9 releases 9 tags

RSS feed

• v1.19.2 970942f5e7

  Compare

  v1.19.2 — PR Review Hardening Stable

  Gravity Bot released this 2026-02-23 14:58:45 +00:00 | 0 commits to main since this release

  What's Changed

  v1.19.2 addresses all findings from two rounds of automated PR review on the v1.19.1 release. This is a hardening release — no new features, only security fixes, bug fixes, test improvements, and CI enhancements.

  Security

  • SSRF prevention: Validate OIDC issuer URL in all code paths including hot-reload via NATS; block IPv4-mapped IPv6 metadata addresses; reject exotic URL schemes (javascript:, data:)
  • Secret redaction: Strip oidc_client_secret from event log payloads before publishing to outbox
  • Prompt injection: Escape </user_content> closing delimiter in Claude dispatch prompt sanitization
  • Cookie security: Propagate SESSION_SECURE flag to OIDC state/nonce cookies
  • Session hardening: Improve session cookie security defaults (SameSite, HttpOnly, Secure)
  • Request limits: Add 1 MB global request body size limit to event-engine job API
  • Port binding: Bind all Docker services to 127.0.0.1 (was 0.0.0.0 for app/monitoring services)
  • CI supply chain: Pin golangci-lint install script to release tag (was unpinned HEAD)

  Bug Fixes

  • Soft-delete invariant: Add AND deleted_at IS NULL to 3 UpdateXxxTx methods that could update soft-deleted rows
  • Transaction isolation: Fix empty-update fallback reading from pool outside caller's transaction in all Tx methods
  • Transactional reads: Move DeleteProject/PurgeProject project reads inside transaction with FOR UPDATE locking
  • Domain events: PurgeProject now emits ProjectDeleted event with purged: true flag
  • SQL enum cast: Fix PostgreSQL implicit text→enum cast failure in ReapStaleJobs CASE expression
  • Reaper logic: ReapStaleJobs now marks exhausted-retry jobs as dead instead of cycling through failed
  • Atomic retries: Use SQL retries = retries + 1 in processor to prevent race with reaper
  • TOCTOU fix: Construct UpdateAuthSettings response inline from saved settings
  • Graceful shutdown: Add signal-handling graceful shutdown to gravity-pm server
  • Server timeouts: Add ReadHeaderTimeout (10s) and IdleTimeout (120s) to both HTTP servers
  • Deterministic SQL: Sort parameter keys in buildUpdateSets for reproducible query plans
  • Column allowlists: Add per-entity column allowlists to prevent arbitrary column updates
  • Error leakage: Log full stderr from Claude CLI server-side; return generic error to clients

  Refactoring

  • Consolidate NATS JetStream API and connection lifecycle in event-engine
  • Extract sub-functions from event-engine main and processor
  • Standardize slog usage across both service entrypoints
  • Transactional outbox for settings updates

  Testing

  • Coverage gate: Raised CI minimum from 22% to 40%
  • Templ filtering: Exclude generated *_templ.go files from gravity-pm coverage calculation
  • gravity-pm: 21.9% → 49.9% (filtered) — handler 69.1%, auth 46.1%, config 77.3%, event 62.8%
  • event-engine: 27.7% → 62.1% (with DB) — handler 81.2%, store 68.1%, webhook 74.1%, engine 72.9%
  • New tests: 65+ test cases across handler, auth, web, and store packages
  • Flaky test fix: Namespace actor_type per test package to prevent concurrent cleanup collision
  • CI database: PostgreSQL service added to event-engine CI job for integration tests
  • Auth wiring: Route-level middleware tests for all admin-protected endpoints

  Infrastructure

  • Add healthchecks to all Docker Compose services
  • Complete .env.example with all consumed environment variables (empty values with generation instructions)
  • Fix Grafana histogram_quantile queries with proper sum by (le) aggregation

  Work Packages

  46 work packages across 2 epics (OP#1746, OP#1765, OP#1776) — all closed.

  Full PR: #10

  Downloads

  • Source code (ZIP)
    0 downloads
  • Source code (TAR.GZ)
    0 downloads