diff --git a/.coderabbit.yaml b/.coderabbit.yaml index 9f8395d..2ad1470 100644 --- a/.coderabbit.yaml +++ b/.coderabbit.yaml @@ -39,7 +39,7 @@ reviews: - path: "src/core/feeds/**" instructions: > - Feed platform (cache bus, registry, 5 producers, daemon manager). + Feed platform (cache bus, registry, 8 producers, daemon manager). Review against these architecture rules: 1. Producers must be stateless — all persistence goes through the @@ -61,7 +61,7 @@ reviews: - path: "src/core/status-line/**" instructions: > - Status line segments (19 segments across 5 feed producers). + Status line segments (21 segments across 8 feed producers). Check that: 1. Segment output conforms to the status line format contract. @@ -140,7 +140,7 @@ reviews: User-facing documentation. Check for: 1. Architecture descriptions match current code (v1.2, feed platform, - 19 segments, 5 producers). Flag stale version references. + 21 segments, 8 producers). Flag stale version references. 2. Code examples must be runnable — no pseudo-code without labeling. 3. Links to source files must use relative paths and point to files that exist. diff --git a/.github/ISSUE_TEMPLATE/security_vulnerability.md b/.github/ISSUE_TEMPLATE/security_vulnerability.md index f6b066e..251540c 100644 --- a/.github/ISSUE_TEMPLATE/security_vulnerability.md +++ b/.github/ISSUE_TEMPLATE/security_vulnerability.md @@ -10,23 +10,29 @@ labels: security Only use this template for low-severity or already-patched security concerns. ## Vulnerability Type + ## Affected Component + ## Description + A clear description of the vulnerability and its potential impact. ## Reproduction Steps + 1. Configuration or setup required 2. Command or action to trigger 3. Observable result ## Suggested Fix + If you have a recommendation for how to fix this. ## Environment + - hookwise version: (run `hookwise --version`) - Node.js version: - OS: diff --git a/README.md b/README.md index bd72663..3fbff60 100644 --- a/README.md +++ b/README.md @@ -203,6 +203,4 @@ Key design choices: parameterized SQL everywhere, safe YAML parsing only, restri `git clone`, `go test -race ./...`, `task pr`. See [CONTRIBUTING.md](CONTRIBUTING.md). -[MIT](LICENSE) -- Built by [Vishnu](https://github.com/vishnujayvel). *Born from the gap between how fast AI makes you feel — and how fast you actually are.* - - \ No newline at end of file +[MIT](LICENSE) -- Built by [Vishnu](https://github.com/vishnujayvel). *Born from the gap between how fast AI makes you feel — and how fast you actually are.* \ No newline at end of file diff --git a/SECURITY.md b/SECURITY.md index 6c2bc11..3b758fd 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -12,8 +12,8 @@ If you discover a security vulnerability, please report it responsibly: -1. **Do not** open a public issue -2. Email **vishnu@hookwise.dev** with a description, reproduction steps, and impact assessment +1. **For sensitive vulnerabilities**, email **vishnu@hookwise.dev** with a description, reproduction steps, and impact assessment. Do not open a public issue for exploitable or unpatched vulnerabilities. +2. **For low-severity or already-patched issues**, you may use the [Security Vulnerability issue template](https://github.com/vishnujayvel/hookwise/issues/new?template=security_vulnerability.md). 3. You will receive an acknowledgment within 48 hours 4. We aim to release a fix within 7 days for confirmed vulnerabilities diff --git a/docs/architecture.md b/docs/architecture.md index 31c1a5d..60a8a91 100644 --- a/docs/architecture.md +++ b/docs/architecture.md @@ -32,7 +32,8 @@ Any unhandled exception anywhere in the dispatch pipeline results in `exit 0`. h ## Feed Platform Architecture -> **Diagram source:** feed-platform.excalidraw (in docs/assets/) -- open in [Excalidraw](https://excalidraw.com) for an editable hand-drawn version. +> **Diagram:** Feed platform showing 8 producers polling data sources on staggered intervals, writing to an atomic cache bus, consumed by 21 status line segments. +> **Source:** [feed-platform.excalidraw](assets/feed-platform.excalidraw) -- open in [Excalidraw](https://excalidraw.com) for an editable hand-drawn version. ```mermaid graph LR @@ -95,9 +96,9 @@ src/ tui/ # Interactive TUI (Python Textual) hookwise_tui/ # App, tabs, widgets, data readers -tests/ # 1440+ tests across 61 test files +tests/ # 1400+ tests across 61 test files core/ # Unit tests for each module - integration/ # End-to-end dispatch flow tests + integration/ # Mock-based integration tests (dispatch flow, pipeline wiring) performance/ # Benchmarks and import boundary tests cli/ # CLI command tests diff --git a/docs/cli.md b/docs/cli.md index d16425a..1a2ee7e 100644 --- a/docs/cli.md +++ b/docs/cli.md @@ -46,7 +46,7 @@ hookwise migrate Migrate from Python hookwise (v0.1.0) | Preset | What you get | |--------|-------------| | `minimal` | Guards only -- just the safety rails | -| `coaching` | Guards + metacognition + builder's trap + status line | +| `coaching` | Guards + metacognition + builder's trap + communication | | `analytics` | Guards + SQLite session tracking | | `full` | Everything enabled | diff --git a/scripts/calendar-feed.py b/scripts/calendar-feed.py index c36e258..97eebf5 100755 --- a/scripts/calendar-feed.py +++ b/scripts/calendar-feed.py @@ -77,13 +77,19 @@ def main(): sys.exit(1) SCOPES = ["https://www.googleapis.com/auth/calendar.readonly"] + COMPATIBLE_SCOPES = { + "https://www.googleapis.com/auth/calendar", + "https://www.googleapis.com/auth/calendar.readonly", + } creds = None if os.path.exists(TOKEN_PATH): - # Load without scope restriction — token may have been granted with - # full calendar scope (e.g., shared with Google Calendar MCP). + # Load with requested scopes so the library can validate them. # Both calendar and calendar.readonly work for read-only queries. - creds = Credentials.from_authorized_user_file(TOKEN_PATH) + creds = Credentials.from_authorized_user_file(TOKEN_PATH, scopes=SCOPES) + # Verify loaded scopes are compatible (exact URI match) + if creds and creds.scopes and not COMPATIBLE_SCOPES.intersection(creds.scopes): + creds = None # Incompatible scopes — re-trigger OAuth if not creds or not creds.valid: if creds and creds.expired and creds.refresh_token: