feat: autonomous epic cycle infrastructure — AGENTS.md, RUNBOOK.yaml, branch protection#2
Closed
Deepfreezechill wants to merge 35 commits into main from
Conversation
- Auto-close issues on PR merge (.github/workflows/auto-close.yml)
- Phase gate monitoring (.github/workflows/phase-gates.yml)
- Progress dashboard Mon/Thu (.github/workflows/progress-dashboard.yml)
- Stale issue detection Tue/Fri (.github/workflows/stale-check.yml)
- PR template with phase/track/risk fields
- ADR framework with template (docs/adr/)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- phase-config.yml: Phase dependency graph (source of truth)
- phase-enforce.yml: 5-layer enforcement engine with retry/backoff
- bypass-audit.yml: Emergency bypass audit trail
- ARCHITECTURE.md: Full threat model and decision matrix
- configure-branch-protection.sh: One-shot setup script
- Updated PR template with bypass reason section
Pattern lineage: eight-eyes/circuit_breaker → squad-audit/label-enforce
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Fix #1 (HIGH): Checkout base branch SHA, not PR branch, preventing self-modification of phase-config.yml or workflow files
- Fix #2 (MEDIUM): Add actor allowlist to bypass — only configured users can invoke emergency:bypass
- Fix #3 (LOW): Strip HTML comments before matching bypass reason pattern, preventing template placeholder from satisfying check
- Bump min bypass reason length from 10 to 30 chars
- Add CODEOWNERS requiring admin review for .github/** changes
- Update bypass heading to use ⚠️ emoji prefix
/8eyes verdicts: Security 0.92, Skeptic 0.90, Verifier 0.85
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Merges upstream HKUDS/OpenSpace (2,775 stars) into the upgrade repo. All existing infrastructure (.github/, docs/) preserved.
Source code brought in: openspace/, frontend/, gdpval_bench/, showcase/
Upstream: https://github.com/HKUDS/OpenSpace
Fork: https://github.com/Deepfreezechill/OpenSpace
License: MIT
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
feat: merge HKUDS/OpenSpace upstream source (MIT)
Implements shared-secret bearer token authentication for the MCP server when using HTTP transports (SSE, streamable-http). This is the first Phase 0 emergency hardening task.
Changes:
- New openspace/auth/bearer.py: ASGI middleware with timing-safe token comparison (hmac.compare_digest), 401 JSON responses
- Modified run_mcp_server(): fail-closed design — refuses to start HTTP transports without OPENSPACE_MCP_BEARER_TOKEN env var
- Minimum token length enforced (32 chars)
- stdio transport unchanged (local process IPC, inherently trusted)
- .env.example updated with new env var documentation
- 17 tests covering: valid/invalid/missing tokens, fail-closed startup, token strength validation, non-HTTP passthrough, WWW-Authenticate header
Security properties:
- Fail-closed: no token → server refuses to start (exit 1)
- Timing-safe: hmac.compare_digest prevents timing attacks
- Minimum entropy: 32-char minimum prevents weak tokens
Closes #1
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
feat(security): add bearer token auth on all MCP HTTP endpoints
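As an added illustration (not the project's own openspace/auth/bearer.py), here is a minimal ASGI middleware with the three properties the commit lists: fail-closed on a missing or short token, hmac.compare_digest for the comparison, and a 401 JSON reply that carries WWW-Authenticate. The `probe` helper and `_ok_app` stand-in are constructed for the example, and the constant and function names are assumptions rather than the project's.

```python
import asyncio
import hmac
import json

MIN_TOKEN_LENGTH = 32  # the commit's minimum; the constant name is assumed


def token_is_acceptable(token):
    """Startup gate (fail-closed): a missing or short shared secret is refused."""
    return bool(token) and len(token) >= MIN_TOKEN_LENGTH


class BearerAuthMiddleware:
    """ASGI middleware: HTTP scopes need a matching Bearer token; others pass through."""
    def __init__(self, app, token):
        if not token_is_acceptable(token):
            raise SystemExit("OPENSPACE_MCP_BEARER_TOKEN missing or shorter than 32 chars")
        self.app = app
        self._token = token.encode()

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":  # lifespan/websocket are untouched
            return await self.app(scope, receive, send)
        header = dict(scope.get("headers") or []).get(b"authorization", b"")
        presented = header[7:] if header[:7].lower() == b"bearer " else b""
        # compare_digest: time taken does not depend on where the bytes differ
        if not hmac.compare_digest(presented, self._token):
            await send({"type": "http.response.start", "status": 401,
                        "headers": [(b"content-type", b"application/json"),
                                    (b"www-authenticate", b"Bearer")]})
            await send({"type": "http.response.body",
                        "body": json.dumps({"error": "unauthorized"}).encode()})
            return
        await self.app(scope, receive, send)


async def _ok_app(scope, receive, send):  # stand-in for the MCP app: 200 to anything
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def probe(token, authorization=None):
    """Send one constructed request through the middleware; return (status, headers)."""
    started = []

    async def send(message):
        if message["type"] == "http.response.start":
            started.append(message)

    headers = [(b"authorization", authorization)] if authorization else []
    scope = {"type": "http", "headers": headers}
    asyncio.run(BearerAuthMiddleware(_ok_app, token)(scope, None, send))
    return started[0]["status"], dict(started[0]["headers"])
```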
…s (#434)
Implements per-IP and per-identity sliding-window rate limiting for all MCP HTTP transports (SSE, streamable-http).
Changes:
- New openspace/auth/rate_limit.py: ASGI middleware with sliding-window algorithm, per-IP and per-identity (IP:token composite) buckets
- Middleware chain: Request → BearerAuth → RateLimit → MCP app (auth first: prevents memory DoS via fake tokens)
- X-Forwarded-For NOT trusted (prevents IP spoofing bypass)
- Max bucket count (10K) — new keys rejected at capacity, active clients never evicted (prevents quota-reset attack via key churn)
- Rate limit headers report governing limit correctly
- Configurable via env vars with sensible defaults
- 16 tests covering all scenarios
/collab + /8eyes review (2 rounds, 7 agents):
Round 1: 5 findings (2 BLOCKING, 2 HIGH, 1 MEDIUM) — all addressed
Round 2: 1 MEDIUM (eviction quota reset) — addressed
Final: GPT-5.4 /collab APPROVE (0.94)
Closes #2
Co-authored-by: Brian Krafft <bkrafft@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
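An added example (not the project's openspace/auth/rate_limit.py) of the two design points in the commit that are easy to get wrong: a sliding window per key with a hard cap on tracked keys that refuses newcomers rather than evicting active clients, and key derivation that takes the peer address from the transport only, never from X-Forwarded-For. The class, its constructor arguments and the clock injection are assumptions for this illustration.

```python
import time
from collections import deque


class SlidingWindowLimiter:
    """Per-key sliding window with a hard cap on the number of tracked keys."""
    def __init__(self, limit, window_seconds, max_buckets=10_000, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.max_buckets = max_buckets
        self.clock = clock
        self._buckets = {}  # key -> deque of request timestamps still in the window

    def _prune_idle(self, now):
        """Drop keys with no request inside the window; active clients are never touched."""
        cutoff = now - self.window
        for key in [k for k, b in self._buckets.items() if not b or b[-1] <= cutoff]:
            del self._buckets[key]

    def check(self, key):
        """Account one request on key; return (allowed, remaining, retry_after_seconds)."""
        now = self.clock()
        bucket = self._buckets.get(key)
        if bucket is None:
            if len(self._buckets) >= self.max_buckets:
                self._prune_idle(now)
            if len(self._buckets) >= self.max_buckets:
                # Still full: refuse the newcomer instead of evicting someone active,
                # so churning fresh keys cannot reset an existing client's quota.
                return False, 0, self.window
            bucket = self._buckets[key] = deque()
        while bucket and bucket[0] <= now - self.window:  # expire old timestamps
            bucket.popleft()
        if len(bucket) >= self.limit:
            return False, 0, bucket[0] + self.window - now
        bucket.append(now)
        return True, self.limit - len(bucket), 0


def client_keys(scope, token):
    """Per-IP and per-identity (ip:token) keys from the ASGI scope.

    Only the transport-level peer address is used; X-Forwarded-For is ignored
    because any client can set it to whatever it likes.
    """
    ip = (scope.get("client") or ("unknown", 0))[0]
    return ip, f"{ip}:{token}"
```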
End-to-end tests exercising the full middleware chain:
- Valid token → 200, missing/wrong → 401, exceeded → 429
- Auth rejects don't consume rate limit budget (middleware order)
- Rate limit headers present on success, retry-after on 429
- Per-IP independent rate limiting + window recovery
13 integration tests, 47 total passing.
Closes #3
Co-authored-by: Brian Krafft <bkrafft@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
SHA-pinned actions, py313-aligned ruff, pinned tool versions. Closes #33
…C 1.1 + 1.2] 13 Protocol interfaces, 16 frozen dataclasses, 7 new enums, _deep_freeze helper. 43 tests.
…EPIC 1.5] OpenSpaceError base + 11 exceptions, map_to_mcp_error_code wired end-to-end, client-safe messaging, range-based retryable. 55 tests.
… redaction [EPIC 1.6] (#451) EPIC 1.6 Structured Logging — 5 review rounds, 2/3 APPROVE gate passed (GPT-5.4 /8eyes + Sonnet 4 /8eyes). 31 tests, 406 total pass.
…3] (#453) EPIC 1.3 AppContainer — 2 review rounds, 2/3 APPROVE gate passed (GPT-5.4 /8eyes + Sonnet 4 /8eyes). 25 tests, 431 total pass.
… 1.4] (#455)
EPIC 1.4 — OpenSpace Delegation (Issues HKUDS#68-71):
- OpenSpace.__init__ accepts optional container=AppContainer parameter
- OpenSpace.from_container() classmethod for container-based creation
- Public property accessors: llm_client, grounding_client, grounding_config, skill_registry, skill_store, skill_evolver, container
- EXPLICIT CONTRACT: Phase 1 stores container for property access only. initialize() still constructs services internally. Phase 4 wires initialize() to resolve from container. Docstrings warn clearly.
- Full backward compatibility — OpenSpace(config=...) unchanged
21 delegation tests, 431 total pass, zero regressions.
Closes HKUDS#68, Closes HKUDS#69, Closes HKUDS#70, Closes HKUDS#71
Co-authored-by: Brian Krafft <bkrafft@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- HKUDS#80: Domain import purity (AST-based, allowlist for known tech debt)
- HKUDS#81: MCP handler private-field guard (AST-based, allowlist for known)
- #82: File size guard (15KB, warning-only in Phase 1, enforce Phase 7)
- #83: CI integration (tests in tests/ = CI Tier 1)
11 tests, known violations documented with count guards.
Closes HKUDS#80, closes HKUDS#81, closes #82, closes #83, closes #366
Co-authored-by: Brian Krafft <bkrafft@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
….8] (#459)
- #56: REST API spec (docs/sdk-api-spec.md) — /api/v2/ endpoints
- HKUDS#57: Public API surface (docs/sdk-public-surface.md) — operations, auth, rate limits
- HKUDS#58: Contract tests (tests/test_sdk_contract.py) — 26 tests, test-first for Phase 6
Envelope, error codes, request/response types, type consistency guards.
Closes #56, closes HKUDS#57, closes HKUDS#58, closes #360
Co-authored-by: Brian Krafft <bkrafft@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
… resolver [EPIC 2.1] (#461)
- #84: LeaseSchema Pydantic model (filesystem, network, process, resources, secrets)
- #85: parse_lease/validate_lease with strict validation
- #86: TIER_DEFAULTS T0-T4 with monotonic permissiveness
- #87: InMemoryLeaseResolver implementing CapabilityLeaseResolverPort
- #88: 42 tests covering schema, tiers, parser, resolver, policy conversion
Security: T0 enforces no network/shell/secrets, denied_paths/blocked_domains non-empty invariants, cloud metadata always blocked, lease_to_sandbox_policy conversion.
Closes #84, closes #85, closes #86, closes #87, closes #88, closes #367
Co-authored-by: Brian Krafft <bkrafft@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ion [EPIC 2.2] (#463)
- #89: Virtual path resolution (skills://current/** → jailed real path)
- #90: Read/write/deny enforcement with max bytes, pattern matching, temp-dir restriction
- #91: Chroot-style jailing with symlink/traversal escape prevention
- #92: TOCTOU protection via O_NOFOLLOW, post-open /proc/self/fd verification
- #93: Property-based tests (11 traversal payloads, null bytes, chained symlinks)
- #94: Concurrent symlink-creation race tests (POSIX only)
53 tests (7 skipped on Windows due to symlink constraints). FilesystemBrokerPort added to domain/ports.py.
Closes #89, closes #90, closes #91, closes #92, closes #93, closes #94, closes #368
Co-authored-by: Brian Krafft <bkrafft@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…] (#465)
- NetworkProxyConfig from NetworkCapability with outbound gate
- Domain allow/deny with glob matching (deny-before-allow)
- Port filtering with range validation
- ConnectionTracker with async lock and configurable limit
- NetworkProxy: full lifecycle (check, connect, disconnect, shutdown)
- Fix EPIC 2.1 R5 deferred: outbound=False clears allowed_domains
- Fix T0/T1 LeaseSchema validation: reject non-empty allowed_domains
- NetworkProxyPort protocol in domain/ports.py
- 49 tests covering all 4 issues (#95-#98)
Issues: #95, #96, #97, #98
Epic: #369
Co-authored-by: Brian Krafft <bkrafft@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Add bare domain entries for all DNS rebinding services (nip.io, sslip.io, etc.)
- Add _BLOCKED_IP_NETWORKS covering loopback, link-local, ULA, unspecified
- Add _is_blocked_ip() check in check_domain_blocked() before pattern matching
- 15 regression tests for R2 /8eyes findings
- 74 net proxy tests, 677 total suite, 0 failures
Resolves /8eyes R2 findings on PR #465:
- Apex DNS rebinding bypass (localtest.me without subdomain)
- Loopback SSRF via 127.0.0.1/::1 with allowed_domains=('*',)
Co-authored-by: Brian Krafft <bkrafft@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
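An added example (not the project's network proxy code) of the check order this commit describes: IP literals are screened against the blocked networks before any domain pattern matching, so an allow list of ('*',) no longer lets 127.0.0.1 or ::1 through, and the rebinding services get bare apex entries alongside their wildcard form. The function names come from the commit message; their signatures, the network list and the sample service list are constructed for this illustration (the real list says "etc."). It also folds IPv4-mapped IPv6 literals back to IPv4, a case the commit does not mention.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed from the commit text; treat it as a sample, not the project's full list.
REBINDING_SERVICES = ("nip.io", "sslip.io", "localtest.me")
BLOCKED_DOMAINS = REBINDING_SERVICES + tuple("*." + d for d in REBINDING_SERVICES)
_BLOCKED_IP_NETWORKS = tuple(ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128",        # loopback
    "169.254.0.0/16", "fe80::/10",   # link-local (covers the cloud metadata address)
    "fc00::/7",                      # IPv6 unique local addresses
    "0.0.0.0/8", "::/128",           # unspecified
))


def _is_blocked_ip(host):
    """True when host is an IP literal inside a blocked network."""
    try:
        addr = ipaddress.ip_address(host.strip("[]"))  # accept bracketed IPv6
    except ValueError:
        return False  # not an IP literal: leave it to the domain patterns
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return any(addr in net for net in _BLOCKED_IP_NETWORKS)


def check_domain_blocked(host, allowed_domains=("*",), blocked_domains=BLOCKED_DOMAINS):
    """Deny-before-allow: IP literals first, then blocked patterns, then the allow list.

    Returns (blocked, reason). A '*' allow list alone would match 127.0.0.1,
    which is why the IP screen runs before any pattern matching.
    """
    host = host.strip().lower().rstrip(".")
    if _is_blocked_ip(host):
        return True, "ip literal in blocked network"
    for pattern in blocked_domains:  # bare entries catch the apex, '*.x' the subdomains
        if fnmatch(host, pattern):
            return True, f"matches blocked pattern {pattern}"
    if not any(fnmatch(host, pattern) for pattern in allowed_domains):
        return True, "not in allowed_domains"
    return False, "allowed"
```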
…] (#469)
- ProcessBrokerPort protocol in ports.py
- ProcessBrokerConfig.from_capability pattern (follows 2.2/2.3)
- Command allow/deny with REQUIRED_BLOCKED_COMMANDS safety invariant
- Shell invocation control: 19 shell binaries + 14 shell wrappers (env/busybox/sudo)
- Args inspection catches wrapper-mediated shell bypass (env bash, busybox sh)
- .exe extension stripping for cross-platform matching (rm.exe → rm)
- Quoted path stripping in _extract_basename
- Dangerous syscall restriction (12 syscalls: link/symlink/rename/mount/chroot/mknod)
- Link command blocking (ln/mklink/mount/fusermount/mknod)
- ProcessTracker: thread-safe concurrency limits + execution timeout
- Atomic check_and_track() prevents TOCTOU between validation and reservation
- list_processes() returns defensive copies (prevents internal state mutation)
- 122 tests across 16 test classes, 799 total suite, 0 failures
R1 fixes: shell wrapper bypass, .exe extension bypass, quoted path bypass, mutable record leak, TOCTOU race, missing shells (ash/rbash/rksh)
Closes #99, Closes #100, Closes #101, Closes #102, Closes #103
Co-authored-by: Brian Krafft <bkrafft@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
… [EPIC 2.5] (#471)
- HMAC-SHA256 signed tokens with claims (subject, scopes, trust tier, expiry)
- TokenScope enum: 7 scopes (tool:execute, tool:search, tool:admin, secret:read/write, lease:acquire/admin)
- Per-tool authorization: scope + tier + subject block/allow enforcement
- Trust-tier gating: caller tier ceiling prevents privilege escalation
- Token lifecycle: create, validate, revoke, expire with bounded FIFO registry
- AuthProvider: concrete AuthPort with full validation pipeline
- Default policies for 4 built-in MCP tools (execute_task, search_skills, fix_skill, upload_skill)
- Unknown tools require TOOL_ADMIN + T3 by default (deny-before-allow)
- 73 tests across 15 test classes
Closes #51
Co-authored-by: Brian Krafft <bkrafft@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ty-based access [EPIC 2.6]
- SecretStore: thread-safe, encrypted, scoped storage (task/session/global)
- SecretBroker: concrete SecretBrokerPort with lease-based access control
- At-rest encryption via HMAC-derived XOR cipher (no external deps)
- 5-layer access control: capability → scope → key → count → encryption
- SecretCapability integration: allowed_scopes, allowed_keys, max_secrets
- Lazy expiry on get/list, bounded storage per scope (1000 max)
- Key validation: charset whitelist, length limits
- 53 tests across 8 test classes
Closes #52
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
… branch protection
Implements the autonomous development loop for P3-P7 execution:
- AGENTS.md: Prime directive with epic cycle, 3-round review cap, safety rails
- RUNBOOK.yaml: Structured YAML state tracker with 35 epics, session locking
- CODEOWNERS: AGENTS.md + RUNBOOK.yaml require admin review
- CI: pip-audit now blocks merge (removed continue-on-error)
- Branch protection: 1 human approval, CODEOWNERS enforced, 4 required checks
- session-init: Extended with RUNBOOK detection + auto-resume logic
Reviewed by /8eyes (4 roles) + /collab across GPT-5.4 and Claude Opus 4.6.
Security audit: 9/10 findings resolved, approved with minor follow-ups.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
VonkraLLC approved these changes on Apr 2, 2026 and left a comment:
Approved: Autonomous loop infrastructure — RUNBOOK.yaml, AGENTS.md, session-init, CODEOWNERS.
Owner/Author comment: Replaced by clean-rebased branch
Summary
Implements the autonomous development loop for continuous P3-P7 execution.
Artifacts
Review History
Branch Protection (already applied)
Phase: Infrastructure (cross-phase)