harden config and repository metadata checks #7

Merged: iarunsaragadam merged 1 commit into main from codex/config-contract-hardening on Jun 2, 2026
@iarunsaragadam

Summary

  • reject unsupported or hostless Postgres URLs during config validation
  • redact Postgres passwords carried in URL query parameters without rewriting passwordless URLs
  • remove stale CODEOWNERS entries and add a CI/release guard for missing CODEOWNERS paths
  • pin README go get examples to the current release and correct the VerifyKey.action proto comment

Tests

  • go test -count=1 ./...
  • KEYCHAIN_TEST_POSTGRES_URL=postgres://keychain:keychain@localhost:55432/keychain?sslmode=disable go test -count=1 -race -timeout=600s ./...
  • KEYCHAIN_TEST_POSTGRES_URL=postgres://keychain:keychain@localhost:55432/keychain?sslmode=disable bash scripts/run-coverage.sh && bash scripts/coverage-gate.sh cover.out --config .coverage-gates.yml
  • golangci-lint run --config=.golangci.yml ./...
  • /Users/arun/go/bin/govulncheck ./...
  • actionlint .github/workflows/*.yml
  • bash scripts/check-codeowners.sh
  • bash -n scripts/*.sh test/e2e/*.sh
  • git diff --check
  • go test -tags=smoke -timeout=120s ./tests/smoke/...
  • bash scripts/run-go-fuzz-targets.sh 15s
  • docker build --target server -t keychain:local .
  • test/e2e/run-docker-compose-suite.sh

@github-actions

github-actions Bot commented Jun 2, 2026

All committers have signed the CLA; thanks.

@iarunsaragadam iarunsaragadam merged commit 75961dc into main Jun 2, 2026
14 checks passed
@iarunsaragadam iarunsaragadam deleted the codex/config-contract-hardening branch June 2, 2026 14:27

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4a158f6a4b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread internal/config/config.go
Comment on lines +95 to +97
if u.Host == "" {
return errors.New("KEYCHAIN_POSTGRES_URL must include a host")
}
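
Review bot: the `u.Host == ""` test on line +95 still passes for an authority that carries a port but no hostname, for example `postgres://:5432/keychain`, because `url.URL.Host` is the `host:port` pair and is `":5432"` in that case. If the intent is to reject every hostless URL, compare `u.Hostname()` instead and add a test case with a port-only authority.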

P2 Badge Accept host query parameters for socket URLs

When deployments use the PostgreSQL URI form for Unix sockets, e.g. postgresql:///keychain?host=/var/run/postgresql, the host is intentionally supplied as a query parameter while the URI authority is empty; pgx/libpq accepts that shape, but this new validation rejects it before postgres.New can open the store. This regresses socket-based setups such as local Postgres or Cloud SQL proxy sockets, so the host check should account for host in the parsed query rather than requiring u.Host to be non-empty.

Useful? React with 👍 / 👎.
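
The host check this review comment asks for, together with the query-parameter redaction from the PR summary, as an added example that is not the project's code. The function names, the `REDACTED` marker and the sample URL are assumptions; only the standard library's `net/url` is used.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// validatePostgresURL (hypothetical name) accepts the host from the authority or
// from the "host" query parameter (socket form); a bare ":5432" is hostless.
func validatePostgresURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil { // never echo raw in the error: it may carry a password
		return errors.New("KEYCHAIN_POSTGRES_URL is not a valid URL")
	}
	if u.Scheme != "postgres" && u.Scheme != "postgresql" {
		return errors.New("KEYCHAIN_POSTGRES_URL must use postgres:// or postgresql://")
	}
	if u.Hostname() == "" && u.Query().Get("host") == "" {
		return errors.New("KEYCHAIN_POSTGRES_URL must include a host")
	}
	return nil
}

// redactPostgresURL (hypothetical name) masks a password in the userinfo or in
// a "password" query parameter; a URL with neither is returned unchanged.
func redactPostgresURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return "<unparseable postgres url>"
	}
	q := u.Query()
	_, inUserinfo := u.User.Password()
	if !inUserinfo && !q.Has("password") {
		return raw
	}
	if inUserinfo {
		u.User = url.UserPassword(u.User.Username(), "REDACTED")
	}
	if q.Has("password") {
		q.Set("password", "REDACTED")
		u.RawQuery = q.Encode()
	}
	return u.String()
}

func main() {
	s := "postgresql:///keychain?host=/var/run/postgresql&password=s3cret" // constructed sample
	fmt.Println(validatePostgresURL(s), redactPostgresURL(s))
}
```

Returning the input untouched when no password is present keeps log output and error messages identical to what the operator configured, since re-encoding through `url.Values` reorders and escapes query parameters.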