Skip to content

Script Runner version history#3411

Merged
jmthomas merged 17 commits into
sr-updatesfrom
sr_git_versions
Jul 11, 2026
Merged

Script Runner version history#3411
jmthomas merged 17 commits into
sr-updatesfrom
sr_git_versions

Conversation

@jmthomas

@jmthomas jmthomas commented May 27, 2026

Copy link
Copy Markdown
Member

This implementation utilizes git in a new script-runner-api volume to do the history tracking

Differs from #3382 which uses bucket history

closes #2389

jmthomas and others added 3 commits May 27, 2026 13:37
Carve Version History routes and actions out of ScriptsController so the
real implementation can ship in the openc3-enterprise gem. Adds a stub
ScriptVersionController that requires the gem version (notebooks
pattern), guards body/create/destroy hooks behind defined?, gates the
ScriptRunner menu item on the /openc3-api/info enterprise flag, and
threads responseType through the Api wrapper for the git bundle
download.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Version History dialog now uses monaco.editor.createDiffEditor with
markRaw to escape Vue 3 proxy traversal that previously froze the page,
an inlined editor.worker (?worker&inline) to dodge microfrontend path
resolution failures, and unique inmemory URIs on both models so diff
decorations actually render. Monaco is loaded via defineAsyncComponent
so the ~3 MB chunk only downloads when the Enterprise menu item is
opened.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@ryanmelt

Copy link
Copy Markdown
Member

No new volumes. I still need to review, but do whatever under /gems/scripts or something.

@codecov

codecov Bot commented May 27, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 84.80000% with 19 lines in your changes missing coverage. Please review.
✅ Project coverage is 79.34%. Comparing base (d173634) to head (5acad24).

Files with missing lines Patch % Lines
openc3/lib/openc3/models/target_model.rb 84.74% 9 Missing ⚠️
...t-runner-api/app/controllers/scripts_controller.rb 44.44% 5 Missing ⚠️
openc3/lib/openc3/models/plugin_model.rb 90.00% 3 Missing ⚠️
...-cmd-tlm-api/app/controllers/plugins_controller.rb 88.23% 2 Missing ⚠️
Additional details and impacted files
@@             Coverage Diff              @@
##           sr-updates    #3411    +/-   ##
============================================
  Coverage       79.33%   79.34%            
============================================
  Files             691      692     +1     
  Lines           57712    57820   +108     
  Branches          728      728            
============================================
+ Hits            45788    45877    +89     
- Misses          11846    11865    +19     
  Partials           78       78            
Flag Coverage Δ
python 80.31% <ø> (ø)
ruby-api 81.46% <80.55%> (-0.04%) ⬇️
ruby-backend 83.20% <86.51%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@jmthomas

jmthomas commented May 27, 2026

Copy link
Copy Markdown
Member Author

No new volumes. I still need to review, but do whatever under /gems/scripts or something.

That volume is read-only. Making it read / write comes with some trade-offs:

  • ✓ One fewer volume to manage/back up/migrate.
  • ✗ Any user script run via Script Runner can now write anywhere under /gems — overwrite installed gem files, plant Trojan code in gems/openc3-*/lib/.... Today the :ro flag is the OS-level guarantee against that.
  • ✗ Data co-tenancy. Backing up scripts history means backing up the whole gems volume (multi-GB).
  • ✗ Permission model: /gems is owned openc3:openc3 (1001), gemfile dirs have specific perms. Script Runner runtime UID is the host UID (501 on your Mac, baked elsewhere). Adding /gems/script-versions with 1777 keeps versions writable but the surrounding gem tree's perms still allow SR-API process writes via its UID — same security concern.

@ryanmelt

Copy link
Copy Markdown
Member

Ok. I guess it is only needed by ScriptRunner. Will talk architecture tomorrow.

jmthomas and others added 4 commits May 28, 2026 08:58
…IONS_DIR

Make the Enterprise Version History feature opt-in via the
OPENC3_SCRIPT_VERSIONS_DIR env var. ScriptRunner now shows the Version
History menu only when /openc3-api/info reports script_versions enabled,
so no git calls or volume are needed when the dir is unset. Includes the
supporting plugin version label work that annotates version commits.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@jmthomas jmthomas requested review from clayandgen and ryanmelt June 15, 2026 23:47
@jmthomas jmthomas marked this pull request as ready for review June 16, 2026 19:32
@socket-security

socket-security Bot commented Jun 16, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm marked is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: openc3-cosmos-init/plugins/pnpm-lock.yamlnpm/monaco-editor@0.54.0npm/marked@14.0.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/marked@14.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm monaco-editor is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: openc3-cosmos-init/plugins/packages/openc3-vue-common/package.jsonnpm/monaco-editor@0.54.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/monaco-editor@0.54.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@sonarqubecloud

Copy link
Copy Markdown

@jmthomas

Copy link
Copy Markdown
Member Author

Ok. I guess it is only needed by ScriptRunner. Will talk architecture tomorrow.

Now also used by cmd-tlm-server so it can handle upgrades

Move script Version History export/import from per-file (ScriptVersionHistoryDialog)
to per-plugin actions on the admin Plugins tab. Repos are keyed by version-stripped
plugin base name so history survives version upgrades and is dropped only on uninstall.

- routes: add /scripts/plugin/:plugin/history-{import,export}; drop per-file export
- TargetModel: add plugin_name_version, plugin_base_name, destroy_script_versions
- openc3cli: destroy plugin Version History repo on uninstall (no-op in Core)
- admin Plugins tab: gate Export/Import History on /openc3-api/info script_versions

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@jmthomas jmthomas changed the base branch from main to sr-updates June 30, 2026 16:16
Comment thread openc3/lib/openc3/models/target_model.rb Fixed

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

15 Open source vulnerabilities detected - medium severity
Aikido detected 15 vulnerabilities across 1 package, it includes 14 medium and 1 low vulnerabilities.

Details

Remediation Aikido suggests bumping the vulnerable packages to a safe version.

Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info

@ryanmelt

ryanmelt commented Jul 1, 2026

Copy link
Copy Markdown
Member

Seems like I had to do Ctrl-S a twice to get saves to complete in quick testing on this. Also was confused by the PR name as this is only an Enterprise feature.

@ryanmelt ryanmelt left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ScriptVersionHistory, etc, should just be versionHistory to also cover other files.

@jmthomas jmthomas changed the base branch from sr-updates to main July 2, 2026 18:37
@jmthomas jmthomas changed the base branch from main to sr-updates July 2, 2026 18:37
@jmthomas jmthomas requested a review from ryanmelt July 7, 2026 23:05
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addednpm/​monaco-editor@​0.54.0881001009790

View full report

@sonarqubecloud

sonarqubecloud Bot commented Jul 9, 2026

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
3.3% Duplication on New Code (required ≤ 3%)
MAJOR Code Smells Severity on New Code (required < MAJOR)
MAJOR Bugs Severity on New Code (required < MINOR)

See analysis details on SonarQube Cloud

@clayandgen clayandgen left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor SonarQube findings, but that can be addressed in the final PR (sr-updates -> main), if necessary.

@jmthomas jmthomas merged commit 9361c4f into sr-updates Jul 11, 2026
50 of 53 checks passed
@jmthomas jmthomas deleted the sr_git_versions branch July 11, 2026 19:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Version Control on Scripts

4 participants