chore(deps): bump actions/checkout from 4 to 6#2
Merged
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
f4b1277 to c52eca2
bb-connor approved these changes, Feb 4, 2026
bb-connor added a commit that referenced this pull request, Mar 1, 2026:
Add Feature #2 (async generator streaming via NATS) and Feature #10 (export adapters for Webhook, Splunk HEC, Elasticsearch, STIX 2.1, CSV) in both TypeScript and Python. Update barrel exports in both languages.

All 10 planned features now implemented:
- TS: 295 tests passing (19 test files)
- Python: 314 tests passing (18 test files)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
bb-connor added a commit that referenced this pull request, Mar 14, 2026:
…, findings, routing, fleet fixture

- Guard fetchLiveApprovals clear with isLiveData check so demo data is not wiped when the user is viewing demo mode (comment #2)
- Add comment explaining control-api port 8090 choice in fleet-fixture (comment #6)

Comments #1, #3, #4, #5 were already addressed in the current code:
- #1: panelParam useEffect already depends on the primitive string value
- #3: ALL_STATUSES already includes "archived"
- #4: FindingsIntelPage doesn't wire onAddAnnotation (correctly handled in FindingDetailPage which constructs full Annotation objects)
- #5: Navigate elements already use object form for query params

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
bb-connor added a commit that referenced this pull request, Mar 14, 2026:
…on set (#190)

* feat(workbench): enhanced sidebar, delegation, hierarchy, simulator, hunt lab, and control-api

Workbench UI improvements:
- Redesigned desktop sidebar with grouped nav sections, accent colors, collapsible state, and live approval badge polling
- Delegation page with improved layout and demo data
- Hierarchy page with fleet sync (push/pull), drag-drop reparenting, rename, validation panel, and backend CRUD integration
- Simulator overhaul: fleet testing panel, red team panel, scenario list with expanded capabilities, observe panel
- New Hunt Lab pages and engine
- New Guards management UI
- Enhanced fleet dashboard and connection handling

Control API (Rust):
- Hierarchy CRUD endpoints with tree traversal and validation
- Agent routes expansion with runtime hierarchy support
- Database migrations for endpoint runtime hierarchy
- Integration test coverage

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: address PR #187 review comments and CI failures

- Regenerate package-lock.json with all platform-specific deps (tailwindcss/oxide, lightningcss) to fix npm ci failures
- Fix useless initial assignment to `sig` in baselines.tsx (CodeQL)
- Remove unused import IconClock in investigation.tsx (CodeQL)
- Scope runtime node cleanup to exact endpoint via agent ID join instead of non-unique name match (Codex P1)
- Make runtime hierarchy insertion idempotent using external_id with ON CONFLICT upsert on the partial unique index (Codex P1)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(workbench): resolve hierarchy and runtime review findings
* fix(workbench): clear PR 187 review and CI blockers
* fix: address remaining PR 187 review feedback
* fix(workbench): address PR 187 CI follow-ups
* fix(workbench): pause hunt polling when stream is paused
* fix(workbench): tighten delegation and hunt follow-ups

* feat(workbench): sentinel swarm UI with system heartbeat sigil and custom icon set

Adds the Sentinel Swarm feature UI: sentinel management, findings/intel, swarm coordination, signal pipeline, speakeasy bridge, and trust graph visualization. Reorganizes sidebar from 6 sections to 3 (Detect & Respond, Author & Test, Platform), merges related pages (Intel→Findings tab, Hunt+Simulate→Lab, Delegation+Hierarchy→Topology, Guards+Compare→Editor panels). Replaces Home button with an animated System Heartbeat sigil (SVG diamond with segmented health ring, radar sweep, and posture-derived breathing). Introduces a bespoke 13-icon SVG set replacing Tabler icons. Fixes OriginEditor crash, findings-list type errors, reputation-tracker division-by-zero, and trust-graph O(n²) guard.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(workbench): address PR 190 review and CodeQL findings

- Update sidebar test to match new nav structure (3 sections, 12 items)
- Wire emergingFindingsCount to FindingProvider store (was hardcoded 0)
- Use useId() for SVG filter IDs to prevent collisions across instances
- Add searchParams to PolicyEditor useEffect dependency array
- Remove useless isOpen conditionals in speakeasy-panel (always true after guard)
- Remove unused imports: Link (intel-page), IntelDetail (sentinel-swarm-pages), useMemo/IconPlus/IconTrash (sentinel-detail), IconBrain/IconDownload/IconPlus (swarm-detail)
- Remove unused variables: navigate (SentinelDetailPage), ModeIcon (sentinel-detail), formatUptime (sentinel-list)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(control-api): move endpoint lookup into runtime registration transaction

The endpoint SELECT now runs inside the transaction with FOR UPDATE, serializing against concurrent DELETE operations that could otherwise leave orphaned runtime records tied to a deleted endpoint.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(workbench): address PR review and code-quality findings
* fix(workbench): address new PR review findings

* feat(workbench): operator identity system with Ed25519 crypto, invitations, and IdP federation

Introduces a local-first operator identity system replacing hardcoded "workbench-user" strings with real Ed25519 keypairs. Operators generate cryptographic identities that enable signed invitation tokens, sentinel ownership proofs, and verifiable attribution across swarms.

Core additions:
- operator-crypto.ts: Ed25519 keygen, signing, verification, canonical JSON, PBKDF2+AES-256-GCM key export/import, ownership proofs
- operator-types.ts: OperatorIdentity, InvitationClaims, SignedInvitation, role hierarchy (observer < contributor < admin), capability system
- invitation-manager.ts: create/validate/accept invitations with role attenuation, depth limiting, structural validation, base64url serialization
- operator-store.tsx: React context with localStorage + secureStore persistence
- reputation-store.tsx: per-operator reputation event tracking with dedup
- idp-federation.ts: OIDC Authorization Code + PKCE flow (disabled in UI)

UI components:
- identity-prompt.tsx: first-launch modal for keypair generation
- identity-settings.tsx: identity management (sigil, fingerprint, key export)
- swarm-invite.tsx: two-tab create/accept invitation flow
- Sidebar operator indicator with Unicode sigil glyph

Wiring:
- sentinel-create.tsx: operator fingerprint as owner, ownership proof generation
- approval-queue.tsx: operator fingerprint for decision attribution
- fleet-client.ts: parameterized decidedBy in approval resolution
- speakeasy-bridge.ts: real Ed25519 signing, operator identity converter
- swarm-store.tsx: invitation tracking (active/used/revoked)
- sentinel-manager.ts: real Ed25519 keygen for sentinel identities

Bug fixes applied from security audit:
- Break circular import (operator-crypto ↔ sentinel-manager)
- importKeyAction reconstructs identity from imported public key
- Sidebar renders Unicode glyph instead of raw sigil type string
- currentOperator + getSecretKey in sentinel-create useCallback deps
- Sentinel creation passes operatorPublicKey/operatorSecretKey
- IdentityPrompt catches and displays keygen errors
- Non-members blocked from generating invitations
- handlePaste race condition guarded with sequence ref
- deserializeInvitation validates structure before casting

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(sentinel-swarm): land federated swarm hub foundation

Deliver the workbench, hushd, and dogfood pieces needed to move mission evidence through a fail-closed federated publish, replay, and verification path instead of local-only swarm scaffolding.

Made-with: Cursor

* fix(dogfood): complete end-to-end federation dogfood (Task #9)

Fix three bugs in the mission-control dogfood script that prevented the full federation publish/replay flow from completing:

1. `log()` wrote to stdout — when functions were called inside $(), log messages contaminated return values (e.g., intel ID became "[dogfood] Promoting...\nint_xxx"). Redirect to stderr.
2. `click_text "Swarm"` used includes() matching, hitting the sidebar "Swarms" link before the shareability "Swarm" button. Switch to click_text_exact for strict equality.
3. Summary Python heredoc interpolated multiline shell variables ($claude_launch_state contained full page body text), breaking Python syntax. Pass all variables via env vars with quoted heredoc.

Also make the post-share browser eval captures failure-tolerant so the summary.json is always generated even if the Playwright session closes after the share flow completes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(dogfood): address code review findings in mission-control dogfood

- Replace vacuous `wait_for_text "Blocked"` with `wait_for_launch_state "blocked"` so launch posture is actually validated (the mission title contained "blocked", making the substring check always pass).
- Navigate back to missions/findings pages before capturing `claude_launch_state` and `openclaw_finding_links` so the summary reads the correct page state instead of the intel detail page.
- Use `click_text_exact` for "Launch Mission" and "Trusted" to avoid matching "Launch Blocked Mission" or "Trusted Members" via includes().
- Move `capture_page "finding-promoted"` after `wait_for_first_local_intel_id` so the screenshot reflects the actual post-promotion state.
- Add 2s sleep after `clear_browser_state` to let `window.location.reload()` settle before checking for text that was already present.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(workbench): add publish concurrency guard and error feedback to Share to Swarm

Address federation code review findings:
- Add `isPublishing` state guard to prevent double-click/concurrent publish of the same finding envelope to hushd. The Share to Swarm button is disabled and shows "Publishing…" during the async operation.
- Surface publish errors to the user instead of silently swallowing them with console.warn. A `publishError` state drives an inline red error message below the share button (e.g., "Publish failed: ...").
- Surface local ingest rejection reasons when `ingestFindingEnvelope` returns `accepted: false` after a successful hushd publish.
- Thread `shareStatus` and `shareStatusMessage` props through IntelDetail → ShareabilityControls for consistent UI feedback.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(workbench): address operator audit findings — sign API, revocation types, isRecord fix (H-2, CRIT-1, L)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(workbench): address crypto audit findings (H-1, M-1, L-1, L-4)

- H-1: Upgrade sessionStorage fallback warning to console.error with explicit security notice that production must use Tauri Stronghold.
- M-1: Consolidate to single canonicalizeJson in operator-crypto.ts. Remove duplicate from intel-forge.ts (re-exports for compatibility). Update speakeasy-bridge.ts to import from operator-crypto.ts.
- L-1: Increase PBKDF2 iterations from 100k to 600k per OWASP recommendations for exported key encryption.
- L-4: Add 4 random hex chars to generateIntelId() via crypto.getRandomValues to prevent ID collisions on page reload.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(workbench): address trust audit findings — re-evaluate on policy change and reload (H-3, H-4)

- H-3: Policy downgrade no longer blindly restores all quarantined records. Each quarantined finding/revocation is individually re-evaluated against the new trust policy. Only passing records are restored; failing records remain quarantined.
- H-4: localStorage reload now evaluates each persisted record against its stored trust policy instead of using a blanket permissive filter. Records that fail are quarantined on load.
- Add sync trust policy evaluation functions that fail-closed when async crypto would be required (keeps records quarantined until async re-evaluation can occur).
- Add security comment noting quarantined data in plaintext localStorage must be treated as untrusted.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(workbench): address network audit findings — redirect blocking, URL validation, OIDC hardening (M1, M3, M5, M6)

- M3: Add redirect: "error" to jsonFetch so all authenticated fleet API requests block HTTP redirects that could leak Bearer tokens.
- M1: Add URL re-validation at call time in fetchSwarmHubConfig and publishSwarmFinding for defense-in-depth.
- M5+M6: Harden OIDC discovery and token exchange:
  - Validate issuer URL against validateFleetUrl before fetch
  - Block redirects on discovery, token exchange, and refresh
  - Add 10s timeout via AbortSignal.timeout
  - Add 1MB response size limit on discovery responses

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(hushd): address Rust audit findings — error sanitization, CORS, blob limit, zeroization

- Sanitize ~30 V1Error::internal responses to use generic messages instead of leaking e.to_string() details. Actual errors logged server-side via tracing::error!.
- Make CORS configurable with allowed_origins list instead of Any. When CORS is enabled but no origins configured, block all cross-origin requests (fail-closed) with a startup warning.
- Add LIMIT 200 to lookup_swarm_blob_refs SQL query to prevent unbounded result sets from heavily-referenced digests.
- Remove manual Keypair::Drop — ed25519-dalek v2.2 SigningKey implements ZeroizeOnDrop automatically.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(workbench): address PR review comments — keyframes, sigil symbols, test providers, unused code

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(workbench): address PR review comments — policy effect, approvals, findings, routing, fleet fixture

- Guard fetchLiveApprovals clear with isLiveData check so demo data is not wiped when the user is viewing demo mode (comment #2)
- Add comment explaining control-api port 8090 choice in fleet-fixture (comment #6)

Comments #1, #3, #4, #5 were already addressed in the current code:
- #1: panelParam useEffect already depends on the primitive string value
- #3: ALL_STATUSES already includes "archived"
- #4: FindingsIntelPage doesn't wire onAddAnnotation (correctly handled in FindingDetailPage which constructs full Annotation objects)
- #5: Navigate elements already use object form for query params

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(workbench): address PR review comments — gitignore scratchpad, SVG sanitizer, MCP types, delegation deps

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(workbench): restore Node types in tsconfig and fix dogfood port mismatch

- Add "node" to tsconfig types array so Node builtins (process, etc.) are available to files transitively typechecked from the workbench.
- Fix port-forward in workbench-live-dogfood.sh: bind local 8090:8080 to match the default control_api_url (http://127.0.0.1:8090).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(workbench): address final PR review comments — severity colors, summary counts, unused code

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* refactor(workbench): extract shared formatRelativeTime utility

Deduplicate identical formatRelativeTime implementations from finding-detail.tsx, findings-list.tsx, and enrichment-sidebar.tsx into a single shared format-utils.ts module.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(workbench): address remaining PR review threads — sidebar badge, panel state, identity prompt, back nav

- Sidebar badge: remove branch that forced 0 when fleet connected but controlApiUrl absent; now shows demo count consistently with ApprovalQueue
- Policy editor: close guards/compare panels when URL ?panel param removed
- IdentityPrompt: move inside Suspense boundary so lazy-loaded siblings resolve correctly
- Intel back nav: navigate directly to /findings?tab=intel instead of /intel redirect hop
- Extract duplicated SEVERITY_COLORS, STATUS_CONFIG, etc. from findings-list.tsx and finding-detail.tsx into shared finding-constants.ts

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(hushd): handle wildcard "*" in allowed_origins without panicking

tower-http's AllowOrigin::list panics when passed "*". Route wildcard origins through AllowOrigin::any() instead.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* refactor(hushd): deslopify swarm hub handlers and control_db queries

- Remove 10 doc comments that restate route paths already visible in mod.rs
- Extract shared issuer/schema trust policy checks into enforce_common_trust_policy
- Remove redundant .clone() on feed_id/issuer_id in get_swarm_feed_head and get_swarm_revocation_head (values not used after the DB call)
- Remove unnecessary .to_string() on string literals passed to impl Into<String> helpers (invalid_finding, trust_policy_rejection, V1Error::internal)
- Simplify has_witness_proofs with is_some_and
- Flatten single-expression Conflict match arm in map_swarm_store_error
- Remove sloppy doc comment on ControlDbError
- Call validate_issuer_id_message directly in validate_hub_trust_policy instead of round-tripping through validate_issuer_id then extracting .message
- Remove redundant requested_by.clone() in pin_swarm_blob json serialization

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* refactor(workbench): deslopify swarm protocol, feed store, and fleet modules

Remove AI-generated section-separator comment banners, restating JSDoc, and an unused isFiniteNumber helper from fleet-client.ts and swarm-protocol.ts. No behavioral changes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* refactor(workbench): deslopify desktop sidebar, home, intel, and swarm UI components

Remove comment banners and section separators (// -----, // =====, {/* === */}), obvious JSDoc on self-evident props/functions, and an unnecessary fragment wrapper in SystemHeartbeat. Collapse double blank lines left behind by separator removal.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* refactor(workbench): deslopify sentinel-swarm and findings pages

Remove ~260 lines of noise: section divider comments, redundant JSX labels, file-level docblocks restating the obvious, unused imports (FindingStatus, Severity in finding-detail), the formatEnrichmentTime alias, and the liveHubTrustHydrationKey/requiresLiveHubTrustHydration intermediate variables in sentinel-swarm-pages.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* refactor(workbench): deslopify store, crypto, and engine modules

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(workbench): address latest PR review comments

- Import SEVERITY_COLORS from finding-constants.ts instead of duplicating with wrong `low` color (#6f7f9a vs canonical #6b9b8b).
- Filter severity counts to active findings only (emerging + confirmed) so home page breakdown bars don't include dismissed/archived.
- Fix stale closure in toggleDataSource: let useEffect trigger fetchLiveApprovals on the next render instead of calling it directly with a stale isLiveData closure.
- Sort finding timeline descending (newest first) so analysts see the latest status changes and enrichments at the top.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(hushd): security hardening — field limits, pin dedup, audit logging

- Add request body validation bounds: title (512 chars), summary (4096 chars), tags (50 items), blobRefs (100 items), relatedFindingIds (200 items) with descriptive error messages on violation.
- Add pin request deduplication: if a pin request for the same (digest, actor) exists within the last hour, return the existing record with status "deduplicated" instead of inserting a duplicate.
- Add head hash verification on replay: when a replay reaches the current head, re-compute the head hash from the last envelope and compare against the stored hash, returning SWARM_REPLAY_INTEGRITY_ERROR on mismatch.
- Add structured audit logging (tracing::info!) for publish_finding, publish_revocation, and pin_blob operations with operation type, feed/issuer/id fields, and idempotency status.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(workbench): security hardening — input validation, error handling

- Add maxLength attributes to all text inputs and textareas in sentinel creation (name, description, goal descriptions, runtime target, policy name, cron schedule), mission launch (title, objective), to prevent unbounded input
- Add unmount guards (mountedRef) to async handlers in SentinelCreate, MissionControlPage, and IdentityPrompt to prevent setState calls after component unmount

Already verified as clean:
- localStorage keys: all prefixed with clawdstrike_
- Error boundary: top-level ErrorBoundary exists in App.tsx
- No dangerouslySetInnerHTML usage found
- No console.log of sensitive data in production code
- Swarm creation form already had maxLength + trim
- Identity prompt already had maxLength + trim

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(workbench): robustness hardening — beforeunload flush, ownership proof binding, credential isolation

- Add window.addEventListener("beforeunload") handlers to IntelProvider, FindingProvider, and SwarmFeedProvider that synchronously flush pending debounced persistence when the tab closes within the 500ms window.
- Strengthen ownership proof binding: signOwnershipProof now includes a timestamp in the signed payload and returns {signature, timestamp}. verifyOwnershipProof rejects proofs older than 24h (OWNERSHIP_PROOF_MAX_AGE_MS) and proofs >60s in the future (clock-skew tolerance). Accepts optional maxAgeMs parameter (pass Infinity for stored proofs).
- Isolate fleet credentials from context: introduce FleetConnectionInfo (credential-free projection of FleetConnection) exposed via useFleetConnection context. Credentials are only accessible through getCredentials() and getAuthenticatedConnection() methods. All 27 consumer files updated to use credential accessors instead of reading connection.apiKey directly.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(workbench): address PR comments — WebCrypto buffer, UTF-8 btoa, double-submit guard, dead code

- Pass Uint8Array directly to WebCrypto digest in deriveFingerprint instead of copying via buf() which can fail across JS realms
- UTF-8 encode/decode invitation payloads around btoa/atob to handle non-Latin-1 characters safely
- Add submittingRef guard to IdentityPrompt to prevent concurrent keypair generation from rapid Enter/click
- Document intentional promoteFinding duplication across component trees
- Remove unused IntelPageConnected export and its IntelPage import
- Pass emergingFindingsCount as prop to SystemHeartbeat to avoid redundant useFindings() call in the child

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(workbench): remove unused destructured variables from credential isolation refactor

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* refactor: aggressive deslopification — remove all patronizing and restating comments

Strip 3000+ lines of AI-generated comment slop across 173 files:
- All `// ---` section separator blocks (146 files)
- Restating comments ("Debounced persistence", "Derive active", "Action dispatchers", "Structural checks", "Signature verification")
- Value-explaining comments ("Port 8090 matches...", "Max 10 hops", "no breathing when offline", "already gone")
- DEV-ONLY FALLBACK warning block in secure-store
- JSDoc blocks that restate the function name
- "NOTE: intentionally duplicated" PR-review-response comments
- SVG layer labels (L1-L5) in the heartbeat component
- "Fallback:" comments where the fallback is obvious from context

No logic changes. TypeScript typecheck and Rust build pass.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(workbench): fix stale useCallback dependency arrays after credential refactor

Replace `connection` with `getAuthenticatedConnection` / `getAuthedConn` in dependency arrays where the callback body calls the getter, not the redacted connection object.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
bb-connor added a commit that referenced this pull request, Mar 15, 2026:
- Use compile_hushspec() in from_yaml_auto() instead of duplicating parse→validate→compile pipeline (cursor-bot #1, #2)
- Add hushspec::validate() to CLI migration path by calling compile_hushspec() instead of raw compile() (cursor-bot #3)
- Switch hushspec dependency from path to git URL so the repo is self-contained (codex #4)
- Handle YAML document markers (---) in is_hushspec() detection (codex #5)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
bb-connor added a commit that referenced this pull request, Mar 16, 2026:
* feat(policy): HushSpec compiler with dual-format loading and CLI migration

Add bidirectional HushSpec ↔ Clawdstrike policy compiler, enabling portable security rules to be authored in the HushSpec open spec format and compiled to Clawdstrike's native engine representation.

Key changes:
- hushspec_compiler.rs: compile() and decompile() mapping all 10 core rules, 3 extensions (posture, origins, detection/spider-sense)
- Policy::from_yaml_auto(): auto-detecting loader for both formats
- CLI: `hush policy migrate --to hushspec` for format conversion
- 46 integration + conformance tests against HushSpec fixtures
- Migration guide and docs updates
- Ruleset cross-references to HushSpec equivalents

The HushSpec spec and reference implementations live in the sibling ../hush repo (github.com/backbay-labs/hush).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(policy): address PR review findings

- Use compile_hushspec() in from_yaml_auto() instead of duplicating parse→validate→compile pipeline (cursor-bot #1, #2)
- Add hushspec::validate() to CLI migration path by calling compile_hushspec() instead of raw compile() (cursor-bot #3)
- Switch hushspec dependency from path to git URL so the repo is self-contained (codex #4)
- Handle YAML document markers (---) in is_hushspec() detection (codex #5)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(clawdstrike): finish hushspec integration
* fix(clawdstrike): preserve policy-event hushspec threat intel
* fix: close remaining hushspec review follow-ups
* fix(clawdstrike): align hushspec forbidden path semantics
* fix(hushd): serialize test daemon startup
* fix(clawdstrike): reject lossy hushspec egress decompile
* fix(ci): free space for offline vendored tests
* fix(repo): allow vendored hushspec path
* fix(clawdstrike): reject lossy hushspec severity decompile

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Bumps actions/checkout from 4 to 6.

Release notes
Sourced from actions/checkout's releases.
... (truncated)

Changelog
Sourced from actions/checkout's changelog.
... (truncated)

Commits
- 8e8c483 Clarify v6 README (#2328)
- 033fa0d Add worktree support for persist-credentials includeIf (#2327)
- c2d88d3 Update all references from v5 and v4 to v6 (#2314)
- 1af3b93 update readme/changelog for v6 (#2311)
- 71cf226 v6-beta (#2298)
- 069c695 Persist creds to a separate file (#2286)
- ff7abcd Update README to include Node.js 24 support details and requirements (#2248)
- 08c6903 Prepare v5.0.0 release (#2238)
- 9f26565 Update actions checkout to use node 24 (#2226)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)