dev → main: v0.1.0 governance hardening, Phase 2 daemon, e2e showcase, dependabot bumps#17
Open
gnanirahulnutakki wants to merge 219 commits into
Conversation
Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.23.3 to 0.24.0.
- [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
- [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md)
- [Commits](kubernetes-sigs/controller-runtime@v0.23.3...v0.24.0)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/controller-runtime
  dependency-version: 0.24.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Document that live external-API tests must be opt-in, locally approved, environment-backed, and non-persistent. Refresh the source-backed Hugo mirrors for the changed guidance.
Documents that `.github/workflows/tests.yml` already covers the offline examples smoke via `python/tests/test_examples_smoke.py`. Removes the stale "no examples smoke CI yet" claim from examples/docs. Adds an offline/no-key examples-smoke regression test for checked-in mission fixtures. The live-provider framework quickstarts remain opt-in/manual.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Validate ARDUR_TRACE_ID against safe regex before using as path component (prevents path traversal via env-controlled trace-id directory name)
- Add read deadline (10s) and 64 KiB line-size limit to daemon Unix socket reader (prevents DoS via unbounded read and goroutine leak on slow client)
- Pin all Python dependencies with compatible upper bounds to prevent silent pull of breaking-change or vulnerable releases

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
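As an added illustration (not code from the Ardur repository; the function names, the allowlist regex and the base directory are assumptions), this Go snippet shows the two runtime checks that commit describes: an allowlist regex applied to the trace id before it becomes a path component, and a deadline-bounded, size-capped line read on the daemon socket.

```go
package main

import (
	"bufio"
	"errors"
	"io"
	"net"
	"path/filepath"
	"regexp"
	"strings"
	"time"
)

// Constructed example with hypothetical names; not Ardur's own code.
const MaxLineBytes = 64 * 1024 // 64 KiB cap per request line
var traceIDPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$`)
var ErrBadTraceID = errors.New("trace id rejected: not a safe path component")
var ErrLineTooLong = errors.New("request line exceeds limit")

// TraceDir joins base and id only when id matches the allowlist regex, so an
// env-controlled value such as "../etc" or "a/b" can never escape base.
func TraceDir(base, id string) (string, error) {
	if !traceIDPattern.MatchString(id) {
		return "", ErrBadTraceID
	}
	p := filepath.Join(base, id)
	if filepath.Dir(p) != filepath.Clean(base) { // belt and braces
		return "", ErrBadTraceID
	}
	return p, nil
}

// ReadRequestLine reads one newline-terminated request from conn, giving up
// after timeout and rejecting lines over MaxLineBytes, so a slow or chatty
// client cannot pin the serving goroutine or grow memory without bound.
func ReadRequestLine(conn net.Conn, timeout time.Duration) (string, error) {
	if err := conn.SetReadDeadline(time.Now().Add(timeout)); err != nil {
		return "", err
	}
	r := bufio.NewReader(io.LimitReader(conn, MaxLineBytes+1)) // +1 detects "over limit"
	line, err := r.ReadString('\n')
	if len(line) > MaxLineBytes {
		return "", ErrLineTooLong
	}
	if err != nil { // io.EOF (client hung up early) or a deadline timeout
		return "", err
	}
	return strings.TrimRight(line, "\r\n"), nil
}
```

The reader assumes one request per connection; a multi-request protocol would keep a single bufio.Reader per connection and re-arm the deadline before each line.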
- Validate ARDUR_HOOK_CC basename against known compiler set
- Validate passthrough daemon hook input has required fields
- Add post-write permission verification warning for private key files
- Mark child_receipt_summary with integrity=unverified flag
- Rename pathWithin to lexicalPathWithin with explicit "do not use for production path enforcement" doc comment
- Add cross-references between known-limitations.md and security-model.md to prevent conformance-profile documentation drift
- Clarify insufficient_evidence/unknown taxonomy link to coverage-map.md
- Add custom gitleaks rule for EC private key PEM detection with expanded allowlist for test fixtures, caches, and state dirs

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Automated Ardur Hugo docs hygiene: regenerate source-backed mirrors from dev and verify sync/local quick gates.
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.5.0 to 6.4.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@d35c59a...4a36011)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.6.0 to 6.2.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@a26af69...a309ff8)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-version: 6.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps python from 3.13-slim to 3.14-slim.

---
updated-dependencies:
- dependency-name: python
  dependency-version: 3.14-slim
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps python from 3.13-slim to 3.14-slim.

---
updated-dependencies:
- dependency-name: python
  dependency-version: 3.14-slim
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
This was referenced Jun 23, 2026
* fix: correct hook p95 latency claim from <10ms to per-platform reality

  Measured on Apple Silicon macOS, the full native daemon-client path (binary exec + Unix-socket round-trip) runs at p95 ~15-17ms, not <10ms. The <10ms claim is only valid for the in-process compute path (no IPC overhead).

  - Raise the native daemon-client release gate from p95<10ms to p95<20ms, which brackets the measured Apple Silicon baseline while still catching regressions
  - Update test_claude_code_native_daemon_client_latency_target docstring to state the per-platform measured numbers and clarify which claim boundary each test defends
  - Add explicit docstring to test_claude_code_daemon_hot_path_latency_target explaining the <10ms gate applies to in-process compute only
  - Update plugins/claude-code/README.md "Claim boundary" section with split per-path numbers (in-process <10ms, full client path <20ms)
  - Mirror the README change to site/content/source/

  Closes #37 for docs/test scope; full re-measurement on a wider platform matrix should remain in the issue for tracking.

* fix: regenerate Hugo mirror for plugins/claude-code/README.md

  The site/content/source/ mirror must be regenerated via sync_source_docs.py rather than edited by hand. The previous commit wrote the correct content body but left the source_sha256 frontmatter stale. Running the sync script updates the SHA256 to match the new plugins/claude-code/README.md.
Add a go-cve job to tests.yml that installs govulncheck@v1.1.4 and runs it against the Go module. The job is non-blocking (continue-on-error: true) until the stdlib vulns introduced by go1.26.0 are patched (requires bumping go/go.mod past go1.26.4 and golang.org/x/net@v0.55.0).

Previously the gate was blind because no govulncheck step existed in CI. The CI already used go-version: 1.26.0 matching go/go.mod so no toolchain directive change was needed. govulncheck@latest (v1.4.0) was pinned to v1.1.4 to avoid a panic in x/tools@v0.46.0 on generic types.

Local run result: 18 real CVEs found in go1.26 stdlib (GO-2026-4599 through GO-2026-5039) plus golang.org/x/net@v0.53.0 (GO-2026-5026). Gate is active and reporting real findings.

Closes SAFE/govulncheck part of #45.
Implements the three previously-unguarded policy categories in mission_compile.py:

- effect_policies: emits effect_limit(class, limit) facts + a single check if budget_delta($c,$d), effect_limit($c,$l), $d <= $l check. Validates class enum, non-negative limit, no duplicate classes.
- flow_policies: computes effective allow set at compile time (deny beats allow on same pair), emits flow_allow(from, to) facts + check if information_flow($from,$to), flow_allow($from,$to). Default-deny: any asserted flow without a matching allow is rejected.
- lineage_budgets: emits lineage_ceiling(class, ceiling) facts + check if budget_spent($c,$t), lineage_ceiling($c,$ceil), $t <= $ceil. Validates reserved <= ceiling at compile time per spec invariant.

Signature changed from Sequence[dict] to dict|None to match MissionDeclaration.lineage_budgets type. All three lower to Biscuit parameter-binding API (not f-strings).

Tests: 53 total (31 new), covering happy-path emission, validation errors, deny-beats-allow semantics, zero limits, and special-char parameter binding safety.
Summary

Promotes `dev` to `main` with 81 commits. This is the full v0.1.0 hardening cycle that brings all governance features from development into the release branch.

Governance & Policy Engine

Proxy Surface

- `/metrics` endpoint

Phase 2 Daemon

Claude Code & Gemini Integration

Testing

Dependabot bumps

Test plan

🤖 Generated with Claude Code