@flyingrobots flyingrobots commented Jan 8, 2026

Summary

This PR finalizes the 2.7.0 release, refactoring the core infrastructure for production stability and cross-runtime compatibility (Node.js, Bun, Deno).

Key Changes

  • Refactored GitStream: Implemented idempotent destruction and memory-efficient collection.
  • Hardened Security: Tightened environment policies and implemented strict command sanitization with global flag blocking.
  • Enhanced Orchestration: Corrected backoff logic and implemented total operation timeouts.
  • Canonical Persistence: Updated to use for messages and fixed Git date formatting.
  • Domain Purity: Standardized entity constructors with Zod validation and removed Node-specific dependencies from the main entry point.
  • Full Documentation: Added Design Principles, Security Model, and comprehensive usage examples.

Verification

  • 133 tests passed across all runtimes via Docker Compose.
  • Addressed all CodeRabbitAI review feedback.

Summary by CodeRabbit

Release Notes

  • New Features

    • Published comprehensive Security Model documentation detailing environment controls, prohibited operations, and resource protection mechanisms
    • Strengthened security validation for command and flag processing
  • Documentation

    • Restructured README around security-first design principles
    • Simplified API examples and updated documentation navigation
  • Bug Fixes

    • Resolved stream handling edge case preventing double-destruction


- GitStream: Make destroy() idempotent and reuse TextEncoder
- EnvironmentPolicy: Remove GIT_EXEC_PATH and GIT_TEMPLATE_DIR from default whitelist
- CommandSanitizer: Optimize cache key and treat --version as special-case global
- GitPersistenceService: Use stdin for commit-tree messages and fix date format
- GitRef: Refine @ validation to match git-check-ref-format
- GitTree: Consistently use Zod schema in constructor
- SECURITY.md: Add security model documentation
- README.md: Add Design Principles and Killer Example
- GitCommandBuilder: Correct commit-tree argument structure and restore version()
- GitPersistenceService: Fix tree entry type detection and use stdin for commit messages
- GitRefSchema: Better @ validation and control character checks
- ExecutionOrchestrator: Fix backoff off-by-one and add safety throw
- CommandSanitizer: Memory-efficient cache and type validation
- Sync package.json and CHANGELOG versions to 2.7.0
- Address Node compatibility in index.js and fix flaky tests
coderabbitai bot commented Jan 8, 2026

Caution: Review failed. The pull request is closed.

Walkthrough

This PR implements a hardened security model for Git command execution, restructuring flag and environment validation, simplifying message delivery via stdin, enhancing resource cleanup idempotency, and updating documentation to emphasize security-by-default design principles.

Changes

Cohort / File(s) / Summary
Documentation & Security Policy
README.md, SECURITY.md
README refactored to highlight Design Principles (security-by-default, streaming-first, domain purity) over implementation details; extensive sections on runners and streaming removed. SECURITY.md renamed from "Security Policy" to "Security Model" with new sections on Prohibited Flags, Whitelisted Commands, Environment Policy, OOM/Resource Protection, and vulnerability reporting.
Core Security Services
src/domain/services/CommandSanitizer.js, src/domain/services/EnvironmentPolicy.js
CommandSanitizer restructured: PROHIBITED_FLAGS renamed to PROHIBITED_GLOBAL_FLAGS with new PROHIBITED_COMMAND_FLAGS set; global flags now prohibited anywhere (not just pre-subcommand); cache key strategy optimized using composite key; --version added as special-case allowlist. EnvironmentPolicy: GIT_EXEC_PATH and GIT_TEMPLATE_DIR moved from allowed to blocked list; GIT_CONFIG_PARAMETERS added to blocked keys.
Git Command Infrastructure
src/domain/services/GitPersistenceService.js, src/domain/services/GitCommandBuilder.js, src/domain/services/GitBinaryChecker.js
GitPersistenceService changes commit message delivery from builder.message() to stdin input stream. GitCommandBuilder documentation clarified (removed shared pretty-print note). GitBinaryChecker comment updated to note sanitizer special-case handling of --version.
Domain Entities & Value Objects
src/domain/entities/GitTree.js, src/domain/value-objects/GitRef.js
GitTree constructor broadened to accept `GitSha
Stream Infrastructure
src/infrastructure/GitStream.js
Introduces shared TextEncoder instance and _destroyed flag; optimizes chunk encoding; adds idempotent destroy guard to prevent double destruction.
Test Updates
test/domain/services/CommandSanitizer.test.js, test/domain/services/GitCommandBuilder.test.js
CommandSanitizer tests broaden to verify global flags blocked anywhere; --version special case isolated; memoization test simplified. GitCommandBuilder test removes .message() call from commitTree chain and updates expected args accordingly.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰✨ Flags now forbidden far and wide,
Messages flow through stdin's tide,
Security by design, our delight,
Git plumbing wrapped tight—
Hopping toward hardened skies! 🌟

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2704980 and 8760169.

📒 Files selected for processing (13)
  • README.md
  • SECURITY.md
  • src/combined_files.txt
  • src/domain/entities/GitTree.js
  • src/domain/services/CommandSanitizer.js
  • src/domain/services/EnvironmentPolicy.js
  • src/domain/services/GitBinaryChecker.js
  • src/domain/services/GitCommandBuilder.js
  • src/domain/services/GitPersistenceService.js
  • src/domain/value-objects/GitRef.js
  • src/infrastructure/GitStream.js
  • test/domain/services/CommandSanitizer.test.js
  • test/domain/services/GitCommandBuilder.test.js

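The sanitizer and environment-policy behaviour described in the "Hardened Security" bullet and in the walkthrough (global flags rejected at any argv position, `--version` as the single special case, a bounded memoization cache, GIT_EXEC_PATH / GIT_TEMPLATE_DIR / GIT_CONFIG_PARAMETERS never forwarded), as an added illustration that is not the project's own code. The specific flag sets, command allowlist, cache size and error messages are assumptions made for the demo.

```javascript
// Added example, not project code. Sets below are illustrative assumptions.
const ALLOWED_COMMANDS = new Set(['hash-object', 'cat-file', 'commit-tree', 'update-ref', 'rev-parse']);
// Global git options that change which binary/repo git operates on: rejected at ANY position.
const PROHIBITED_GLOBAL_FLAGS = new Set(['-c', '--exec-path', '--git-dir', '--work-tree', '--namespace']);
// Per-subcommand flags that could invoke helper programs or rewrite config.
const PROHIBITED_COMMAND_FLAGS = new Set(['--upload-pack', '--receive-pack', '--config']);
const BLOCKED_ENV = new Set(['GIT_EXEC_PATH', 'GIT_TEMPLATE_DIR', 'GIT_CONFIG_PARAMETERS']);
const ALLOWED_ENV = new Set(['PATH', 'HOME', 'LANG', 'GIT_DIR']);
const MAX_CACHE = 256;            // assumed bound so the memo cannot grow without limit
const cache = new Map();          // Map keeps insertion order, so the first key is the oldest

// "--exec-path=/x" must be caught as "--exec-path".
function flagName(arg) {
  const i = arg.indexOf('=');
  return i === -1 ? arg : arg.slice(0, i);
}

function sanitizeArgs(args) {
  if (!Array.isArray(args) || !args.every(a => typeof a === 'string')) {
    throw new TypeError('args must be an array of strings');
  }
  // Composite key: one string per argv; equal argv lists share one verdict.
  const key = args.join('\0');
  if (cache.has(key)) return cache.get(key);
  let result;
  if (args.length === 1 && args[0] === '--version') {
    result = ['--version'];       // the only global-looking flag the binary checker needs
  } else {
    for (const a of args) {
      if (PROHIBITED_GLOBAL_FLAGS.has(flagName(a))) throw new Error(`global flag not allowed anywhere: ${flagName(a)}`);
      if (/[\x00-\x1f\x7f]/.test(a)) throw new Error('control character in argument');
    }
    const [cmd, ...rest] = args;
    if (!ALLOWED_COMMANDS.has(cmd)) throw new Error(`command not allowed: ${cmd}`);
    for (const a of rest) {
      if (PROHIBITED_COMMAND_FLAGS.has(flagName(a))) throw new Error(`flag not allowed: ${flagName(a)}`);
    }
    result = args.slice();
  }
  if (cache.size >= MAX_CACHE) cache.delete(cache.keys().next().value); // evict oldest
  cache.set(key, result);
  return result;
}

// Deny-by-default: only allowlisted keys are forwarded, and blocked keys never are.
function buildEnv(parentEnv) {
  const env = {};
  for (const [k, v] of Object.entries(parentEnv)) {
    if (!BLOCKED_ENV.has(k) && ALLOWED_ENV.has(k)) env[k] = v;
  }
  return env;
}
```

Rejections are not cached, so a malformed argv is re-validated on every call and never poisons the memo.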

@flyingrobots flyingrobots merged commit ae578ae into main Jan 8, 2026
2 of 3 checks passed
@flyingrobots flyingrobots deleted the hexagonal-architecture branch January 8, 2026 01:11