Commit 199e5e7

Promote dev to main for v1.1.23 release (xencon#1301) (xencon#1302)
* Fix JSON escaping validation in security test

  Replace malformed regex pattern with proper escaped quote detection using grep. The test now correctly validates that special characters in JSON payloads are properly escaped by checking for the literal escaped sequence \\\" in the output.

* Fix: Improve JSON escaping validation in security test

  The previous validation logic was not correctly checking if special characters were properly escaped in the JSON payload. Updated the test to:
  1. Verify JSON is valid (which implicitly means escaping is correct)
  2. Parse the JSON and check the actual values match expectations
  3. Remove unreliable grep-based checks

  This ensures that injection characters like quotes are properly escaped by Python's json.dumps() function.

* Fix: Export PAYLOAD environment variable for subprocess access

  The test was failing because the PAYLOAD variable was not exported before the Python subprocess attempted to read it via os.environ.get('PAYLOAD'). Added 'export PAYLOAD' after the payload is generated to make it available to subprocess calls. This fixes the JSON escaping test failure where special characters were not being properly validated."

* Fix JSON escaping validation test - use Python to parse and validate JSON values

* Fix JSON escaping test - use subprocess capture for Python verification

  Properly capture Python's validation output and check exit code separately. The previous heredoc approach was failing to properly pass the result back. Now the test correctly validates that json.dumps() properly escapes special characters by parsing the payload and verifying the values are preserved.

* docs: add CI compliance rules for agents and contributors (xencon#1278)

  - Document all CI workflow checks and triggers
  - Pre-commit checklist for shell, markdown, YAML, compose
  - PR creation requirements (title, assignee, labels at creation time)
  - Local commands to run full pre-PR check suite

  Fixes xencon#1278

* fix: pass profile services to run_compose pull to avoid pulling all images (xencon#1274)

  Previously run_compose pull was called without arguments, causing all services defined in docker-compose.yml to be pulled regardless of the active profile. This includes large images like vLLM (~4.5GB) and llama.cpp (~2.8GB) even when using the Ollama engine. Fixed by passing profile_services array to run_compose pull, matching the existing behaviour of run_compose up on the following line.

  Fixes xencon#1274

* fix: use DOCKER_BIN or active engine detection in is_vault_running (xencon#1275)

  Previously is_vault_running() checked for podman binary first regardless of which engine was actually managing the containers. If Podman was installed but Docker was running the stack, the function queried podman ps which returned no results, causing Vault auto-init to fail with 'Vault container is not running'. Fix uses DOCKER_BIN if already set by docker_utils.sh, otherwise falls back to the same detection logic: check podman with podman info to confirm it is actually running, then docker as fallback.

  Fixes xencon#1275

* fix: add ShellCheck version check and installation instructions (xencon#1281)

  - Add check_shellcheck() to check-environment.sh to warn when installed version is below minimum 0.10.0 required for CI parity
  - CI uses ShellCheck 0.11.0 via ludeeus/action-shellcheck@2.0.0
  - Ubuntu 24.04 apt provides 0.9.0 which misses some warnings
  - Add ShellCheck installation instructions to README.md prerequisites
  - Direct users to GitHub releases instead of apt package

  Fixes xencon#1281

* fix: correct admin@localhost to admin@example.com in security test (xencon#1278)

  The test email used admin@localhost which is not a valid example address. Replaced with admin@example.com to match project conventions and the email used in stack init.

  Fixes xencon#1278

* Stack init auto-configures Podman, alias, DOCKER_HOST and volumes (xencon#1277)

* fix: correct admin@localhost to admin@example.com in security test

  The test email used admin@localhost which is not a valid example address. Replaced with admin@example.com to match project conventions and the email used in stack init.

  Fixes xencon#1278

* feat: stack init auto-configures Podman, alias, DOCKER_HOST and volumes

  - Detect container engine during stack init (Podman preferred, Docker fallback)
  - If Podman detected, run setup-podman-rootless.sh automatically
  - Add docker=podman alias and DOCKER_HOST to ~/.bashrc if not present
  - Add GPG_TTY to ~/.bashrc for Vault unseal support
  - Move volume initialisation from stack start to stack init
  - Add GPG key notice if no signing key configured
  - Improve post-init next steps guidance
  - Rewrite README Quick Start to reflect 3-step install flow
  - Add accurate prerequisites including all required tooling
  - Add QEMU/SLIRP MTU workaround note for VM users
  - Remove outdated manual Podman setup steps from README

  Fixes xencon#1277
  Fixes xencon#1279

* ci: trigger recheck after PR title fix

* Fix anonymous volumes from Vault agent containers and token refresh (xencon#1276) (xencon#1288)

* fix: eliminate anonymous volumes from Vault agent containers and fix token refresh

  Add tmpfs mounts for /vault/file and /vault/logs to all Vault agent containers. The Vault image declares these paths as VOLUME in its Dockerfile, causing Podman/Docker to create anonymous volumes for every container using the image -- including agent sidecars that do not use these paths. Using tmpfs satisfies the image VOLUME declaration without creating persistent anonymous volumes.

  Fix token refresh in stack start to handle Podman dependency chain. The previous run_compose --force-recreate approach failed when containers had dependents via --requires. New approach explicitly stops and removes dependent containers before recreating vault agents, then restarts the dependent services with the new token.

  Fixes xencon#1276

* fix: defer bootstrap agents until after vault init and fix prune volume removal (xencon#1276)

  - Exclude Vault bootstrap agents from initial run_compose up -d call
  - Start bootstrap agents explicitly after vault-init has run and token exists
  - Wait for bootstrap secrets before starting dependent services (postgres, grafana etc)
  - Replace fragile token-refresh cascade with clean deferred agent start
  - Fix utils prune to remove all containers before volumes to prevent Podman volume locks

  Fixes xencon#1276

* fix Vault init and stack start reliability fixes (xencon#1289) (xencon#1290)

* fix: recover Vault token by re-running operator init when .security/ is missing

  - If load_vault_token fails (no token file in .security/), fall back to vault_operator_init instead of returning 1
  - Prevents hard failure when Vault is initialised but token file is absent (e.g. after .security/ is deleted or on a fresh clone with existing Vault data)

* fix: platform Vault init and stack start reliability (xencon#6)

  - Replace admin@localhost with admin@example.com in vault init and docs
  - Remove deprecated vault init scripts (init-vault-api.sh, init-vault.sh)
  - Remove stale docker-compose.vault.yml
  - vault-init.sh: two-phase init, artefact checks, token stability fixes, postgres password preserved on warm start, always decrypt token from file
  - stack.sh: reliable VAULT_TOKEN delivery via podman run --env, exclude vault-dependent services from initial compose up, Vault API stability wait, auto-unseal after init cycle, wait for Vault to settle before printing final status

* Create CLAUDE.md and .claude/ directory for Claude Code compatibility (xencon#1291) (xencon#1292)

* feat: Create CLAUDE.md and .claude/ directory for Claude Code compatibility

  - Add thin CLAUDE.md wrapper that imports AGENTS.md via @AGENTS.md
  - Create .claude/rules/ with independent copies of workflow, security, formatting, and CI-checks rules
  - Create .claude/skills/workflow-guard/SKILL.md following Agent Skills standard
  - Create .claude/commands/commit-pr.md with disable-model-invocation
  - Create .claude/settings.json for permission enforcement
  - Reference Agent Skills open standard for cross-tool portability

  Fixes xencon#1291

* feat: Add .claude/ directory and fix .gitignore for Claude Code compatibility

  - Create .claude/rules/ with workflow, security, formatting, CI checks
  - Create .claude/skills/workflow-guard/SKILL.md per Agent Skills standard
  - Create .claude/commands/commit-pr.md with disable-model-invocation
  - Create .claude/settings.json for permission enforcement
  - Fix .gitignore: remove blanket .claude/ ignore, allow project config
  - Add specific ignore for .claude/settings.local.json only
  - All files are independent copies (not symlinks) for cross-platform safety

  Fixes xencon#1291

* fix: Correct dead references to workflow-governance.md in workflow-guard skill (xencon#1297)

  - Line 152: Component labels required → source now DEVELOPMENT.md
  - Line 153: Assignee required → source now DEVELOPMENT.md
  - Verified no other workflow-governance.md references exist in repository

  Fixes xencon#1295

* fix: Remove deprecated usr and dev profiles from adding-services.md (xencon#1298)

  - Removed usr and dev cases from get_profile_services_for_profile() example
  - Updated Profile Selection Guide to only reference bld and sys profiles
  - Updated example code to match current lib/cli/profile.sh (adds vault)
  - Verified no other usr/dev references remain in the file

  Fixes xencon#1294

* docs: Add multi-agent CLI support note to docs/README.md (xencon#1299)

  - Documents that AIXCL supports both OpenCode and Claude Code
  - Notes that tool-specific configs live in .opencode/ and .claude/
  - Confirms both tools share the same governance rules

  Fixes xencon#1296

* refactor: Consolidate AGENTS.md to lean canonical contract (~207 lines) (xencon#1300)

  - Removed detailed workflow steps now fully in development-workflow.md
  - Maintained: principles, hierarchy, invariants, constraints, labels, escalation, override
  - Added .claude/rules/ to authority hierarchy
  - Version bumped from 1.6 to 2.0
  - Verified check-agents.sh passes

  Fixes xencon#1293

1 parent eb92b9a commit 199e5e7

25 files changed

Lines changed: 1410 additions & 1113 deletions

.claude/commands/commit-pr.md

Lines changed: 52 additions & 0 deletions
@@ -0,0 +1,52 @@
1+
---
2+
description: Commit changes and create a PR following AIXCL Issue-First workflow
3+
disable-model-invocation: true
4+
allowed-tools: Bash(git add *), Bash(git commit *), Bash(git push *), Bash(gh pr create *)
5+
---
6+
7+
## Context
8+
9+
- Current branch: !`git branch --show-current`
10+
- Current status: !`git status --short`
11+
- Recent commits: !`git log --oneline -5`
12+
13+
## Your Task
14+
15+
Based on the above changes:
16+
17+
1. **Stage all changes** (if not already staged):
18+
```bash
19+
git add .
20+
```
21+
22+
2. **Create a conventional commit**:
23+
- Format: `<type>: <description> (under 72 chars)`
24+
- Reference issue: `Fixes #<issue-number>`
25+
- Use `./scripts/utils/create-pr.sh` wrapper if available, or craft manually
26+
- Example: `feat: Add CLAUDE.md for Claude Code compatibility`
27+
28+
3. **Push the branch to origin**:
29+
```bash
30+
git push -u origin <branch-name>
31+
```
32+
33+
4. **Create a pull request** using `gh pr create` with:
34+
- Title: `<description> (#<issue-number>)` (NO colons)
35+
- Body: `Fixes #<issue-number>`
36+
- Assignee: set at creation time (required by `pr-validation.yml`)
37+
- Label: at least one `component:*` label (required by `pr-validation.yml`)
38+
39+
**IMPORTANT**: Pass `--assignee` and `--label` at creation time. Do NOT create then edit. The PR Validation workflow fires on the `opened` event. If assignee/label are not present at creation, the check will fail permanently.
40+
41+
```bash
42+
gh pr create --title "Description (#999)" --body "Fixes #999" --assignee <username> --label "component:infrastructure"
43+
```
44+
45+
5. **Verify CI**: Monitor GitHub Actions and ensure all checks pass before completing.
46+
47+
## Safety Rules
48+
49+
- `git push --force` is **DENIED**
50+
- `rm -rf` operations require explicit human approval
51+
- Always reference the issue number in commits and PRs
52+
- All CI checks must be green before the task is complete
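
Review bot: The front matter on line 4 pre-approves `Bash(git push *)`, and that wildcard also covers `git push --force`, which line 49 says is DENIED; it also appears to conflict with `.claude/settings.json` in this same commit, which puts `git add*`, `git commit*`, `git push*` and `gh pr create*` under `ask`. Either drop those entries from `allowed-tools` so the prompts still apply, or narrow the push entry to the form used in step 3 (`git push -u origin <branch-name>`). Separately, step 1 runs `git add .`, which stages every untracked file in the tree; since the commit message mentions a token file under `.security/`, staging named paths taken from the `git status --short` output would be safer than a blanket add.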

.claude/rules/ci-checks.md

Lines changed: 56 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,56 @@
1+
# CI Checks and Compliance
2+
3+
## Pre-Commit Checklist
4+
Before committing any changes, verify locally:
5+
6+
### Shell Scripts
7+
- Run ShellCheck: `shellcheck --severity=warning --exclude=SC1091 <file.sh>`
8+
- Run syntax check: `bash -n <file.sh>`
9+
- Common failures: SC2034 (unused variables), SC2120 (function args), SC2086 (unquoted variables)
10+
11+
### Markdown Files
12+
- No non-ASCII punctuation: no smart quotes, em dashes (--), en dashes (-), ellipsis (...), non-breaking spaces
13+
- Use plain ASCII equivalents: `--` for dashes, `...` for ellipsis, straight quotes
14+
- No CRLF line endings (use LF only)
15+
- No broken relative links (`./` or `../` paths must resolve)
16+
17+
### YAML Files
18+
- Run: `yamllint -c .yamllint.yml <file.yml>`
19+
- Line length limit: 160 characters
20+
21+
### Docker Compose Files
22+
- Run: `docker compose -f services/docker-compose.yml config > /dev/null`
23+
24+
## PR Requirements (ALL must be set at creation time)
25+
```bash
26+
gh pr create \
27+
--title "<description> (#<number>)" \
28+
--body-file /tmp/pr-body.md \
29+
--assignee <username> \
30+
--label "component:<name>"
31+
```
32+
- Title: ends with `(#<number>)`, no colons
33+
- Assignee: required, set at creation (not after)
34+
- Label: at least one `component:*` label, set at creation (not after)
35+
- NEVER use two-step creation -- webhook fires on `opened` event, labels/assignee must be present
36+
37+
## CI Workflows Summary
38+
39+
| Workflow | Trigger | Key Checks |
40+
|----------|---------|------------|
41+
| pr-validation.yml | PR open/edit | Title format, assignee, component label |
42+
| bash-ci.yml | PR + push | check-env, CRLF, ASCII markdown |
43+
| quick-tests.yml | Push to dev (.sh files) | Security tests, bash -n, ./aixcl help |
44+
| security.yml | PR + push | ShellCheck (warning+, no SC1091), dependency review |
45+
| documentation-checks.yml | PR + push | check-paths.sh, check-generated-files.sh, yamllint, compose validate |
46+
| codeql.yml | PR + push | GitHub Actions workflow security (actions language only) |
47+
48+
## Running Checks Locally
49+
```bash
50+
# Full pre-PR check
51+
bash scripts/checks/check-paths.sh
52+
bash scripts/checks/check-generated-files.sh
53+
shellcheck --severity=warning --exclude=SC1091 $(find . -name "*.sh" -not -path "./.git/*")
54+
yamllint -c .yamllint.yml .
55+
./aixcl utils check-env
56+
```
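
Review bot: The local check on line 53 passes an unquoted `$(find . -name "*.sh" -not -path "./.git/*")` to shellcheck, so any path containing whitespace is split into separate arguments; this is the word-splitting pattern ShellCheck itself reports as SC2046. Prefer `find . -name "*.sh" -not -path "./.git/*" -exec shellcheck --severity=warning --exclude=SC1091 {} +`. Also, line 12 illustrates the banned characters with their ASCII replacements (`--`, `-`, `...`), so it reads as banning what line 13 recommends, and the table on line 41 gives the pr-validation.yml trigger as "PR open/edit" while line 35 says the check fires on `opened` only; one of the two needs correcting.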

.claude/rules/formatting.md

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,30 @@
1+
# Formatting and Conventions
2+
3+
## Titles
4+
- **Issues**: `[TYPE] Description` (e.g., `[TASK] Setup agent`, not `[TASK]: Setup agent`)
5+
- **PRs**: `Description (#<number>)` (e.g., `Setup agent template (#42)`, not `Setup: agent template (#42)`)
6+
- NO colons in issue or PR titles
7+
8+
## Text
9+
- Use plain ASCII. No Unicode checkmarks, no emoji.
10+
- **Exception**: Release notes may use `` (green checkmark) for visual checkbox indicators in GitHub release pages, where markdown `- [x]` does not render interactively.
11+
- Use markdown checkboxes: `- [x]` for completed, `- [ ]` for incomplete (for issues, PRs, and documentation)
12+
- Use Unix line endings (LF) -- CRLF is rejected by CI
13+
14+
## Labels
15+
**Issue Types** (select exactly one): `Bug`, `Feature`, `Task`
16+
**Component Labels** (required): `component:runtime-core`, `component:ollama`, `component:persistence`, `component:observability`, `component:ui`, `component:cli`, `component:infrastructure`, `component:testing`
17+
**Priority** (optional): `P1`, `P2`, `P3`
18+
**Profile** (optional): `profile:bld`, `profile:sys`
19+
**Category** (optional): `Fix`, `Enhancement`, `Refactor`, `Maintenance`
20+
21+
## Commits
22+
- Allowed types: `fix`, `feat`, `refactor`, `docs`, `test`, `chore`, `ci`
23+
- Reference issue: `Fixes #<n>` or `Addresses #<n>`
24+
- First line under 72 characters
25+
26+
## Lazy-Loading
27+
Load files on a need-to-know basis:
28+
- Creating an issue → Read `.github/ISSUE_TEMPLATE/task.md` first
29+
- Creating a PR → Read `.github/PULL_REQUEST_TEMPLATE.md` first
30+
- Releasing → Read `CHANGELOG.md` to extract latest version entry
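
Review bot: Lines 28-30 use `→` arrows although line 9 of this file requires plain ASCII and `.claude/rules/ci-checks.md` lists an ASCII markdown check under bash-ci.yml; use `->`, as `.claude/rules/workflow.md` does on its last line. The exception on line 10 also shows an empty code span where the checkmark should be, so the permitted character cannot be identified; name it by its Unicode code point rather than embedding it.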

.claude/rules/security.md

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,32 @@
1+
# Security and Architecture Policy
2+
3+
## Fixed Core Runtime (Non-Negotiable)
4+
- **Inference Engine** (Ollama) -- Docker-managed, always enabled
5+
- **OpenCode** -- AI-powered code assistance (VS Code plugin, client-side), always enabled
6+
- Never remove, replace, or conditionally disable runtime core components
7+
8+
## Runtime vs Operational Services Boundary
9+
- Runtime core must be runnable **without** any operational services
10+
- Operational services may depend on runtime core
11+
- Runtime core must **never** depend on operational services
12+
13+
## Safe Areas for AI Contribution
14+
**You MAY:**
15+
- Modify operational services (monitoring, logging, automation)
16+
- Improve documentation
17+
- Adjust CLI ergonomics (without changing semantics)
18+
- Organize Compose files (if invariants are preserved)
19+
- Add new operational profiles or tooling
20+
21+
**You MUST NOT:**
22+
- Remove/replace/disable runtime core components
23+
- Introduce runtime core → operational service dependencies
24+
- Merge runtime logic with monitoring/admin tooling
25+
- Collapse service boundaries
26+
- Add external libraries, cloud services, telemetry, or analytics without explicit approval
27+
28+
## Escalation
29+
1. If working on an issue → Post clarification as issue comment
30+
2. If no issue exists → Ask human operator directly; do not create issue unilaterally
31+
3. If security concern → Flag with `[SECURITY]` prefix and await explicit approval
32+
4. If authority conflict → Document override request and obtain explicit confirmation
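
Review bot: The MUST NOT list on lines 21-26 says nothing about credentials, although the file is titled a security policy and `.claude/settings.json` grants the agent unprompted `cat*` and `grep*`. Add a rule that the agent must not read, print or commit secret material (the commit message mentions the Vault token file under `.security/`), and state in Escalation item 3 where the `[SECURITY]` prefix goes (issue comment, PR title or message to the operator). Lines 23 and 29-32 also use `→`, which conflicts with the plain-ASCII rule in `.claude/rules/formatting.md`.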

.claude/rules/workflow.md

Lines changed: 47 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,47 @@
1+
# Issue-First Workflow
2+
3+
## Core Rule
4+
Always create an issue before starting work. Every code change, fix, or feature must be traceable to a GitHub issue.
5+
6+
## Step-by-Step
7+
8+
1. **Create Issue**
9+
- Title format: `[TYPE] Description` (e.g., `[TASK]`, `[BUG]`, `[FEATURE]`)
10+
- NO colons in titles
11+
- Use plain ASCII markdown (`- [x]` checkboxes, not Unicode)
12+
- Add labels: component (required), priority (optional), profile (optional)
13+
- Always assign the issue
14+
15+
2. **Create Branch**
16+
- Format: `issue-<number>/<short-description>`
17+
- Example: `issue-217/fix-encoding-problem`
18+
- Always branch from `dev`
19+
20+
3. **Make Changes**
21+
- Small, reversible steps
22+
- Follow project conventions
23+
- Run lint checks if modifying agent/action files
24+
25+
4. **Commit**
26+
- Format: `<type>: <description>` (under 72 chars)
27+
- Reference issue: `Fixes #<issue-number>`
28+
- Use bullet points for multiple changes
29+
30+
5. **Push and Create PR**
31+
- Title format: `<description> (#<number>)` (no colons)
32+
- PR body must reference issue: `Fixes #<number>`
33+
- Add matching labels to PR
34+
- Always assign the PR
35+
36+
6. **Verify CI**
37+
- Check GitHub Actions status
38+
- All status checks must be green before completing
39+
40+
## Branch Strategy
41+
42+
| Branch | Purpose |
43+
|--------|---------|
44+
| `main` | Production-ready code |
45+
| `dev` | Active development, feature integration |
46+
47+
Correct flow: `Feature Branch -> dev -> main`
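
Review bot: Step 5 (lines 33-34) says to add labels and assign the PR but not when, while `.claude/rules/ci-checks.md` and `.claude/commands/commit-pr.md` both require them at creation time because pr-validation.yml fires on `opened`. An agent following only this file could create the PR first and label it afterwards; add "at creation time, via `--assignee` and `--label`" to both bullets. Step 3's "Run lint checks if modifying agent/action files" should also name the command, for example `./scripts/checks/check-agents.sh` if that is the intended check.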

.claude/settings.json

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
{
2+
"permissions": {
3+
"edit": "ask",
4+
"bash": {
5+
"allowed": [
6+
"git status*",
7+
"git diff*",
8+
"git log*",
9+
"ls*",
10+
"cat*",
11+
"grep*",
12+
"gh repo*",
13+
"gh issue*",
14+
"./scripts/checks/check-agents.sh*"
15+
],
16+
"ask": [
17+
"git add*",
18+
"git commit*",
19+
"git push*",
20+
"gh pr create*"
21+
],
22+
"denied": [
23+
"rm -rf*",
24+
"git push --force*"
25+
]
26+
},
27+
"webfetch": "ask"
28+
}
29+
}
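
Review bot: The `denied` entries on lines 23-24 are prefix patterns, so they match only when the flags directly follow the command in exactly that spelling; a force push or recursive delete written with the flag in another position or in another form falls through to `git push*` under `ask` (or to no rule at all for `rm`), where one approval lets it run. Treat the pattern list as a convenience and enforce the force-push rule server-side with branch protection on `main` and `dev`. In the same block, `cat*` and `grep*` on lines 10-11 run without a prompt on any path, secrets included; scope them to the paths the agent needs or move them to `ask`. Finally, this file writes rules as bare globs under `bash.allowed`/`ask`/`denied` while `commit-pr.md` uses the `Bash(git add *)` form; confirm against the tool's settings schema that these keys are the ones it reads, since unrecognised keys would leave the deny list unenforced.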
