-structured ADR-0027 and companion problem document proposing GitLab support architecture. The design is thorough — the security analysis of webhook-vs-shim trade-offs, the forge-neutral interface evolution, and the honest acknowledgment of open questions are all strong. However, the new problem document FindingsHigh
Medium
Low
Info
FooterOutcome: request-changes Previous run (9)Review: #601Head SHA: SummaryThis ADR proposes a comprehensive architecture for extending fullsend to support GitLab alongside GitHub. The design is well-researched: cross-references to ADRs 0005, 0007, 0008, and 0009 are accurate (verified against source), the FindingsMedium
Low
Info
FooterOutcome: comment-only Previous run (10)Review: #601Head SHA: 22019d9 SummaryThis ADR proposes a comprehensive architecture for GitLab support, covering CI/CD mapping, authentication via Project Access Tokens, webhook-based security (replacing FindingsMedium
Low
Info
FooterOutcome: comment-only Previous run (11)Review: #601Head SHA: ebb934f SummaryThis ADR proposes a well-researched architecture for GitLab support, correctly identifying the key challenges (no FindingsMedium
Low
Info
FooterOutcome: comment-only Previous run (12)Review: #601Head SHA: 98bd17e SummaryThis ADR proposes a comprehensive GitLab support architecture that correctly maps GitHub primitives to GitLab equivalents. The security analysis is thorough — particularly the honest assessment of the FindingsMedium
Low
Info
FooterOutcome: comment-only Previous run (13)Review: #601Head SHA: 2f6e5a4 SummaryThis PR adds a well-structured ADR proposing GitLab support architecture. The design is thorough, correctly identifies the key mapping challenges between GitHub and GitLab primitives, and proposes reasonable solutions. No critical or high issues found. Two medium findings relate to a webhook-to-pipeline API incompatibility that undermines a core assumption of the proposed architecture, and a potential gap in the dispatch token security model. These are design-level concerns appropriate for feedback on a "Proposed" ADR. FindingsMedium
Low
Info
FooterOutcome: comment-only Previous run (14)Review: #601Head SHA: 82114c0 SummaryWell-structured ADR proposing GitLab support architecture that demonstrates strong security awareness (webhook validation, protected branch requirements, payload encoding). The design closely follows ADR-0005's forge abstraction principles and proposes reasonable forge-neutral interface additions. Three technical issues in the illustrative YAML snippets are worth addressing before the ADR is accepted, though none are blocking for a "Proposed" status document. FindingsMedium
Low
Info
FooterOutcome: comment-only Previous run (15)Review: #601Head SHA: SummaryThis is a well-structured design ADR proposing GitLab support architecture. The document demonstrates strong security awareness — it identifies timing-safe comparison gaps, variable name collisions, regex validation limitations, and YAML injection risks, annotating each with FindingsMedium
Low
Info
FooterOutcome: comment-only |
ralphbean
left a comment
There was a problem hiding this comment.
ADR-0026 Review: GitLab Support Architecture
The direction is sound — GitLab support is well-motivated (issue #322), builds on the forge abstraction (ADR-0005), and the ADR covers a lot of ground. However, there are critical gaps in the security model and event-handling architecture that need to be addressed before this can be accepted.
Key concerns
-
Security model relies on
workflow:rules+CI_COMMIT_REF_PROTECTED, but GitLab MR pipelines run the source branch's CI config. An attacker can remove these checks from their branch. The real mitigation is protected CI/CD variables (not just masked), which GitLab only exposes to pipelines on protected branches. The ADR says "masked" but never says "protected." -
GitLab CI cannot natively trigger on issue events, issue comments, or MR comments.
CI_PIPELINE_SOURCEhas 15 valid values — none for issues or notes. The event mapping table says "Webhook → shim pipeline" but doesn't explain how, because no native mechanism exists. This has significant architectural implications (external webhook receiver needed?) that conflict with compute-platform agnosticism. -
Sandbox/compute architecture is missing. How does OpenShell run on GitLab CI runners? Which executor types are compatible? This should be discussed or explicitly scoped out with a reference to a future ADR.
-
Forge abstraction needs discussion. ADR-0005 promises "no changes to layers, CLI, or app setup code" for new forges, but this ADR lists modifications to
admin.go,workflows.go,enrollment.go,appsetup/, andconfig.go. The ADR should propose forge-neutral interface additions and flag existing GitHub-specific methods (ListOrgInstallations,GetAppClientID) that need generalization.
d135b32 to
d158a0a
Compare
|
/review |
|
I don't see Multi-Pipelines mentioned: https://docs.gitlab.com/ci/pipelines/downstream_pipelines/?tab=Multi-project+pipeline. For the security concern to be true the attacker needs to modify the target repo dispatch to target a .fullsend ref that is not main, where this attacker introduced a branch that exfiltrates secrets. If the secrets are just scoped to the main branch, then the attacker can't exfiltrate anything even if it lands a branch in the .fullsend repository. |
Address security concerns raised by rh-hemartin in PR fullsend-ai#601: 1. **Protected CI/CD Variables (Defense-in-Depth)** Add new required security control: all secrets in .fullsend project MUST be marked as protected variables. This restricts them to pipelines running on protected branches only. Threat model: GitLab's trigger API accepts a 'ref' parameter with no documented restrictions - anyone with the trigger token can specify any branch. Protected variables defend against: - Webhook intermediary compromise/bugs triggering on ref=malicious-branch - Insider threats (write access to .fullsend but can't bypass main protection) - Misconfiguration of trigger API calls Even if dispatch pipeline runs on unprotected branch, secrets won't be exposed. 2. **Webhook Intermediary Security Requirements** Add explicit requirements for translation service: - MUST hardcode ref=main when calling .fullsend trigger API - MUST NOT derive ref from webhook payload - MUST validate webhook secret token - MUST use least-privilege credentials Rationale: Intermediary controls which branch dispatch runs on. If it accepts attacker-controlled ref values, insider with .fullsend write could exfiltrate secrets via malicious branch (mitigated by protected variables). 3. **Multi-Project Pipelines Consideration** Document why GitLab's multi-project pipeline feature is not suitable: - Would run MR code with potential secret access (violates security model) - GitLab warns against passing masked variables to multi-project pipelines - Parent-child pipelines within .fullsend provide better security guarantees 4. **Update Dispatch Token Security Section** Correct statement that protected variables don't apply to chosen architecture. Protected variables are defense-in-depth control that applies to ALL architectures and provides critical protection against ref manipulation. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
Thanks for raising these points! You're absolutely right on both counts. I've investigated and updated the implementation doc: Multi-Project PipelinesGood catch - I hadn't explicitly considered GitLab's multi-project pipelines. I've now documented why they're not suitable for fullsend's security model:
See the new Multi-Project Pipelines section in the implementation doc. Protected Variables Defense-in-DepthYour security analysis is spot-on. The threat is real but requires insider-level access or intermediary compromise: Attack vector: The webhook translation intermediary calls GitLab's trigger API with
Then the dispatch pipeline could run on an unprotected branch. Your point about protected variables is correct: GitLab's protected variables are only exposed to pipelines running on protected branches. This provides critical defense-in-depth. I've updated the doc to make protected variables a required security control (not optional):
Thanks for the careful review - this strengthens the security model significantly. |
Medium findings addressed: 1. GitLab CI/CD variable naming constraint: Variable names must match [A-Za-z_][A-Za-z0-9_]* (no hyphens allowed). Updated sanitization scheme to replace both / → __ and - → _H_. Added collision analysis noting pathological cases (e.g., "foo_H_bar/baz" collides with "foo-bar/baz") and recommending SHA256 hash for collision-free guarantee if needed. Updated examples throughout. 2. Bash syntax in alpine image: Section 5 used [[ regex ]] bashism but alpine:latest defaults to ash (/bin/sh). Wrapped script in bash <<'BASH' heredoc (matching Section 4 pattern) and added bash to apk install. 3. envsubst variable restriction: envsubst without arguments substitutes ALL environment variables. Added '$pipeline_file' argument to restrict substitution to only the intended variable, preventing unintended substitution of CI-injected vars like $CI_PROJECT_PATH. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
…sure) Medium findings addressed: 1. Webhook-to-trigger API incompatibility: GitLab webhooks send JSON payloads but the trigger API expects form-encoded parameters. They are not wire-compatible - direct webhook→trigger doesn't work. Added section documenting this gap and three options for translation: - GitLab CI/CD webhook integration (keeps everything in GitLab CI/CD) - GitLab serverless functions (requires Premium/Ultimate tier) - Minimal bridge service (reintroduces hosted receiver concern) Recommended option 1 for initial implementation with documented residual risk and comparison to ADR-0009. 2. Dispatch token exposure risk: FULLSEND_DISPATCH_TOKEN is group-level and visible to all enrolled repos. Malicious MR could exfiltrate and use to trigger arbitrary pipelines. Added security consideration section documenting attack surface, comparing to GitHub (ADR-0008), and proposing mitigations (protected variables, webhook secret auth). Low findings addressed: - SOURCE_PROJECT regex: Added expanded regex for production use (^[a-zA-Z0-9._-]+(/[a-zA-Z0-9._-]+)+$) supporting dots and nested groups, with note about bracket notation for yq queries. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Medium findings: - Clarify webhook-to-trigger incompatibility: option 1 (CI/CD webhook integration) cannot enforce protected-branch-only without blocking MR reactions entirely. Document as open question instead of recommending a non-working solution. - Fix enrollment setup contradiction: webhook URL requires translation intermediary (serverless/bridge), cannot point directly to trigger API. - Add backward compatibility strategy for forge.Client interface: deprecation phase, extension interfaces for forge-specific methods, breaking change timeline. Low findings: - Use SHA256 hashing as primary recommendation for collision-free webhook token variable naming (not character sanitization). - Add Open Questions section acknowledging ADR length (650+ lines) and suggesting implementation details move to separate design doc. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Low finding: enrollment section referenced underscore-sanitized variable names (WEBHOOK_TOKEN_myorg__myrepo) while dispatch and security sections use SHA256 hashing (WEBHOOK_TOKEN_<sha256(project_path)>). Remove the contradictory examples to maintain consistency with the chosen SHA256 approach for collision-free token identification. Medium finding (acknowledged): ADR length (668 lines) already documented in Open Questions section. No action needed beyond existing acknowledgment. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Medium finding - config lookup collision: Fix enrollment check to use full project path (group/subgroup/project) instead of basename extraction which caused collisions. Convert slashes to dots for config.yaml key lookup (repos."group.subgroup.project".enabled). This maintains consistency with webhook token validation which uses full path SHA256 hashing. Low finding - dispatch token clarity: Clarify that the webhook-based architecture (chosen approach) avoids dispatch token exposure to enrolled repos entirely. Webhook secret tokens authenticate enrolled repos, and dispatch token remains internal to .fullsend. Move the exposure concern to "alternative architecture note" since it only applies to non-chosen approaches (in-repo shim workflows). Low finding - envsubst restriction: Already fixed in previous commit (line 354 uses envsubst '$pipeline_file'). Medium finding - ADR length: Already acknowledged in "Open Questions > ADR Scope and Structure" section. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Medium finding - duplicated validation logic: Add implementation note to Section 5 stating that validation logic (SOURCE_PROJECT format check, enrollment check, token validation) appears in both Section 4 and Section 5 snippets for clarity in the design document, but should be extracted into a shared script or bash function during implementation to avoid maintenance drift. Low finding - detectForge subdomain matching: Add security note to detectForge function that HasSuffix for subdomain matching is illustrative only. Production implementations should use an allowlist (github.com, ghe.example.com) or DNS-based validation to prevent attacker-controlled domains like evil.github.com from being detected as GitHub. Medium finding - ADR length: Already acknowledged in "Open Questions > ADR Scope and Structure" section. Low finding - envsubst complexity: Minor readability concern for illustrative code, no action needed. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Address review feedback about ADR length (676 lines → 217 lines, 68% reduction). Extract implementation details to docs/problems/gitlab-implementation.md per CLAUDE.md guidance that problem-oriented documents handle evolving design while ADRs record decisions. Moved to implementation doc: - Shim pipeline security (webhook architecture, validation snippets) - Cross-repo dispatch mechanism (child pipelines, YAML templates) - Stage markers, event mapping, state machine primitives - Implementation phases (5-phase rollout plan) - Forge interface evolution (CreateRoleCredential, TriggerPipeline, etc.) - CLI changes (forge detection, install command, config schema) - Security considerations (protected branches, token scoping) ADR now focuses on: - Context (why GitLab support is needed) - Options (rejected alternatives and rationale) - Decision (high-level architecture: directory structure, CI/CD patterns, authentication model) - Consequences (positive/negative/risks/mitigations) - Open questions (webhook translation architecture) The implementation doc is structured for iterative evolution as GitLab support progresses from design to production. Both documents cross-reference each other. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
High findings:
- Add required "## Open questions" section to gitlab-implementation.md per
CLAUDE.md convention (all 18 existing problem documents include this).
Consolidated inline open questions: webhook-to-trigger translation
architecture and forge interface design details.
- Add gitlab-implementation.md to README.md problem document list (inserted
after Agent Infrastructure, before Autonomy Spectrum).
Medium finding:
- Fix timing side-channel vulnerability in webhook token comparison code
sample. Replace string equality (vulnerable to timing attacks) with
constant-time comparison using SHA256 hashes. Changed from:
if [ "$WEBHOOK_TOKEN" != "$EXPECTED_TOKEN" ]
to:
WEBHOOK_HASH=$(echo -n "$WEBHOOK_TOKEN" | openssl dgst -sha256 -hex | cut -d' ' -f2)
EXPECTED_HASH=$(echo -n "$EXPECTED_TOKEN" | openssl dgst -sha256 -hex | cut -d' ' -f2)
if [ "$WEBHOOK_HASH" != "$EXPECTED_HASH" ]
Low finding:
- Clarify GitHub App key expiration comparison. Changed from "GitHub App
keys don't expire" to "GitHub App private keys never expire, though
installation tokens have 1-hour TTL and auto-refresh". Makes clear that
GitLab PAT rotation is mandatory while GitHub App key rotation is optional.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Address security concerns raised by rh-hemartin in PR fullsend-ai#601: 1. **Protected CI/CD Variables (Defense-in-Depth)** Add new required security control: all secrets in .fullsend project MUST be marked as protected variables. This restricts them to pipelines running on protected branches only. Threat model: GitLab's trigger API accepts a 'ref' parameter with no documented restrictions - anyone with the trigger token can specify any branch. Protected variables defend against: - Webhook intermediary compromise/bugs triggering on ref=malicious-branch - Insider threats (write access to .fullsend but can't bypass main protection) - Misconfiguration of trigger API calls Even if dispatch pipeline runs on unprotected branch, secrets won't be exposed. 2. **Webhook Intermediary Security Requirements** Add explicit requirements for translation service: - MUST hardcode ref=main when calling .fullsend trigger API - MUST NOT derive ref from webhook payload - MUST validate webhook secret token - MUST use least-privilege credentials Rationale: Intermediary controls which branch dispatch runs on. If it accepts attacker-controlled ref values, insider with .fullsend write could exfiltrate secrets via malicious branch (mitigated by protected variables). 3. **Multi-Project Pipelines Consideration** Document why GitLab's multi-project pipeline feature is not suitable: - Would run MR code with potential secret access (violates security model) - GitLab warns against passing masked variables to multi-project pipelines - Parent-child pipelines within .fullsend provide better security guarantees 4. **Update Dispatch Token Security Section** Correct statement that protected variables don't apply to chosen architecture. Protected variables are defense-in-depth control that applies to ALL architectures and provides critical protection against ref manipulation. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add section to gitlab-implementation.md clarifying that agent execution environment (runner configuration, executor types, isolation model, OpenShell integration) is beyond the scope of this document. These details should be documented in Agent Infrastructure design docs or implementation PRs. Addresses review finding about sandbox architecture discussion. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Rename 0027-gitlab-support.md to 0028-gitlab-support.md (ADR 0027 already exists on main as allowed-and-disallowed-tools-for-agents.md) - Update all references to ADR-0027 in both ADR and gitlab-implementation.md - Add TODO(implementation) markers on SOURCE_PROJECT regex lines to prevent copy-paste bugs during implementation - Clarify hash comparison comment - it mitigates timing attacks but bash [ ] is not truly constant-time (compares hash bytes, not token bytes) - Add comment explaining two-step heredoc + envsubst pattern to prevent accidental variable expansion - Move GitLab Implementation entry to end of README problem doc list to preserve existing curated ordering Addresses review findings from fullsend-ai-review. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Replace HasSuffix subdomain matching with explicit allowlist of known forge domains to prevent subdomain spoofing (e.g., evil.github.com). The allowlist approach is more secure and was already recommended in the original comment. Addresses low finding from review: showing the safer pattern directly in the code example prevents copy-paste security issues during implementation. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Resolves four critical issues identified by ralphbean: 1. Security Model: Add CRITICAL SECURITY REQUIREMENT emphasizing that all CI/CD variables must be marked as "protected" in GitLab, not just "masked". This is the primary defense-in-depth control preventing secret exfiltration via non-protected branch execution. 2. Event Handling: Add section 4 documenting GitLab's lack of native issue/ comment event support and the required webhook-to-trigger translation intermediary. Clarifies architectural gap and three implementation options. 3. Sandbox/Compute: Add section 5 explicitly scoping out agent execution environment details (runner types, OpenShell integration) to future ADR. 4. Forge Abstraction: Add section 6 documenting compliance strategy with ADR-0005 promise via forge-neutral interface methods (CreateRoleCredential, TriggerPipeline) that minimize layer/CLI/appsetup changes. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Addresses 6 moderate-severity review findings: 1. Fix broken ADR cross-references (0005-forge-abstraction.md → 0005-forge-abstraction-layer.md, 0009-pull-request-target.md → 0009-pull-request-target-in-shim-workflows.md) 2. Remove invalid CI_PIPELINE_SOURCE == "webhook" reference - GitLab has no "webhook" pipeline source value. Clarify that there's no native mechanism to trigger pipelines from webhooks. 3. Correct FULLSEND_DISPATCH_TOKEN storage: project-level (not group-level) since webhook architecture means enrolled repos never see this token. 4. Fix GitLab labels API endpoint: PUT /projects/:id/merge_requests/:iid with labels/add_labels/remove_labels params (not dedicated /labels endpoint). 5. Clarify event filtering must use EVENT_PAYLOAD_B64, not CI_MERGE_REQUEST_EVENT_TYPE (unavailable in trigger API pipelines). 6. Expand pull_request_review.submitted mapping to acknowledge need for multiple GitLab event types (approvals + Notes). Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
3a0b2fe to
9c54514
Compare
ralphbean
left a comment
There was a problem hiding this comment.
Thorough ADR and implementation doc for GitLab support. The webhook-based dispatch architecture is well-motivated, the defense-in-depth security model is sound, and the forge-neutral interface evolution respects ADR-0005.
This has been through extensive review (25+ commits addressing feedback). One remaining inconsistency noted in existing thread (dispatch token scope in ADR line 148 still says group-level while impl doc correctly says project-level), otherwise LGTM.
+1'd existing comments on timing-safe comparison, ADR template section, and webhook translation language strength.
Change FULLSEND_DISPATCH_TOKEN from group-level to project-level to match the implementation doc. The webhook-based architecture stores this token at project-level in .fullsend, scoped to .fullsend only—enrolled repos never see this token. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
@ralphbean Fixed in 38c13f8 - changed |
Addresses the open question from GitLab implementation (PR fullsend-ai#601) about how agents execute on GitLab runners vs GitHub Actions. Key decisions: - Shared container image (ghcr.io/fullsend-ai/agent-sandbox) for both GitHub Actions and GitLab CI - OpenShell as PID 1 with nested sandboxes for individual agents - Docker and Kubernetes executors supported (shell executor excluded) - Privileged container requirement for OpenShell network namespace manipulation - Resource limits and timeout enforcement per platform - Image signing with Sigstore for supply chain integrity The ADR explores four options: 1. Shared container image, Docker-first (chosen) 2. Platform-specific images (rejected: maintenance burden, inconsistent security) 3. Kubernetes-native with CRDs (rejected: poor fit for ephemeral task execution) 4. Minimal sandbox + dynamic tools (rejected: violates zero-trust execution) Implementation details moved to docs/problems/agent-execution-environment.md: - Container image build pipeline and Dockerfile structure - OpenShell gateway configuration and sandbox creation flow - L7 policy and provider configuration examples - Platform-specific considerations (GitHub Actions VMs, GitLab Docker/K8s executors) - Host-side REST server lifecycle in containerized environments - Image signing, verification, upgrade, and rollback procedures Open questions documented: - Rootless OpenShell support (user namespaces, eBPF alternatives) - Image build and distribution strategy (public vs per-org registry) - Builder services for Docker-in-Docker use cases (external Kaniko vs prohibit) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Lint fixes: - Remove gitlab-implementation from ADR frontmatter relates_to (doesn't exist yet) - Update references to ADR-0028 and gitlab-implementation.md to note they are pending in PR fullsend-ai#601 Review findings (Medium): - Add builder stage to Dockerfile example (was missing, would fail to build) - Remove Docker socket mount from GitLab runner registration (security violation - bypasses sandbox isolation) - Update all references to pending GitLab support work (PR fullsend-ai#601 instead of ADR-0028) Review findings (Low): - Remove placeholder OpenShell issue link, describe as upstream feature request instead - Replace non-existent docker/run@v1 action with standard docker run command - Add comment explaining docker login in GitLab job (for pulling additional images, not the base image) All changes address findings from fullsend-ai-review comment-only review. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Replace markdown link to non-existent ADR-0028 file with plain text noting it is pending in PR fullsend-ai#601. This prevents broken link if this PR merges before fullsend-ai#601. Addresses review finding about broken link in References section. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
**Medium:** - Add docs/plans/ section to README for proper categorization - Update stale ADR-0028 reference in implementation doc (was "pending in PR fullsend-ai#601") **Low:** - Update ADR context to reflect GitLab support is decided (ADR-0028), not "under development" - Update all references from "PR fullsend-ai#601" to ADR-0028 throughout **Other:** - Remove agent-execution-environment from ADR frontmatter relates_to (now in plans, not problems) - Fix agent-infrastructure.md link path in implementation doc references Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Summary
Proposes comprehensive architecture for extending fullsend to support GitLab alongside GitHub.
Key Design Decisions
.gitlab/ci/*.ymlparallel to.github/workflows/pull_request_targetequivalent)workflow_dispatch)# fullsend-stage:marker pattern for stage discoveryContents
The ADR covers:
Status
Proposed - seeking feedback on the design before implementation.
Related
🤖 Generated with Claude Code