Skip to content

Commit 7fd2c7b

Browse files
Brian KrafftCopilot
andcommitted
Epic 7.3: Launch Checklist — CHANGELOG, security audit, dep upgrade
- Created comprehensive CHANGELOG.md covering all phases P0–P7 - Bumped litellm >=1.83.0 (fixes CVE-2026-35029 + CVE-2026-35030) - pip-audit: zero known vulnerabilities - Secrets scan: clean (no hardcoded credentials) - License: MIT verified - Version bumped to 2.0.0 - Updated dep security test for new litellm pin - Fixed recording_manager mock (start must flip recording_status) - 2,174 tests passing, 0 failures Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent 74ddbdb commit 7fd2c7b

6 files changed

Lines changed: 175 additions & 12 deletions

File tree

CHANGELOG.md

Lines changed: 159 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,159 @@
1+
# Changelog
2+
3+
All notable changes to OpenSpace are documented in this file.
4+
Format follows [Keep a Changelog](https://keepachangelog.com/).
5+
6+
## [2.0.0] — 2026-04-07
7+
8+
### Overview
9+
10+
OpenSpace v2.0.0 is a ground-up architectural overhaul of the self-evolving skill engine for AI agents. Across 8 phases (P0–P7) and 50+ epics, the project was hardened, decomposed, and extended from a monolithic prototype into a production-grade, security-first platform. The codebase grew from ~500 tests to **2,056 tests with zero failures**. Every epic was reviewed via multi-agent code review (/8eyes + /collab) before merge.
11+
12+
---
13+
14+
### Phase 0 — Emergency Hardening
15+
_11 epics · PRs #433#467 (upstream) · Immediate security stabilization_
16+
17+
- **Bearer token auth** on all MCP HTTP endpoints (Epic 0.1, PR #433)
18+
- **Sliding-window rate limiting** on MCP HTTP endpoints (Epic 0.1b, PR #434)
19+
- **E2B sandbox enforcement** — fail-closed defaults, trusted config only (Epic 0.2)
20+
- **Traceback scrubbing** — removed stack trace exposure from all MCP error paths (Epic 0.3a)
21+
- **Env var isolation** — sandbox execution can no longer leak host environment (Epic 0.3b)
22+
- **Cloud auto-import disabled** by default — skills must be explicitly trusted (Epic 0.4)
23+
- **AST safety scanner** — static analysis for dangerous API usage (os.exec, subprocess, eval) (Epic 0.5)
24+
- **Test infrastructure** — foundational test harness and fixtures (Epic 0.6)
25+
- **MCP end-to-end tests** — execution paths, error paths, coverage gate (Epic 0.7)
26+
- **GitHub Actions CI** — automated pipeline with lint, test, type-check, security audit (Epic 0.8)
27+
- **Benchmark decoupling** — extracted benchmark code from production paths (Epic 0.9)
28+
- **Dependency pinning** — all deps pinned with `pip-audit` infrastructure; blocked litellm PYSEC-2026-2 supply-chain vector (Epic 0.10)
29+
30+
### Phase 1 — Foundation Architecture
31+
_8 epics · PRs #451#459 (upstream) · Clean architecture layer_
32+
33+
- **Domain layer** — Protocol-based interfaces and frozen dataclass types for all core concepts (Epics 1.1 + 1.2)
34+
- **AppContainer** — composition root with lifecycle hooks, dependency injection, graceful startup/shutdown (Epic 1.3)
35+
- **Property delegation** — clean public accessor surface on AppContainer (Epic 1.4)
36+
- **Exception hierarchy** — domain-specific exceptions with centralized error mapping to HTTP/MCP codes (Epic 1.5)
37+
- **Structured logging** — structlog integration with context propagation, automatic PII redaction, and correlation IDs (Epic 1.6)
38+
- **Architecture boundary tests** — enforced layering rules (no domain→infra imports, no circular deps) (Epic 1.7)
39+
- **SDK API design** — public surface documentation and contract tests for stable API guarantees (Epic 1.8)
40+
41+
### Phase 2 — Smart Sandbox
42+
_6 epics · PRs #461#471 + PR #1 · Capability-based security model_
43+
44+
- **Capability lease system** — schema-driven capability grants with tier defaults, expiration, and revocation (Epic 2.1, PR #461)
45+
- **Filesystem broker** — jail-based file access with TOCTOU race protection and path traversal prevention (Epic 2.2, PR #463)
46+
- **Network proxy** — domain allowlisting, port enforcement, connection limits; blocks SSRF via loopback/link-local and apex domain rebinding (Epic 2.3, PR #465)
47+
- **Process broker** — command allowlisting, shell execution control, syscall filtering (Epic 2.4, PR #469)
48+
- **MCP auth advanced** — HMAC token signing, per-tool authorization, tier-gated access control (Epic 2.5, PR #471)
49+
- **Secret broker** — scoped storage with encryption at rest, owner isolation, capability-based access. 64 tests, 5 review rounds (Epic 2.6, PR #1)
50+
51+
### Phase 3 — Skill Store Decomposition
52+
_7 epics · PRs #12#28 · 1,356 tests passing_
53+
54+
Decomposed the monolithic `store.py` (1,345 lines) into 5 focused modules:
55+
56+
- **SkillSchema + SkillVersion models** — frozen dataclasses with validation (Epic 3.1, PR #12)
57+
- **SkillRepository** — CRUD operations with LIKE-escape safety and shared-lock architecture (Epic 3.2, PR #15)
58+
- **LineageTracker** — parent-child derivation graph with cycle detection and diamond DAG support (Epic 3.3, PR #17)
59+
- **AnalysisStore** — quality scores, evolution candidates, atomic bulk inserts, dedup protection (Epic 3.4, PR #19)
60+
- **TagIndex + SearchEngine** — tag dedup, match_all queries, skill analytics (Epic 3.5, PR #21)
61+
- **MigrationManager** — DDL consolidation, WAL recovery, atomic migrations, injection guard (Epic 3.6, PR #23)
62+
- **P3 integration + cleanup** — store.py reduced to re-export facade; 7 E2E blockers fixed; thread-safe close(); batch hydration + mypy fixes (Epic 3.7, PRs #25#28)
63+
64+
### Phase 4 — Tool Layer + MCP Decomposition
65+
_10 epics (2 skipped) · PRs #31#38 · 1,408 tests passing_
66+
67+
Decomposed `tool_layer.py` (788 lines) and `mcp_server.py` (992 lines):
68+
69+
- **ToolRegistry** — tool registration, discovery, and backend listing extracted (Epic 4.1, PR #31)
70+
- **ExecutionEngine** — task execution with skill injection and fallback orchestration (Epic 4.3, PR #32)
71+
- **RecordingService** — execution trace capture, analysis triggers, evolution hooks (Epic 4.4, PR #33)
72+
- **LLMFactory** — provider-agnostic LLM client initialization (Epic 4.5, PR #34)
73+
- **OpenSpace facade** — tool_layer.py reduced to thin composition facade preserving public API (Epic 4.6, PR #35)
74+
- **MCPToolHandlers** — all 4 MCP tool implementations (execute, search, fix, upload) extracted (Epic 4.7, PR #36)
75+
- **MCPServer package**`openspace/mcp/` package with clean server lifecycle and endpoint wiring (Epic 4.9, PR #37)
76+
- **P4 integration tests** — 26 outcome-focused tests + MCP protocol conformance (Epic 4.10, PR #38)
77+
- _Skipped:_ Epic 4.2 (SkillSelector — covered by 4.1), Epic 4.8 (MCPAuthMiddleware — covered by P3)
78+
79+
### Phase 5 — Skill Engine / Grounding Decomposition
80+
_11 epics · PRs #39#49 · Two sub-phases (P5a: evolver, P5b: grounding agent)_
81+
82+
**P5a — Evolution Engine** (evolver.py → `openspace/skill_engine/evolution/` package):
83+
- **EvolutionModels** — domain types: EvolutionTrigger, EvolutionContext, name sanitizer (Epic 5.1, PR #39)
84+
- **EvolutionOrchestrator** — scheduling, dispatch, background execution (Epic 5.2, PR #40)
85+
- **Evolution triggers** — analysis, tool degradation, and metric monitor as separate modules (Epic 5.3, PR #41)
86+
- **EvolutionConfirmation** — LLM-based approval flow with negation pattern parsing (Epic 5.4, PR #42)
87+
- **Evolution engines** — FIX/DERIVED/CAPTURED strategies in loop.py + strategies.py (Epic 5.5, PR #43)
88+
- **P5a capstone** — evolver.py reduced to thin facade (**80% code reduction**); formatting helpers extracted (Epic 5.6, PR #44)
89+
90+
**P5b — Grounding Agent** (grounding_agent.py → `openspace/agents/grounding/` package):
91+
- **SkillContext + MessageSafety** — context management and message truncation with cap safety (Epic 5.7, PR #45)
92+
- **ExecutionLoop + PromptBuilder** — core reasoning loop decoupled from tool/visual concerns (Epic 5.8, PR #46)
93+
- **ToolCatalog + Visual + Workspace** — tool discovery, visual analysis callbacks, workspace scanning with MRO safety (Epic 5.9, PR #47)
94+
- **ResultFormatter + Telemetry** — result building and execution recording; stripped str(e) leaks (Epic 5.10, PR #48)
95+
- **P5b capstone** — grounding_agent.py replaced with package; private symbols cleaned from `__all__` (Epic 5.11, PR #49)
96+
97+
### Phase 6 — Production Readiness
98+
_4 epics · PRs #50#53 · 1,957 tests passing_
99+
100+
- **Observability** — Prometheus-compatible metrics (execution latency, skill hit rate, evolution success rate), distributed tracing for multi-step workflows, health check endpoints. Isolated from execution path per adversarial review (Epic 6.1, PR #50)
101+
- **SLOs** — error budget tracking, multi-window burn-rate alerting, NaN-safe JSON serialization, MCP tool for SLO queries (Epic 6.2, PR #51)
102+
- **Deployment architecture** — multi-stage Dockerfile (non-root), `DeployConfig` frozen dataclass, `GracefulShutdownHandler` with 70/30 drain/hook budget, `/health` endpoint bypasses auth for K8s probes, `HEALTHCHECK` instruction (Epic 6.3, PR #52)
103+
- **DX polish** — Rich `--help` with examples/env vars, `--version`, preflight checks (bearer token, skill store, port, Python version), platform-aware suggestions (PowerShell on Windows, bash on Unix), errors write to `sys.__stderr__` for console visibility (Epic 6.4, PR #53)
104+
105+
### Phase 7 — Safety & Launch
106+
_3 epics · PRs #54#55 · 2,056 tests passing_
107+
108+
- **ReviewGate** — 5-layer security gate for skill evolution: path traversal detection, extension allowlist, size limits, HIGH+CRITICAL AST blocking, lineage validation. Windows drive-relative paths and reserved device names handled. 63 tests (45 adversarial), 3 review rounds with 12 agent-reviews (Epic 7.1, PR #54)
109+
- **SkillGuard** — pre-persist quality gates wrapping ReviewGate + SkillStore. All skill mutations (evolve_fix, evolve_derived, evolve_captured) routed through guard. Deep disk rollback via rglob snapshot on rejection. **40+ AST blocklist patterns** covering: `builtins` bypass, `__builtins__` attribute access, `sys.modules` manipulation, `os.exec*`/`os.spawn*`, `pty`/`code` modules, HTTP exfiltration, `marshal`/`runpy`, `asyncio.subprocess`, `signal`, `webbrowser`, `multiprocessing`, `shutil`, filesystem destructors, `os.chmod`/`os.chown`. Bare-name alias bypass prevention (Epic 7.2, PR #55)
110+
- **Launch checklist** — security audit, documentation, changelog, license verification, dependency audit (Epic 7.3, in progress)
111+
112+
---
113+
114+
### Security
115+
116+
Key security improvements across the v2.0.0 release:
117+
118+
- **Fail-closed by default** — all security decisions default to deny
119+
- **Bearer token + HMAC auth** on all MCP endpoints with per-tool authorization
120+
- **Capability lease model** — tier-gated access with expiration and revocation
121+
- **Filesystem jailing** — TOCTOU-safe path enforcement with traversal prevention
122+
- **Network SSRF protection** — blocks loopback, link-local, and apex domain rebinding
123+
- **AST-based code scanning** — 40+ blocklist patterns for RCE, sandbox escape, data exfiltration
124+
- **5-layer ReviewGate** — every evolved skill passes path, extension, size, AST, and lineage checks
125+
- **Deep disk rollback** — failed skill mutations are fully reverted including subdirectory files
126+
- **PII redaction** — structured logging automatically strips sensitive fields
127+
- **Supply-chain protection** — pinned deps, `pip-audit` in CI, blocked PYSEC-2026-2
128+
129+
### Dependencies
130+
131+
- **litellm** — bumped to ≥1.83.0 (fixes CVE-2026-35029 + CVE-2026-35030; skips PYSEC-2026-2 supply-chain attack in 1.82.7/1.82.8)
132+
- **structlog** — added for structured logging with context propagation
133+
- **E2B sandbox** — enforced as default execution environment
134+
- **GitHub Actions** — full CI pipeline: lint (ruff), type-check (mypy), test (pytest), security audit (pip-audit)
135+
- **Docker** — multi-stage build, non-root user, health check probe
136+
137+
### Migration Notes
138+
139+
- `store.py` is now a re-export facade — direct imports still work but should migrate to specific modules (`skill_repository`, `lineage_tracker`, `analysis_store`, `tag_index_search`, `migration_manager`)
140+
- `tool_layer.py` is now a thin facade — migrate to `tool_registry`, `execution_engine`, `recording_service`, `llm_adapter`
141+
- `mcp_server.py` is now a backward-compat shim — migrate to `openspace/mcp/` package
142+
- `evolver.py` is now a thin facade — migrate to `openspace/skill_engine/evolution/` package
143+
- `grounding_agent.py` replaced by `openspace/agents/grounding/` package
144+
- All MCP endpoints now require bearer token auth (set `OPENSPACE_BEARER_TOKEN`)
145+
- Cloud auto-import disabled by default (set `OPENSPACE_CLOUD_IMPORT=true` to re-enable)
146+
- E2B sandbox enforced by default for skill execution
147+
148+
### Stats
149+
150+
| Metric | Value |
151+
|--------|-------|
152+
| Phases | 8 (P0–P7) |
153+
| Epics completed | 50+ |
154+
| Pull requests | 55+ |
155+
| Test count | 2,056 (zero failures) |
156+
| Review rounds | Multi-agent (/8eyes + /collab) on every PR |
157+
| Monoliths decomposed | 4 (store.py, tool_layer.py, mcp_server.py, evolver.py, grounding_agent.py) |
158+
| AST blocklist patterns | 40+ |
159+
| Security layers | 5 (ReviewGate) + capability leases + auth |

RUNBOOK.yaml

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,8 @@
11
schema_version: '1.0'
22
lock:
3-
active_claim: null
4-
claimed_by: null
5-
claimed_at: '2026-04-07T01:20:00Z'
3+
active_claim: '7.3'
4+
claimed_by: '2026-04-07-copilot-session'
5+
claimed_at: '2026-04-07T15:55:00Z'
66
review:
77
max_rounds: 3
88
required_gates:
@@ -646,9 +646,9 @@ epics:
646646
- id: '7.3'
647647
phase: P7
648648
title: Launch checklist
649-
status: pending
650-
branch: null
651-
pr: null
649+
status: in_review
650+
branch: epic/7.3-launch-checklist
651+
pr: 56
652652
review_round: 0
653653
description: 'Final security audit, documentation completeness, release notes, changelog,
654654
license verification, dependency audit clean.

pyproject.toml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
44

55
[project]
66
name = "openspace"
7-
version = "0.1.0"
7+
version = "2.0.0"
88
description = "OpenSpace"
99
readme = "README.md"
1010
requires-python = ">=3.12"
@@ -14,7 +14,7 @@ authors = [
1414
]
1515

1616
dependencies = [
17-
"litellm>=1.70.0,<1.82.7", # pinned to avoid PYSEC-2026-2 supply-chain compromise (1.82.7/1.82.8 were malicious)
17+
"litellm>=1.83.0,<2", # >=1.83.0 fixes CVE-2026-35029 + CVE-2026-35030; skips PYSEC-2026-2 (1.82.7/1.82.8 malicious)
1818
"python-dotenv>=1.0.0,<2",
1919
"openai>=1.0.0,<3",
2020
"jsonschema>=4.25.0,<5",

requirements.txt

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@
66
# It re-exports the core deps from pyproject.toml.
77
# ──────────────────────────────────────────────────────
88

9-
litellm>=1.70.0,<1.82.7
9+
litellm>=1.83.0,<2
1010
python-dotenv>=1.0.0,<2
1111
openai>=1.0.0,<3
1212
jsonschema>=4.25.0,<5

tests/test_dependency_security.py

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -66,11 +66,11 @@ def test_windows_deps_have_upper_bounds(self, pyproject):
6666
self._check_deps(deps, "windows")
6767

6868
def test_litellm_has_security_cap(self, pyproject):
69-
"""litellm must keep <1.82.7 cap (PYSEC-2026-2)."""
69+
"""litellm must pin >=1.83.0 (fixes CVE-2026-35029/35030, skips PYSEC-2026-2)."""
7070
deps = pyproject["project"]["dependencies"]
7171
litellm_specs = [d for d in deps if d.startswith("litellm")]
7272
assert len(litellm_specs) == 1
73-
assert "<1.82.7" in litellm_specs[0]
73+
assert ">=1.83.0" in litellm_specs[0]
7474

7575

7676
# ---------------------------------------------------------------------------

tests/test_execution_engine.py

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -71,7 +71,11 @@ def mock_recording_manager():
7171
rm.recording_status = False
7272
rm.trajectory_dir = "/tmp/traj"
7373
rm.task_id = ""
74-
rm.start = AsyncMock()
74+
75+
async def _start():
76+
rm.recording_status = True
77+
78+
rm.start = AsyncMock(side_effect=_start)
7579
rm.stop = AsyncMock()
7680
rm.add_metadata = AsyncMock()
7781
rm.save_execution_outcome = AsyncMock()

0 commit comments

Comments
 (0)