chore: easy-issue sweep 2026-05-11 by mvillmow · Pull Request #368 · HomericIntelligence/ProjectAgamemnon

mvillmow · 2026-05-12T02:54:01Z

Summary

Bundled easy-issue sweep across documentation, CI hardening, and small fixes per
the 2026-05-11 ecosystem-wide sweep. 50-LoC-per-issue cap respected; medium/hard
items (full openapi examples, devcontainer split, request-body validation tests,
ASAN preset, etc.) deferred and listed as BLOCKED below.

Implemented

Closes Add RATE_LIMIT_RPS/RATE_LIMIT_BURST to documentation #346 — README documents RATE_LIMIT_RPS, RATE_LIMIT_BURST, SERVER_*, and NATS_STREAM_* env vars
Closes Document resource-limit env vars in README or ops runbook #303 — README documents resource-limit env vars (same edit as Add RATE_LIMIT_RPS/RATE_LIMIT_BURST to documentation #346)
Closes Link ROADMAP.md from README.md #311 — README links ROADMAP.md under a Roadmap section
Closes Pin actions/checkout in schema-validation job to a SHA #354 — actions/checkout in schema-validation pinned to 11bd71901bbe5b1630ceea73d27597364c9af683 (v4.2.2)
Closes Pin actions/cache@v5 to a commit SHA in pixi-check #247, Closes Pin actions/cache to a commit SHA in pixi-check job #238 — actions/cache@v5 in pixi-check pinned to 27d5ce7f107fe9357f9df03efb73ab90386fccae (v5.0.5)
Closes Pin Trivy install to a specific version (currently uses latest) #255 — Trivy install pinned to v0.58.1 instead of latest
Closes Pin gitleaks binary version and verify SHA in CI download step #267 — gitleaks tarball verified against published SHA256 before extract
Closes Pin Python to <3.14 in agamemnon/pixi.toml (pytest-asyncio DeprecationWarning) #109 — agamemnon/pixi.toml Python pinned >=3.11,<3.14 to avoid pytest-asyncio 0.26 deprecation
Closes Remove or update keystone references in NATSListener docstrings #121 — Stale ~keystone.models.TaskEvent cross-refs in nats_listener.py updated to ~agamemnon.orchestration.models.TaskEvent
Closes Fix MD060 table style violations in RELEASING.md #314 — MD060 separator-spacing fix in RELEASING.md table
Closes Document base image update procedure in RELEASING.md #325 — Base-image digest refresh procedure documented in RELEASING.md
Closes Add GTest ABI compatibility note to CONTRIBUTING.md or justfile #341 — GTest ABI compatibility callout added to CONTRIBUTING.md
Closes Document nats.c version update procedure for cpp-fetchcontent-deps.cdx.json #258 — nats.c / cpp-fetchcontent-deps.cdx.json sync rule documented in CONTRIBUTING.md
Closes Document secrets-scan gate policy in SECURITY.md or CONTRIBUTING.md #226 — Secrets-scan gate policy added to SECURITY.md
Closes Add liveness/readiness probe documentation to AGENTS.md #317 — AGENTS.md health-probe table for /health and /v1/health
Closes AGENTS.md: document task PUT vs PATCH semantics #316 — AGENTS.md table clarifying PUT vs PATCH on tasks
Closes AGENTS.md: document MaxAckPending=1 source location #315 — AGENTS.md note that MaxAckPending=1 is a consumer-side contract
Closes Document approved model assignments for L0-L3 in CLAUDE.md #153 — CLAUDE.md HMAS L0–L3 model-tier table
Closes Document agamemnon/ Python package structure in CLAUDE.md #110 — CLAUDE.md describes the agamemnon/ Python sub-package layout, deps, tasks
Closes OpenAPI spec has no servers entry for production/Tailscale URL #146 — openapi.yaml adds parameterized Tailscale servers entry
Closes Chaos endpoint silently accepts body content — document or reject it #191 — openapi.yaml documents that POST /v1/chaos/{type} body is silently ignored
Closes Document /metrics endpoint in API reference and ops runbook #297 — New docs/metrics.md reference + /metrics row in docs/api/README.md
Closes POST /v1/agents/docker and POST /v1/agents produce identical behavior #144 — Comment in src/routes.cpp explaining /v1/agents/docker is intentional alias
Closes Add coverage preset to justfile and document local coverage workflow #214 — justfile adds deps-coverage recipe and chains coverage from it; CLAUDE.md updated
Closes Handle missing GPG key gracefully in release recipe #103 — scripts/check-release-readiness.sh checks GPG secret key before any mutation
Closes Install libssl-dev in CI/dev environment to unblock local builds #251 — README clarifies pixi already provides OpenSSL headers; bare-host needs libssl-dev
Closes Document data privacy posture in operator runbook #350 — RELEASING.md operator runbook for data deletion (GitHub + NATS)
Closes Add cache to python-client.yml and python-client-release.yml if they gain C++ deps #242 — TODO comment in python-client.yml and python-client-release.yml for future C++ extension caches
Closes [MINOR] Pin editorconfig-checker to a hash or verify latest rev #329 — renovate.json adds explicit pre-commit hook group (covers editorconfig-checker.python)
Closes Add test_bump_version tests to coverage measurement #104 — Comment in clients/python/pyproject.toml explaining bump-version.py coverage exclusion
Closes Pin builder stage base image to SHA256 digest #323 — Builder stage ubuntu:24.04 pinned to sha256:c4a8d5503dfb2a3eb8ab5f807da5bc69a85730fb49b5cfca2330194ebcc41c7b

Verified ALREADY-DONE (closes via merge)

Closes Document /v1/ API contract in README.md #335 — README has full API Documentation (line 38) + API Endpoints (line 92+) covering /v1/
Closes Link AGENTS.md from README.md for discoverability #150 — README line 20 already links AGENTS.md (See [AGENTS.md](AGENTS.md) for multi-agent handoff protocols.)
Closes Remove maestro_client.py from orchestration (already deleted in Keystone) #116 — find . -name 'maestro_client*' returns nothing; file is fully removed
Closes Pin Gitleaks to block-on-failure instead of continue-on-error #254 — _required.yml calls gitleaks with --exit-code 1 and contains no continue-on-error: true (in fact lines 215–229 forbid it repo-wide)
Closes Move store.cpp into library target to fix test linkage #181 — src/store.cpp is in the library target via cmake/SourcesAndHeaders.cmake:9 and CMakeLists.txt:83
Closes version_info.cpp get_version/get_project_name were undeclared in public header #215 — include/projectagamemnon/version.hpp declares get_version()/get_project_name() (lines 12–13)
Closes [MINOR] §5: No request body size limit on HTTP routes (potential DoS) #221 — src/server_main.cpp:133 calls set_payload_max_length(SERVER_REQUEST_SIZE_LIMIT_MB * 1MB) (default 4MB); src/routes.cpp:231 also enforces kMaxBodyBytes

BLOCKED (>50 LoC or external/structural — not in scope for sweep)

Add response example objects to openapi.yaml for Agent, Team, Task #147 — Add response examples to openapi.yaml for Agent/Team/Task/Fault: requires 4 representative payloads, easily >50 LoC of YAML
[MINOR] §6: routes.cpp lambda capture of raw Store* is also present in production code #220 — Add ASAN/UBSAN preset to enforce lambda capture invariant: needs new CMake preset + sanitizer build matrix
[MINOR] §5: update_task does not validate task belongs to team_id before update #222 — Make Store::get_task reject empty team_id: requires test additions and a Store API decision
Pin apt package versions in Dockerfile to avoid non-reproducible builds #319 — Pin every apt package version in Dockerfile: long-lived version pins create their own maintenance debt and need a tested set
[MINOR] Add devcontainer Dockerfile for development (separate from production) #327 — Devcontainer Dockerfile separation: new file + multi-stage refactor
Add CHANGELOG.md update step to pre-commit hook or CI check #135 — CHANGELOG-update CI/pre-commit gate: design choice (pre-commit vs CI vs PR-template) needs scoping

Skipped (external / process / future-dated)

Add first versioned CHANGELOG block when v0.1.0 tag is cut #136 — First versioned CHANGELOG block: only triggered when v0.1.0 tag is cut
README: document /v1/workflows endpoint once implemented #138 — README /v1/workflows: handler still returns []; document once implemented
Verify Renovate GitHub App is installed on HomericIntelligence org #250 — Verify Renovate App is installed: org-admin task, not a code change
Expand .gitleaks.toml allowlist based on periodic false-positive audit #268 — Quarterly gitleaks-allowlist review: process item, not a code change
Create GitHub Projects board and link to ROADMAP.md #309 — Create GitHub Projects board: external admin task
Register PyPI pending publisher for HomericIntelligence-Agamemnon #13 — Register PyPI pending publisher: external admin task (already documented in RELEASING.md)

Test plan

CI green on chore/easy-sweep-2026-05-11
actions/checkout and actions/cache@v5 SHAs resolve correctly in _required.yml
gitleaks step succeeds (SHA256 matches published checksum)
just coverage runs after a clean checkout via the new deps-coverage chain
./scripts/check-release-readiness.sh 0.1.0 cleanly fails on a host without GPG, passes with one configured
Spectral OpenAPI lint: pre-existing failure on main (Could not read ruleset at .../@stoplight/spectral-openapi) — not introduced by this sweep, leave for separate PR

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com

…nt addition The PR's comment-only edit to clients/python/pyproject.toml (issue #104) changed the file content, invalidating the SHA256 of the editable `pypi: .` package entry in pixi.lock. This caused `pixi install --locked` to fail in 4 CI jobs (Lint, Test, Type Check, security/dependency-scan). Regenerated using pixi v0.39.5 (matching CI's setup-pixi@v0.8.1 pin) so no incompatible v0.4x lockfile fields are written. Only the editable package SHA256 changes (1 line). Refs PR #368

… link ROADMAP Closes #346 Closes #303 Closes #311

- Pin actions/cache@v5 in pixi-check to v5.0.5 SHA (closes #247, closes #238) - Pin actions/checkout in schema-validation job to v4.2.2 SHA (closes #354) - Pin Trivy install to v0.58.1 instead of latest (closes #255) - Verify gitleaks tarball SHA256 before extract (closes #267)

- Pin Python <3.14 in agamemnon/pixi.toml to avoid pytest-asyncio 0.26 deprecation warning (closes #109) - Replace stale `~keystone.models.TaskEvent` Sphinx cross-refs with `~agamemnon.orchestration.models.TaskEvent` in nats_listener.py docstrings (closes #121)

…cedure - Fix MD060 in line 31 table separators (closes #314) - Document Dockerfile base-image digest refresh procedure (closes #325)

…olicy - CONTRIBUTING.md: GTest ABI compatibility callout (closes #341) - CONTRIBUTING.md: nats.c CMakeLists.txt vs cpp-fetchcontent-deps.cdx.json sync rule (closes #258) - SECURITY.md: secrets-scan gate policy and allowlist process (closes #226)

…, model tiers, python pkg - AGENTS.md: liveness/readiness probe table (closes #317) - AGENTS.md: PUT vs PATCH task semantics (closes #316) - AGENTS.md: clarify MaxAckPending=1 is consumer-side contract (closes #315) - CLAUDE.md: HMAS model tier assignments table (closes #153) - CLAUDE.md: agamemnon/ Python package layout, deps, and tasks (closes #110)

…, docker-route comment - openapi.yaml: add Tailscale {tailscale_host} server entry (closes #146) - openapi.yaml: document chaos POST body is silently ignored (closes #191) - docs/metrics.md: new — Prometheus endpoint reference and scrape config (closes #297) - docs/api/README.md: link /metrics under Health & Observability - src/routes.cpp: comment explaining /v1/agents/docker is intentional alias (closes #144)

- justfile: add deps-coverage recipe and chain it from coverage (closes #214) - CLAUDE.md: note coverage depends on deps-coverage - scripts/check-release-readiness.sh: GPG key presence check before mutating files (closes #103) - README.md: clarify OpenSSL provided by pixi, libssl-dev only needed on bare hosts (closes #251)

… + NATS Closes #350

…age scope - python-client.yml + python-client-release.yml: TODO comment to add Conan/FetchContent caches if C++ extension steps are added (closes #242) - renovate.json: explicit pre-commit hook group ensures editorconfig-checker.python is bumped (closes #329) - clients/python/pyproject.toml: comment explaining bump-version.py coverage exclusion (closes #104)

Closes #323 Pinned ubuntu:24.04 to digest sha256:c4a8d5503dfb2a3eb8ab5f807da5bc69a85730fb49b5cfca2330194ebcc41c7b (retrieved 2026-05-11 from Docker Hub). Refresh procedure documented in RELEASING.md (added in this same sweep).

…nt addition The PR's comment-only edit to clients/python/pyproject.toml (issue #104) changed the file content, invalidating the SHA256 of the editable `pypi: .` package entry in pixi.lock. This caused `pixi install --locked` to fail in 4 CI jobs (Lint, Test, Type Check, security/dependency-scan). Regenerated using pixi v0.39.5 (matching CI's setup-pixi@v0.8.1 pin) so no incompatible v0.4x lockfile fields are written. Only the editable package SHA256 changes (1 line). Refs PR #368

The rebase onto main produced a stale clients/python/pixi.lock — the homericintelligence-agamemnon package's local source sha256 drifted, causing `pixi install --locked` to fail in CI with "lock-file not up-to-date with the project". This blocked Lint, Test, Type Check, and security/dependency-scan (all of which run `setup-pixi@v0.8.1` with `pixi install --locked`). Regenerated the lock file with pinned pixi v0.39.5 (matching CI's setup-pixi version per the MEMORY runbook). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

The upstream install.sh has been flaky for v0.58.1 — it locates the release tag but exits 1 before extracting the archive. This caused security/dependency-scan to fail consistently with pip-audit passing. Switch to a direct binary tarball download from the GitHub releases URL, which is deterministic and avoids the install.sh code path.

v0.58.1 has been removed from aquasecurity/trivy releases (404 from the binary URL and from install.sh tag lookup, which is why security/dependency-scan was failing). Bump to v0.69.3 (current at fix time) while keeping the deterministic direct-binary download. This is the minimal change needed to unblock dependency-scan in the `chore: easy-issue sweep 2026-05-11` branch. A separate cleanup can introduce a renovate/dependabot rule to track Trivy releases going forward.

mvillmow enabled auto-merge (squash) May 12, 2026 02:54

mvillmow force-pushed the chore/easy-sweep-2026-05-11 branch from 542e3de to 67ff7ff Compare May 13, 2026 14:05

mvillmow and others added 14 commits May 16, 2026 01:37

docs(readme): document RATE_LIMIT/SERVER_*/NATS_STREAM_* env vars and…

c1f768b

… link ROADMAP Closes #346 Closes #303 Closes #311

docs(releasing): fix MD060 table style and add base-image refresh pro…

a148b4c

…cedure - Fix MD060 in line 31 table separators (closes #314) - Document Dockerfile base-image digest refresh procedure (closes #325)

docs(releasing): add operator runbook for data deletion across GitHub…

be8ba29

… + NATS Closes #350

fix(docs): add blank lines around RELEASING.md fenced blocks (MD031)

48b8703

mvillmow force-pushed the chore/easy-sweep-2026-05-11 branch from 42df5fa to def2b7a Compare May 16, 2026 08:38

mvillmow added 2 commits May 16, 2026 02:10

mvillmow merged commit a7ce40e into main May 16, 2026
26 checks passed

mvillmow deleted the chore/easy-sweep-2026-05-11 branch May 16, 2026 09:37

mvillmow mentioned this pull request May 16, 2026

chore: easy-issue sweep bundle (2026-05-16) #382

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: easy-issue sweep 2026-05-11#368

chore: easy-issue sweep 2026-05-11#368
mvillmow merged 16 commits into
mainfrom
chore/easy-sweep-2026-05-11

mvillmow commented May 12, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

mvillmow commented May 12, 2026

Summary

Implemented

Verified ALREADY-DONE (closes via merge)

BLOCKED (>50 LoC or external/structural — not in scope for sweep)

Skipped (external / process / future-dated)

Test plan

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant