-
Notifications
You must be signed in to change notification settings - Fork 2
chore: release prep — repo move, docs, coderabbit #81
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
Show all changes
11 commits
Select commit
Hold shift + click to select a range
aa444a7
chore: simplify env vars to empty-value shorthand
robbycochran f715e61
docs: reorder README — coding agent first, trim getting-results section
robbycochran 772337d
docs: mention openshell term for policy management
robbycochran ff0555c
docs: add future work section
robbycochran 28c0951
Clarify harness commands and OpenShell features
robbycochran 0da7162
fix: typos in README
robbycochran 2c305d6
docs: richer agent YAML examples with real default config
robbycochran d2152f9
chore: move module path to github.com/stackrox/harness-openshell
robbycochran edbd596
chore: add coderabbit review config
robbycochran 9c3ac5a
chore: enrich coderabbit config with project knowledge
robbycochran 64aa9dc
docs: add openshell plugin to future work
robbycochran File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,93 @@ | ||
| language: en-US | ||
| reviews: | ||
| profile: chill | ||
| request_changes_workflow: false | ||
| high_level_summary: true | ||
| poem: false | ||
| review_status: true | ||
| collapse_walkthrough: false | ||
| knowledge_base: | ||
| learnings: | ||
| scope: auto | ||
| issues: | ||
| scope: auto | ||
| jira: | ||
| project_keys: [] | ||
| linear: | ||
| team_keys: [] | ||
| path_instructions: | ||
| - path: "**/*.go" | ||
| instructions: | | ||
| This is a Go CLI ("harness") that wraps the OpenShell CLI to deploy | ||
| AI agent sandboxes. The harness orchestrates gateway deployment, | ||
| provider registration, payload upload, and sandbox creation. | ||
|
|
||
| Key architecture: | ||
| - cmd/executor.go: main apply flow (upLocal) | ||
| - cmd/providers.go: provider registration (registerStandard, registerADC, registerGWS) | ||
| - cmd/resolve.go: config resolution, base_agent merging, gateway auto-discovery | ||
| - internal/agent/agent.go: AgentConfig parsing, MergeOver, BuildEnvMap, RenderPayload | ||
| - internal/gateway/: Gateway interface + CLI implementation (shells out to openshell) | ||
|
|
||
| Review focus: | ||
| - Correct error handling (wrap with context, don't swallow) | ||
| - CLI argument construction (exec.Command, not shell) | ||
| - Credential handling (never log secrets, never pass via CLI args if avoidable) | ||
| - Gateway interface usage (code should go through the Gateway interface, not call openshell directly) | ||
| - base_agent merge semantics (overlay wins for scalars, additive for providers/env) | ||
| - repo clone (happens outside sandbox, git creds never enter unless needed) | ||
| - path: "SPEC.md" | ||
| instructions: | | ||
| This is the authoritative behavior spec for the harness CLI. | ||
| All field names, command behavior, and config semantics must | ||
| match the Go implementation. Flag changes in code that aren't | ||
| reflected here, or spec claims that don't match the code. | ||
| - path: "AGENTS.md" | ||
| instructions: | | ||
| Contributor guide. Check that coding conventions, test | ||
| instructions, and upstream references are current. | ||
| - path: "profiles/agent-*.yaml" | ||
| instructions: | | ||
| Agent config files. These define what runs in a sandbox. | ||
| Key fields: name, base_agent, entrypoint, repo, repo_ref, | ||
| providers (with profile refs and env overrides), env, payloads, | ||
| task, gateway, policy, image. Empty env values read from host | ||
| environment. Check consistency with SPEC.md field definitions. | ||
| - path: "profiles/providers/**" | ||
| instructions: | | ||
| OpenShell provider profile YAMLs imported to the gateway. | ||
| These define credential discovery (env_vars), auth style | ||
| (bearer/basic), refresh strategies (oauth2-refresh-token), | ||
| L7 network policy endpoints, and binary allowlists. | ||
| Check that credential env_vars match what cmd/providers.go expects. | ||
| Check that endpoint hosts and ports are correct for the service. | ||
| - path: "profiles/gateways/**" | ||
| instructions: | | ||
| Gateway deployment profiles. Current targets: | ||
| - local-container.yaml (Podman, type: local) | ||
| - helm.yaml (kind cluster, type: remote, service: nodeport) | ||
| - openshift.yaml (OCP, type: remote, service: route) | ||
| New gateways are auto-discovered by scanning this directory. | ||
| - path: "profiles/images/sandbox-default/**" | ||
| instructions: | | ||
| Sandbox image files: Dockerfile, CLAUDE.md (agent instructions), | ||
| claude.json/settings.json (Claude Code config), mcp.json (MCP | ||
| server config for Jira/Confluence), opencode.json, policy.yaml | ||
| (L7 network policy with per-provider endpoint rules). | ||
| These are the defaults — overridable via payloads in agent configs. | ||
| - path: "test/**" | ||
| instructions: | | ||
| Integration test scripts. Gateway names must match current | ||
| naming (local-container, helm, openshift). test-flow.sh is | ||
| the primary e2e test. kind-lifecycle.sh creates its own cluster. | ||
| Check that test assertions match current CLI output format. | ||
| - path: ".github/workflows/**" | ||
| instructions: | | ||
| CI workflows. images.yml pushes to quay.io/rcochran/openshell | ||
| using REGISTRY_QUAY_USER/REGISTRY_QUAY_PASSWORD secrets. | ||
| integration.yml runs test-local (Dockerfile path for image), | ||
| test-kind (Docker build + kind load), and config suite. | ||
| The local job uses HARNESS_OS_IMAGE=profiles/images/sandbox-default | ||
| so openshell builds from Dockerfile directly. | ||
| chat: | ||
| auto_reply: true |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.