dev → main: v0.1.0 governance hardening, Phase 2 daemon, e2e showcase, dependabot bumps #17
Open
gnanirahulnutakki wants to merge 92 commits into
Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.23.3 to 0.24.0. - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md) - [Commits](kubernetes-sigs/controller-runtime@v0.23.3...v0.24.0) --- updated-dependencies: - dependency-name: sigs.k8s.io/controller-runtime dependency-version: 0.24.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Document that live external-API tests must be opt-in, locally approved, environment-backed, and non-persistent. Refresh the source-backed Hugo mirrors for the changed guidance.
Documents that `.github/workflows/tests.yml` already covers the offline examples smoke via `python/tests/test_examples_smoke.py`. Removes the stale "no examples smoke CI yet" claim from examples/docs. Adds an offline/no-key examples-smoke regression test for checked-in mission fixtures. The live-provider framework quickstarts remain opt-in/manual. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Validate ARDUR_TRACE_ID against safe regex before using as path component (prevents path traversal via env-controlled trace-id directory name)
- Add read deadline (10s) and 64 KiB line-size limit to daemon Unix socket reader (prevents DoS via unbounded read and goroutine leak on slow client)
- Pin all Python dependencies with compatible upper bounds to prevent silent pull of breaking-change or vulnerable releases

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
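The first two hardening items in the commit above, sketched as an added Go example; it is not code from this pull request. The regex, the function names and the `op` field in the sample request are assumptions; only the 10s deadline and the 64 KiB limit come from the commit message.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"net"
	"regexp"
	"time"
)

// Assumed pattern (not shown on the page): no '/' or '.', so never "..", absolute or nested.
var traceIDRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$`)

// ValidTraceID reports whether id is safe to use as a single directory name.
func ValidTraceID(id string) bool { return traceIDRe.MatchString(id) }

var ErrLineTooLong = errors.New("request line exceeds size limit")

// ReadRequestLine reads one '\n'-terminated line (at most limit bytes, newline
// included) and gives up after timeout. Assumes one request per connection.
func ReadRequestLine(conn net.Conn, timeout time.Duration, limit int) ([]byte, error) {
	if err := conn.SetReadDeadline(time.Now().Add(timeout)); err != nil {
		return nil, err
	}
	// Cap the stream at limit+1 bytes: enough to detect an over-long line without buffering more.
	r := bufio.NewReaderSize(io.LimitReader(conn, int64(limit)+1), 4096)
	var line []byte
	for {
		chunk, err := r.ReadSlice('\n')
		line = append(line, chunk...)
		if len(line) > limit {
			return nil, ErrLineTooLong
		}
		if err == nil {
			return line[:len(line)-1], nil // strip the newline
		}
		if !errors.Is(err, bufio.ErrBufferFull) {
			return nil, err // deadline exceeded, EOF before newline, etc.
		}
	}
}

func main() {
	server, client := net.Pipe() // in-memory stand-in for the Unix socket
	go client.Write([]byte("{\"op\":\"health\"}\n")) // constructed sample request
	line, err := ReadRequestLine(server, 10*time.Second, 64*1024)
	fmt.Printf("%q %v %v\n", line, err, ValidTraceID("../../etc"))
}
```

The deadline bounds how long a silent client can hold the handler goroutine, and the limit bounds how much memory one connection can consume before a newline arrives.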
- Validate ARDUR_HOOK_CC basename against known compiler set
- Validate passthrough daemon hook input has required fields
- Add post-write permission verification warning for private key files
- Mark child_receipt_summary with integrity=unverified flag
- Rename pathWithin to lexicalPathWithin with explicit "do not use for production path enforcement" doc comment
- Add cross-references between known-limitations.md and security-model.md to prevent conformance-profile documentation drift
- Clarify insufficient_evidence/unknown taxonomy link to coverage-map.md
- Add custom gitleaks rule for EC private key PEM detection with expanded allowlist for test fixtures, caches, and state dirs

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Automated Ardur Hugo docs hygiene: regenerate source-backed mirrors from dev and verify sync/local quick gates.
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.5.0 to 6.4.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@d35c59a...4a36011) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: 6.4.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.6.0 to 6.2.0. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](actions/setup-python@a26af69...a309ff8) --- updated-dependencies: - dependency-name: actions/setup-python dependency-version: 6.2.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps python from 3.13-slim to 3.14-slim. --- updated-dependencies: - dependency-name: python dependency-version: 3.14-slim dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps python from 3.13-slim to 3.14-slim. --- updated-dependencies: - dependency-name: python dependency-version: 3.14-slim dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@34e1148...de0fac2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
…setup-python-6.2.0 ci(deps): bump actions/setup-python from 5.6.0 to 6.2.0
…-quickstart/python-3.14-slim deps(docker)(deps): bump python from 3.13-slim to 3.14-slim in /examples/autogen-quickstart
…in-quickstart/python-3.14-slim deps(docker)(deps): bump python from 3.13-slim to 3.14-slim in /examples/langchain-quickstart
…checkout-6.0.2 ci(deps): bump actions/checkout from 4.3.1 to 6.0.2
…cache-5.0.5 ci(deps): bump actions/cache from 4.3.0 to 5.0.5
…ient-go-0.36.1 deps(go)(deps): bump k8s.io/client-go from 0.35.0 to 0.36.1 in /go
…m/cilium/ebpf-0.21.0 deps(go)(deps): bump github.com/cilium/ebpf from 0.16.0 to 0.21.0 in /go
…codeql-action-4.35.4 ci(deps): bump github/codeql-action from 3.35.2 to 4.35.4
…n-quickstart/spiffe/spire-agent-1.15.0 deps(docker)(deps): bump spiffe/spire-agent from 1.14.2 to 1.15.0 in /examples/autogen-quickstart
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…, 7 layers) Adds test_e2e_showcase.py with 28 tests covering every Ardur governance capability using real Ollama (no mocks). Includes CI job in tests.yml that runs on workflow_dispatch and pushes to main. Layers: HTTP Security, Session & Passport, Delegation, Receipts, MIC Conformance, Policy Backends, Advanced Features. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
|
||
| import json | ||
| import os | ||
| import socket |
| import time | ||
| import urllib.error | ||
| import urllib.request | ||
| import uuid |
|
|
||
| import pytest | ||
|
|
||
| import vibap.mission as mission_module |
| import pytest | ||
|
|
||
| import vibap.mission as mission_module | ||
| from vibap.denial import DenialReason |
|
|
||
| import vibap.mission as mission_module | ||
| from vibap.denial import DenialReason | ||
| from vibap.passport import ALGORITHM, MissionPassport, issue_passport, verify_passport |
| import vibap.mission as mission_module | ||
| from vibap.denial import DenialReason | ||
| from vibap.passport import ALGORITHM, MissionPassport, issue_passport, verify_passport | ||
| from vibap.proxy import Decision, GovernanceProxy, serve_proxy |
| from vibap.proxy import Decision, GovernanceProxy, serve_proxy | ||
| from vibap.receipt import verify_chain | ||
|
|
||
| from tests.conftest import v01_required_md_extras |
| ) | ||
|
|
||
| def test_rate_limiting(self, http_proxy, monkeypatch): | ||
| base, _proxy = http_proxy |
| ) | ||
|
|
||
| def test_rate_limiting(self, http_proxy, monkeypatch): | ||
| base, _proxy = http_proxy |
…mon, Claude Code/Gemini hooks, posture detector, and all enhancements. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
| @contextmanager | ||
| def _locked(state: ChainState): | ||
| state.lock_file.parent.mkdir(parents=True, exist_ok=True) | ||
| fd = open(state.lock_file, "a+b") |
| @contextmanager | ||
| def _locked(state: ChainState): | ||
| state.lock_file.parent.mkdir(parents=True, exist_ok=True) | ||
| fd = open(state.lock_file, "a+b") |
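Review bot: in `_locked`, both `state.lock_file.parent.mkdir(parents=True, exist_ok=True)` and `open(state.lock_file, "a+b")` take their permissions from the process umask, so the chain-state directory and the lock file can be created group- or world-accessible. Pass `mode=0o700` to `mkdir` (it applies to the leaf directory only) and create the lock file owner-only. Separately, `fd` here is bound to a file object rather than an integer descriptor, which is easy to confuse with the `os.close(fd)` usage elsewhere in this diff; a name such as `lock_fh` would avoid that.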
| if fd is not None: | ||
| try: | ||
| os.close(fd) | ||
| except OSError: |
| path.write_text(content, encoding="utf-8") | ||
| try: | ||
| path.chmod(0o600) | ||
| except OSError: |
| path.write_text(content, encoding="utf-8") | ||
| try: | ||
| path.chmod(0o600) | ||
| except OSError: |
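Review bot: `path.write_text(content, encoding="utf-8")` creates the file with umask-default permissions and only afterwards narrows it with `path.chmod(0o600)`, so the content is readable by other local users for a short window, and the `except OSError:` branch (body not visible here) lets the write stand even when the chmod fails. If this path carries key material, create the file with `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)` and write through that descriptor, and treat a failed permission change as an error instead of continuing.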
|
|
||
| keys_dir = tmp_path / "keys" | ||
| chain_file = tmp_path / "chain" / "tampered" / CHAIN_FILENAME | ||
| _token, _public_key = _issue_gemini_passport(keys_dir) |
| assert summary.get("agent") == "demo-agent" | ||
|
|
||
| def test_delegation_parent_child_independent(self, proxy, keypair): | ||
| private_key, _public_key = keypair |
| assert summary.get("agent") == "demo-agent" | ||
|
|
||
| def test_delegation_parent_child_independent(self, proxy, keypair): | ||
| private_key, _public_key = keypair |
… and eBPF kernel capture

- Content safety plugin: regex-based PII/credential detection (credit cards, SSNs, emails, API keys) with deny/redact/warn modes
- OPA/Rego policy backend: subprocess-based Rego evaluation following the existing cedar.py backend pattern with graceful degradation
- MCP gateway: JSON-RPC 2.0 stdio transport intercepting tools/call for policy evaluation and content safety scanning
- NIST AI RMF mapping: self-assessment across all 4 RMF functions with OWASP Agentic Top 10 crosswalk
- eBPF kernel capture: Go SessionRegistry + protocol handler dispatching health/register/end/status; Python KernelCaptureClient with Unix socket JSON-line protocol; proxy session lifecycle hooks

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…gateway, kernel capture, and NIST RMF mapping

- New docs: content-safety.md, opa-backend.md, mcp-gateway.md, kernel-capture.md, compliance/README.md
- Updated STATUS.md, ROADMAP.md, README.md, docs/README.md, coverage-map.md, reference/README.md, and reference/cli.md to reflect all 5 new features
- Coverage map now notes v0.5 kernel capture progress with implementation status
- CLI reference documents the new mcp-gateway subcommand
- Integrations table updated: OPA backend moved from pending to shipped

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
… (high-impact idea #1)
Add Gemini CLI 0.44.1 BeforeTool fixture parsing/report coverage and regenerate source-backed docs mirrors for the updated CLI contract.
Track the source-doc reports section index so fresh CI clones satisfy the generated Hugo mirror check.
Redacts internal-only runtime surfaces, refreshes public docs/site mirrors, adds proxy unit coverage, repairs Go 1.26 CI, and introduces ratcheted Python/Go lint gates. Merged after all current GitHub Actions check-runs on 4f2d5ee completed successfully; admin merge used because dev branch protection still required stale aggregate status contexts that are no longer emitted by Actions.
Summary
Promotes `dev` to `main` with 81 commits. This is the full v0.1.0 hardening cycle that brings all governance features from development into the release branch.
Governance & Policy Engine
Proxy Surface
`/metrics` endpoint
Phase 2 Daemon
Claude Code & Gemini Integration
Testing
Dependabot bumps
Test plan
🤖 Generated with Claude Code