Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
858 changes: 840 additions & 18 deletions cmd/hookwise/cli_test.go

Large diffs are not rendered by default.

618 changes: 601 additions & 17 deletions cmd/hookwise/main.go

Large diffs are not rendered by default.

133 changes: 133 additions & 0 deletions docs/retro-status-line-bugs-50.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,133 @@
# Retrospective: Status-Line Pipeline Disconnection (Bug #50+)

**Date:** 2026-03-08
**Severity:** Medium (user-visible but non-blocking)
**Root Cause Category:** Integration gap — components work in isolation but fail end-to-end

## What Happened

The status line showed `session: -- | cost: -- | project: -- | calendar: --` — all placeholder
values despite data being available. Weather (the only live producer) was missing entirely.

## Five Bugs, One Root Cause Pattern

| Bug | Symptom | Root Cause | Layer |
|-----|---------|------------|-------|
| **B1: session: --** | No session count displayed | `dispatch` never called `analytics.StartSession()` — the analytics API was built but never wired to the dispatch pipeline | Integration |
| **B2: cost: --** | No cost displayed | Same as B1 — $0.00 because no sessions recorded | Integration |
| **B3: weather missing** | Weather segment not shown | `hookwise.yaml` segments list omitted `weather` despite weather feed being enabled and producing real data | Config |
| **B4: project/calendar: --** | Always shows `--` | Producers return `source: "placeholder"` — correctly filtered but ships as "done" | Design debt |

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Clarify B4 status — calendar producer was implemented in this PR.

Line 19 states project/calendar producers return placeholders, but the PR objectives indicate that this PR actually implemented a real Google Calendar integration with OAuth support, event handling, and 10 unit tests. The retrospective should distinguish between what was broken before vs. what this PR fixed.

📝 Suggested clarification
-| **B4: project/calendar: --** | Always shows `--` | Producers return `source: "placeholder"` — correctly filtered but ships as "done" | Design debt |
+| **B4: project/calendar: --** | Always shows `--` | Producers return `source: "placeholder"` — correctly filtered but ships as "done" (calendar fixed in this PR, project tracked separately) | Design debt |
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
| **B4: project/calendar: --** | Always shows `--` | Producers return `source: "placeholder"` — correctly filtered but ships as "done" | Design debt |
| **B4: project/calendar: --** | Always shows `--` | Producers return `source: "placeholder"` — correctly filtered but ships as "done" (calendar fixed in this PR, project tracked separately) | Design debt |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/retro-status-line-bugs-50.md` at line 19, Update the B4 line for
project/calendar to reflect that the PR implemented a working Google Calendar
integration (OAuth support, event handling, and 10 unit tests) rather than
stating producers return placeholders; edit the text referencing
"project/calendar" and "producers" so it distinguishes the prior state (returned
placeholder/source: \"placeholder\") from the new state introduced by this PR
(real Google Calendar integration with OAuth, event syncing, and tests), and
ensure the retrospective notes both what was broken before and what this PR
fixed.

| **B5: timezone mismatch** | Same-connection queries return 0 | `StartSession` stores UTC timestamps but `DailySummary` was queried with local date — fails in negative UTC offsets (PST evening → UTC next day) | Data |

## First-Principle Analysis

### Why does each component work in isolation but fail end-to-end?

The hookwise architecture has 4 independent data pipelines:

```text
Pipeline 1: Daemon → Feed JSON → bridge.CollectFeedCache → renderSegment
Pipeline 2: Dispatch → [MISSING] → Dolt → DailySummary → renderBuiltinSegment
Pipeline 3: Config YAML → LoadConfig → StatusLine.Segments → segment loop
Pipeline 4: StartSession(UTC) → Dolt → DailySummary(local date) → mismatch
```

Each pipeline was tested within its own boundary:
- Feed producers have unit tests proving they write correct JSON
- Analytics API has tests proving StartSession/DailySummary work (with UTC-safe fixed dates)
- Config loading has tests proving YAML parsing works
- Segment rendering has tests proving each segment renders correctly

But **no test ever validated the full pipeline from dispatch → Dolt → status-line → screen**.

### The "Mock Confidence Trap" (Pattern #2)

This is the exact same pattern as Bug #29 (weather feed):

> Mock-based tests pass on both sides of a boundary while the real system fails.

**Bug #29:** Go producer writes `unit` → Python TUI reads `temperatureUnit` → both sides' tests pass.
**Bug #50:** Go dispatch has analytics infrastructure → Go status-line reads from Dolt → both sides' tests pass but dispatch never writes.

The mock confidence trap has three variants:

1. **Field mismatch** (Bug #29): Both sides mock the field name they expect
2. **Integration gap** (Bug #50 B1/B2): Both sides work independently but the bridge between them was never built
3. **Format mismatch** (Bug #50 B5): Both sides work with their own format (UTC vs local) but never tested together

### Why didn't tests catch this?

| Testing Layer | What It Validates | What It Misses |
|---------------|-------------------|----------------|
| Unit tests | `StartSession` writes rows; `DailySummary` queries rows | Whether dispatch calls StartSession at all |
| Contract tests | JSON stdout format matches spec | Whether analytics writes happen |
| Integration tests | Dispatch returns correct exit codes | Whether side effects (analytics) fire |
| Architecture tests | Package dependency rules | Whether wiring between packages exists |
| Property-based tests | Invariants within a single domain | Cross-domain data flow |

**The gap:** No test validates the **existence of a connection** between two components, only the correctness of each component in isolation.

### Why did placeholder producers ship?

The project/calendar/pulse/news producers were implemented as placeholders (`source: "placeholder"`) and marked as "done" in the task tracker. The renderer correctly filters placeholders, so the status line shows `--`. But:

1. The spec didn't distinguish "producer skeleton exists" from "producer returns real data"
2. The `feedData()` filter for `source: "placeholder"` was added as a safety net, not as a signal that the feature is incomplete
3. No acceptance test validates that a segment shows **non-placeholder** data

## Fixes Applied

1. **B1/B2:** Added `recordAnalytics()` function in dispatch — writes SessionStart/PostToolUse/SessionEnd to Dolt with commit
2. **B3:** Added `weather` to `hookwise.yaml` segments list and global config
3. **B5:** Changed all `time.Now().Format("2006-01-02")` to `time.Now().UTC().Format("2006-01-02")` in status-line and stats commands to match analytics' UTC storage
4. **B4:** No code fix — producers need real implementations (tracked separately)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Update B4 fix status to reflect calendar producer implementation.

The PR objectives state that a real Google Calendar integration was implemented in this PR with OAuth support, event handling, caching, and 10 unit tests. Stating "No code fix — producers need real implementations" contradicts the actual scope of this PR.

📝 Suggested update
-4. **B4:** No code fix — producers need real implementations (tracked separately)
+4. **B4:** Implemented real CalendarProducer with Google Calendar OAuth integration (project producer tracked separately)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/retro-status-line-bugs-50.md` at line 83, Update the B4 status line in
docs/retro-status-line-bugs-50.md to reflect that the calendar producer was
implemented rather than "No code fix"; replace the current text for **B4:** with
a brief summary noting the Google Calendar integration was added with OAuth
support, event handling, caching, and 10 unit tests (mentioning "calendar
producer implemented" and listing those features), and remove the "producers
need real implementations" claim so the doc matches the PR scope.


## New Tests Added

1. `TestPersistAcrossConnections` — validates Dolt data survives close+reopen (analytics package)
2. `TestRecordAnalytics_SessionStart` — validates dispatch→Dolt→DailySummary pipeline
3. `TestRecordAnalytics_PostToolUse` — validates event recording pipeline
4. All use UTC dates to match production behavior
Comment on lines +85 to +90

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Include calendar producer tests in "New Tests Added" section.

The PR objectives mention "10 unit tests for calendar producer, 3 CLI rendering tests for status-line calendar rendering," but this section only lists analytics-related tests. A retrospective's test inventory should be comprehensive.

📝 Suggested addition
 ## New Tests Added
 
 1. `TestPersistAcrossConnections` — validates Dolt data survives close+reopen (analytics package)
 2. `TestRecordAnalytics_SessionStart` — validates dispatch→Dolt→DailySummary pipeline
 3. `TestRecordAnalytics_PostToolUse` — validates event recording pipeline
-4. All use UTC dates to match production behavior
+4. 10 unit tests for `CalendarProducer` — validates OAuth flow, event parsing, caching, fail-open behavior
+5. 3 CLI rendering tests for status-line calendar segment
+6. All analytics tests use UTC dates to match production behavior
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/retro-status-line-bugs-50.md` around lines 85 - 90, Update the "New
Tests Added" list to include the calendar producer and CLI rendering tests
referenced in the PR summary: add entries for the 10 unit tests for the calendar
producer (e.g., TestCalendarProducer_* or the actual test group name used in the
repo) and the 3 CLI rendering tests for status-line calendar rendering, and note
that they use UTC dates like the analytics tests; edit the section that
currently lists only TestPersistAcrossConnections,
TestRecordAnalytics_SessionStart, and TestRecordAnalytics_PostToolUse to include
these calendar-related test names so the retrospective accurately inventories
all new tests.


## Lessons Learned

### L1: "Infrastructure-ready" ≠ "Wired"

The dispatch command had goroutine infrastructure, 50ms grace period, and side-effect handler patterns — everything EXCEPT the actual analytics call. The comment `// Brief grace period for side-effect goroutines (analytics, coaching)` promised work that didn't exist. **Lesson:** Comments describing intended behavior are not substitutes for code.

### L2: Timezone bugs hide in happy-path tests

All existing analytics tests used `time.Date(2025, 3, 6, 9, 0, 0, 0, time.UTC)` — a UTC timestamp where local and UTC dates are the same. The bug only manifests in negative UTC offsets during evening hours. **Lesson:** Test with edge-case timestamps (midnight, day boundaries, DST transitions).

### L3: Config completeness is untestable without a "full pipeline" smoke test

Weather was enabled in feeds config but absent from segments config. No test validates that enabled feeds appear in the status line. **Lesson:** A single e2e test that runs `hookwise status-line` with a known config and validates all expected segments appear would catch this instantly.

### L4: The Mock Confidence Trap is a recurring pattern

This is the third time (after Bug #29 and the original status-line stub bug) that both sides of a boundary pass all tests while the real system fails. **Lesson:** After shipping any feature that crosses a producer→consumer boundary, add an integration test that validates the full pipeline with real (not mocked) data.

Comment thread
coderabbitai[bot] marked this conversation as resolved.
## Proposed E2E Test

> **Note:** This is pseudocode illustrating the test structure, not a runnable test.

```go
// TestStatusLine_EndToEnd_DispatchThenRender validates the full pipeline:
// dispatch SessionStart → Dolt write → status-line reads → session count appears
func TestStatusLine_EndToEnd_DispatchThenRender(t *testing.T) {
tmpDir := t.TempDir()
// 1. Write config with known segments
// 2. Call recordAnalytics(SessionStart) with tmpDir
// 3. Write weather.json with real data to cacheDir
// 4. Run status-line command
// 5. Assert: session count > 0, weather shows temperature, weather not "--"
}
```
Comment thread
coderabbitai[bot] marked this conversation as resolved.

## Action Items

- [ ] Implement real project producer (git repo detection)
- [ ] Implement real calendar producer (Google Calendar MCP)
Comment on lines +129 to +130

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Mark calendar producer action item as completed or remove it.

The action item "Implement real calendar producer (Google Calendar MCP)" appears to have been completed in this PR according to the PR objectives. Retrospectives should clearly distinguish between work completed in the current PR and future work.

📝 Suggested update
 ## Action Items
 
-- [ ] Implement real project producer (git repo detection)
-- [ ] Implement real calendar producer (Google Calendar MCP)
+- [x] Implement real calendar producer (Google Calendar OAuth integration) — completed in this PR
+- [ ] Implement real project producer (git repo detection)
 - [ ] Add e2e smoke test for status-line pipeline
 - [ ] Add UTC-edge-case timestamp to analytics test suite
 - [ ] Consider adding a CI job that runs `hookwise status-line` with a test config and validates non-empty output
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- [ ] Implement real project producer (git repo detection)
- [ ] Implement real calendar producer (Google Calendar MCP)
- [x] Implement real calendar producer (Google Calendar OAuth integration) — completed in this PR
- [ ] Implement real project producer (git repo detection)
- [ ] Add e2e smoke test for status-line pipeline
- [ ] Add UTC-edge-case timestamp to analytics test suite
- [ ] Consider adding a CI job that runs `hookwise status-line` with a test config and validates non-empty output
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/retro-status-line-bugs-50.md` around lines 129 - 130, The checklist
entry "Implement real calendar producer (Google Calendar MCP)" in the retro
notes is stale; either mark that checkbox as completed or remove the line
entirely. Locate the line containing the exact text "Implement real calendar
producer (Google Calendar MCP)" in docs/retro-status-line-bugs-50.md and update
the checklist to reflect completion (change "- [ ]" to "- [x]") or delete the
bullet so the retrospective only lists true future action items.

- [ ] Add e2e smoke test for status-line pipeline
- [ ] Add UTC-edge-case timestamp to analytics test suite
- [ ] Consider adding a CI job that runs `hookwise status-line` with a test config and validates non-empty output
108 changes: 69 additions & 39 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -3,38 +3,56 @@ module github.com/vishnujayvel/hookwise
go 1.25.5

require (
dagger.io/dagger v0.20.1
github.com/Khan/genqlient v0.8.1
github.com/cenkalti/backoff/v4 v4.3.0
github.com/charmbracelet/lipgloss v1.1.0
github.com/dagger/otel-go v1.41.0
github.com/dolthub/driver v0.2.0
github.com/gobwas/glob v0.2.3
github.com/spf13/cobra v1.10.2
github.com/stretchr/testify v1.11.1
golang.org/x/tools v0.38.0
github.com/vektah/gqlparser/v2 v2.5.32
go.opentelemetry.io/otel v1.42.0
go.opentelemetry.io/otel/sdk v1.41.0
go.opentelemetry.io/otel/trace v1.42.0
golang.org/x/oauth2 v0.36.0
golang.org/x/tools v0.41.0
google.golang.org/api v0.269.0
gopkg.in/yaml.v3 v3.0.1
modernc.org/sqlite v1.46.1
pgregory.net/rapid v1.2.0
)

require (
cloud.google.com/go v0.112.0 // indirect
cloud.google.com/go/compute v1.24.0 // indirect
cloud.google.com/go/compute/metadata v0.2.3 // indirect
cloud.google.com/go/iam v1.1.6 // indirect
cloud.google.com/go/storage v1.38.0 // indirect
cel.dev/expr v0.25.1 // indirect
cloud.google.com/go v0.121.6 // indirect
cloud.google.com/go/auth v0.18.2 // indirect
cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
cloud.google.com/go/compute/metadata v0.9.0 // indirect
cloud.google.com/go/iam v1.5.3 // indirect
cloud.google.com/go/monitoring v1.24.3 // indirect
cloud.google.com/go/storage v1.56.0 // indirect
filippo.io/edwards25519 v1.1.0 // indirect

@coderabbitai coderabbitai Bot Mar 9, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check for newer versions of flagged dependencies
echo "Checking filippo.io/edwards25519..."
go list -m -versions filippo.io/edwards25519 2>/dev/null | head -1

echo "Checking github.com/aws/aws-sdk-go..."
go list -m -versions github.com/aws/aws-sdk-go 2>/dev/null | head -1

Repository: vishnujayvel/hookwise

Length of output: 16581


🏁 Script executed:

# Check if edwards25519 and aws-sdk-go are direct or indirect dependencies
cd /tmp && cat go.mod | head -50

Repository: vishnujayvel/hookwise

Length of output: 103


🌐 Web query:

GO-2026-4503 edwards25519 vulnerability

💡 Result:

GO-2026-4503 is the Go vulnerability record for CVE-2026-26958 affecting filippo.io/edwards25519. Versions < v1.1.1 are affected. [1][2]

What’s the issue

(*Point).MultiScalarMult failed to initialize its receiver, leading to:

  • Incorrect results if called on a non-identity (already-initialized) point.
  • Undefined behavior if called on an uninitialized point; notably, if the receiver is the zero value, it can return an invalid point that compares equal to every point. [1][2][3]

Impact / exposure

This is considered low severity and applies primarily to code that directly uses the advanced API Point.MultiScalarMult; many transitive users are not impacted (e.g., depending on filippo.io/edwards25519 only via github.com/go-sql-driver/mysql). [2][3]

Fix

Upgrade to filippo.io/edwards25519 v1.1.1 or later. [1][2]

References: Go vuln entry and upstream advisory. [1][2]


Sources
[1] Go Vulnerability Database (pkg.go.dev): GO-2026-4503 — affected versions and description
[2] GitHub Security Advisory: GHSA-fw7p-63qq-7hpr — root cause and behavioral details
[3] OSV (Debian CVE record): CVE-2026-26958 — additional impact notes and fix version


🌐 Web query:

GO-2022-0635 aws-sdk-go S3 crypto

💡 Result:

GO-2022-0635 is a Go vulnerability report for CVE-2020-8912 / GHSA-7f33-f4f5-xwgw affecting github.com/aws/aws-sdk-go/service/s3/s3crypto (the AWS SDK for Go v1 “S3 Crypto” / S3 Encryption Client implementation). It’s an in-band key negotiation flaw: an attacker who can write/modify objects in the target S3 bucket can tamper with metadata to change the declared content-encryption algorithm (e.g., from AES-GCM to AES-CTR or AES-CBC). If the attacker also has access to a decryption-oracle signal (an endpoint that reveals decrypt success/failure), this can enable plaintext recovery and/or message forgery, including a path to recover the AES-GCM authentication key in certain scenarios. [1][2]

Fix / mitigation: use S3 Encryption Client / S3 Crypto SDK v2 (which authenticates the algorithm, e.g., via KMS+context key wrapping for new files) and re-encrypt old objects that were encrypted with the vulnerable scheme (notably GCM with the older KMS wrapping option). Note: the Go vuln entry flags the v1 package as “all versions, no known fixed” because the fix is effectively “move to v2 / new client,” not a patch within the v1 package line. [1][2][3]

Sources

  1. Go vulnerability database entry: GO-2022-0635 (pkg.go.dev) [1]
  2. Google Security Research advisory: GHSA-7f33-f4f5-xwgw [2]
  3. AWS Developer Tools Blog (Aug 7, 2020): “Updates to the Amazon S3 Encryption Client” [3]

🏁 Script executed:

cat /workspace/*/go.mod | head -60

Repository: vishnujayvel/hookwise

Length of output: 118


🏁 Script executed:

# Find and display go.mod from root
find . -name "go.mod" -type f | head -1 | xargs cat | head -60

Repository: vishnujayvel/hookwise

Length of output: 2821


🏁 Script executed:

# Check if aws-sdk-go is directly used in the codebase
rg "aws-sdk-go|aws-sdk|s3crypto" --type go -i | head -20

Repository: vishnujayvel/hookwise

Length of output: 47


🏁 Script executed:

# Check what package brings in aws-sdk-go as transitive dependency
rg "aws" go.mod

Repository: vishnujayvel/hookwise

Length of output: 112


🌐 Web query:

GO-2022-0646 aws-sdk-go vulnerability

💡 Result:

GO-2022-0646 is the Go vulnerability ID for CVE-2020-8911 / GHSA-f5pg-7wfw-84q9, a CBC padding-oracle issue in the Amazon S3 “Crypto/Encryption Client” code shipped in github.com/aws/aws-sdk-go/service/s3/s3crypto. It affects uses of NewEncryptionClient / NewDecryptionClient that allow AES-CBC without an integrity check (no MAC), enabling plaintext recovery if an attacker can modify/upload ciphertext in the bucket and observe whether decrypt succeeded/failed. [1][2]

Impact / scope

  • Package: github.com/aws/aws-sdk-go (specifically service/s3/s3crypto) [1]
  • Condition: using the legacy S3 encryption client with AES-CBC (padding-oracle side channel) [1][3]

Fix / remediation

  • Migrate to the “V2” S3 encryption/decryption clients (and re-encrypt affected objects), rather than continuing to use the legacy AES-CBC option. [1][3]
  • In aws-sdk-go v1, the V2 clients (EncryptionClientV2 / DecryptionClientV2) were introduced in release v1.33.0 (2020-07-01) via PR #3403. [4]

References

  • Go/OSV entry (GO-2022-0646) [1]
  • Google security advisory (GHSA-f5pg-7wfw-84q9) [2]
  • AWS blog: “Updates to the Amazon S3 Encryption Client” (describes removal/deprecation of AES-CBC for new objects and the padding-oracle issue) [3]
  • aws-sdk-go PR introducing S3 crypto V2 clients (#3403) [4]

Sources: [1] https://pkg.go.dev/vuln/GO-2022-0646 [2] GHSA-f5pg-7wfw-84q9 [3] https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/ [4] aws/aws-sdk-go#3403


Correct severity classification of transitive security advisories.

Both dependencies are confirmed transitive (indirect):

  • filippo.io/edwards25519 v1.1.0 (GO-2026-4503): LOW severity—affects specific cryptographic edge case. Upgrade to v1.1.1+ available.
  • github.com/aws/aws-sdk-go v1.50.16 (GO-2022-0635, GO-2022-0646): HIGH/CRITICAL severity—padding-oracle and in-band key negotiation flaws enabling plaintext recovery and message forgery in S3 Encryption Client. No patch available in v1.x; migration to V2 clients required.

While hookwise may not directly use S3 Crypto functionality, the aws-sdk-go advisories should not be classified as low-severity. Strongly prioritize migrating away from the affected v1 package or evaluate if S3 Crypto usage can be eliminated.

🧰 Tools
🪛 OSV Scanner (2.3.3)

[LOW] 36-36: filippo.io/edwards25519 1.1.0: Invalid result or undefined behavior in filippo.io/edwards25519

(GO-2026-4503)


[LOW] 36-36: filippo.io/edwards25519 1.1.0: filippo.io/edwards25519 MultiScalarMult produces invalid results or undefined behavior if receiver is not the identity

(GHSA-fw7p-63qq-7hpr)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 36, The transitive advisories for filippo.io/edwards25519
(GO-2026-4503) and github.com/aws/aws-sdk-go (GO-2022-0635, GO-2022-0646) are
misclassified; update vulnerability metadata and remediation: in go.mod bump
filippo.io/edwards25519 to v1.1.1+ to address GO-2026-4503, and for
github.com/aws/aws-sdk-go identify where the v1 module is pulled (search for
aws-sdk-go imports and any S3 Crypto usage) then either remove/eliminate S3
Crypto usage or plan a migration to AWS SDK Go V2 (no v1 patch exists) and mark
the aws-sdk-go advisory as HIGH/CRITICAL until migration is complete. Ensure
references to these advisories (GO-2026-4503, GO-2022-0635, GO-2022-0646) and
the modules (filippo.io/edwards25519, github.com/aws/aws-sdk-go) are updated in
your security tracking or SBOM entries.

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both are transitive/indirect dependencies pulled in by Dolt's embedded driver:

  • filippo.io/edwards25519 v1.1.0 (GO-2026-4503): Low severity, affects MultiScalarMult edge case. We don't use this API directly. Will bump to v1.1.1 in a dep-update PR.
  • github.com/aws/aws-sdk-go v1.50.16 (GO-2022-0635/0646): S3 Crypto padding-oracle. hookwise has zero S3 usage — this is purely a Dolt transitive dep. No v1 patch exists; the fix is migrating to AWS SDK v2 which is on Dolt's roadmap, not ours. Risk is effectively zero for this codebase.

Will track the edwards25519 bump as a low-priority dep update. The aws-sdk-go issue is upstream and out of our control.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rate Limit Exceeded

@vishnujayvel have exceeded the limit for the number of chat messages per hour. Please wait 1 minutes and 49 seconds before sending another message.

github.com/99designs/gqlgen v0.17.81 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.53.0 // indirect
github.com/HdrHistogram/hdrhistogram-go v1.1.2 // indirect
github.com/aliyun/aliyun-oss-go-sdk v3.0.2+incompatible // indirect
github.com/apache/arrow/go/arrow v0.0.0-20211112161151-bc219186db40 // indirect
github.com/apache/thrift v0.19.0 // indirect
github.com/aws/aws-sdk-go v1.50.16 // indirect
github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
github.com/bcicen/jstream v1.0.1 // indirect
github.com/cespare/xxhash/v2 v2.2.0 // indirect
github.com/cenkalti/backoff/v5 v5.0.3 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc // indirect
github.com/charmbracelet/x/ansi v0.8.0 // indirect
github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd // indirect
github.com/charmbracelet/x/term v0.2.1 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/denisbrodbeck/machineid v1.0.1 // indirect
github.com/dolthub/dolt/go v0.40.5-0.20240702155756-bcf4dd5f5cc1 // indirect
github.com/dolthub/dolt/go/gen/proto/dolt/services/eventsapi v0.0.0-20240212175631-02e9f99a3a9b // indirect
Expand All @@ -48,22 +66,24 @@ require (
github.com/dolthub/swiss v0.2.1 // indirect
github.com/dolthub/vitess v0.0.0-20240709194214-7926ea9d425d // indirect
github.com/dustin/go-humanize v1.0.1 // indirect
github.com/envoyproxy/go-control-plane/envoy v1.36.0 // indirect
github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect
github.com/fatih/color v1.16.0 // indirect
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/go-jose/go-jose/v4 v4.1.3 // indirect
github.com/go-kit/kit v0.13.0 // indirect
github.com/go-logr/logr v1.4.1 // indirect
github.com/go-logr/logr v1.4.3 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-sql-driver/mysql v1.7.2-0.20231213112541-0004702b931d // indirect
github.com/goccy/go-json v0.10.2 // indirect
github.com/gofrs/flock v0.8.1 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/protobuf v1.5.3 // indirect
github.com/golang/snappy v0.0.4 // indirect
github.com/google/btree v1.1.2 // indirect
github.com/google/s2a-go v0.1.7 // indirect
github.com/google/s2a-go v0.1.9 // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
github.com/googleapis/gax-go/v2 v2.12.0 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.3.12 // indirect
github.com/googleapis/gax-go/v2 v2.17.0 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 // indirect
github.com/hashicorp/golang-lru v1.0.2 // indirect
github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
Expand All @@ -76,7 +96,7 @@ require (
github.com/kylelemons/godebug v1.1.0 // indirect
github.com/lestrrat-go/strftime v1.0.6 // indirect
github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
github.com/mattn/go-colorable v0.1.13 // indirect
github.com/mattn/go-colorable v0.1.14 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/mattn/go-runewidth v0.0.16 // indirect
github.com/mohae/uvarint v0.0.0-20160208145430-c3f9e62bf2b0 // indirect
Expand All @@ -85,48 +105,58 @@ require (
github.com/oracle/oci-go-sdk/v65 v65.55.0 // indirect
github.com/pierrec/lz4/v4 v4.1.21 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
github.com/rivo/uniseg v0.4.7 // indirect
github.com/sergi/go-diff v1.3.1 // indirect
github.com/shopspring/decimal v1.3.1 // indirect
github.com/silvasur/buzhash v0.0.0-20160816060738-9bdec3dec7c6 // indirect
github.com/sirupsen/logrus v1.9.3 // indirect
github.com/sony/gobreaker v0.5.0 // indirect
github.com/sosodev/duration v1.3.1 // indirect
github.com/spf13/pflag v1.0.9 // indirect
github.com/spiffe/go-spiffe/v2 v2.6.0 // indirect
github.com/tetratelabs/wazero v1.6.0 // indirect
github.com/vbauerster/mpb/v8 v8.7.2 // indirect
github.com/xitongsys/parquet-go v1.6.2 // indirect
github.com/xitongsys/parquet-go-source v0.0.0-20240122235623-d6294584ab18 // indirect
github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
github.com/zeebo/xxh3 v1.0.2 // indirect
go.opencensus.io v0.24.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.48.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.48.0 // indirect
go.opentelemetry.io/otel v1.23.1 // indirect
go.opentelemetry.io/otel/metric v1.23.1 // indirect
go.opentelemetry.io/otel/trace v1.23.1 // indirect
go.opentelemetry.io/auto/sdk v1.2.1 // indirect
go.opentelemetry.io/contrib/detectors/gcp v1.39.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.17.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.17.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.41.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.41.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.41.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.41.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.41.0 // indirect
go.opentelemetry.io/otel/log v0.17.0 // indirect
go.opentelemetry.io/otel/metric v1.42.0 // indirect
go.opentelemetry.io/otel/sdk/log v0.17.0 // indirect
go.opentelemetry.io/otel/sdk/metric v1.41.0 // indirect
go.opentelemetry.io/proto/otlp v1.9.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.26.0 // indirect
golang.org/x/crypto v0.43.0 // indirect
golang.org/x/crypto v0.48.0 // indirect
golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
golang.org/x/mod v0.29.0 // indirect
golang.org/x/net v0.46.0 // indirect
golang.org/x/oauth2 v0.17.0 // indirect
golang.org/x/sync v0.17.0 // indirect
golang.org/x/sys v0.37.0 // indirect
golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8 // indirect
golang.org/x/term v0.36.0 // indirect
golang.org/x/text v0.30.0 // indirect
golang.org/x/time v0.5.0 // indirect
golang.org/x/mod v0.32.0 // indirect
golang.org/x/net v0.51.0 // indirect
golang.org/x/sync v0.19.0 // indirect
golang.org/x/sys v0.41.0 // indirect
golang.org/x/telemetry v0.0.0-20260109210033-bd525da824e2 // indirect
golang.org/x/term v0.40.0 // indirect
golang.org/x/text v0.34.0 // indirect
golang.org/x/time v0.14.0 // indirect
golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
google.golang.org/api v0.164.0 // indirect
google.golang.org/appengine v1.6.8 // indirect
google.golang.org/genproto v0.0.0-20240205150955-31a09d347014 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240205150955-31a09d347014 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240205150955-31a09d347014 // indirect
google.golang.org/grpc v1.61.0 // indirect
google.golang.org/protobuf v1.32.0 // indirect
google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 // indirect
google.golang.org/grpc v1.79.1 // indirect
google.golang.org/protobuf v1.36.11 // indirect
gopkg.in/errgo.v2 v2.1.0 // indirect
gopkg.in/square/go-jose.v2 v2.6.0 // indirect
gopkg.in/src-d/go-errors.v1 v1.0.0 // indirect
Expand Down
Loading