Skip to content

Review SCM files and security updates #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
hyperpolymath merged 1 commit into from
Dec 17, 2025
Merged

Review SCM files and security updates #3

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 31 additions & 8 deletions STATE.scm
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,20 +3,43 @@
;; SPDX-FileCopyrightText: 2025 Jonathan D.A. Jewell

(define metadata
'((version . "0.1.0") (updated . "2025-12-15") (project . "universal-language-server-plugin")))
'((version . "0.1.0") (updated . "2025-12-17") (project . "universal-language-server-plugin")))

(define current-position
'((phase . "v0.1 - Initial Setup")
(overall-completion . 25)
(components ((rsr-compliance ((status . "complete") (completion . 100)))))))
'((phase . "v0.1 - Security Hardening")
(overall-completion . 35)
(components
((rsr-compliance ((status . "complete") (completion . 100)))
(containerfile ((status . "fixed") (completion . 100)))
(flake-nix ((status . "fixed") (completion . 100)))
(ci-security ((status . "in-progress") (completion . 70)))
(client-migration ((status . "pending") (completion . 0)))))))

(define blockers-and-issues '((critical ()) (high-priority ())))
(define blockers-and-issues
'((critical ())
(high-priority
(("SHA-pin CI workflow actions" . "security")
("Convert VS Code client to ReScript" . "rsr-policy")
("Convert Sublime client to ReScript" . "rsr-policy")))))

(define critical-next-actions
'((immediate (("Verify CI/CD" . high))) (this-week (("Expand tests" . medium)))))
'((immediate
(("SHA-pin GitHub Actions" . high)
("Add security.txt" . medium)))
(this-week
(("Client ReScript migration" . high)
("Expand test coverage" . medium)
("Add cargo-audit to CI" . medium)))))

(define session-history
'((snapshots ((date . "2025-12-15") (session . "initial") (notes . "SCM files added")))))
'((snapshots
((date . "2025-12-15") (session . "initial") (notes . "SCM files added"))
((date . "2025-12-17") (session . "security-review")
(notes . "Fixed Containerfile (mixed pkg mgr, wrong base), flake.nix (license, docker refs)")))))

(define state-summary
'((project . "universal-language-server-plugin") (completion . 25) (blockers . 0) (updated . "2025-12-15")))
'((project . "universal-language-server-plugin")
(completion . 35)
(blockers . 0)
(high-priority-issues . 3)
(updated . "2025-12-17")))
38 changes: 20 additions & 18 deletions deployment/Containerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,16 +1,18 @@
# Universal Language Connector - Dockerfile
# Universal Language Connector - Containerfile
# Multi-stage build for optimal image size
# SPDX-License-Identifier: MIT OR AGPL-3.0-or-later

# Build stage
FROM rust:1.75-slim as builder
# Build stage - use rust:alpine for musl-based static binary
FROM rust:1.83-alpine AS builder

WORKDIR /build

# Install build dependencies
RUN apt-get update && apk add --no-cache -y \
pkg-config \
libssl-dev \
&& rm -rf /var/lib/apt/lists/*
# Install build dependencies (Alpine uses apk)
RUN apk add --no-cache \
musl-dev \
pkgconfig \
openssl-dev \
openssl-libs-static

# Copy manifests
COPY server/Cargo.toml server/Cargo.lock ./
Expand All @@ -24,37 +26,37 @@ RUN mkdir src && \
# Copy source code
COPY server/src ./src

# Build for release
# Build for release with static linking
RUN cargo build --release --bin universal-connector-server

# Runtime stage
FROM cgr.dev/chainguard/wolfi-base:bookworm-slim
# Runtime stage - use wolfi distroless for security
FROM cgr.dev/chainguard/wolfi-base:latest

WORKDIR /app

# Install runtime dependencies
RUN apt-get update && apk add --no-cache -y \
# Install minimal runtime dependencies (wolfi uses apk)
RUN apk add --no-cache \
ca-certificates \
&& rm -rf /var/lib/apt/lists/*
wget

# Copy binary from builder
COPY --from=builder /build/target/release/universal-connector-server /usr/local/bin/

# Copy web UI (optional, for serving static files)
COPY web /app/web

# Create non-root user
RUN useradd -m -u 1000 connector && \
# Create non-root user (wolfi uses adduser)
RUN adduser -D -u 1000 connector && \
chown -R connector:connector /app

USER connector

# Expose ports
EXPOSE 8080 8081

# Health check
# Health check using wget (lighter than curl)
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
CMD ["sh", "-c", "curl -f http://localhost:8080/api/health || exit 1"]
CMD ["sh", "-c", "wget -q --spider http://localhost:8080/api/health || exit 1"]

# Run server
CMD ["universal-connector-server"]
8 changes: 4 additions & 4 deletions flake.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,8 +83,8 @@

meta = with pkgs.lib; {
description = "LSP-based universal plugin architecture for document conversion";
homepage = "https://github.com/universal-connector/universal-language-connector";
license = with licenses; [ mit ];
homepage = "https://github.com/hyperpolymath/universal-language-server-plugin";
license = with licenses; [ mit agpl3Plus ];
maintainers = [ ];
mainProgram = "universal-connector-server";
};
Expand All @@ -107,8 +107,8 @@
rust-analyzer
just
nodejs_20
docker
docker-compose
podman
podman-compose
];

shellHook = ''
Expand Down
Loading