Skip to content

Sync v3.58.0#23

Merged
danielboros merged 31 commits into
bnn-reqfrom
sync-v3.58.0
Jul 1, 2026
Merged

Sync v3.58.0#23
danielboros merged 31 commits into
bnn-reqfrom
sync-v3.58.0

Conversation

@danielboros

Copy link
Copy Markdown
Collaborator

No description provided.

imroc added 30 commits June 27, 2026 11:00
- Add .codebuddy/ project config: CODEBUDDY.md context, loop-engineering.md design doc
- Add skills: dependency-upgrade, ci-triage, ci-fix (project-level under .codebuddy/skills/)
- Add agents: dependency-upgrader, ci-fixer, code-reviewer (implementation/review separation)
- Add GitHub Actions workflows: dependency-upgrade-loop (weekly), ci-fix-loop (on CI failure)
- Add STATE.md for persistent loop state across iterations
- Document modified stdlib/quic-go architecture and upstream sync conventions
- Enforce: gh-cli skill for GitHub ops, no tag/release, English commits
- Add issue-triage skill and issue-triager agent: classify/label/respond to
  issues, flag quic-go and modified-code issues for cautious handling
- Add pr-review skill and pr-reviewer agent: review PRs with special caution
  for internal/http3 (quic-go), internal/http2, and modified stdlib files
- Add upstream-sync skill and upstream-tracker agent: track Go stdlib net/http,
  golang.org/x/net/http2, and quic-go upstream changes; generate sync reports
- Add GitHub Actions workflows for all three new loops
- Update STATE.md with sections for all loops and issue analysis snapshot
- Rewrite loop-engineering.md design doc in English with all 5 loops documented
- All skills are project-level under .codebuddy/skills/
- Remove deprecated ConnectionTracingID/ConnectionTracingKey
- Remove stream hijacking API (StreamHijacker/UniStreamHijacker)
- Replace handleUnidirectionalStreams loop with handleUnidirectionalStream
  per-stream callback, add startUnidirectionalStreamAcceptLoop
- Add RawClientConn for fine-grained stream control (WebTransport etc.)
- Add HandleBidirectionalStream (closes conn per RFC 9114)
- Move rcvdControlStr/rcvdQPACKEncoderStr/rcvdQPACKDecoderStr to Conn struct
- Fix SupportsDatagrams -> SupportsDatagrams.Remote
- Move atomic.Bool tracking from local vars to Conn struct fields

Aligns with quic-go v0.59.0 breaking changes (#5508, #5509, #5512, #5521, #5533).
Fixes imroc#482.

Reviewed PR imroc#485 by DAcodedBEAT, verified modified-code compatibility.
…on cross-domain redirect

Fixes imroc#489. Go's net/http only strips standard sensitive headers
(Authorization, Cookie, Proxy-Authorization) on cross-domain redirects.
Custom auth headers set via SetCommonHeader (e.g. X-API-Key, X-Auth-Token)
were forwarded to redirect targets, leading to credential leakage (CWE-200).

Added SensitiveHeadersRedirectPolicy that strips specified headers when
redirecting to a different domain.
- frames.go: remove unknownFrameHandler/errHijacked, add frameHeaderLen const
- body.go: replace Hijacker interface with Settingser interface
- headers.go: rename processTrailers to extractAnnouncedTrailers, return http.Header
- request_writer.go: add trailer support in writeHeaders (preserves dump customization)

Aligns with quic-go v0.59.0 http3 changes (#5508, #5507).
- frames_test.go: test frame parsing (reserved/unknown types, EOF),
  frame append, settings/goaway round-trip
- headers_test.go: test extractAnnouncedTrailers with various inputs
- transport_test.go: test Transport init, datagram mismatch, RawClientConn
  type check, and QUIC integration test (skipped in short mode)
- dump_test.go: test Dumper sync/async, clone, response body wrapping,
  request body wrapping, context-based dumper retrieval

All tests pass without requiring HTTP/3 network access.
- Add Inner Loop vs Outer Loop distinction (ReAct as inner, orchestration as outer)
- Document adversarial verification principle (code-reviewer as independent evaluator)
- Add cognitive surrender risk section with mitigations
- Add turn limits and English commits to new-loop checklist
For environments where CodeBuddy API is only reachable from internal
network (e.g. TKE private deployment), GitHub Actions cannot call the
API directly. This webhook server runs locally, receives GitHub webhook
events, and triggers codebuddy -p commands to execute loops.

- Listens on configurable port (default 7777)
- Verifies GitHub HMAC signature
- Handles: issues (opened), pull_request (opened/synchronize),
  workflow_run (CI failure)
- Runs codebuddy in background threads with 10min timeout
- Logs to /tmp/loop-webhook-logs/

Usage: python3 .codebuddy/scripts/loop-webhook.py 7777 <webhook-secret>
Since CodeBuddy API is only reachable from internal network (TKE),
GitHub Actions workflows are gated behind CODEBUDDY_ENABLED repo variable
(default: off). Loops now run locally via CodeBuddy's built-in cron.

Added slash commands:
- /start-loops: create all 5 maintenance cron jobs in current session
- /stop-loops: delete all cron jobs
- /loop-status: show loop status and last run results

Usage: open a codebuddy session in the req project, run /start-loops,
and all loops will run on schedule while the session is alive.
Replaces session-bound /loop with system cron + codebuddy -p (headless).
Each run is a fresh session that reads STATE.md, executes, writes back.

Benefits over /loop:
- No 3-day expiration — runs permanently
- No need to keep a session open
- Each run is isolated (fresh context, no drift)

Schedule (daily, Beijing time, staggered):
  01:00  upstream-sync
  02:00  dependency-upgrade
  03:00  ci-fix
  04:00  issue-triage
  05:00  pr-review

Usage: .codebuddy/scripts/install-cron.sh
Remove: .codebuddy/scripts/install-cron.sh --remove
- Rewrite loop-engineering.md with all 3 execution modes:
  1. System cron + headless (primary, for TKE internal API)
  2. GitHub Actions (optional, gated by CODEBUDDY_ENABLED var)
  3. Interactive session (ad-hoc)
- Add install/trigger/log/uninstall instructions
- Update daily schedule table (01:00-05:00 Beijing time)
- Update CODEBUDDY.md maintenance section with cron usage
- Update 'how to add a new loop' checklist for cron-based flow
- Use <repo-root> placeholder instead of absolute paths
- Use $LOOP_LOG_DIR env var instead of hardcoded /tmp/loop-logs
- Scripts use BASH_SOURCE to resolve paths dynamically
- Remove unused loop-webhook.py (replaced by cron approach)
New tests (10 files, 0% -> covered):
- internal/header: IsExcluded, SortKeyValues, constants
- internal/util: IsJSONType, CutString/Bytes, BasicAuth, GetPointer, CreateDirectory
- internal/netutil: AuthorityAddr, AuthorityHostPort, AuthorityKey
- internal/transport: Options.Clone with TLS config
- pkg/altsvc: AltSvcJar set/get/expire/not-found
- http2 root: PriorityParam, SettingID, Setting, PriorityFrame
- internal/compress: GzipReader, DeflateReader, NewCompressReader
- internal/http2/flow: inflow init/take/add, outflow available/take/add
- internal/http2/frame: FrameType, Flags, Framer round-trip (Data, Settings, Ping, WindowUpdate, GoAway)

Test gate:
- pre-push-check.sh: runs go build + vet + test before push
- test-gate skill: full test suite runner for agents
- ci-fixer and dependency-upgrader now load test-gate skill
- git pre-push hook installed

Overall coverage: 31.4% -> 34.6%
Zero-coverage packages: 8 -> 2 (godebug/godebugs only)
Closes imroc#471. Closes PR imroc#472 by @fan-tastic-z.

Chrome's actual accept header includes application/json, which is useful
when impersonating Chrome for API requests that expect JSON responses.
Closes imroc#415. Closes PR imroc#486 by @kaylee595.

Changes cookiejarFactory return type from *cookiejar.Jar to http.CookieJar
interface, allowing users to provide custom cookie jar implementations
instead of being restricted to the standard library's cookiejar.Jar.
Closes PR imroc#491 by @0xuLiang.

When RoundTripOnlyCachedConn returns a GOAWAY error (errClientConnGotGoAway)
or other retryable error, fall through to create a new connection instead
of returning the error directly.

Export canRetryError as CanRetryError in internal/http2 so the modified
transport.go can check retryability.
Addresses imroc#459. utls v1.8.2 is a security update from v1.8.1.
Ensures cron daemon is running and crontab is installed after container
or host restart. Covers three startup scenarios:
1. Manual: run start-loops.sh after restart
2. Semi-auto: add to ~/.bashrc for start on login
3. Full-auto: add to container entrypoint

Updated loop-engineering.md with container restart instructions.
Headless mode (codebuddy -p) does not auto-load sub-agents. Rewrote
prompts to describe tasks directly instead of referencing agent names.
Removed --allowedTools restriction (use -y for all permissions).

Verified: issue-triage loop ran successfully, triaged 10 issues,
created 4 labels, posted 3 comments, updated STATE.md.
- run-loop.sh all: runs upstream-sync -> dependency-upgrade -> ci-fix
  -> issue-triage -> pr-review sequentially with 10s pause between
- install-cron.sh: simplified to single cron entry at 01:00
- One loop failure does not block subsequent loops
Closes PR imroc#465 by @prasad83.

Unmarshal now checks IsErrorState() before attempting to deserialize.
Previously, a 4xx/5xx response body would be deserialized into the
target struct, which is rarely the intended behavior.
Closes PR imroc#477 and imroc#478 by @Shinku-Chen.

Adds SetTLSFingerprintSpec method that accepts a *utls.ClientHelloSpec,
enabling fine-grained TLS fingerprint customization for JA3/JA4 support.
Refactors setTLSFingerprint with an optional uTLSConnApply callback.

Does not include CycleTLS dependency from PR imroc#478 — users can parse JA3
strings themselves and construct ClientHelloSpec directly.
Two issues fixed:

1. cron PATH: cron daemon uses minimal PATH (/usr/sbin:/usr/bin:...)
   which doesn't include codebuddy at /home/linuxbrew/.linuxbrew/bin.
   run-loop.sh now exports full PATH at the top.

2. Persistent crontab: crontab is now written to
   /root/.local/share/loop-crontab (persistent path).
   rc.local loads it on container boot.
   install-cron.sh writes to both persistent file and live crontab.
   start-loops.sh loads from persistent file on startup.
Replace all hardcoded /root paths with $HOME so scripts are portable
across different environments and don't leak local path info.
@danielboros danielboros requested a review from mrandronov July 1, 2026 15:07
@danielboros danielboros merged commit 52d0030 into bnn-req Jul 1, 2026
1 check passed
@danielboros danielboros deleted the sync-v3.58.0 branch July 1, 2026 15:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants