feat(connectors): Add terraform-aligned Google constants and idempotent methods#244
Merged
jbdevprimary merged 1 commit intomainfrom Nov 29, 2025
Merged
Conversation
…nt create methods Adds unique contributions from PR #243 to the modular architecture: - constants.py: Terraform-modules aligned scopes, GCP settings, roles, APIs - workspace.py: create_or_update_user, create_or_update_group with idempotent behavior - __init__.py: get_connector_for_user for user impersonation This properly integrates bc-f5391b3e's work with the modular mixin structure that was established via PR #241. Fixes #231 (partial - completes terraform-parity additions)
Contributor
|
⏳ Code review in progress. Analyzing for code quality issues and best practices. You can monitor the review status in the checks section at the bottom of this pull request. Detailed findings will be posted upon completion. Using Amazon Q Developer for GitHubAmazon Q Developer1 is an AI-powered assistant that integrates directly into your GitHub workflow, enhancing your development process with intelligent features for code development, review, and transformation. Slash Commands
FeaturesAgentic Chat Code Review CustomizationYou can create project-specific rules for Amazon Q Developer to follow:
Example rule: FeedbackTo provide feedback on Amazon Q Developer, create an issue in the Amazon Q Developer public repository. For more detailed information, visit the Amazon Q for GitHub documentation. Footnotes
|
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
15 tasks
Contributor
Summary of ChangesHello @jbcom, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request integrates specific, unique features from a previously proposed PR (#243) into the existing modular architecture of the Google connector. The primary goal is to enhance the Google connector's capabilities by introducing Terraform-aligned constants, providing idempotent methods for managing Google Workspace users and groups, and enabling user impersonation for more flexible operations. This approach ensures proper modularity and supersedes the monolithic design of PR #243. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![amazon-q-developer[bot]](https://avatars.githubusercontent.com/in/1220912?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Security Review Summary
This PR adds terraform-aligned Google constants and idempotent methods to the vendor-connectors package. While the functionality is well-implemented, there are critical security vulnerabilities that must be addressed before merge.
🔴 Critical Security Issues (Must Fix)
- Hardcoded sensitive information - Domain names and project IDs are hardcoded, exposing organizational infrastructure details
- Excessive privileges -
roles/ownergrants unnecessary broad access, violating least privilege principle - Password handling vulnerabilities - Generated passwords may be exposed in logs or memory
- Missing input validation - Email parameters lack validation, creating potential injection risks
🟡 Additional Concerns
- Password updates may inadvertently change user credentials during idempotent operations
- Missing proper credential cleanup after use
✅ Positive Aspects
- Good terraform-style idempotent design patterns
- Comprehensive constants for GCP operations
- Proper error handling structure
- Well-documented methods
Recommendation: Address the security vulnerabilities before merging. The core functionality is solid, but the security issues create significant risks for production deployment.
You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.
|
|
||
| from __future__ import annotations | ||
|
|
||
| DEFAULT_DOMAIN = "flipsidecrypto.com" |
Contributor
There was a problem hiding this comment.
🛑 Security Vulnerability: Hardcoded domain name exposes sensitive organizational information and creates security risks1. This domain should be configurable via environment variables or configuration files to prevent exposure in version control and enable environment-specific deployments.
Suggested change
| DEFAULT_DOMAIN = "flipsidecrypto.com" | |
| DEFAULT_DOMAIN = os.getenv("GOOGLE_WORKSPACE_DOMAIN", "example.com") |
Footnotes
-
CWE-200: Information Exposure - https://cwe.mitre.org/data/definitions/200.html ↩
Comment on lines
+7
to
+8
| from __future__ import annotations | ||
|
|
Contributor
There was a problem hiding this comment.
Missing required import for environment variable access. Add import os to support configurable domain and other environment-based configurations.
Suggested change
| from __future__ import annotations | |
| from __future__ import annotations | |
| import os |
|
|
||
| # GCP Security Project defaults | ||
| GCP_SECURITY_PROJECT = { | ||
| "id": "flipside-security-admin", |
Contributor
There was a problem hiding this comment.
🛑 Security Vulnerability: Hardcoded project ID exposes sensitive infrastructure information1. This should be configurable via environment variables to prevent exposure and enable environment-specific deployments.
Suggested change
| "id": "flipside-security-admin", | |
| "id": os.getenv("GCP_SECURITY_PROJECT_ID", "security-admin"), |
Footnotes
-
CWE-200: Information Exposure - https://cwe.mitre.org/data/definitions/200.html ↩
|
|
||
| # Required IAM roles for organization-level operations | ||
| GCP_REQUIRED_ORGANIZATION_ROLES = [ | ||
| "roles/owner", |
Contributor
There was a problem hiding this comment.
🛑 Security Vulnerability: The roles/owner role grants excessive privileges and violates the principle of least privilege1. This role provides full administrative access to all resources and should be replaced with more specific, limited roles based on actual requirements.
Suggested change
| "roles/owner", | |
| # "roles/owner", # Too broad - use specific roles instead | |
| "roles/resourcemanager.organizationAdmin", |
Footnotes
-
CWE-269: Improper Privilege Management - https://cwe.mitre.org/data/definitions/269.html ↩
Comment on lines
+451
to
+452
| if not password: | ||
| password = secrets.token_urlsafe(16) |
Contributor
There was a problem hiding this comment.
🛑 Security Vulnerability: Generated password is logged or potentially exposed in memory1. The password should be handled more securely and cleared from memory after use to prevent credential exposure.
Suggested change
| if not password: | |
| password = secrets.token_urlsafe(16) | |
| if not password: | |
| password = secrets.token_urlsafe(16) | |
| # Clear password from memory after use |
Footnotes
-
CWE-532: Information Exposure Through Log Files - https://cwe.mitre.org/data/definitions/532.html ↩
Comment on lines
+460
to
+464
| "password": password, | ||
| "changePasswordAtNextLogin": change_password_at_next_login, | ||
| "orgUnitPath": org_unit_path, | ||
| **additional_fields, | ||
| } |
Contributor
There was a problem hiding this comment.
🛑 Security Vulnerability: Password is included in request body that may be logged or cached1. Consider using a separate secure method for password transmission or ensure the password is cleared from the body after the request.
Suggested change
| "password": password, | |
| "changePasswordAtNextLogin": change_password_at_next_login, | |
| "orgUnitPath": org_unit_path, | |
| **additional_fields, | |
| } | |
| user_body: dict[str, Any] = { | |
| "primaryEmail": primary_email, | |
| "name": { | |
| "givenName": given_name, | |
| "familyName": family_name, | |
| }, | |
| "password": password, # TODO: Clear after request | |
| "changePasswordAtNextLogin": change_password_at_next_login, | |
| "orgUnitPath": org_unit_path, | |
| **additional_fields, | |
| } |
Footnotes
-
CWE-532: Information Exposure Through Log Files - https://cwe.mitre.org/data/definitions/532.html ↩
| existing = service.users().get(userKey=primary_email).execute() | ||
| if update_if_exists: | ||
| # Update existing user | ||
| result = service.users().update(userKey=primary_email, body=user_body).execute() |
Contributor
There was a problem hiding this comment.
Password update vulnerability: When updating existing users, the password field should not be included unless explicitly intended. This could inadvertently change user passwords during updates.
Suggested change
| result = service.users().update(userKey=primary_email, body=user_body).execute() | |
| if update_if_exists: | |
| # Update existing user - exclude password unless explicitly updating it | |
| update_body = {k: v for k, v in user_body.items() if k != "password"} | |
| result = service.users().update(userKey=primary_email, body=update_body).execute() |
| Returns: | ||
| A new GoogleConnector instance configured to impersonate the user. | ||
| """ | ||
| return GoogleConnector( |
Contributor
There was a problem hiding this comment.
Missing input validation for email parameter. The primary_email should be validated to ensure it's a properly formatted email address to prevent injection attacks or malformed requests.
Suggested change
| return GoogleConnector( | |
| import re | |
| # Validate email format | |
| email_pattern = r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$' | |
| if not re.match(email_pattern, primary_email): | |
| raise ValueError(f"Invalid email format: {primary_email}") | |
| return GoogleConnector( |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Code Review
This pull request does a good job of integrating new features into the existing modular structure of the Google connector. The addition of Terraform-aligned constants and idempotent create_or_update methods for users and groups is a valuable enhancement. I've identified a few issues, including a critical bug that could cause unintended password resets, some hardcoded configuration values that affect reusability, and a couple of style/correctness improvements. Please see my detailed comments below.
Comment on lines
+469
to
+473
| if update_if_exists: | ||
| # Update existing user | ||
| result = service.users().update(userKey=primary_email, body=user_body).execute() | ||
| self.logger.info(f"Updated existing user: {primary_email}") | ||
| return result |
Contributor
There was a problem hiding this comment.
This logic has a critical side effect: it will reset the user's password on every update. The user_body includes the password field, and a new random password is generated if none is provided. When update_if_exists is true, this user_body is used for the update call, which will overwrite the existing user's password. Password updates should be explicit. I suggest removing the password from the update payload unless it was intentionally supplied for a reset.
Suggested change
| if update_if_exists: | |
| # Update existing user | |
| result = service.users().update(userKey=primary_email, body=user_body).execute() | |
| self.logger.info(f"Updated existing user: {primary_email}") | |
| return result | |
| if update_if_exists: | |
| # Update existing user | |
| update_body = user_body.copy() | |
| # Do not reset password on update unless a new one is explicitly provided. | |
| if password is None: | |
| update_body.pop("password", None) | |
| result = service.users().update(userKey=primary_email, body=update_body).execute() | |
| self.logger.info(f"Updated existing user: {primary_email}") | |
| return result |
Comment on lines
+524
to
+528
| if update_if_exists: | ||
| # Update existing group | ||
| result = service.groups().update(groupKey=email, body=group_body).execute() | ||
| self.logger.info(f"Updated existing group: {email}") | ||
| return result |
Contributor
There was a problem hiding this comment.
The group_body for the update operation includes the email field. According to the Google Admin SDK documentation, the group's email is its primary key and is a read-only field for update operations. While the API will likely ignore this field, it's incorrect to include it in the update payload and can lead to confusion. The body for an update should only contain mutable fields.
Suggested change
| if update_if_exists: | |
| # Update existing group | |
| result = service.groups().update(groupKey=email, body=group_body).execute() | |
| self.logger.info(f"Updated existing group: {email}") | |
| return result | |
| if update_if_exists: | |
| # Update existing group | |
| update_body = group_body.copy() | |
| # The 'email' field is the group key and cannot be updated. | |
| update_body.pop("email", None) | |
| result = service.groups().update(groupKey=email, body=update_body).execute() | |
| self.logger.info(f"Updated existing group: {email}") | |
| return result |
Comment on lines
+9
to
+60
| DEFAULT_DOMAIN = "flipsidecrypto.com" | ||
|
|
||
| # Full OAuth scopes matching terraform-modules for maximum compatibility | ||
| DEFAULT_SCOPES = [ | ||
| "https://mail.google.com/", | ||
| "https://www.googleapis.com/auth/apps.alerts", | ||
| "https://www.googleapis.com/auth/calendar", | ||
| "https://www.googleapis.com/auth/cloud-identity", | ||
| "https://www.googleapis.com/auth/drive", | ||
| "https://www.googleapis.com/auth/drive.activity", | ||
| "https://www.googleapis.com/auth/gmail.settings.basic", | ||
| "https://www.googleapis.com/auth/gmail.settings.sharing", | ||
| "https://www.googleapis.com/auth/spreadsheets", | ||
| "https://www.googleapis.com/auth/userinfo.email", | ||
| "https://www.googleapis.com/auth/admin.directory.user", | ||
| "https://www.googleapis.com/auth/admin.directory.user.readonly", | ||
| "https://www.googleapis.com/auth/admin.directory.userschema", | ||
| "https://www.googleapis.com/auth/admin.directory.group", | ||
| "https://www.googleapis.com/auth/admin.directory.orgunit", | ||
| "https://www.googleapis.com/auth/apps.groups.settings", | ||
| "https://www.googleapis.com/auth/apps.licensing", | ||
| "https://www.googleapis.com/auth/cloud-platform", | ||
| "https://www.googleapis.com/auth/cloud-billing", | ||
| "https://www.googleapis.com/auth/bigquery", | ||
| "https://www.googleapis.com/auth/iam", | ||
| "https://www.googleapis.com/auth/compute", | ||
| "https://www.googleapis.com/auth/cloudkms", | ||
| "https://www.googleapis.com/auth/logging.admin", | ||
| "https://www.googleapis.com/auth/monitoring", | ||
| "https://www.googleapis.com/auth/sqlservice.admin", | ||
| "https://www.googleapis.com/auth/devstorage.full_control", | ||
| "https://www.googleapis.com/auth/pubsub", | ||
| "https://www.googleapis.com/auth/service.management", | ||
| ] | ||
|
|
||
| # GCP Security Project defaults | ||
| GCP_SECURITY_PROJECT = { | ||
| "id": "flipside-security-admin", | ||
| "name": "Security Administration", | ||
| "resource_labels": { | ||
| "managed-by": "terraform", | ||
| "environment": "global", | ||
| "team": "security", | ||
| }, | ||
| } | ||
|
|
||
| # KMS configuration for terraform secrets | ||
| GCP_KMS = { | ||
| "keyring_name": "terraform-secrets", | ||
| "key_name": "terraform-key", | ||
| "key_rotation_period": "7776000s", # 90 days | ||
| } |
Contributor
There was a problem hiding this comment.
Several constants in this file, such as DEFAULT_DOMAIN, GCP_SECURITY_PROJECT, and GCP_KMS, are hardcoded with organization-specific values (e.g., flipsidecrypto.com). This tightly couples the connector to a specific environment and reduces its reusability. Consider making these values configurable, for example, by removing these defaults and requiring them as parameters during connector initialization or in the methods that use them. This would make the connector more generic and easier to adopt across different projects.
| ] | ||
|
|
||
| # Default OUs for user filtering | ||
| DEFAULT_USER_OUS = ["/Users", "Users/2FANotEnforced", "/Contract"] |
Contributor
There was a problem hiding this comment.
The organizational unit path Users/2FANotEnforced in DEFAULT_USER_OUS is inconsistent with the other paths, which start with a leading slash (/). While the normalization logic in the connector might handle this, defining constants consistently improves readability and reduces the risk of errors if the normalization is ever bypassed or changed. For better maintainability, all OU paths should follow the same format.
Suggested change
| DEFAULT_USER_OUS = ["/Users", "Users/2FANotEnforced", "/Contract"] | |
| DEFAULT_USER_OUS = ["/Users", "/Users/2FANotEnforced", "/Contract"] |
Comment on lines
+445
to
+447
| import secrets | ||
|
|
||
| from googleapiclient.errors import HttpError |
Contributor
There was a problem hiding this comment.
According to PEP 8, imports should be at the top of the file. Placing import secrets and from googleapiclient.errors import HttpError inside the function reduces readability and is against standard Python conventions. This also applies to the HttpError import in create_or_update_group. Please move these imports to the top of the workspace.py file.
| Returns: | ||
| Created or updated group dictionary. | ||
| """ | ||
| from googleapiclient.errors import HttpError |
Contributor
There was a problem hiding this comment.
Similar to the create_or_update_user function, the import from googleapiclient.errors import HttpError should be moved to the top of the file to adhere to PEP 8 guidelines and improve code readability.
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
| ] | ||
|
|
||
| # Default OUs for user filtering | ||
| DEFAULT_USER_OUS = ["/Users", "Users/2FANotEnforced", "/Contract"] |
Contributor
There was a problem hiding this comment.
Bug: Missing leading slash in OU path constant
The DEFAULT_USER_OUS list has inconsistent path formatting: "Users/2FANotEnforced" is missing its leading / while the other entries ("/Users", "/Contract") have it. This appears to be a typo since Google Workspace OU paths consistently use leading slashes. While the _normalize_org_unit_path helper can correct this, code that uses this constant directly for string comparison or passes it to external systems would fail to match properly.
| existing = service.users().get(userKey=primary_email).execute() | ||
| if update_if_exists: | ||
| # Update existing user | ||
| result = service.users().update(userKey=primary_email, body=user_body).execute() |
Contributor
There was a problem hiding this comment.
Bug: User password reset unexpectedly on updates
When create_or_update_user is called with update_if_exists=True on an existing user, the method generates a random password (if none provided) and includes it in the update request body. The Google Admin API will reset the user's password to this random value, effectively locking them out of their account. The password auto-generation and inclusion in user_body happens before checking whether the user exists, so updates intended to change only name or org unit will unexpectedly reset passwords.
| inputs=self.inputs, | ||
| from_environment=False, | ||
| from_stdin=False, | ||
| ) |
Contributor
There was a problem hiding this comment.
Bug: Subclass mixin functionality lost in user connector factory
The get_connector_for_user method hardcodes GoogleConnector as the return type instead of preserving the actual class type. When called on a GoogleConnectorFull instance, it returns a plain GoogleConnector that lacks mixin functionality. This defeats the method's stated purpose of enabling "terraform-style operations" since create_or_update_user and create_or_update_group are defined in GoogleWorkspaceMixin and would be unavailable on the returned connector.
3 tasks
jbdevprimary
added a commit
that referenced
this pull request
Dec 23, 2025
…nt create methods (#244) Adds unique contributions from PR #243 to the modular architecture: - constants.py: Terraform-modules aligned scopes, GCP settings, roles, APIs - workspace.py: create_or_update_user, create_or_update_group with idempotent behavior - __init__.py: get_connector_for_user for user impersonation This properly integrates bc-f5391b3e's work with the modular mixin structure that was established via PR #241. Fixes #231 (partial - completes terraform-parity additions) Co-authored-by: Cursor Agent <cursoragent@cursor.com>
jbdevprimary
added a commit
that referenced
this pull request
Dec 23, 2025
* feat: Complete agentic architecture - Claude Code, cycles, wiki (#190)
* feat: Integrate anthropics/claude-code-action for AI-driven workflows
Add comprehensive Claude Code integration for GitHub automation:
## New Workflows
- claude.yml: Interactive @claude mentions in issues/PRs/comments
- claude-pr-review.yml: Automatic PR code review with inline comments
- claude-issue-triage.yml: Auto-label and categorize new issues
- claude-ci-fix.yml: Auto-fix CI failures and create fix PRs
## Custom Commands (.claude/commands/)
- label-issue.md: Issue triage and labeling
- review-pr.md: Comprehensive PR review checklist
- fix-ci.md: CI failure diagnosis and fix
- ecosystem-sync.md: Cross-repo health check
## Configuration
- CLAUDE.md: Project context for Claude Code
- Updated .gitignore to allow CLAUDE.md
## Key Features
- Progress tracking with visual checkboxes
- Inline code comments on PRs
- AI-to-AI collaboration (allows bot interactions)
- Custom system prompts with project context
- Restricted tool access per workflow
## Authentication
Requires ANTHROPIC_API_KEY secret to be set.
Existing CURSOR_API_KEY kept for fallback workflows.
The agent-*.yml workflows remain as simpler gh CLI fallbacks.
* feat: Add agentic cycle orchestration architecture
Implements distributed agent coordination between control plane and repos:
## Architecture (docs/AGENTIC-ORCHESTRATION.md)
- Control plane decomposes cycles to repo-specific tasks
- Repos work independently with Claude Code tooling
- Bidirectional communication via GitHub Issues
- Aggregation and completion tracking
## New Workflows
- agentic-cycle.yml: Orchestrates decompose/aggregate/complete phases
- sync-claude-tooling.yml: Push standardized tooling to managed repos
## Templates (templates/claude/)
- CLAUDE.md.template: Project context for managed repos
- Workflow templates for repos
- Upstream notify workflow for feedback to control plane
## Issue Template
- agentic-cycle.yml: Easy creation of new cycles
## Key Concepts
- Agentic Cycles replace holding PRs open
- Each repo has its own Claude Code setup
- Station-to-station coordination via issue links
- Control plane aggregates and tracks progress
* docs: Update progress log with orchestration session
* feat: Add wiki-based documentation system
Implements GitHub Wiki as the central documentation hub:
## New Tools
- wiki-cli: Read/write/migrate wiki content
- wiki-read action: Read wiki pages in workflows
- wiki-write action: Write wiki pages in workflows
## Workflows
- wiki-manage.yml: Initialize, migrate, and cleanup
## Architecture (docs/WIKI-ARCHITECTURE.md)
- Wiki structure for Memory Bank, Agentic Rules, Documentation
- Cross-repo access patterns
- Migration plan from repo files to wiki
## Templates
- Minimal AGENTS.md pointing to wiki
- Minimal cursor rules pointing to wiki
## Benefits
- Single source of truth (wiki)
- Cross-repo accessible
- No more ruler concatenation
- Clean repo structure
- Live updates via wiki API
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* fix: Use JBCOM_TOKEN secret (GitHub disallows GITHUB_ prefix) (#191)
- Updated agentic-cycle.yml
- Updated sync-claude-tooling.yml
- Updated claude-upstream-notify.yml template
- Added JBCOM_TOKEN secret to repo
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* refactor: Migrate documentation to GitHub Wiki (#193)
All documentation now lives in the wiki: https://github.com/jbcom/jbcom-control-center/wiki
Changes:
- Migrated memory-bank/, docs/, .ruler/ to wiki pages
- Minimal AGENTS.md, CLAUDE.md, copilot-instructions.md pointing to wiki
- Single .cursor/rules/00-wiki.mdc Cursor rule
- Updated wiki-cli for programmatic access
- Fixed Claude PR review to allow cursor bot
* feat: Add wiki/ folder with github-wiki-action (#194)
Proper flat wiki structure per github-wiki-action docs.
- 26 wiki pages with actual content
- README.md → Home (via preprocess)
- Sidebar navigation
- All original content from memory-bank/, .ruler/, docs/
Wiki will sync on push to main.
* perf: Optimize PR review with correct claude-code-action settings (#195)
Based on official docs:
- use_sticky_comment: true (avoid comment spam)
- --max-turns 10 in claude_args (not timeout_minutes)
- Correct tool names (mcp__github_inline_comment__create_inline_comment)
- Skip wiki/docs only PRs
- Job timeout-minutes: 10 (GitHub Actions level)
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* fix: Add missing Claude command templates for repo sync (#196)
- ecosystem-sync.md
- fix-ci.md
- review-pr.md
- Updated label-issue.md
- Updated claude.yml workflow template
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* fix: Use pipe delimiter in sed to handle repo paths with slashes (#197)
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* fix: Detect new untracked files in Claude sync workflow (#198)
git diff only shows changes in tracked files. Need to stage first
with git add -A to detect new files like CLAUDE.md and .claude/commands/
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* fix: Remove invalid YAML workflows (#199)
Removed workflows with multiline string YAML parsing issues:
- agent-issue-triage.yml
- agent-post-merge.yml
- agent-project-management.yml
- agentic-cycle.yml
These workflows had heredoc/multiline strings that caused YAML
parsing failures (content at column 1 interpreted as YAML keys).
Keeping working workflows:
- CI (main workflow)
- claude-*.yml (Claude Code automation)
- sync-claude-tooling.yml (cross-repo sync)
- publish-wiki.yml
- reusable-*.yml
Will recreate the removed workflows with proper YAML formatting
in a follow-up PR.
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* 🚀 Cycle 001: Control Plane Activation
* cycle: 001 - Control Plane Activation
Comprehensive cycle documentation for activating the jbcom control plane
and cascading management to personal and enterprise repositories.
## Completed
- CI/CD pipeline
- Wiki documentation (28 pages)
- Claude Code integration
- Cross-repo sync
- All 4 packages on PyPI
## In Progress
- Enterprise integration (FlipsideCrypto)
- Expanded automation workflows
## Next
- Inventory enterprise repos
- Update terraform-modules
- Recreate valid YAML workflows
* docs: Add Active Cycle page and update wiki navigation
- New Active-Cycle.md with current cycle status
- Updated _Sidebar.md with Active Cycle link at top
- Updated README.md (Home) with cycle status
Links to PR #200 for tracking.
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* cycle: Update Phase 1 progress - terraform-modules PR created (#201)
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* cycle: Complete Phase 1 - Enterprise Integration (#202)
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* chore(deps)(deps): Bump the github-actions-all group with 4 updates (#207)
Bumps the github-actions-all group with 4 updates: [actions/checkout](https://github.com/actions/checkout), [actions/setup-node](https://github.com/actions/setup-node), [actions/github-script](https://github.com/actions/github-script) and [Andrew-Chen-Wang/github-wiki-action](https://github.com/andrew-chen-wang/github-wiki-action).
Updates `actions/checkout` from 4 to 6
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v6)
Updates `actions/setup-node` from 4 to 6
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v4...v6)
Updates `actions/github-script` from 7 to 8
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](https://github.com/actions/github-script/compare/v7...v8)
Updates `Andrew-Chen-Wang/github-wiki-action` from 4 to 5
- [Release notes](https://github.com/andrew-chen-wang/github-wiki-action/releases)
- [Commits](https://github.com/andrew-chen-wang/github-wiki-action/compare/v4...v5)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
dependency-group: github-actions-all
- dependency-name: actions/setup-node
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
dependency-group: github-actions-all
- dependency-name: actions/github-script
dependency-version: '8'
dependency-type: direct:production
update-type: version-update:semver-major
dependency-group: github-actions-all
- dependency-name: Andrew-Chen-Wang/github-wiki-action
dependency-version: '5'
dependency-type: direct:production
update-type: version-update:semver-major
dependency-group: github-actions-all
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* feat: Add file operations to EDT and exit_run to lifecyclelogging
## Summary
Adds foundational capabilities to enable terraform-modules (and other consumers) to fully adopt the jbcom ecosystem.
### Extended Data Types (`extended-data-types`)
- File operations: `read_file`, `write_file`, `decode_file`, `delete_file`
- URL validation using `validators` library
- String transformations exported
### Lifecyclelogging (`lifecyclelogging`)
- `exit_run` method with key transforms, prefixing, base64 encoding, sorting
- Fixed bug: prefix transformation now properly handles nested lists of dicts
- `log_results` method for writing to log files
- `ExitRunError` exception and `KeyTransform` type alias
### Infrastructure
- UV workspace configuration for all packages
- Tox configuration with tox-uv and tox-gh plugins
- Updated CI workflows for proper workspace support
- Comprehensive linting fixes (ruff, mypy)
All 18 review comments addressed and resolved.
* docs: Add recovery summary for agent bc-7d1997bf (#203)
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* chore: Add VS Code MCP configuration (#205)
* feat: Add file operations to EDT and exit_run to lifecyclelogging (#209)
* feat: Add file operations to EDT and exit_run to lifecyclelogging
Extended Data Types:
- Add read_file, write_file, decode_file, delete_file for unified file I/O
- Add resolve_local_path for path resolution relative to TLD
- Add is_url helper for URL detection
- Export string transformation functions (to_snake_case, to_camel_case, etc.)
- Full test coverage for all new file operations
Lifecyclelogging:
- Add exit_run method for formatted output and clean exit
- Add log_results for writing results to log files
- Add ExitRunError exception for formatting errors
- Support key_transform parameter with built-in transforms:
- "snake_case", "camel_case", "pascal_case", "kebab_case"
- Custom callable transforms
- Recursive key transformation for nested dicts/lists
- Full test coverage including all transform variants
This enables terraform-modules to:
- Replace local utils.py file operations with EDT imports
- Replace local exit_run with lifecyclelogging.Logging.exit_run
- Use extended-data-types as the canonical source for data transformations
* Fix: Handle duplicate values when sorting by field
Co-authored-by: jon <jon@jonbogaty.com>
* Update packages/lifecyclelogging/src/lifecyclelogging/logging.py
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update packages/extended-data-types/src/extended_data_types/file_data_type.py
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update packages/extended-data-types/src/extended_data_types/file_data_type.py
Co-authored-by: amazon-q-developer[bot] <208079219+amazon-q-developer[bot]@users.noreply.github.com>
* Update packages/extended-data-types/src/extended_data_types/file_data_type.py
Co-authored-by: amazon-q-developer[bot] <208079219+amazon-q-developer[bot]@users.noreply.github.com>
* Update packages/lifecyclelogging/src/lifecyclelogging/logging.py
Co-authored-by: amazon-q-developer[bot] <208079219+amazon-q-developer[bot]@users.noreply.github.com>
* Update packages/lifecyclelogging/src/lifecyclelogging/logging.py
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* Refactor logging and exit_run, improve type hints and error handling
Co-authored-by: jon <jon@jonbogaty.com>
* Remove noxfile.py configuration
Co-authored-by: jon <jon@jonbogaty.com>
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* Refactor: Use uv for workspace dependency management
Co-authored-by: jon <jon@jonbogaty.com>
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* Refactor CI to use tox for linting and testing
Co-authored-by: jon <jon@jonbogaty.com>
* Refactor file_data_type: improve error handling and documentation
Co-authored-by: jon <jon@jonbogaty.com>
* Initial plan
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: jon <jon@jonbogaty.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: amazon-q-developer[bot] <208079219+amazon-q-developer[bot]@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
* feat!: Migrate from pycalver to python-semantic-release (#213)
feat!: Migrate from pycalver to python-semantic-release
## Summary
- Replace pycalver with python-semantic-release (PSR) for per-package versioning
- Add monorepo commit parser for scoped version bumps
- Update all documentation for new versioning approach
- Version format: YYYYMM.MINOR.PATCH (e.g., 202511.3.0)
## Changes
- scripts/psr/monorepo_parser.py - Custom commit parser
- packages/*/pyproject.toml - PSR configuration per package
- .github/workflows/ci.yml - Consolidated release workflow
- Documentation updates across README, CONTRIBUTING, wiki, agent configs
## Commit Scopes
- edt → extended-data-types
- logging → lifecyclelogging
- dic → directed-inputs-class
- connectors → vendor-connectors
Fixes #212
BREAKING CHANGE: Requires conventional commits for version bumps
* fix(ci): Use uv tool install instead of --system for externally managed Python (#216)
Fix CI failure for externally managed Python on Ubuntu 24.04
* fix(connectors): Trigger initial 202511.3.0 release to PyPI (#217)
The version was set to 202511.3.0 by the SemVer migration (PR #213) but was never
published to PyPI due to CI failures. This commit triggers the release.
Downstream: terraform-modules PR #203 requires vendor-connectors>=202511.3
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* fix(ci): Fix syntax error in monorepo commit parser (#218)
The commit_body_components_separator function had malformed code:
- Missing 'if match := self.issue_selector.match(text):' conditional
- Orphaned 'has_number.search,' line that was a copy-paste artifact
This was causing semantic-release to fail with:
unexpected indent (monorepo_parser.py, line 256)
Without this fix, no packages can be released because semantic-release
cannot parse commit messages.
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* feat(connectors): Trigger vendor-connectors 202511.4.0 release
Unblocks downstream:
- terraform-modules PR #203 (vendor-connectors>=202511.3)
- terraform-modules PR #209 (depends on #203)
* chore(connectors-release): release vendor-connectors v202511.4.0 [skip ci]
Automatically generated by python-semantic-release
* fix(connectors): Disable GitHub release creation for vendor-connectors
The CI token doesn't have permission to create releases. This disables
VCS release creation since we only need PyPI publishing.
* chore(connectors-release): release vendor-connectors v202511.4.1 [skip ci]
Automatically generated by python-semantic-release
* fix(ci): Pass GH_TOKEN to semantic-release and skip VCS release
- Add GH_TOKEN env var to Bump version step
- Add --no-vcs-release flag to skip GitHub release creation
* feat(connectors): Force new release to sync with PyPI
PyPI has 202511.2 but repo has 202511.4.1. This commit triggers a new
version bump to ensure PyPI gets the latest code.
* chore(connectors-release): release vendor-connectors v202511.5.0 [skip ci]
Automatically generated by python-semantic-release
* fix(ci): Use PYPI_API_TOKEN for PyPI publishing
Trusted Publishing (OIDC) isn't configured for all packages. Fall back
to API token authentication.
* feat(connectors): Trigger release with PYPI_API_TOKEN configured
Previous release attempts failed due to Trusted Publishing not being
configured. Now using PYPI_API_TOKEN for authentication.
* style(connectors): Fix formatting
* chore(connectors-release): release vendor-connectors v202511.6.0 [skip ci]
Automatically generated by python-semantic-release
* fix(connectors): Use correct PYPI_TOKEN secret for PyPI publishing
The workflow was using PYPI_API_TOKEN but the secret is named PYPI_TOKEN.
This fix enables PyPI publishing for vendor-connectors.
Unblocks:
- terraform-modules PR #203 (requires vendor-connectors>=202511.3)
- terraform-modules PR #209 (depends on #203)
* chore(connectors-release): release vendor-connectors v202511.6.1 [skip ci]
Automatically generated by python-semantic-release
* feat: add FSC fleet coordination support
Merge PR #221
* chore(edt-release): release extended-data-types v202511.4.0 [skip ci]
Automatically generated by python-semantic-release
* feat(connectors): add list_secrets to AWS and Vault connectors (#223)
## Summary
Add list_secrets methods to AWS and Vault connectors:
- AWS: Support name prefix filtering, optional value fetching, skip empty secrets
- Vault: Recursive KV v2 listing with max depth control
- Security: Input validation for path traversal prevention
- CI: Fixed tox cache key to include package source files
## Test Plan
- [x] All tests pass including new security validation tests
- [x] CI cache invalidation working correctly
* chore(logging-release): release lifecyclelogging v202511.4.0 [skip ci]
Automatically generated by python-semantic-release
* fix(ci): remove automatic AI review from CI (#224)
Remove automatic AI review - use manual triggers (@cursor review, /q review, etc.) when needed
* chore(dic-release): release directed-inputs-class v202511.4.0 [skip ci]
Automatically generated by python-semantic-release
* docs(rules): add manual AI QA engagement protocol (#225)
Add manual AI QA engagement rule for agents
* chore(connectors-release): release vendor-connectors v202511.7.0 [skip ci]
Automatically generated by python-semantic-release
* feat(vendor-connectors): Add cloud API call param utilities (#226)
* feat(vendor-connectors): Add cloud API call param utilities
Add utilities for building properly formatted parameter dictionaries
for cloud provider APIs:
- get_cloud_call_params(): Base function with key casing options
- get_aws_call_params(): AWS-specific (PascalCase, default 100 results)
- get_google_call_params(): Google-specific (camelCase, default 200 results)
These functions help standardize API calls across different cloud providers
by handling common patterns like pagination limits and key transformations.
Migrated from terraform-modules utils.py as part of ecosystem consolidation.
* fix(vendor-connectors): Address review feedback
- Fix max_results=0 edge case (use 'is not None' instead of truthiness check)
- Revert manual version change (let semantic-release handle it)
- Fix docstring example to match actual behavior
- Add test for max_results=0 edge case
* style: Fix lint issues in test_cloud_params.py
* style: Format cloud_params.py
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* fix(vendor-connectors): Improve cloud_params module docstring (#227)
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* feat(connectors): Add cloud_params module with API parameter utilities (#228)
Add get_cloud_call_params, get_aws_call_params, and get_google_call_params
functions for building properly formatted parameter dicts for cloud APIs.
This was added in #226 but needs a properly scoped commit for release.
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* chore(connectors-release): release vendor-connectors v202511.8.0 [skip ci]
Automatically generated by python-semantic-release
* feat: Add AWS Secrets Manager create, update, delete operations (#236)
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* feat: Add Slack usergroup and conversation listing (#237)
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* feat: Add Vault AWS IAM role helpers (#239)
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* Bump directed-inputs-class and vendor-connectors versions (#240)
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* feat: Add filtering and transformation to Google user/group listing (#241)
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* chore(edt-release): release extended-data-types v202511.5.0 [skip ci]
Automatically generated by python-semantic-release
* Migrate aws codedeploy to new module (#238)
* feat: Add AWS CodeDeploy vendor connector
Co-authored-by: jon <jon@jonbogaty.com>
* fix: Resolve lint errors (E402, C416) in CodeDeploy module
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* chore(logging-release): release lifecyclelogging v202511.5.0 [skip ci]
Automatically generated by python-semantic-release
* docs: add FSC Control Center counterparty awareness (#220)
Addresses review feedback from Amazon Q and Gemini - CalVer version format and broken link fixes.
* chore(dic-release): release directed-inputs-class v202511.5.0 [skip ci]
Automatically generated by python-semantic-release
* feat(packages): add @jbcom/cursor-fleet for unified agent management (#222)
Adds cursor-fleet package for unified agent management. Resolves merge conflicts with main.
* Replay agent activity for terraform-modules migration (#229)
## terraform-modules Migration Integration
### Summary
Complete migration of cloud-specific Python code from terraform-modules to vendor-connectors using modular mixin architecture.
### Added AWS Submodules
- `organizations.py` - AWS Organizations & Control Tower account management
- `s3.py` - S3 bucket & object operations with JSON/YAML support
- `sso.py` - IAM Identity Center (SSO) operations
### Added Google Submodules
- `billing.py` - Billing account management
- `cloud.py` - Resource Manager, IAM, Compute, Container, Storage
- `services.py` - Service usage management
- `workspace.py` - Google Workspace Admin Directory
### GitHub Enhancements
- Organization members, repositories, teams management
- GraphQL query support
### Architecture
- Mixin-based composition for flexible connector assembly
- All 74 tests passing
- AI reviews addressed (Amazon Q, Gemini)
5,027 lines of migrated code from terraform-modules.
* docs: update orchestration with completion status
- All PRs merged: #220, #222, #229
- Spawned verification agent in terraform-modules
- Document migration statistics (5,027+ lines migrated)
* feat(connectors): Add terraform-aligned Google constants and idempotent create methods (#244)
Adds unique contributions from PR #243 to the modular architecture:
- constants.py: Terraform-modules aligned scopes, GCP settings, roles, APIs
- workspace.py: create_or_update_user, create_or_update_group with idempotent behavior
- __init__.py: get_connector_for_user for user impersonation
This properly integrates bc-f5391b3e's work with the modular mixin structure
that was established via PR #241.
Fixes #231 (partial - completes terraform-parity additions)
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* chore(connectors-release): release vendor-connectors v202511.9.0 [skip ci]
Automatically generated by python-semantic-release
* docs: Update wiki and orchestration for architectural evolution
* docs: Update wiki and orchestration for architectural evolution
Update documentation to reflect the decorator-based refactoring work:
- wiki/Active-Context.md: Current architectural state and PR plan
- wiki/Progress.md: Session history with completed work
- ORCHESTRATION.md: Full migration context and handoff instructions
- PR_PLAN.md: Dependency chain for focused PRs
This PR should merge FIRST to establish context for subsequent PRs:
1. PR #2: directed-inputs-class decorator API
2. PR #3: python-terraform-bridge package
3. PR #4: vendor-connectors migration
* docs: Update PR_PLAN.md with actual PR numbers
Added PR links and URLs:
- PR #246: Documentation & Wiki Update
- PR #247: directed-inputs-class Decorator API
- PR #248: python-terraform-bridge Package
- PR #249: vendor-connectors Migration Functions
* docs: Address Gemini review feedback
- Fix 'label_account' → 'label_aws_account' in ORCHESTRATION.md
- Consolidate PR Plan sections to reference PR_PLAN.md as single source of truth
- Fix '11 remaining' → '4 remaining' in Progress.md
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* docs: Update PR_PLAN with agent fleet assignments
- Added active fleet section with agent IDs
- Updated PR chain to reflect #246 merged, #249 closed
- Agents spawned for PRs #245, #247, #248
- Control manager coordinating via cursor-fleet
* feat: Add python-terraform-bridge package (#248)
New OSS package for Terraform ↔ Python bridging with decorator-based
method registration.
## Components
- `TerraformModuleParameter`: Type-inferred Terraform variable definitions
- `TerraformModuleResources`: Module generation from Python methods
- `TerraformRegistry`: Decorator-based method registration
- `runtime.py`: External data provider runtime execution
- `cli.py`: CLI tool (terraform-bridge generate/list/run)
## Key Features
- `@registry.data_source()` decorator for external data sources
- `@registry.null_resource()` decorator for null resources
- Automatic parameter inference from type hints
- Docstring-based configuration (legacy support)
- Module generation to Terraform JSON
## Tests
- 50 tests passing
- Covers parameter, module_resources, registry
## Usage
```python
from python_terraform_bridge import TerraformRegistry
registry = TerraformRegistry()
@registry.data_source(key="users", module_class="github")
def list_users(org: str | None = None) -> dict:
return {...}
registry.generate_modules("./terraform-modules")
```
Part of terraform-modules migration.
Depends on: PR #246 (docs), PR #247 (directed-inputs-class)
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* chore(edt-release): release extended-data-types v202511.6.0 [skip ci]
Automatically generated by python-semantic-release
* 🤖 Fleet Coordination Channel (HOLD OPEN) (#251)
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* feat(fleet): Add bidirectional coordination channel
- Add FLEET_COORDINATION.md for coordination protocol docs
- Add coordinator.ts for bidirectional event loop
- OUTBOUND: Fan-out status checks to sub-agents
- INBOUND: Poll coordination PR for @cursor mentions
- Add fleet-coordinator to process-compose.yml
- Creates GitHub as message bus for agent coordination
Implements the pattern where:
1. Control manager periodically checks sub-agents (outbound)
2. Sub-agents report status via PR comments (inbound)
3. @cursor mentions trigger automated dispatch
* feat(fleet): Add bidirectional coordination to Fleet class
- Add coordinate() method for bidirectional event loop
- OUTBOUND: Fan-out status checks to sub-agents
- INBOUND: Poll coordination PR for @cursor mentions
- Add fetchPRComments() and postPRComment() for GitHub integration
- Add 'coordinate' CLI command
- Add fleet-coordinator to process-compose.yml
- Add FLEET_COORDINATION.md docs
Uses GitHub as message bus:
1. Control manager periodically checks sub-agents (outbound)
2. Sub-agents report status via PR comments (inbound)
3. @cursor mentions trigger automated dispatch
* Refactor fleet to handle COMPLETED status and improve GitHub API calls
Co-authored-by: jon <jon@jonbogaty.com>
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* feat(ruler): Restore .ruler/ structure + add fleet coordination
Restores .ruler/ directory that was migrated to wiki in PR #193.
Core agent rules MUST be in-repo for bootstrap (chicken-egg problem).
Added:
- .ruler/fleet-coordination.md - cursor-fleet usage and coordination protocol
Restored from 6d0c81d:
- AGENTS.md, README.md, copilot.md, cursor.md, ecosystem.md
- agent-self-sufficiency.md, environment-setup.md, ruler.toml
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* refactor: Remove wiki, use GitHub Issues for session tracking
- Delete wiki/ directory (redundant sync to GitHub wiki)
- Delete publish-wiki.yml workflow
- Remove wiki references from .cursor/rules/
- Update .ruler/AGENTS.md to use GitHub Issues for session context
- cursor-fleet for agent coordination instead of wiki pages
GitHub Issues + Projects replace wiki for:
- Session context tracking
- Progress updates
- Blockers
- Agent coordination
* chore: Regenerate agent configs with ruler apply
- Updated AGENTS.md, CLAUDE.md with new session tracking approach
- Regenerated all agent-specific instruction files
- Updated .gitignore with ruler-managed paths
- Updated MCP configs
All agent rules now sourced from .ruler/ directory.
Session tracking now via GitHub Issues (not wiki).
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* chore(logging-release): release lifecyclelogging v202511.6.0 [skip ci]
Automatically generated by python-semantic-release
* feat(connectors): Complete terraform-modules migration gaps - 100% feature parity (#245)
* feat(connectors): complete terraform-modules migration gaps
## Summary
Implements all missing functions identified in issue #220 to achieve 100%
feature parity with terraform-modules.
## AWS Additions (~67% → 100%)
- `label_account`: Apply labels/tags to AWS accounts
- `classify_accounts`: Classify accounts by OU/tags (prod, staging, dev, etc)
- `preprocess_organization`: Preprocess org data for terraform consumption
- `get_bucket_sizes`: Get S3 bucket sizes via CloudWatch metrics
## Google Additions (~72% → 100%)
- `get_project_iam_users`: Get IAM users with roles for a project
- `get_pubsub_resources_for_project`: Aggregate Pub/Sub topics and subscriptions
- `find_inactive_projects`: Find projects without resources or non-ACTIVE state
- `list_available_licenses`: List Google Workspace license assignments
- `get_license_summary`: Summarize license usage by product/SKU
- `get_bigquery_billing_dataset`: Get billing export dataset configuration
- `setup_billing_export`: Set up BigQuery billing export
## GitHub Additions (~75% → 100%)
- `get_users_with_verified_emails`: Get verified domain emails via GraphQL
- `build_workflow`: Build GitHub Actions workflow structure
- `build_workflow_job`: Build workflow job configuration
- `build_workflow_step`: Build workflow step configuration
- `create_python_ci_workflow`: Create standard Python CI workflow
Closes migration gaps from bc-e4aa4260 verification agent findings.
* test(connectors): cover aws org + google billing mixins
Add regression tests for org classification/labeling and billing pagination to satisfy the package coverage gate.
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* chore(dic-release): release directed-inputs-class v202511.6.0 [skip ci]
Automatically generated by python-semantic-release
* feat(dic): Add decorator-based input handling API (#247)
* feat(dic): Add decorator-based input handling API
Add @directed_inputs class decorator and @input_config method decorator
as modern alternatives to DirectedInputsClass inheritance.
## New Features
- `@directed_inputs` class decorator for automatic input loading
- `@input_config` method decorator for per-parameter configuration
- Automatic type coercion (bool, int, float, Path, datetime, dict, list)
- Case-insensitive key lookup
- Full backward compatibility with legacy DirectedInputsClass API
## Components
- `decorators.py`: New decorator implementations
- `InputContext`: Runtime input storage and lookup
- `InputConfig`: Per-parameter configuration dataclass
## Tests
- 23 new tests for decorator API
- 39 total tests passing (16 legacy + 23 new)
Part of terraform-modules migration architectural refactor.
Depends on: PR #246 (docs/wiki-orchestration-update)
* fix(dic): Address AI review feedback for decorator API
Fixes:
- Python 3.9 compatibility: types.UnionType check now uses hasattr
- Security: Stdin limited to 1MB to prevent DoS (CWE-400)
- Bug: Positional arguments now correctly override env values
- Import: Fixed docstring import path to directed_inputs_class
- Bug: Fixed decode_yaml self-reference in _decode_value
Added test for positional argument override behavior.
Addresses feedback from Amazon Q, Gemini, Copilot, and Cursor reviews.
* fix(dic): Add type coercion error handling and update README link
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* chore(dic-release): release directed-inputs-class v202511.7.0 [skip ci]
Automatically generated by python-semantic-release
* Fix critical issues in python-terraform-bridge (#253)
* feat: Add decorator support for DirectedInputsClass
Co-authored-by: jon <jon@jonbogaty.com>
* fix(lint): Fix all linting errors in directed-inputs-class and python-terraform-bridge
- Move Mapping/MutableMapping imports to TYPE_CHECKING block
- Extract error message strings to module-level constants
- Remove dead code after return statement in _format_public_error
- Fix sorted(list()) to just sorted()
- Add noqa comment for intentional private attribute access in decorator
* fix(bridge): Complete truncated _print_help method
The _print_help method was truncated and missing the actual help output.
Added data source and null resource listing back.
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* chore(connectors-release): release vendor-connectors v202511.10.0 [skip ci]
Automatically generated by python-semantic-release
* fix(ci): Add python-terraform-bridge to CI release matrix (#255)
* Bump directed-inputs-class to 202511.7.0
Co-authored-by: jon <jon@jonbogaty.com>
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* fix(ci): add python-terraform-bridge to CI release matrix
Also fixes .ruler/AGENTS.md documentation to accurately describe the
actual release workflow (PSR + CalVer), not the non-existent CalVer +
GitHub run number workflow that was confusing agents.
Changes:
- Add python-terraform-bridge to build, test, release, and docs matrices
- Rewrite .ruler/AGENTS.md to document actual PSR-based workflow
- Document conventional commit scopes for all packages
* fix(ci): add python-terraform-bridge to tox.ini
* fix(ci): exclude python-terraform-bridge from Python 3.9 tests
PTB requires Python 3.10+ per its pyproject.toml requires-python setting.
* fix(bridge): restore Python 3.9 compatibility
- Remove misguided CI exclusion for Python 3.9 tests
- Fix requires-python back to >=3.9
- Code already uses 'from __future__ import annotations' so union syntax works
* fix(ci): use correct test extra name for python-terraform-bridge
PTB uses [test] not [tests] as the optional dependency name.
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* chore(ptb-release): release python-terraform-bridge v1.0.0 [skip ci]
Automatically generated by python-semantic-release
* feat(fleet): Add direct CursorAPI client for bidirectional coordination (#261)
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* fix(fleet): Address AI review security and validation feedback
Addresses critical issues from Amazon Q and Gemini code review:
Security Fixes:
- Add sanitizeError() to prevent API key/token leakage in errors
- Redact Bearer tokens and API keys from error messages
Input Validation:
- Add validateAgentId() with pattern matching (alphanumeric + hyphens)
- Add validatePromptText() with length limits
- Add validateRepository() with format validation
- All user inputs now validated before API calls
Reliability Fixes:
- Move clearTimeout to finally block for proper cleanup
- Handle empty responses (204 No Content)
- Handle non-JSON responses gracefully
- Catch JSON parsing errors with proper error message
Configuration:
- Make base URL configurable via options or CURSOR_API_BASE_URL env
- Add CursorAPIOptions interface for cleaner configuration
- Add static create() for backwards compatibility
- URL-encode agent IDs in all endpoints
Refs: #256
* feat(fleet): Add conversation splitter for large conversation analysis
Implements conversation splitting for easier analysis of agent sessions:
- splitConversation() - splits into batches and individual files
- quickSplit() - minimal options for rapid splitting
- Creates both JSON and readable text versions
- Organizes into /messages, /batches, and summary files
- Preserves original conversation JSON
- Handles Message type with text/type fields
Exports SplitOptions and SplitResult interfaces.
Refs: #256
* feat(fleet): Integrate CursorAPI and add split command
Major updates to cursor-fleet package:
CursorAPI Integration:
- All operations now prefer direct API when CURSOR_API_KEY is set
- Falls back to MCP client when API key not available
- Better performance and reliability for large conversations
New Features:
- split command: Split conversation into readable batches and files
- Creates /messages, /batches directories with JSON and TXT versions
- Integrates conversation-splitter module
API Methods Updated:
- list() - uses CursorAPI when available
- status() - uses CursorAPI when available
- spawn() - uses CursorAPI when available
- followup() - uses CursorAPI when available
- conversation() - uses CursorAPI when available (important for large convos)
- repositories() - uses CursorAPI when available
- split() - new method wrapping conversation-splitter
Refs: #256
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* feat(fleet): Add AI-powered analysis with Vercel AI SDK + Claude
Major addition: AIAnalyzer module using @ai-sdk/anthropic for:
- Conversation analysis (completed/outstanding tasks, blockers)
- Code review with structured output
- Quick triage of text input
- Auto-generation of GitHub issues from analysis
New CLI Commands:
- cursor-fleet analyze <agent-id> --create-issues --dry-run
- cursor-fleet triage <text>
- cursor-fleet review --base main --head HEAD
Uses Claude claude-sonnet-4-20250514 by default for balance of speed/quality.
Zod schemas for structured output ensure type safety.
Also fixes:
- Add DEBUG logging for CursorAPI fallback (addresses AI review feedback)
This enables intelligent self-assessment before pushing:
- Analyze agent conversations automatically
- Create GitHub issues from outstanding work
- Review code changes with AI before push
Refs: #256
* docs(fleet): Add AI analysis documentation to README
* feat(fleet): Add Copilot integration for auto-PR creation from issues
Enhances AI analyzer to create Copilot-ready issues:
- Issues automatically get `copilot` label for auto-pickup
- Priority labels (`priority:critical`, `priority:high`) added
- Issue body includes clear acceptance criteria
- Context section guides AI agents to .ruler documentation
CLI updates:
- `--no-copilot` flag to skip copilot label if not wanted
Documentation:
- Comprehensive rewrite of .ruler/copilot.md
- Includes workflow for auto-generated issues
- Code patterns, testing requirements, security rules
- PR creation guidelines and commit message format
Labels created:
- `copilot` - Issues for Copilot auto-PR
- `priority:critical` - Critical priority
- `priority:high` - High priority
This creates a pipeline:
1. `cursor-fleet analyze` identifies outstanding tasks
2. Creates GitHub issues with `copilot` label
3. GitHub Copilot auto-creates PRs
4. CI validates, humans review and merge
Refs: #256
* feat(fleet): Add station-to-station handoff protocol
Enables seamless agent continuity across sessions:
Handoff Flow:
1. Predecessor completes SOW, identifies outstanding tasks
2. Predecessor initiates handoff, spawning successor
3. Successor confirms health back to predecessor
4. Successor retrieves predecessor's full conversation
5. Successor merges predecessor's PR (closes them out)
6. Successor creates own PR and continues work
New Components:
- HandoffManager class for managing handoff lifecycle
- HandoffContext for preserving state between agents
- Health check protocol (successor confirms to predecessor)
CLI Commands:
- cursor-fleet handoff initiate <id> --pr --branch --tasks
- cursor-fleet handoff confirm <predecessor-id>
- cursor-fleet handoff takeover <predecessor-id> <pr> <new-branch>
- cursor-fleet handoff status <id>
What Gets Preserved:
- Full conversation history (split into readable files)
- AI-analyzed completed work summary
- Outstanding tasks for successor
- Key decisions made
- PR and branch information
This solves the "agent discontinuity" problem where each agent
starts fresh. Instead, we have a chain of custody with proper
handoff and context preservation.
Refs: #256
* fix(fleet): Correct API endpoints and add self-identification
Fixes:
- Changed /background-agents to /agents (correct Cursor API endpoint)
- Fixed type definitions for AgentTarget (added prUrl, autoCreatePr, etc.)
- Handle both array and {agents: []} response formats
New Features:
- cursor-fleet self - Identify current running agent
- Matches by branch name or repository
Now agents can find themselves using their own tooling.
Refs: #256
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* docs: align instructions with SemVer (#263)
Completing docs/SemVer alignment from agent bc-57463b64 - Issue #257
* feat(connectors): migrate remaining terraform helpers (#264)
Completing terraform migrations from agent bc-57463b64 - Issue #258
* fix(fleet): correct API response parsing for list endpoints (#265)
Bug fix for cursor-fleet API response parsing - enables fleet list/repos commands to work correctly
* chore(connectors-release): release vendor-connectors v202511.11.0 [skip ci]
Automatically generated by python-semantic-release
* docs(agents): add MANDATORY AI QA review protocol before merge (#266)
* docs(agents): add MANDATORY AI QA review protocol before merge
BREAKING CHANGE: Agents must now engage AI reviewers before any merge.
Changes:
- Updated .cursor/rules/15-ai-qa-engagement.mdc with comprehensive mandatory protocol
- Added AI QA review section to .ruler/AGENTS.md
- Added review commands: /gemini review, /q review, @copilot review, @cursor review
- Added merge checklist requiring AI review completion
- Added feedback addressing requirements (fix or justify, never ignore)
This ensures quality by requiring peer review from AI agents on all PRs.
* fix(agents): address Amazon Q feedback on QA protocol
Fixes based on AI review feedback:
1. Clarified scope - explicit 'Required' vs 'Optional' sections
2. Fixed example to use conventional commit with scope
3. Added specific enforcement criteria
4. Added AI-to-AI conflict resolution process
5. Made checklists consistent between both files
6. Added audit trail and revert policy to enforcement
* fix(agents): address ALL inline feedback from Amazon Q and Gemini
Addressed feedback items:
From Amazon Q:
- Clarified 'ALWAYS Request Review For' to be specific items not 'any code changes'
- Added escalation path for cross-agent conflicts
- Updated example to use project-specific scope (dic)
- Specified all listed commands are valid QA agents
- Added detection mechanism for enforcement
- Clarified checklist item to require review 'completed'
- Added team lead escalation for revert policy
From Gemini:
- Changed 'MUST fix' to 'MUST be resolved' (allows false positive handling)
- Clarified 'Out of scope' not valid for critical/high items
- Added Thread Resolution section defining when thread is resolved
- Made checklists identical between both files
- Added severity-based feedback section to AGENTS.md
- Changed 'fixed' to 'resolved' in all checklists
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* fix(agents): address Copilot/Gemini feedback + add auto AI review settings
Addressed feedback:
- Copilot: Added GITHUB_JBCOM_TOKEN to example workflow
- Copilot: Added --delete-branch flag to merge command
- Copilot: Added scope explanations in comments
- Gemini: Clarified 'dic' scope with full list of scopes
- Gemini: Made optional scope description consistent between files
New section:
- Added 'Repository Settings for Automatic AI Review' with instructions
for enabling Copilot code review, rulesets, and CODEOWNERS config
* fix(agents): clarify which AI reviewers are comment-triggered vs automatic
- /gemini review, /q review, @coderabbitai review -> Comment-triggered
- Copilot -> Automatic via repo settings OR manual assignment
- Cursor Bugbot -> Automatic on all PRs
This explains why '@copilot review' comment didn't work - Copilot needs
to be enabled in repo settings or manually added as reviewer.
* fix(agents): address final Gemini feedback
- Added specific false positive reporting process (create issue with ai-review-feedback label)
- Added 'automated' to Dependabot exception for consistency
- Formatted AI conflict resolution as bulleted list for readability
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* fix(agents): address 5 Gemini feedback items
1. Added @copilot review and @cursor review to comment-triggered list
2. Fixed focused review syntax examples (Copilot uses natural language)
3. Fixed Copilot settings path: 'Code security and analysis'
4. Changed 'Optional' to 'Not Required' for clarity
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* feat(ai-triage): add AI-powered PR triage package
New package providing automated PR triage capabilities:
- GitHubClient: Fetch PR data, CI status, feedback
- Analyzer: AI-powered analysis using Claude via Vercel AI SDK
- Resolver: Auto-resolve feedback and blockers
- Triage: Orchestrate full triage workflows
CLI commands:
- ai-triage analyze <pr> - Full triage report
- ai-triage status <pr> - Quick status check
- ai-triage plan <pr> - Resolution plan without execution
- ai-triage resolve <pr> - Auto-resolve issues
- ai-triage run <pr> - Full workflow until ready
Built to address the manual triage burden demonstrated in PR #266.
* fix(agents): add 'severity' to medium items checklist
Address Gemini feedback for consistency with main protocol document.
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* feat(ai-triage): complete AI-powered PR triage package with MCP integration (#270)
* docs(agents): add MANDATORY AI QA review protocol before merge
BREAKING CHANGE: Agents must now engage AI reviewers before any merge.
Changes:
- Updated .cursor/rules/15-ai-qa-engagement.mdc with comprehensive mandatory protocol
- Added AI QA review section to .ruler/AGENTS.md
- Added review commands: /gemini review, /q review, @copilot review, @cursor review
- Added merge checklist requiring AI review completion
- Added feedback addressing requirements (fix or justify, never ignore)
This ensures quality by requiring peer review from AI agents on all PRs.
* fix(agents): address Amazon Q feedback on QA protocol
Fixes based on AI review feedback:
1. Clarified scope - explicit 'Required' vs 'Optional' sections
2. Fixed example to use conventional commit with scope
3. Added specific enforcement criteria
4. Added AI-to-AI conflict resolution process
5. Made checklists consistent between both files
6. Added audit trail and revert policy to enforcement
* fix(agents): address ALL inline feedback from Amazon Q and Gemini
Addressed feedback items:
From Amazon Q:
- Clarified 'ALWAYS Request Review For' to be specific items not 'any code changes'
- Added escalation path for cross-agent conflicts
- Updated example to use project-specific scope (dic)
- Specified all listed commands are valid QA agents
- Added detection mechanism for enforcement
- Clarified checklist item to require review 'completed'
- Added team lead escalation for revert policy
From Gemini:
- Changed 'MUST fix' to 'MUST be resolved' (allows false positive handling)
- Clarified 'Out of scope' not valid for critical/high items
- Added Thread Resolution section defining when thread is resolved
- Made checklists identical between both files
- Added severity-based feedback section to AGENTS.md
- Changed 'fixed' to 'resolved' in all checklists
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* fix(agents): address Copilot/Gemini feedback + add auto AI review settings
Addressed feedback:
- Copilot: Added GITHUB_JBCOM_TOKEN to example workflow
- Copilot: Added --delete-branch flag to merge command
- Copilot: Added scope explanations in comments
- Gemini: Clarified 'dic' scope with full list of scopes
- Gemini: Made optional scope description consistent between files
New section:
- Added 'Repository Settings for Automatic AI Review' with instructions
for enabling Copilot code review, rulesets, and CODEOWNERS config
* fix(agents): clarify which AI reviewers are comment-triggered vs automatic
- /gemini review, /q review, @coderabbitai review -> Comment-triggered
- Copilot -> Automatic via repo settings OR manual assignment
- Cursor Bugbot -> Automatic on all PRs
This explains why '@copilot review' comment didn't work - Copilot needs
to be enabled in repo settings or manually added as reviewer.
* fix(agents): address final Gemini feedback
- Added specific false positive reporting process (create issue with ai-review-feedback label)
- Added 'automated' to Dependabot exception for consistency
- Formatted AI conflict resolution as bulleted list for readability
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* fix(agents): address 5 Gemini feedback items
1. Added @copilot review and @cursor review to comment-triggered list
2. Fixed focused review syntax examples (Copilot uses natural language)
3. Fixed Copilot settings path: 'Code security and analysis'
4. Changed 'Optional' to 'Not Required' for clarity
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* feat: Upgrade AI SDK and add EnhancedAgent
This commit upgrades the AI SDK to v5/v6, introducing the new EnhancedAgent class. This agent provides advanced capabilities like reasoning, web search, and tool approval, along with improved MCP integration. The CLI and package exports have been updated to reflect these changes.
Co-authored-by: jon <jon@jonbogaty.com>
* fix(ai-triage): address critical security feedback from AI reviewers
Security improvements:
- Add path traversal protection (validatePath utility)
- Add filename sanitization for shell commands
- Fix git diff command injection vulnerability
- Fix delete_file path traversal vulnerability
- Fix process.env type assertion in MCP clients
Addresses Amazon Q and Gemini critical/high severity feedback.
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* feat(fleet): station-to-station handoff context bc-3248f18e → bc-c34f7797 (#272)
* feat(fleet): add station-to-station handoff context
Handoff from bc-3248f18e to bc-c34f7797:
- Predecessor context saved for successor
- Active coordination with terraform agent bc-d25d79d9
- All completed work documented
* fix(fleet): align handoff context.json with HandoffContext interface
- Rename keyDecisions → decisions (matches interface)
- Add predecessorPr: 272 (required by CLI)
- Add predecessorBranch (required by CLI)
Fixes JSON schema mismatch that would cause TypeError when
running `cursor-fleet handoff status bc-3248f18e...`.
Re: Gemini's structured outstandingTasks suggestion - deferred
to a separate PR as it requires interface changes in handoff.ts.
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* docs: fix test instructions + repository health audit (#275)
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* docs: fix test instructions to use tox instead of uv run pytest
The agent documentation incorrectly stated tests should be run with
`uv run pytest`. The actual testing infrastructure uses tox with
tox-uv for CI-consistent isolated testing.
Updated:
- .ruler/AGENTS.md - Local development section
- .ruler/environment-setup.md - Running tests and quick reference sections
Regenerated all agent configs via `ruler apply`:
- AGENTS.md, CLAUDE.md, .github/copilot-instructions.md
- .codex/rules, .roo/rules
* docs: use $HOME instead of /root for portable path
Address Gemini review feedback - hardcoded /root/.local/bin assumes
root user, $HOME/.local/bin works for any user.
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* feat(fleet): Document agent-to-agent communication pattern and add COPILOT_MCP_* env support (#276)
* Initial plan
* Initial investigation: Assess Cursor API followup limitation
Co-authored-by: jbcom <2650679+jbcom@users.noreply.github.com>
* Add COPILOT_MCP_ environment variable support for testing
Co-authored-by: jbcom <2650679+jbcom@users.noreply.github.com>
* Prioritize COPILOT_MCP_* environment variables across all packages
Co-authored-by: jbcom <2650679+jbcom@users.noreply.github.com>
* Add Context7 API key and finalize COPILOT_MCP_* support
Co-authored-by: jbcom <2650679+jbcom@users.noreply.github.com>
* Fix code review feedback: correct paths and remove unimplemented auto-gen docs
Co-authored-by: jbcom <2650679+jbcom@users.noreply.github.com>
* Update packages/cursor-fleet/docs/FOLLOWUP_INVESTIGATION.md
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Final cleanup: fix date, require TEST_REPO for safety
Co-authored-by: jbcom <2650679+jbcom@users.noreply.github.com>
* Reframe as working-as-designed: PR comments are the correct pattern for agent coordination
Co-authored-by: jbcom <2650679+jbcom@users.noreply.github.com>
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* Refactor status command to use envVars array
Co-authored-by: jon <jon@jonbogaty.com>
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* Refactor MCP client configuration and environment variable handling
Co-authored-by: jon <jon@jonbogaty.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: jbcom <2650679+jbcom@users.noreply.github.com>
Co-authored-by: Jon Bogaty <jon@jonbogaty.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* fix(ci): Replace manual version parsing and git operations with PSR and official GitHub Actions (#279)
* Initial plan
* fix(ci): Replace hacky version parsing with PSR, add GitHub release action
Co-authored-by: jbcom <2650679+jbcom@users.noreply.github.com>
* fix(ci): Replace grep/sed version parsing in docs step with Python tomllib
Co-authored-by: jbcom <2650679+jbcom@users.noreply.github.com>
* feat(ci): Replace all hacky scripts with proper GitHub Actions for sync and docs
Co-authored-by: jbcom <2650679+jbcom@users.noreply.github.com>
* fix(ci): Address code review feedback - add skip-existing and fix terminology
Co-authored-by: jbcom <2650679+jbcom@users.noreply.github.com>
* docs: Add before/after comparison document
Co-authored-by: jbcom <2650679+jbcom@users.noreply.github.com>
* Update CI to ignore new cache dirs and use latest actions
Co-authored-by: jon <jon@jonbogaty.com>
* Update .github/sync/extended-data-types.yml
Co-authored-by: amazon-q-developer[bot] <208079219+amazon-q-developer[bot]@users.noreply.github.com>
* Update .github/workflows/ci.yml
Co-authored-by: amazon-q-developer[bot] <208079219+amazon-q-developer[bot]@users.noreply.github.com>
* fix(ci): Use PSR for version detection in docs job, remove manual parsing
- Replace hacky Python tomllib parsing with `semantic-release version --print-last-released`
- Add fetch-depth: 0 for git history access
- Fix corrupted extended-data-types.yml sync config
- Remove 2>/dev/null suppressions
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: jbcom <2650679+jbcom@users.noreply.github.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: jon <jon@jonbogaty.com>
Co-authored-by: amazon-q-developer[bot] <208079219+amazon-q-developer[bot]@users.noreply.github.com>
* fix(ci): correct repo-file-sync-action version to v1.21.1 (#280)
The version v1.22.0 does not exist. Latest available is v1.21.1.
This was causing all release jobs to fail during "Set up job" phase.
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* fix(ci): remove invalid --skip-existing flag from semantic-release (#281)
The --skip-existing flag doesn't exist in python-semantic-release.
The "Check if release needed" step already handles this logic.
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* Revert "fix(ci): correct repo-file-sync-action version to v1.21.1" (#282)
* Revert "fix(ci): correct repo-file-sync-action version to v1.21.1 (#280)"
This reverts commit 8548ef167113f5ace90618fb1b5a182fb61f4648.
* Update GitHub Actions checkout and other action versions
Co-authored-by: jon <jon@jonbogaty.com>
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* fix(ci): pin all GitHub Actions to commit SHAs with latest versions
Updated ALL workflow files with SHA-pinned actions fetched from GitHub releases API:
ci.yml:
- actions/checkout: v6.0.0 (1af3b93b6815bc44a9784bd300feb67ff0d1eeb3)
- hynek/build-and-inspect-python-package: v2.14.0 (efb823f52190ad02594531168b7a2d5790e66516)
- actions/setup-python: v6.1.0 (83679a892e2d95755f2dac6acb0bfd1e9ac5d548)
- hynek/setup-cached-uv: v2.3.0 (757bedc3f972eb7227a1aa657651f15a8527c817)
- actions/cache: v4.3.0 (0057852bfaa89a56745cba8c7296529d2fc39830)
- re-actors/alls-green: v1.2.2 (05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe)
- actions/download-artifact: v6.0.0 (018cc2cf5baa6db3ef3c5f8a56943fffe632ef53)
- pypa/gh-action-pypi-publish: v1.13.0 (ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e)
- softprops/action-gh-release: v2.4.2 (5be0e66d93ac7ed76da52eca8bb058f665c3a5fe)
- BetaHuhn/repo-file-sync-action: v1.21.1 (8b92be3375cf1d1b0cd579af488a9255572e4619)
- peaceiris/actions-gh-pages: v4.0.0 (4f9cc6602d3f66b9c108549d475ec49e8ef4d45e)
Other workflows:
- dependabot/fetch-metadata: v2.4.0 (08eff52bf64351f401fb50d4972fa95b9f2c2d1b)
- actions/github-script: v8 (ed597411d8f924073f98dfc5c65a23a2325f34cd)
- anthropics/claude-code-action: v1 (a7e4c51380c42dd89b127f5e5f9be7b54020bc6b)
All SHAs verified by fetching latest releases from GitHub API and resolving
annotated tags to their underlying commit SHAs.
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* Check pypi token config for trusted publishing (#283)
* Fix: Remove unnecessary PyPI token permissions
Co-authored-by: jon <jon@jonbogaty.com>
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* Fix: Update mypy dependencies to use specific type stubs
Co-authored-by: jon <jon@jonbogaty.com>
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* Update .ruler/environment-setup.md
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* Refactor: Clarify tool usage rules for agents
Co-authored-by: jon <jon@jonbogaty.com>
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* feat: Unified agentic-control package with intelligent multi-org token switching (#285)
* feat: add unified agentic-control package with intelligent token switching
Introduces agentic-control - a new public npm package that unifies all agent
tooling under one product-grade package with:
Core Features:
- Intelligent token switching (GITHUB_FSC_TOKEN for FlipsideCrypto,
GITHUB_JBCOM_TOKEN for jbcom, consistent PR review identity)
- Fleet management (spawn, monitor, coordinate Cursor Background Agents)
- AI-powered triage (conversation analysis, code review)
- Station-to-station handoff protocol
- Token-aware GitHub operations
Package Structure:
- packages/agentic-control/src/core/ - Types, tokens, config
- packages/agentic-control/src/fleet/ - Cursor agent management
- packages/agentic-control/src/triage/ - AI analysis
- packages/agentic-control/src/github/ - Multi-org GitHub client
- packages/agentic-control/src/handoff/ - Agent handoff protocols
- packages/agentic-control/src/cli.ts - Unified CLI
Also updates Dockerfile to include:
- @intellectronica/ruler (globally installed)
- @anthropic-ai/claude-code (globally installed)
- Verification step for all tools
Tests: 19 passing tests for token management
* fix(agentic-control): address all security issues and make fully configurable
Security fixes:
- Fix command injection vulnerabilities using spawnSync instead of execSync
- Fix ReDoS vulnerability in extractOrg regex
- Fix SSRF vulnerability by removing env var override for baseUrl
- Fix token leakage in git clone by using stdio: pipe
- Add input validation for git refs, branch names, PR numbers
Configuration improvements:
- Remove ALL hardcoded organization names and tokens
- Make package fully configurable via agentic.config.json
- Add environment variable patterns for dynamic org configuration
- Require explicit repo configuration for issue creation
Other improvements:
- Add LICENSE file (MIT)
- Set version to 0.0.0 for semantic-release
- Use crypto.randomUUID() for unique IDs
- Add proper try-catch to all CLI handlers
- Add parseInt validation for CLI options
- Update Dockerfile with version pinning and consistent pnpm usage
- Update tests to work with configurable token system (27 tests passing)
- Update README with generic examples instead of hardcoded orgs
This makes agentic-control a proper OSS package ready for public release.
* Refactor: Update dependencies and fix build issues
Co-authored-by: jon <jon@jonbogaty.com>
* feat(agentic-control): add workspace configuration for dog-fooding
Add the actual configuration that we use internally:
- agentic.config.json: Configure jbcom and FlipsideCrypto organizations
with their respective tokens and PR review settings
- .env.example: Document all required environment variables
- .ruler/cursor.md: Update agent rules to reference agentic-control CLI
This completes the transition from hardcoded values in the package
to user-provided configuration. We now dog-food our own package.
* Checkpoint before follow-up message
Co-authored-by: jon <jon@jonbogaty.com>
* fix: address Gemini review feedback
- Combine Docker RUN commands for global tools
- Fix existsSync import (use ES module import, remove require)
- Remove unused _owner/_repo params from outboundLoop
- Add APPROX_CHARS_PER_MESSAGE constant for clarity
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* chore(edt-release): release extended-data-types v202511.7.0 [skip ci]
Automatically generated by python-semantic-release
* fix: update default model to claude-4-opus for Cursor compatibility (#290)
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
* chore(edt-release): release extended-data-types v202511.7.1 [skip ci]
Automatically generated by python-semantic-rele…
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR properly integrates the unique contributions from PR #243 (agent bc-f5391b3e-5208-4c16-94f8-ee24601f04be) into the established modular architecture.
Background
What's Added
google/constants.py- Terraform-modules aligned configurations:DEFAULT_DOMAIN- Default workspace domainDEFAULT_SCOPES- Full OAuth scope list matching terraform-modulesGCP_SECURITY_PROJECT,GCP_KMS- Security configurationsGCP_REQUIRED_APIS,GCP_REQUIRED_ROLES- Setup requirementsDEFAULT_USER_OUS- User organizational unit defaultsgoogle/workspace.py- Idempotent create methods:create_or_update_user()- Create user or update if existscreate_or_update_group()- Create group or update if existsgoogle/__init__.py- User impersonation:get_connector_for_user()- Get a connector impersonating a specific userSupersedes
Test plan
from vendor_connectors.google import GoogleConnector, DEFAULT_DOMAIN, GCP_REQUIRED_APISFixes #231 (partial - completes terraform-parity additions)
Note
Introduces terraform-aligned Google constants, adds idempotent user/group create-or-update methods, and a user-impersonating connector; updates exports and workspace config.
vendor_connectors/google/constants.py): Add terraform-aligned defaults (DEFAULT_DOMAIN,DEFAULT_SCOPES,GCP_SECURITY_PROJECT,GCP_KMS,GCP_REQUIRED_APIS,GCP_REQUIRED_ORGANIZATION_ROLES,GCP_REQUIRED_ROLES,DEFAULT_USER_OUS).vendor_connectors/google/workspace.py): Addcreate_or_update_user()andcreate_or_update_group()for idempotent management.vendor_connectors/google/__init__.py): Addget_connector_for_user()to create a connector impersonating a given user.__init__.py.pyproject.tomlUV workspace members to explicit package list.Written by Cursor Bugbot for commit 3799737. This will update automatically on new commits. Configure here.