chore: Repo audit — security/CI hardening, framework fixes, docs consistency + snippet CI guard (2.2)#299
Merged
…ege)
- Route attacker-controlled PR fields through env: blocks (script injection)
- SHA-pin third-party actions; replace deprecated returntocorp/semgrep-action
- Add least-privilege permissions blocks to all workflows
- Stagger colliding 02:00 nightly crons; add concurrency guards
- Build js-framework-benchmark submodule recursively; drop stray DOTNET_NUGET_AUDIT=false
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

- Remove tracked scratch/trace dumps and unreferenced root screenshots
- Truncate root beast-mode.agent.md to its intended redirect stub
- Ignore rclone binaries and one-off scratch files
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

- HandlerRegistry: ConcurrentDictionary to remove server render/event/subscription race
- WebSocket: Origin allowlist (AbiesServerOptions.AllowedWebSocketOrigins) blocks CSWSH
- HTML host: default security headers + opt-in CSP via AbiesServerOptions
- Debugger: warn when active outside Development
- Visual harness: missing baseline in CI/strict mode fails instead of silently passing
- Enable IsAotCompatible on Server/Browser/UI packable projects
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

- Fix namespaces (Picea.Abies.*/Picea), Program member set, HTML DSL names
- Fix Commands/Subscriptions/RenderMode/Option usage and signatures in examples
- Reconcile ADR-007/013/021/024/026 with the implementation
- Migrate testing docs to TUnit; fix broken internal links; align package versions
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

- tools/DocSnippetCheck compiles C# fences tagged `compile` against real Abies/Picea assemblies
- docs-snippets.yml workflow (opt-in, least-privilege, concurrency-guarded)
- Document the convention in CONTRIBUTING
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Comment on lines +348 to +352
| foreach (var allowed in allowlist) | ||
| { | ||
| if (string.Equals(origin, allowed, StringComparison.OrdinalIgnoreCase)) | ||
| return true; | ||
| } |
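Review bot: exact per-entry equality is the right shape for an Origin check (no prefix or substring match), but comparing the raw header value to the raw configured string means an allowlist entry written as `https://example.com:443` or `https://example.com/` never matches the `https://example.com` a browser actually sends, and the mismatch fails closed with no diagnostic. Suggest normalizing both sides before the loop (parse with `Uri`, compare scheme, host and port), and making sure the code after the loop returns false for a missing Origin header as well as for no match.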
Comment on lines +273 to +285
| foreach (var variable in StrictModeVariables) | ||
| { | ||
| var value = Environment.GetEnvironmentVariable(variable); | ||
| if (string.IsNullOrWhiteSpace(value)) | ||
| { | ||
| continue; | ||
| } | ||
|
|
||
| if (value is "1" or "true" or "TRUE" or "True") | ||
| { | ||
| return true; | ||
| } | ||
| } |
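Review bot: the truthiness test `if (value is "1" or "true" or "TRUE" or "True")` enumerates casings by hand and compares the untrimmed value, so `tRuE` or `1 ` (trailing space, which passes the `IsNullOrWhiteSpace` guard above) is silently treated as strict mode being off. Suggest `var v = value.Trim(); if (v == "1" || (bool.TryParse(v, out var b) && b)) return true;`, which also keeps the set of accepted spellings obvious to whoever sets these variables in CI.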
Comment on lines +313 to +314
| ?? Path.Combine( | ||
| Environment.GetFolderPath(Environment.SpecialFolder.UserProfile), ".nuget", "packages"); |
| string nugetRoot = Environment.GetEnvironmentVariable("NUGET_PACKAGES") | ||
| ?? Path.Combine( | ||
| Environment.GetFolderPath(Environment.SpecialFolder.UserProfile), ".nuget", "packages"); | ||
| string piceaDll = Path.Combine(nugetRoot, "picea", piceaVer, "lib", "net10.0", "Picea.dll"); |
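Review bot: `Path.Combine(nugetRoot, "picea", piceaVer, "lib", "net10.0", "Picea.dll")` hard-codes the target framework folder, so the snippet check breaks as soon as the Picea package ships a different or additional TFM, and the failure will read as a missing file rather than a TFM mismatch. Suggest enumerating the package's `lib` directory and selecting the TFM folder that matches the compile target, and failing with a message that names the path tried; the `NUGET_PACKAGES` override with the `~/.nuget/packages` fallback is the right resolution order and should stay.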
| if (have.Add(name)) | ||
| { | ||
| try { refs.Add(MetadataReference.CreateFromFile(dll)); } | ||
| catch { /* skip native/unmanaged */ } |
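Review bot: `have.Add(name)` runs before the `try`, so if the first DLL with a given file name fails to load as a managed assembly, a later managed DLL with the same name is never attempted, and the bare `catch` also swallows IO and permission errors that should surface. Suggest catching `BadImageFormatException` only, adding the name to `have` after `refs.Add` succeeds, and writing the skipped path to stderr so a missing reference is visible before the snippet compile errors are.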
|
|
||
| private static string ResolvePiceaVersion(string repoRoot) | ||
| { | ||
| string csproj = Path.Combine(repoRoot, "Picea.Abies", "Picea.Abies.csproj"); |
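Review bot: the resolver reads the Picea version out of `Picea.Abies/Picea.Abies.csproj` only, so if that version moves to central package management (`Directory.Packages.props`) or an MSBuild property, the lookup yields nothing and the later path build produces a confusing missing-file error. Return an explicit failure naming the csproj path when the lookup comes up empty.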
| private static List<string> CollectMarkdownFiles(string repoRoot) | ||
| { | ||
| var files = new List<string>(); | ||
| string docs = Path.Combine(repoRoot, "docs"); |
| string docs = Path.Combine(repoRoot, "docs"); | ||
| if (Directory.Exists(docs)) | ||
| files.AddRange(Directory.EnumerateFiles(docs, "*.md", SearchOption.AllDirectories)); | ||
| string readme = Path.Combine(repoRoot, "README.md"); |
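Review bot: `CollectMarkdownFiles` scans only `docs/**/*.md` plus the root `README.md`, but this PR also documents the `compile` fence convention in CONTRIBUTING and reconciles ADRs, so any compile-tagged fence in a Markdown file outside those two locations is never checked and drift can return exactly where the convention is explained. Consider scanning the repository for `*.md` (excluding `bin/`, `obj/` and submodules) or at least adding CONTRIBUTING.md to the list.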
| var dir = new DirectoryInfo(Directory.GetCurrentDirectory()); | ||
| while (dir is not null) | ||
| { | ||
| if (File.Exists(Path.Combine(dir.FullName, "Picea.Abies.sln"))) |
| dir = new DirectoryInfo(AppContext.BaseDirectory); | ||
| while (dir is not null) | ||
| { | ||
| if (File.Exists(Path.Combine(dir.FullName, "Picea.Abies.sln"))) |
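Review bot: the upward walk for `Picea.Abies.sln` is duplicated for `Directory.GetCurrentDirectory()` and `AppContext.BaseDirectory`; factor it into one helper that takes the start directory, and make the not-found case explicit (an error naming both start points) so running the tool from an unexpected working directory does not continue with a null repo root.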
…efer Server AOT
- dotnet format fixes on Endpoints.cs
- Visual harness strict mode now requires ABIES_VISUAL_STRICT (was inferred from CI, which made the baseline-less gate fail by construction)
- Revert IsAotCompatible on Picea.Abies.Server (reflection-based JSON in Session.cs)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
What
Repo-wide audit follow-through, grouped into six focused commits: CI/security hardening, repo hygiene, framework security/correctness fixes, documentation-vs-code consistency fixes, a new documentation-snippet compile CI guard, and the 2.2 release bump.

Why
The audit surfaced a script-injection sink, unpinned actions, a server-side data race, a Cross-Site WebSocket Hijacking gap, a visual-regression gate that silently passed, and widespread doc/code drift (wrong namespaces, renamed APIs, stale ADRs). These are correctness/security issues for a framework published to NuGet, so they're fixed here and a CI guard is added so doc drift can't silently return.

Changes
Security / CI hardening
- Attacker-controlled PR fields routed through `env:` blocks
- Third-party actions SHA-pinned; deprecated `returntocorp/semgrep-action` replaced
- `permissions:` on all workflows; concurrency guards; stagger colliding nightly crons
Framework security / correctness
- `HandlerRegistry` → `ConcurrentDictionary` (removes server render/event/subscription data race)
- `Origin` allowlist on the WebSocket upgrade (`AbiesServerOptions.AllowedWebSocketOrigins`)
Documentation + CI guard
- Fixed `Program` members, HTML DSL names, signatures; reconciled ADR-007/013/021/024/026; TUnit migration; broken-link fixes
- `tools/DocSnippetCheck` compiles C# fences tagged `compile` against the real assemblies (`docs-snippets.yml`); 31 canonical examples tagged
Hygiene + release
- `.gitignore`; bump `version.json` to 2.2 + CHANGELOG
Testing
- `Picea.Abies.Server.Kestrel.Tests` 54/54 (Debug)
- `DocSnippetCheck`: 31 compiled, 0 failed; verified it fails on an injected `input_`/`type_` drift probe

🤖 Generated with Claude Code
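The Origin allowlist this PR adds to the WebSocket upgrade, shown as an added example rather than the Picea.Abies implementation: both sides are normalized to `scheme://host:port` before comparison so the check neither fails closed on a configured default port or trailing slash nor opens on a prefix match, and a missing Origin header is denied. The `WebSocketOriginPolicy` class, its `IsAllowed`/`TryNormalize` helpers and the sample origins are constructed here; only `AbiesServerOptions.AllowedWebSocketOrigins` is the page's own name, assumed to hold origin strings.

```csharp
using System;
using System.Collections.Generic;

// Constructed sample config: what AbiesServerOptions.AllowedWebSocketOrigins is assumed to hold.
var allowedOrigins = new[] { "https://app.example.com", "http://localhost:5000/" };

// Each call exercises one normalization or rejection case the upgrade check must handle.
Console.WriteLine(WebSocketOriginPolicy.IsAllowed("https://App.Example.com:443", allowedOrigins));   // host case, explicit default port
Console.WriteLine(WebSocketOriginPolicy.IsAllowed("https://app.example.com.other.test", allowedOrigins)); // allowlisted origin used as a prefix
Console.WriteLine(WebSocketOriginPolicy.IsAllowed("http://localhost:5001", allowedOrigins));           // same host, different port
Console.WriteLine(WebSocketOriginPolicy.IsAllowed(null, allowedOrigins));                             // Origin header absent

static class WebSocketOriginPolicy
{
    // True only when the request's Origin matches an allowlisted origin after normalization.
    // Browsers always send Origin on a WebSocket upgrade, so an absent or unparseable header
    // is denied rather than treated as "not a browser".
    public static bool IsAllowed(string? origin, IReadOnlyCollection<string> allowlist)
    {
        if (!TryNormalize(origin, out var requested)) return false;
        foreach (var entry in allowlist)
        {
            if (TryNormalize(entry, out var allowed) && allowed == requested) return true;
        }
        return false; // fail closed, including for an empty allowlist
    }

    // Canonical "scheme://host:port": "https://Example.com" and "https://example.com:443"
    // compare equal, while anything with a path, query or fragment is rejected outright,
    // since an Origin value carries only the authority.
    private static bool TryNormalize(string? value, out string normalized)
    {
        normalized = "";
        if (string.IsNullOrWhiteSpace(value)) return false;
        if (!Uri.TryCreate(value.Trim(), UriKind.Absolute, out var uri)) return false;
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps) return false;
        if (uri.AbsolutePath != "/" || uri.Query.Length > 0 || uri.Fragment.Length > 0) return false;
        // Uri.Port supplies the scheme default when the string omits it, so ports always compare.
        normalized = $"{uri.Scheme}://{uri.Host.ToLowerInvariant()}:{uri.Port}";
        return true;
    }
}
```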