Tags: Cloudymap1e/ironclaw
fix(release): include sandbox_daemon in MSI (nearai#2774)
chore: Release package ironclaw_skills version 0.2.0
chore: Release package ironclaw_common version 0.3.0
ci(gateway): enforce platform/feature boundaries — ironclaw#2599 stage 5 (nearai#2647)

* refactor(gateway): relocate auth / sse / ws into platform/ — ironclaw#2599 stage 3

Third increment of the ironclaw#2599 platform/feature split (follow-up to nearai#2628 and nearai#2643). Moves the three transport / framing modules into the platform/ subtree so the platform layer now contains the full set of cross-cutting infrastructure (state, router, static_files, auth, sse, ws).

Changes:
- src/channels/web/auth.rs -> src/channels/web/platform/auth.rs
- src/channels/web/sse.rs -> src/channels/web/platform/sse.rs
- src/channels/web/ws.rs -> src/channels/web/platform/ws.rs
- platform/mod.rs declares the three new submodules.
- channels/web/mod.rs adds backward-compat re-exports (`pub use platform::{auth, sse, ws};`) so every existing `crate::channels::web::{auth,sse,ws}::...` call site - roughly 40 files across handlers, tests, integration tests, and sibling modules - continues to resolve without edits. Follow-up PRs will migrate call sites to the canonical `platform::` path incrementally.
- platform/mod.rs doc comment now describes the platform layer as having auth / SSE / WS (no longer "in later stages of nearai#2599").
- CLAUDE.md file map points at the new paths and notes the re-exports.

Pure move + re-export. No behavior change. Module contents are byte-identical to pre-move.

Verified: cargo fmt --all; cargo clippy --all --benches --tests --examples --all-features clean; python3 scripts/check_no_panics.py clean; cargo check --all-features --all-targets clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* refactor(gateway): extract OAuth / relay callbacks into features/oauth/ — ironclaw#2599 stage 4a

Fourth increment of the ironclaw#2599 platform/feature split. Opens the `features/` subtree with the OAuth feature slice — the first vertical slice to move out of server.rs into its own module under the ironclaw#2599 target layout.

Slice contents:
- `features/oauth/mod.rs` owns the three public gateway routes that receive OAuth-style callbacks:
  * `oauth_callback_handler` — generic OAuth callback for installable extensions (CSRF lookup, token exchange, storage, optional auto-activation).
  * `relay_events_handler` — HMAC-signed webhook from channel-relay.
  * `slack_relay_oauth_callback_handler` — Slack-specific relay completion flow.
- Slice-private helpers `oauth_error_page` and `redact_oauth_state_for_logs` move with the slice (they have no other callers).

Wiring:
- `platform/router.rs` imports the three handlers from `features::oauth` instead of `server`; no route-table change.
- `channels/web/mod.rs` registers `pub(crate) mod features;`.
- `server.rs` loses the three handlers and their helpers, plus the imports they owned (`Sha256`, `Digest`, `HeaderMap`, `DEFAULT_RELAY_NAME`, `extension_name_candidates`, `SecretConsumeResult`). The test module re-imports the ones it still uses for the integration-level OAuth callback tests.

Pure move. No behavior change. Each handler body is byte-identical to its pre-move counterpart. Every test in `server.rs` that exercises the OAuth callbacks (`test_oauth_callback_missing_params`, etc.) continues to pass against the re-imported handlers.

Stats: server.rs 6973 → 6248 lines (−725); new `features/oauth/mod.rs` is 775 lines; new `features/mod.rs` 14 lines. The +30 delta is comment headers documenting the slice boundary.

Verified: `cargo fmt --all`; `cargo clippy --all --benches --tests --examples --all-features` clean; `python3 scripts/check_no_panics.py` clean; `cargo test --lib` 5069 passed (one more than stage 3 — the new `css_handler_returns_base_in_multi_tenant_mode` test from staging lands green), same 2 pre-existing failures carried over (fixture and test-infra issues unrelated to gateway layout).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci(gateway): enforce platform/feature boundaries — ironclaw#2599 stage 5

Adds `scripts/check_gateway_boundaries.py` and wires it into the `code_style` CI workflow as a required check. The script enforces the ironclaw#2599 layering rule: every file under `src/channels/web/platform/` except `router.rs` must not import from `handlers/` or `features/`.

How it works:
- Walks `src/channels/web/platform/*.rs`, skipping `router.rs` (the intentional composition point) and test modules.
- Strips line comments, block comments, and string / raw-string / char literals so references inside docstrings and explanatory text don't trigger false positives.
- Matches six forbidden import shapes: `crate::channels::web::{handlers,features}::`, `super::{handlers,features}::`, `super::super::{handlers,features}::`.
- Prints diagnostics with file:line and the matched pattern for every violation; exits non-zero on any.
- Carries unit tests behind a `test` subcommand (`python3 scripts/check_gateway_boundaries.py test`) that the CI job runs alongside the check itself.

Simultaneous fix: one pre-existing back-edge that the check surfaced was the OIDC `check_email_domain()` helper living in `handlers/auth.rs` but called from `platform/auth.rs`. The helper is platform-level (it gates JWT validation before any handler runs), so it moves into `platform::auth` along with its five unit tests; the handler call site in `handlers::auth::handle_callback` now imports from the new home. No behavior change.

The second pre-existing back-edge is the frontend bundle assembly path: `platform/static_files::build_frontend_html` calls `read_layout_config` and `load_resolved_widgets`, both still in `handlers/frontend.rs`. Migrating them requires also moving `read_widget_manifest` and the widget-size constants, which touches `load_widget_manifests` (used by `/api/frontend/widgets` and the engine-v2 widget endpoint). That's a separate focused PR — tracked via a narrow allowlist entry in the script with a follow-up comment. The allowlist is explicitly documented as "must not grow without reviewer sign-off".

CLAUDE.md's "Platform vs. feature layering" section now names the script as the enforcement point.

Verified: `python3 scripts/check_gateway_boundaries.py test` — 9 tests pass; `python3 scripts/check_gateway_boundaries.py` — clean; `cargo fmt --all`; `cargo clippy --all --benches --tests --examples --all-features` clean; `python3 scripts/check_no_panics.py` clean; `cargo test --lib channels::web` — 425 passed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci(gateway): close boundary-checker bypasses — PR nearai#2647 review

Four issues raised on PR nearai#2647's review are addressed:
- Grouped `use crate::channels::web::{ handlers::... }` imports escape the per-line scan because the forbidden segment lands on a continuation line. Adds a multiline GROUPED_FORBIDDEN_PATTERN that matches across newlines and reports the line where `handlers::`, `features::`, or `server::` actually appears.
- `use crate::channels::web::server::...` routes through the `server.rs` compatibility shim and still creates a platform → feature back-edge. Adds `server::` (and its `super::` variants) to FORBIDDEN_PATTERNS. Existing pre-existing shim usage in `platform/ws.rs` is captured as a tracked allowlist entry — the allowlist shrinks as individual types migrate out of `server.rs`.
- `#[cfg(test)] mod ...` and `mod tests { ... }` bodies are now actually blanked before pattern matching, matching the docstring's stated exemption. Caller-level regression tests in platform files can import handler/feature modules without tripping the check.
- `gateway-boundaries` is no longer gated solely on `has_code`. A new `has_boundary_check` output on the `changes` job fires when the checker script or this workflow itself changes, so PRs that only edit `scripts/check_gateway_boundaries.py` or `.github/workflows/code_style.yml` still run the guardrail.

Also picks up a small perf nit: `text.splitlines()` is now computed once outside the loop instead of per-violation.

Regression tests cover each case (grouped crate-web import, grouped super import, server-shim back-edge, cfg(test)/mod tests skip, and a sanity check that the test-module skip doesn't blanket-ignore the rest of the file).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci(gateway): brace-aware grouped scan + narrower ws.rs allowlist — PR nearai#2647 Copilot review

Two issues raised by Copilot on the round-1 fixes:
- `GROUPED_FORBIDDEN_PATTERN` used `[^{}]*?` and so could not match grouped imports that contain *nested* braces — e.g. `use crate::channels::web::{ platform::{state::GatewayState}, handlers::auth::login_handler };` produced zero violations even though the forbidden segment is plainly inside the web::{...} group. Replaced the regex with a depth-tracking walk: find each `crate::channels::web::{` / `super::{` / `super::super::{` header, find the matching `}` by counting braces (`{` / `}` only; string and comment contents are already blanked), then scan the body for `(handlers|features|server)::`. Report line numbers off absolute offsets so the reported line is where the forbidden segment lives, not where the header's `{` is.
- `ws.rs`'s allowlist entry whitelisted the whole `crate::channels::web::server::` prefix, which would let any *new* accidental server-shim import in ws.rs silently pass. Narrowed to seven per-symbol entries covering the current pre-existing uses (GatewayState, PerUserRateLimiter, RateLimiter, ActiveConfigSnapshot, images_to_attachments, and the two handle_legacy_auth_* helpers). Future accidental shim imports fail the check and require explicit reviewer sign-off to add.

Added `test_detects_nested_brace_grouped_import` as the regression test for the brace-aware scanner.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
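The boundary checker that the stage-5 and review commits above describe (comment/string blanking, test-module blanking, flat forbidden imports, a brace-aware walk over grouped imports, and an allowlist keyed on exact symbols rather than a prefix), shown here as an added example in Python. This is not the project's `scripts/check_gateway_boundaries.py`; the function names `blank`, `blank_test_modules`, `matching_brace` and `find_violations`, the constructed `SAMPLE` file and the `ALLOW` value are assumptions made for illustration, and raw strings with `#` delimiters are not handled.

```python
"""Brace-aware layering check for Rust `use` paths. Added example, not the
project's scripts/check_gateway_boundaries.py. Assumed rule (from the commit
message): files under platform/ may not import from handlers::, features:: or
server::, except for exact paths on a per-symbol allowlist."""
import re

SEGMENT_RE = re.compile(r"\b(handlers|features|server)::")
# A flat forbidden import such as `use crate::channels::web::handlers::x::y;`.
FLAT_RE = re.compile(r"(?:crate::channels::web::|super::super::|super::)"
                     r"(?:handlers|features|server)::[\w:]+")
GROUP_HEADERS = ("crate::channels::web::{", "super::super::{", "super::{")
TEST_MOD_RE = re.compile(r"#\[cfg\(test\)\]\s*(?:pub(?:\(crate\))?\s+)?mod\s+\w+\s*\{")

def _spaces(s: str) -> str:
    """Blank a span but keep its newlines so offsets still map to lines."""
    return re.sub(r"[^\n]", " ", s)

def blank(text: str) -> str:
    """Blank //, /* */ comments and "..." / 'x' literals. Raw strings with
    `#` delimiters are not handled; that is a simplification of this example."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text.startswith("//", i):
            j = text.find("\n", i)
            j = n if j == -1 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            j = n if j == -1 else j + 2
        elif text[i] == '"':
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1      # skip escaped chars
            j = min(j + 1, n)
        elif text[i] == "'" and text[i + 1:i + 2] == "\\" and text[i + 3:i + 4] == "'":
            j = i + 4                                 # escaped char literal '\''
        elif text[i] == "'" and text[i + 2:i + 3] == "'":
            j = i + 3                                 # char literal such as '"'
        else:
            out.append(text[i])
            i += 1
            continue
        out.append(_spaces(text[i:j]))
        i = j
    return "".join(out)

def matching_brace(src: str, open_idx: int) -> int:
    """Index of the `}` closing the `{` at open_idx, counting nested braces."""
    depth = 0
    for j in range(open_idx, len(src)):
        depth += {"{": 1, "}": -1}.get(src[j], 0)
        if depth == 0:
            return j
    return len(src)  # unbalanced: the rest of the file is the body

def blank_test_modules(src: str) -> str:
    """Blank each `#[cfg(test)] mod x { ... }` body so test-only imports pass."""
    pos = 0
    while (m := TEST_MOD_RE.search(src, pos)) is not None:
        end = matching_brace(src, m.end() - 1) + 1
        src = src[:m.start()] + _spaces(src[m.start():end]) + src[end:]
        pos = end
    return src

def find_violations(text: str, allow: frozenset = frozenset()) -> list:
    """Sorted (line, matched text) pairs for every forbidden import in text."""
    src = blank_test_modules(blank(text))
    line_of = lambda off: src.count("\n", 0, off) + 1
    hits = set()
    for m in FLAT_RE.finditer(src):
        if m.group(0) not in allow:                   # exact path, not a prefix
            hits.add((line_of(m.start()), m.group(0)))
    for header in GROUP_HEADERS:
        pos = 0
        while (pos := src.find(header, pos)) != -1:
            open_idx = pos + len(header) - 1
            for m in SEGMENT_RE.finditer(src, open_idx, matching_brace(src, open_idx)):
                hits.add((line_of(m.start()), m.group(0)))   # line of the segment
            pos = open_idx + 1
    return sorted(hits)

# Constructed sample of a platform/ file; not code from the project.
SAMPLE = """// A comment mentioning handlers::auth does not count.
use crate::channels::web::{
    platform::{state::GatewayState},
    handlers::auth::login_handler,
};
use crate::channels::web::server::GatewayState;
use crate::channels::web::server::RateLimiter;
use super::super::features::oauth::oauth_callback_handler;
const DOC: &str = "see handlers::auth for details";
#[cfg(test)]
mod tests { use crate::channels::web::handlers::frontend::read_layout_config; }
"""
# Per-symbol allowlist (assumed value): one tolerated shim import, not a prefix.
ALLOW = frozenset({"crate::channels::web::server::GatewayState"})
if __name__ == "__main__":
    hits = find_violations(SAMPLE, ALLOW)
    for line, what in hits:
        print(f"platform/ws.rs:{line}: forbidden import {what}")
    raise SystemExit(1 if hits else 0)
```

Running the block reports the `handlers::` segment on line 4 of the sample (inside the nested-brace group, at the line where the segment lives rather than the header's `{`), the `server::RateLimiter` shim import and the `super::super::features::` import, while the allowlisted `server::GatewayState`, the comment, the string literal and the `#[cfg(test)]` module import are ignored. Blanking is length-preserving, which is what lets line numbers be computed from absolute offsets.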
chore: Release package ironclaw_safety version 0.2.1
chore: Release package ironclaw_common version 0.2.0
chore: Release package ironclaw_tui version 0.1.0
chore: Release package ironclaw_skills version 0.1.0
chore: Release package ironclaw_gateway version 0.1.0