merge main into stabilize-live-api-memory to reconcile pr 8

This commit is contained in:
dirtydishes 2026-05-23 16:24:01 -04:00
commit 6584f7d154
9 changed files with 559 additions and 24 deletions


@ -0,0 +1,169 @@
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>2026-05-22 - Forgejo Primary Agent Workflow</title>
<style>
:root {
--bg: #f6f7fb;
--panel: #ffffff;
--text: #19202a;
--muted: #516074;
--border: #d7dfeb;
--accent: #3559e0;
--code-bg: #0f172a;
--code-text: #e2e8f0;
}
* { box-sizing: border-box; }
body {
margin: 0;
font-family: "Inter", "Segoe UI", Roboto, Helvetica, Arial, sans-serif;
background: radial-gradient(circle at top, #eef2ff 0%, var(--bg) 48%);
color: var(--text);
line-height: 1.6;
}
main {
max-width: 960px;
margin: 2rem auto;
padding: 0 1rem 2rem;
}
.card {
background: var(--panel);
border: 1px solid var(--border);
border-radius: 14px;
padding: 1.25rem;
margin-bottom: 1rem;
box-shadow: 0 8px 26px rgba(22, 34, 60, 0.06);
}
h1, h2 { line-height: 1.25; margin: 0 0 0.65rem; }
h1 { font-size: 1.5rem; }
h2 { font-size: 1.1rem; color: var(--accent); }
p { margin: 0.35rem 0; }
ul { margin: 0.4rem 0 0.4rem 1.1rem; padding: 0; }
li { margin: 0.25rem 0; }
.meta { color: var(--muted); font-size: 0.92rem; }
pre {
margin: 0.6rem 0 0;
background: var(--code-bg);
color: var(--code-text);
border-radius: 10px;
border: 1px solid #1e293b;
padding: 0.9rem;
overflow-x: auto;
}
code { font-family: "JetBrains Mono", "SFMono-Regular", Menlo, Consolas, monospace; }
a { color: var(--accent); }
</style>
</head>
<body>
<main>
<section class="card">
<h1>Turn Documentation: Forgejo-First Agent Workflow in AGENTS.md</h1>
<p class="meta"><strong>Date:</strong> 2026-05-22 22:53 EDT</p>
<p class="meta"><strong>Beads Issue:</strong> islandflow-2cj</p>
</section>
<section class="card">
<h2>Summary</h2>
<p>
Updated <code>AGENTS.md</code> so agents explicitly treat Forgejo as the canonical home for this repository,
prioritize the <code>forgejo</code> git remote for pushes, and use the <code>fj</code> CLI for pull request workflows.
</p>
</section>
<section class="card">
<h2>Changes Made</h2>
<ul>
<li>Added a new <code>Forgejo Is Canonical</code> section to <code>AGENTS.md</code>.</li>
<li>Documented canonical repo URL, preferred remote name, and push target.</li>
<li>Added explicit expectations to use <code>fj</code> for PR create/view/update workflows.</li>
<li>Updated session completion and completion-rule text to require <code>git push forgejo &lt;branch&gt;</code>.</li>
</ul>
</section>
<section class="card">
<h2>Context</h2>
<p>
The repository is primarily hosted on Forgejo (<code>git.deltaisland.io</code>) with GitHub also configured.
Without explicit guidance, agents may default to GitHub tooling or ambiguous <code>git push</code> behavior.
This change removes that ambiguity so automation and handoffs consistently target Forgejo first.
</p>
</section>
<section class="card">
<h2>Important Implementation Details</h2>
<ul>
<li>The existing Beads integration block was preserved; only Forgejo preference guidance was added/clarified.</li>
<li>Push instructions now name the remote directly to prevent accidental mirror-only pushes.</li>
<li>PR tooling guidance now references <code>fj</code> to align with the primary Forgejo workflow.</li>
</ul>
</section>
<section class="card">
<h2>Relevant Diff Snippets</h2>
<p>
Snippets below use standard unified diff formatting compatible with tools like
<a href="https://diffs.com/docs">diffs.com</a>.
</p>
<pre><code class="language-diff">+## Forgejo Is Canonical
+
+This repository's primary home is Forgejo:
+
+- URL: `https://git.deltaisland.io/dirtydishes/islandflow`
+- Git remote: `forgejo`
+- Push target: `forgejo` (not GitHub)
+
+Agent expectations:
+
+- Prefer `git push forgejo &lt;branch&gt;` when publishing work.
+- Treat GitHub as a mirror unless explicitly instructed otherwise.
+- Use `fj` for Forgejo pull request workflows (create/view/update PRs).
+- When sharing PR links in handoff, use the Forgejo PR URL.
@@
- git push
- git status # MUST show "up to date with origin"
+ git push forgejo &lt;branch&gt;
+ git status # MUST show "up to date with forgejo/&lt;branch&gt;"
@@
-6. `git push` succeeds
-7. `git status` shows the branch is up to date with origin
+6. `git push forgejo &lt;branch&gt;` succeeds
+7. `git status` shows the branch is up to date with `forgejo/&lt;branch&gt;`</code></pre>
</section>
<section class="card">
<h2>Expected Impact for End-Users</h2>
<p>
End-users should see more consistent agent behavior around publish and review workflows: branches and PRs will be
created against Forgejo by default, reducing mistakes caused by mixed-remote assumptions.
</p>
</section>
<section class="card">
<h2>Validation</h2>
<ul>
<li>Manually reviewed <code>AGENTS.md</code> to confirm Forgejo guidance is explicit and internally consistent.</li>
<li>Confirmed completion-rule steps now specify <code>git push forgejo &lt;branch&gt;</code>.</li>
<li>No runtime/test suite changes were required because this is a documentation/process-only update.</li>
</ul>
</section>
<section class="card">
<h2>Issues, Limitations, and Mitigations</h2>
<ul>
<li>This change relies on agents having <code>fj</code> installed and authenticated; if unavailable, users may need to use web UI fallback.</li>
<li>Existing user habits around GitHub-first workflows may persist; explicit checklist wording mitigates this over time.</li>
</ul>
</section>
<section class="card">
<h2>Follow-up Work</h2>
<ul>
<li>Optionally add a short Forgejo contribution section in <code>README.md</code> with <code>fj</code> quickstart commands.</li>
<li>Optionally add a pre-push script check that warns when pushing to non-Forgejo remotes from feature branches.</li>
</ul>
</section>
</main>
</body>
</html>
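Review bot: the completion checklist in the embedded AGENTS.md diff (`+ git push forgejo <branch>` followed by `+ git status # MUST show "up to date with forgejo/<branch>"`, and steps 6/7 of the completion rules) will not behave as documented for a branch whose upstream is still `origin`: a plain `git push forgejo <branch>` does not change the tracking branch, so `git status` keeps reporting against `origin/<branch>` and the MUST check fails even though the push to Forgejo succeeded. Suggest documenting `git push -u forgejo <branch>` on first publish (or `git branch --set-upstream-to=forgejo/<branch>`) so the status line actually reflects the Forgejo remote the checklist is asserting on.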


@ -0,0 +1,315 @@
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Turn Report: Forgejo Issue #10 Security CVE Remediation</title>
<style>
:root {
color-scheme: dark;
--bg: #0c1220;
--panel: #121a2a;
--panel-2: #162238;
--text: #e8eefb;
--muted: #a7b5d6;
--accent: #76d3ff;
--accent-2: #9ecbff;
--border: #27344f;
--ok: #85e1b4;
--warn: #ffd599;
}
* { box-sizing: border-box; }
body {
margin: 0;
font-family: "IBM Plex Sans", system-ui, -apple-system, Segoe UI, sans-serif;
background: radial-gradient(1200px 900px at 10% -10%, #1f2e4d 0%, var(--bg) 55%);
color: var(--text);
line-height: 1.6;
}
main {
max-width: 1100px;
margin: 0 auto;
padding: 2rem 1.2rem 3rem;
}
header {
background: linear-gradient(145deg, #1a2741, #121a2a);
border: 1px solid var(--border);
border-radius: 16px;
padding: 1.3rem 1.2rem;
margin-bottom: 1rem;
}
h1 {
margin: 0 0 0.35rem 0;
font-size: clamp(1.4rem, 2.6vw, 2rem);
letter-spacing: 0.02em;
color: #f1f6ff;
}
.meta {
color: var(--muted);
font-size: 0.95rem;
}
.chips {
display: flex;
gap: 0.5rem;
flex-wrap: wrap;
margin-top: 0.7rem;
}
.chip {
font-size: 0.82rem;
color: #d8e6ff;
border: 1px solid #355286;
background: #172443;
border-radius: 999px;
padding: 0.25rem 0.6rem;
}
.grid {
display: grid;
gap: 1rem;
}
section {
background: color-mix(in oklab, var(--panel) 86%, black);
border: 1px solid var(--border);
border-radius: 14px;
padding: 1rem;
}
h2 {
margin: 0 0 0.7rem 0;
font-size: 1.02rem;
color: #dbe8ff;
letter-spacing: 0.01em;
}
p { margin: 0.35rem 0; }
ul {
margin: 0.4rem 0 0;
padding-left: 1.15rem;
}
li + li { margin-top: 0.3rem; }
code {
font-family: "IBM Plex Mono", ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;
background: #0f1728;
color: #d7e7ff;
padding: 0.08rem 0.3rem;
border-radius: 4px;
border: 1px solid #2b3e63;
}
.callout {
margin-top: 0.7rem;
border: 1px solid #3b5178;
background: #13223a;
border-radius: 10px;
padding: 0.7rem 0.85rem;
color: #cfe1ff;
}
.good { color: var(--ok); }
.diff-grid {
display: grid;
gap: 0.85rem;
}
.diff-shell {
border: 1px solid #334c78;
border-radius: 10px;
overflow: hidden;
background: #0f1a2f;
}
.diff-title {
margin: 0;
padding: 0.55rem 0.7rem;
border-bottom: 1px solid #334c78;
color: #cfe2ff;
font-size: 0.9rem;
font-family: "IBM Plex Mono", ui-monospace, monospace;
background: #13223b;
}
.diff-view { padding: 0.3rem; }
.diff-fallback {
margin: 0;
padding: 0.75rem;
white-space: pre-wrap;
overflow-x: auto;
color: #d4e4ff;
font-family: "IBM Plex Mono", ui-monospace, monospace;
font-size: 0.84rem;
background: #0f1a2f;
border-top: 1px solid #253a60;
}
.diff-shell.rendered .diff-fallback { display: none; }
.note {
margin-top: 0.65rem;
color: var(--muted);
font-size: 0.9rem;
}
</style>
</head>
<body>
<main>
<header>
<h1>Forgejo Issue #10 Security CVE Remediation</h1>
<p class="meta">Created: 2026-05-23 13:08 America/New_York · Repo: <code>islandflow</code></p>
<div class="chips">
<span class="chip">Issue: Forgejo #10</span>
<span class="chip">Beads: islandflow-3o0</span>
<span class="chip">Scope: dependency security updates</span>
</div>
</header>
<div class="grid">
<section>
<h2>Summary</h2>
<p>Addressed Forgejo issue <code>#10</code> by remediating the active dependency CVEs called out in the report. This update moved direct WebSocket dependencies to patched versions and added workspace-level dependency overrides for vulnerable transitive packages. <code>bun audit</code> now reports <span class="good">No vulnerabilities found</span>.</p>
</section>
<section>
<h2>Changes Made</h2>
<ul>
<li>Upgraded <code>ws</code> in ingest services to <code>^8.21.0</code> in:
<code>services/ingest-equities/package.json</code>,
<code>services/ingest-news/package.json</code>, and
<code>services/ingest-options/package.json</code>.</li>
<li>Added workspace-level <code>overrides</code> in root <code>package.json</code> for patched transitive packages:
<code>postcss</code> <code>^8.5.15</code>,
<code>tar</code> <code>^7.5.15</code>, and
<code>tmp</code> <code>^0.2.5</code>.</li>
<li>Regenerated <code>bun.lock</code> via <code>bun install</code> to enforce the resolved secure graph.</li>
</ul>
</section>
<section>
<h2>Context</h2>
<p>Issue #10 documented 9 active advisories across runtime and build-time dependencies: six high-severity <code>tar</code> CVEs in the Electron Forge chain, one <code>ws</code> memory-disclosure advisory affecting ingest services, one <code>postcss</code> advisory in the web toolchain, and one <code>tmp</code> advisory in desktop packaging transitive dependencies.</p>
<div class="callout">This fix intentionally focused on targeted version remediation, not broad framework upgrades, to reduce behavior risk while closing the known CVE set.</div>
</section>
<section>
<h2>Important Implementation Details</h2>
<ul>
<li><code>next@16.2.6</code> still declares <code>postcss@8.4.31</code>, so override pinning was required to force a patched resolver result.</li>
<li>The Electron Forge chain currently references <code>tar@^6.x</code> transitively, so override pinning was used to pull patched <code>tar@7.5.15</code> and clear advisories without waiting for upstream major migration.</li>
<li>Direct <code>ws</code> bumps were applied at each ingest service manifest for explicit runtime dependency hygiene.</li>
</ul>
</section>
<section>
<h2>Relevant Diff Snippets</h2>
<div class="diff-grid">
<div class="diff-shell" id="diff-shell-1">
<p class="diff-title">package.json · security overrides</p>
<div class="diff-view" id="diff-1"></div>
<pre class="diff-fallback"><code>+ "overrides": {
+ "postcss": "^8.5.15",
+ "tar": "^7.5.15",
+ "tmp": "^0.2.5"
+ }</code></pre>
</div>
<div class="diff-shell" id="diff-shell-2">
<p class="diff-title">services/ingest-*/package.json · ws bump</p>
<div class="diff-view" id="diff-2"></div>
<pre class="diff-fallback"><code>- "ws": "^8.18.3"
+ "ws": "^8.21.0"</code></pre>
</div>
</div>
<p class="note">Snippets are rendered client-side with Diffs (diffs.com project) and include inline fallback text for offline viewing.</p>
</section>
<section>
<h2>Expected Impact for End-Users</h2>
<p>No user-facing behavior changes are expected. The impact is operational and security-focused: cleaner dependency posture and reduced known vulnerability exposure across ingest runtime and desktop/web toolchain surfaces.</p>
</section>
<section>
<h2>Validation</h2>
<ul>
<li><code>bun install</code> completed and regenerated <code>bun.lock</code>.</li>
<li><code>bun audit</code> passed with <code>No vulnerabilities found</code>.</li>
<li><code>bun test</code> passed: 246 tests, 0 failures.</li>
<li><code>bun --cwd=apps/web run build</code> passed (Next.js production build).</li>
<li><code>bun --cwd=apps/desktop run typecheck</code> passed.</li>
</ul>
</section>
<section>
<h2>Issues, Limitations, and Mitigations</h2>
<ul>
<li>This remediation relies partly on dependency overrides for transitive CVEs rather than upstream package-chain updates. Mitigation: lockfile is now pinned and validated via audit in CI/local runs.</li>
<li>Override-based mitigation can drift if upstream manifests change unexpectedly. Mitigation: keep <code>bun audit</code> in regular release checks.</li>
<li>This pass did not perform container image package CVE expansion, matching the issue's own stated scope limitation.</li>
</ul>
</section>
<section>
<h2>Follow-up Work</h2>
<ul>
<li>Track Electron Forge and rebuild-chain updates to remove the <code>tar/tmp</code> overrides once upstream dependencies natively resolve patched versions.</li>
<li>If additional image-level CVE coverage is required, run a dedicated Docker image scan in a daemon-enabled environment and file any new issues separately.</li>
<li>No additional Beads issue was created in this turn beyond <code>islandflow-3o0</code>.</li>
</ul>
</section>
</div>
</main>
<script type="module">
const snippets = [
{
shellId: "diff-shell-1",
containerId: "diff-1",
name: "package.json",
oldContents: `{
"devDependencies": {
"typescript-language-server": "^5.1.3"
}
}`,
newContents: `{
"devDependencies": {
"typescript-language-server": "^5.1.3"
},
"overrides": {
"postcss": "^8.5.15",
"tar": "^7.5.15",
"tmp": "^0.2.5"
}
}`
},
{
shellId: "diff-shell-2",
containerId: "diff-2",
name: "services/ingest-news/package.json",
oldContents: `"ws": "^8.18.3"`,
newContents: `"ws": "^8.21.0"`
}
];
try {
const { FileDiff } = await import("https://esm.sh/@pierre/diffs");
for (const snippet of snippets) {
const container = document.getElementById(snippet.containerId);
const shell = document.getElementById(snippet.shellId);
if (!container || !shell) {
continue;
}
const instance = new FileDiff({
theme: { dark: "pierre-dark", light: "pierre-light" },
diffStyle: "split"
});
instance.render({
oldFile: {
name: snippet.name,
contents: snippet.oldContents
},
newFile: {
name: snippet.name,
contents: snippet.newContents
},
containerWrapper: container
});
shell.classList.add("rendered");
}
} catch (error) {
console.warn("Failed to render diff snippets with Diffs.", error);
}
</script>
</body>
</html>
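Review bot: the Validation list (`bun test`, `bun --cwd=apps/web run build`, `bun --cwd=apps/desktop run typecheck`) never exercises the code path the `tar` override changes. The implementation notes say the Electron Forge chain declares `tar@^6.x` and is being forced onto `tar@7.5.15`, a major-version jump; a typecheck of `apps/desktop` does not run Forge's packaging/rebuild step where tar is actually invoked, so an API-incompatible override would only surface at `electron-forge package`/`make` time. Suggest adding a desktop package or make run to the validation list before relying on that override, and recording the result in the report. Minor, same file: the report's own script imports `https://esm.sh/@pierre/diffs` with no version pinned; for a document about dependency CVE remediation, pin the version in that URL (e.g. `@pierre/diffs@<version>`, version to be chosen) so the rendered report does not pick up whatever is published next.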