Commit 199e5e7
authored
Promote dev to main for v1.1.23 release (xencon#1301) (xencon#1302)
* Fix JSON escaping validation in security test
Replace malformed regex pattern with proper escaped quote detection using grep.
The test now correctly validates that special characters in JSON payloads are
properly escaped by checking for the literal escaped sequence \\\" in the output.
* Fix: Improve JSON escaping validation in security test
The previous validation logic was not correctly checking if special characters
were properly escaped in the JSON payload. Updated the test to:
1. Verify JSON is valid (which implicitly means escaping is correct)
2. Parse the JSON and check the actual values match expectations
3. Remove unreliable grep-based checks
This ensures that injection characters like quotes are properly escaped by
Python's json.dumps() function.
* Fix: Export PAYLOAD environment variable for subprocess access
The test was failing because the PAYLOAD variable was not exported before the Python
subprocess attempted to read it via os.environ.get('PAYLOAD'). Added 'export PAYLOAD'
after the payload is generated to make it available to subprocess calls.
This fixes the JSON escaping test failure where special characters were not being
properly validated."
* Fix JSON escaping validation test - use Python to parse and validate JSON values
* Fix JSON escaping test - use subprocess capture for Python verification
Properly capture Python's validation output and check exit code separately.
The previous heredoc approach was failing to properly pass the result back.
Now the test correctly validates that json.dumps() properly escapes special
characters by parsing the payload and verifying the values are preserved.
* docs: add CI compliance rules for agents and contributors (xencon#1278)
- Document all CI workflow checks and triggers
- Pre-commit checklist for shell, markdown, YAML, compose
- PR creation requirements (title, assignee, labels at creation time)
- Local commands to run full pre-PR check suite
Fixes xencon#1278
* fix: pass profile services to run_compose pull to avoid pulling all images (xencon#1274)
Previously run_compose pull was called without arguments, causing all
services defined in docker-compose.yml to be pulled regardless of the
active profile. This includes large images like vLLM (~4.5GB) and
llama.cpp (~2.8GB) even when using the Ollama engine.
Fixed by passing profile_services array to run_compose pull, matching
the existing behaviour of run_compose up on the following line.
Fixes xencon#1274
* fix: use DOCKER_BIN or active engine detection in is_vault_running (xencon#1275)
Previously is_vault_running() checked for podman binary first regardless
of which engine was actually managing the containers. If Podman was
installed but Docker was running the stack, the function queried
podman ps which returned no results, causing Vault auto-init to fail
with 'Vault container is not running'.
Fix uses DOCKER_BIN if already set by docker_utils.sh, otherwise falls
back to the same detection logic: check podman with podman info to
confirm it is actually running, then docker as fallback.
Fixes xencon#1275
* fix: add ShellCheck version check and installation instructions (xencon#1281)
- Add check_shellcheck() to check-environment.sh to warn when installed
version is below minimum 0.10.0 required for CI parity
- CI uses ShellCheck 0.11.0 via ludeeus/action-shellcheck@2.0.0
- Ubuntu 24.04 apt provides 0.9.0 which misses some warnings
- Add ShellCheck installation instructions to README.md prerequisites
- Direct users to GitHub releases instead of apt package
Fixes xencon#1281
* fix: correct admin@localhost to admin@example.com in security test (xencon#1278)
The test email used admin@localhost which is not a valid example address.
Replaced with admin@example.com to match project conventions and the
email used in stack init.
Fixes xencon#1278
* Stack init auto-configures Podman, alias, DOCKER_HOST and volumes (xencon#1277)
* fix: correct admin@localhost to admin@example.com in security test
The test email used admin@localhost which is not a valid example address.
Replaced with admin@example.com to match project conventions and the
email used in stack init.
Fixes xencon#1278
* feat: stack init auto-configures Podman, alias, DOCKER_HOST and volumes
- Detect container engine during stack init (Podman preferred, Docker fallback)
- If Podman detected, run setup-podman-rootless.sh automatically
- Add docker=podman alias and DOCKER_HOST to ~/.bashrc if not present
- Add GPG_TTY to ~/.bashrc for Vault unseal support
- Move volume initialisation from stack start to stack init
- Add GPG key notice if no signing key configured
- Improve post-init next steps guidance
- Rewrite README Quick Start to reflect 3-step install flow
- Add accurate prerequisites including all required tooling
- Add QEMU/SLIRP MTU workaround note for VM users
- Remove outdated manual Podman setup steps from README
Fixes xencon#1277
Fixes xencon#1279
* ci: trigger recheck after PR title fix
* Fix anonymous volumes from Vault agent containers and token refresh (xencon#1276) (xencon#1288)
* fix: eliminate anonymous volumes from Vault agent containers and fix token refresh
Add tmpfs mounts for /vault/file and /vault/logs to all Vault agent
containers. The Vault image declares these paths as VOLUME in its
Dockerfile, causing Podman/Docker to create anonymous volumes for every
container using the image -- including agent sidecars that do not use
these paths. Using tmpfs satisfies the image VOLUME declaration without
creating persistent anonymous volumes.
Fix token refresh in stack start to handle Podman dependency chain.
The previous run_compose --force-recreate approach failed when containers
had dependents via --requires. New approach explicitly stops and removes
dependent containers before recreating vault agents, then restarts
the dependent services with the new token.
Fixes xencon#1276
* fix: defer bootstrap agents until after vault init and fix prune volume removal (xencon#1276)
- Exclude Vault bootstrap agents from initial run_compose up -d call
- Start bootstrap agents explicitly after vault-init has run and token exists
- Wait for bootstrap secrets before starting dependent services (postgres, grafana etc)
- Replace fragile token-refresh cascade with clean deferred agent start
- Fix utils prune to remove all containers before volumes to prevent Podman volume locks
Fixes xencon#1276
* fix Vault init and stack start reliability fixes (xencon#1289) (xencon#1290)
* fix: recover Vault token by re-running operator init when .security/ is missing
- If load_vault_token fails (no token file in .security/), fall back to
vault_operator_init instead of returning 1
- Prevents hard failure when Vault is initialised but token file is absent
(e.g. after .security/ is deleted or on a fresh clone with existing Vault data)
* fix: platform Vault init and stack start reliability (xencon#6)
- Replace admin@localhost with admin@example.com in vault init and docs
- Remove deprecated vault init scripts (init-vault-api.sh, init-vault.sh)
- Remove stale docker-compose.vault.yml
- vault-init.sh: two-phase init, artefact checks, token stability fixes,
postgres password preserved on warm start, always decrypt token from file
- stack.sh: reliable VAULT_TOKEN delivery via podman run --env, exclude
vault-dependent services from initial compose up, Vault API stability
wait, auto-unseal after init cycle, wait for Vault to settle before
printing final status
* Create CLAUDE.md and .claude/ directory for Claude Code compatibility (xencon#1291) (xencon#1292)
* feat: Create CLAUDE.md and .claude/ directory for Claude Code compatibility
- Add thin CLAUDE.md wrapper that imports AGENTS.md via @AGENTS.md
- Create .claude/rules/ with independent copies of workflow, security,
formatting, and CI-checks rules
- Create .claude/skills/workflow-guard/SKILL.md following Agent Skills standard
- Create .claude/commands/commit-pr.md with disable-model-invocation
- Create .claude/settings.json for permission enforcement
- Reference Agent Skills open standard for cross-tool portability
Fixes xencon#1291
* feat: Add .claude/ directory and fix .gitignore for Claude Code compatibility
- Create .claude/rules/ with workflow, security, formatting, CI checks
- Create .claude/skills/workflow-guard/SKILL.md per Agent Skills standard
- Create .claude/commands/commit-pr.md with disable-model-invocation
- Create .claude/settings.json for permission enforcement
- Fix .gitignore: remove blanket .claude/ ignore, allow project config
- Add specific ignore for .claude/settings.local.json only
- All files are independent copies (not symlinks) for cross-platform safety
Fixes xencon#1291
* fix: Correct dead references to workflow-governance.md in workflow-guard skill (xencon#1297)
- Line 152: Component labels required → source now DEVELOPMENT.md
- Line 153: Assignee required → source now DEVELOPMENT.md
- Verified no other workflow-governance.md references exist in repository
Fixes xencon#1295
* fix: Remove deprecated usr and dev profiles from adding-services.md (xencon#1298)
- Removed usr and dev cases from get_profile_services_for_profile() example
- Updated Profile Selection Guide to only reference bld and sys profiles
- Updated example code to match current lib/cli/profile.sh (adds vault)
- Verified no other usr/dev references remain in the file
Fixes xencon#1294
* docs: Add multi-agent CLI support note to docs/README.md (xencon#1299)
- Documents that AIXCL supports both OpenCode and Claude Code
- Notes that tool-specific configs live in .opencode/ and .claude/
- Confirms both tools share the same governance rules
Fixes xencon#1296
* refactor: Consolidate AGENTS.md to lean canonical contract (~207 lines) (xencon#1300)
- Removed detailed workflow steps now fully in development-workflow.md
- Maintained: principles, hierarchy, invariants, constraints, labels, escalation, override
- Added .claude/rules/ to authority hierarchy
- Version bumped from 1.6 to 2.0
- Verified check-agents.sh passes
Fixes xencon#12931 parent eb92b9a commit 199e5e7
25 files changed
Lines changed: 1410 additions & 1113 deletions
File tree
- .claude
- commands
- rules
- skills/workflow-guard
- .opencode
- rules
- skills/workflow-guard
- docs
- developer
- lib/aixcl/commands
- scripts
- checks
- vault
- services
- tests/security
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
| 42 | + | |
| 43 | + | |
| 44 | + | |
| 45 | + | |
| 46 | + | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |
| 52 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
| 42 | + | |
| 43 | + | |
| 44 | + | |
| 45 | + | |
| 46 | + | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |
| 52 | + | |
| 53 | + | |
| 54 | + | |
| 55 | + | |
| 56 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
| 42 | + | |
| 43 | + | |
| 44 | + | |
| 45 | + | |
| 46 | + | |
| 47 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
0 commit comments