feat: add veans CLI for Vkunja agent integration

.github/workflows/test.yml

@@ -78,6 +78,39 @@ jobs:
         with:
           version: v2.10.1
 
+  veans-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+        with:
+          go-version: stable
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9
+        with:
+          version: v2.10.1
+          working-directory: veans
+
+  veans-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+        with:
+          go-version: stable
+      - name: Install mage
+        # The cached mage-static artifact has the parent magefile compiled
+        # in — we need a generic mage binary to pick up veans/magefile.go.
+        run: go install github.com/magefile/mage@v1.17.2
+      - name: Run unit tests
+        # `mage test` is the Aliases entry for Test.All which passes
+        # `-short` — the e2e package's TestMain skips under -short,
+        # mirroring the parent monorepo's pkg/webtests convention. The
+        # heavier test-veans-e2e job runs the full suite against the
+        # api-build artifact.
+        working-directory: veans
+        run: mage test
+
   check-translations:
     runs-on: ubuntu-latest
     needs: mage
@@ -404,6 +437,76 @@ jobs:
           name: frontend_dist
           path: ./frontend/dist
 
+  test-veans-e2e:
+    runs-on: ubuntu-latest
+    needs:
+      - api-build
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+      - name: Download Vikunja Binary
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
+        with:
+          name: vikunja_bin
+      - name: Set up Go
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+        with:
+          go-version: stable
+      - name: Install mage
+        # The cached mage-static artifact has the parent magefile compiled
+        # in — we need a generic mage binary to pick up veans/magefile.go.
+        run: go install github.com/magefile/mage@v1.17.2
+      - run: chmod +x ./vikunja
+      - name: Run veans e2e against ephemeral Vikunja
+        env:
+          VIKUNJA_SERVICE_INTERFACE: ":3456"
+          VIKUNJA_SERVICE_PUBLICURL: "http://127.0.0.1:3456/"
+          VIKUNJA_SERVICE_JWTSECRET: "veans-e2e-jwt-secret-do-not-use-in-production"
+          # Enables PATCH /api/v1/test/{table} — the e2e suite seeds its
+          # own admin via this endpoint (see veans/e2e/helpers.go), same
+          # mechanism the playwright suite uses.
+          VIKUNJA_SERVICE_TESTINGTOKEN: averyLongSecretToSe33dtheDB
+          VIKUNJA_DATABASE_TYPE: sqlite
+          VIKUNJA_DATABASE_PATH: memory
+          VIKUNJA_LOG_LEVEL: WARNING
+          VIKUNJA_MAILER_ENABLED: "false"
+          VIKUNJA_REDIS_ENABLED: "false"
+          VIKUNJA_RATELIMIT_NOAUTHLIMIT: "1000"
+          VEANS_E2E_API_URL: http://127.0.0.1:3456
+          # Same value as VIKUNJA_SERVICE_TESTINGTOKEN above — pass-through
+          # so the test harness can authenticate against /api/v1/test/.
+          VEANS_E2E_TESTING_TOKEN: averyLongSecretToSe33dtheDB
+        run: |
+          set -e
+          # Boot the prebuilt API and tests in one shell — backgrounded
+          # processes don't survive step boundaries on GH runners.
+          nohup ./vikunja web > /tmp/vikunja.log 2>&1 &
+          API_PID=$!
+          trap "kill $API_PID 2>/dev/null || true" EXIT
+          for i in $(seq 1 60); do
+            if curl -sf http://127.0.0.1:3456/api/v1/info >/dev/null 2>&1; then
+              echo "API ready after ${i}s"
+              break
+            fi
+            sleep 1
+          done
+          if ! curl -sf http://127.0.0.1:3456/api/v1/info >/dev/null; then
+            echo "::error::API failed to start; log:"
+            cat /tmp/vikunja.log
+            exit 1
+          fi
+          # `mage test:e2e` builds the binary once and exports VEANS_BINARY
+          # so each subtest reuses it (plain `mage test` would rebuild per
+          # test via buildOrLocate()). The suite seeds its own admin
+          # internally — no curl seeding here.
+          (cd veans && mage test:e2e)
+      - name: Upload API log on failure
+        if: failure()
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+        with:
+          name: veans-e2e-vikunja-log
+          path: /tmp/vikunja.log
+          retention-days: 7
+
   test-frontend-e2e-playwright:
     runs-on: ubuntu-latest
     needs:

veans/.gitignore

@@ -0,0 +1,2 @@
+/veans
+/veans.exe

veans/.golangci.yml

@@ -0,0 +1,106 @@
+version: "2"
+run:
+  tests: true
+  build-tags:
+    - mage
+linters:
+  enable:
+    - asasalint
+    - asciicheck
+    - bidichk
+    - bodyclose
+    - contextcheck
+    - err113
+    - errchkjson
+    - errorlint
+    - exhaustive
+    - gocheckcompilerdirectives
+    - gochecksumtype
+    - gocritic
+    - gocyclo
+    - goheader
+    - gosec
+    - gosmopolitan
+    - loggercheck
+    - makezero
+    - misspell
+    - nilerr
+    - nilnesserr
+    - noctx
+    - protogetter
+    - reassign
+    - recvcheck
+    - revive
+    - rowserrcheck
+    - testifylint
+    - unparam
+  disable:
+    - durationcheck
+    - goconst
+    - musttag
+  settings:
+    goheader:
+      template-path: code-header-template.txt
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    rules:
+      # Tests compose dynamic error messages and exercise edge cases — let
+      # them. Mirrors the parent repo's _test.go carve-outs.
+      - linters:
+          - err113
+          - errorlint
+          - gocyclo
+        path: _test\.go
+      - linters:
+          - gocritic
+        text: 'commentFormatting: put a space between `//` and comment text'
+      # The veans CLI uses fmt.Errorf and output.New/Wrap intentionally —
+      # err113's "no dynamic errors" rule isn't a fit for user-facing CLI
+      # errors that are routinely templated with parameters.
+      - linters:
+          - err113
+        path: ".*"
+        text: 'do not define dynamic errors, use wrapped static errors instead:'
+      # mage build tooling is internal — gosec subprocess flags don't apply.
+      - linters:
+          - err113
+          - gosec
+        path: magefile.go
+      # term.ReadPassword takes int(*os.File.Fd()) — canonical Go idiom.
+      - linters:
+          - gosec
+        text: 'G115: integer overflow conversion uintptr -> int'
+      # Password / AccessToken / RefreshToken are intentional API model
+      # fields, mirroring the parent repo's exclusion.
+      - linters:
+          - gosec
+        text: 'G117:'
+      # veans is an HTTP CLI: G704 (SSRF) and G705 (XSS via Fprintf to a
+      # terminal) are categorically false positives for this codebase.
+      - linters:
+          - gosec
+        text: 'G70[45]:'
+      # E2E helpers run subprocesses with controlled inputs (git, the
+      # built veans binary). G204 (subprocess) and G703 (path traversal)
+      # don't apply to test infrastructure.
+      - linters:
+          - gosec
+        path: e2e/
+        text: 'G(204|306|703):'
+      # .veans.yml + agent hook config files are committed to the repo
+      # and intentionally world-readable; 0o644 is correct.
+      - linters:
+          - gosec
+        path: internal/(config|bootstrap)/.*\.go
+        text: 'G306:'
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  exclusions:
+    generated: lax