Skip to content

add non-interactive template and migrate flows; harden deps freeze; bump deps#35

Open
bsummers-tc wants to merge 9 commits into
ThreatConnect-Inc:mainfrom
bsummers-tc:main
Open

add non-interactive template and migrate flows; harden deps freeze; bump deps#35
bsummers-tc wants to merge 9 commits into
ThreatConnect-Inc:mainfrom
bsummers-tc:main

Conversation

@bsummers-tc

Copy link
Copy Markdown
Contributor

No description provided.

added initial claude code configuration - WIP
Build
- Loosen and bump runtime pins in pyproject.toml: arrow 1.4, black 26.5.1,
  isort 8.0.1, jmespath 1.1, pydantic 1.10.26, pyyaml 6.0.3, requests 2.34.2,
  rich 15.0.0, typer >=0.26.7, wrapt 2.2.1; switch fakeredis to >= floor
- Bump dev/test tool floors: bandit 1.9.4, pre-commit 4.6.0, pyupgrade 3.21.2,
  ruff 0.15.16, ty 0.0.43, pytest-cov 7.1.0
- Regenerate uv.lock to match the new constraints

Config
- Drop the [tool.ty.rules] override block (invalid-attribute-override and
  invalid-method-override no longer ignored)
- Expand the Bash git deny list in .claude/settings.json to block commit,
  push, pull, merge, rebase, reset, restore, revert, stash, cherry-pick,
  branch/tag mutation, worktree add/remove/prune, submodule update/deinit,
  and other history-rewriting commands

Submodules
- Bump app/config, pleb, requests_tc, and util pointers to their
  "linting and general cleanup" commits
…ump deps

Template
- update: honor each template.yaml `template_files` as template-owned and
  reconcile them against the template hash on every update (restoring local
  edits), independent of the manifest `last_commit`
- update: add `--no-prompt` for a fully non-interactive run; modified
  non-template files are preserved and reported, never clobbered
- template_cli: add `_collect_template_file_keys` (union `template_files` across
  the parent chain; map `gitignore` -> `.gitignore`)
- template_cli: fix `_build_merged_template` so the renamed `.gitignore` manifest
  entry is computed from the file actually written (manifest/content consistency)
- planner: `build()` gains `force_keys`; `apply()` gains `no_prompt` and returns
  the preserved-file list

Migrate
- migrate: replace `--update-code` with dry-run-by-default `--apply/--no-apply`
  (keeps `--update-code` as an alias); preview shows changes without writing
- migrate: add `--prompt/--no-prompt` (`--apply --no-prompt` applies all changes
  unattended) and a scanned/proposed/applied/changed run summary
- migrate_cli: skip any dot-directory (.git, .venv, .claude) and skip-dir during
  the walk; correct the "tcex migrate" exception label

Deps
- deps_cli: run `pip freeze` via uv/python with `shell=False` list args instead
  of `shell=True` (B603-justified), removing the shell-injection surface
- deps_cli: hard-fail instead of writing an empty requirements.lock; always write
  a trailing newline

Tests
- template: add test_template_files_force.py and test_gitignore_merge.py; update
  test_template_commands.py for the new template-ownership contract
- template: refresh tcex-app-templates-v2.zip fixture to add `gitignore` to the
  _app_common `template_files` (match upstream v2)
- migrate: add tests/migrate/test_migrate_cli.py
- deps: update test_tcex_deps.py; pin `tcex>=4.0.9` in app_1 requirements

Build / Config
- bump version 1.0.6-dev2 -> 1.0.6-dev3; refresh uv.lock dependency pins
- gitignore: ignore the extracted `tcex-app-templates-2` template directory
- settings: clear the `permissions.allow` list
- scripts: mark enforce_*.sh executable (100644 -> 100755)
@bsummers-tc bsummers-tc self-assigned this Jun 20, 2026
CLI
- Add --authenticate opt-in flag to init, list, and update template commands
- TemplateCli.__init__ now accepts authenticate (default False); session only
  applies HTTPBasicAuth when authenticate is True and both GITHUB_USER and
  GITHUB_PAT are set
- Render a warning when --authenticate is passed but credentials are missing,
  continuing unauthenticated (60 requests/hour limit)
- Document GITHUB_USER and GITHUB_PAT in the init/list/update help text

Tests
- Add TestSessionAuth covering the session auth gating: no auth when
  authenticate is False, HTTPBasicAuth when authenticate is True with creds,
  and warning + no auth when a credential is missing

Config
- Move enforcement hooks from .claude/scripts/ to .claude/hooks/ and repoint
  the PreToolUse hook commands in settings.json
- Drop the CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS env var from settings.json
- Add tcex-plan-reviewer agent and update tcex-orchestrator agent

Docs
- Update CLAUDE.md: Claude never stages (git add) nor commits; leave changes
  unstaged for the operator to review, stage, and commit
- Reflect the new .claude/hooks/ location and add tcex-plan-reviewer to the
  agents table
Run
- Add app_inputs.d/ multi-config support: RunCli.resolve_config picks an
  explicit --config, then app_inputs.json, then a selection menu over
  app_inputs.d/*.json; RunCli.run owns resolution and passes the resolved path
  to every Launch* arm
- Change run.py --config to default None (typer Option) and thread the raw
  value through; expand the command docstring with a Configuration & secrets
  section (precedence, ${env.X} and .env BaseSettings fallback, shared .env)
- LaunchPlaybook.validate_inputs: cross-check #App: variable references in
  inputs against stage.kvstore before staging; hard-fail (panel) on referenced-
  but-unstaged with a "did you mean" suggestion, warn on staged-but-unreferenced
- Exclude tc_playbook_out_variables (declared outputs, not reads) from the
  staged-variable check via OUTPUT_VARIABLE_INPUTS
- LaunchABC._validate_env_variables: fail with a panel naming each undefined
  ${env.NAME} (with difflib "did you mean"); extract shared ENV_VAR_PATTERN and
  validate before substitution/json.loads in construct_model_inputs
- Replace the bare print on a malformed config with a Render.panel.failure JSON
  error panel naming the config file

Security
- Derive the local AES-CBC key in create_input_config with secrets.choice
  instead of random.choice; drop the blanket nosec
- Scope the tc_token nosec to "# nosec B107" with justification

App Inputs / Packaging
- tcex app-inputs writes app_inputs.d/<name>.json (creating the dir) with
  typer prompt --name/--description, a path-safe slug, and a top-level
  description field; CommonAppInputModel gains optional description
- package: exclude the app_inputs.d/ directory from build (_build_excludes_base)

Render
- Add table_app_inputs_d helper to render the app_inputs.d selection menu

Tests
- Add tests/run, tests/app_input, tests/package packages covering config
  resolution + menu, staged-variable and env-variable validation, slug
  sanitization, the description field, and the package exclude
…uild fixture

Template
- planner.py: replace the force_keys mechanism with a managed_only mode in
  Planner.build(); add _classify_managed_key() — managed runs hash-compare
  template-managed entries (skip when identical, else auto_update), skip
  non-managed keys, and never delete project files
- planner.py: add NotRequired 'managed' bool to the FileMeta TypedDict
- planner.py: drop no_prompt/preserved from Planner.apply(); it now returns None
- template_cli.py: replace the update() no_prompt parameter with managed; remove
  the now-unused _collect_template_file_keys()
- template_cli.py: fix the renamed gitignore merged-manifest entry — compute
  sha256 from the file actually written (self.hasher.sha256_file(dest)) instead
  of the stray parent '.gitignore' entry, falling back to 'unknown' last_commit
- update.py: replace the --no-prompt option with --managed (silent, non-
  interactive update of only template-managed files; nothing deleted)

Run
- launch_abc.py: redact the token value in the using-token setup log line

Tests
- add test_managed.py covering managed-mode plan classification and apply
- remove obsolete test_template_files_force.py (force_keys behavior)
- trim test_template_commands.py and test_gitignore_merge.py of removed
  force_keys / no_prompt paths
- conftest.py: collapse TemplateCli construction to a single line

Fixtures / Scripts
- add .claude/scripts/build_template_fixture.py to rebuild the GitHub-style
  fixture from git-tracked template files under a single tcex-app-templates-2/
  wrapper (dry-run by default, --commit to write)
- rebuild tests/template/fixtures/tcex-app-templates-v2.zip with the correct
  single top-level wrapper (was rooted at a leaked absolute path)

Docs / Config
- release_notes.md: reword APP-5299 for --managed; add APP-5305/5306/5307 for
  run app_inputs.d multi-config, ${env.VAR} validation, and kvstore input checks
- CLAUDE.md: condense the commit-policy wording
- .claude/agents/tcex-orchestrator.md: expand the orchestrator tools list
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant