fix: escape newlines in CopyButton JS string

Valid finding from PR review: copy button's JS string could break on values with newlines. Added \n and \r escaping. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
feat: add CopyButton component and copy-to-clipboard across dashboard
2026-03-30 15:03:27 +02:00 · 2026-03-30 14:59:38 +02:00 · 2026-03-30 14:52:44 +02:00 · 2026-03-30 14:14:55 +02:00
14 changed files with 80 additions and 162 deletions
@@ -1,10 +0,0 @@
 [advisories]
 ignore = [
    # hickory-proto 0.25.x pulled in transitively via mongodb → hickory-resolver.
    # MongoDB 3.x has not yet released with hickory-resolver 0.26.x, so we cannot
    # upgrade past this without a mongodb release. Both are DNS-layer DoS vectors
    # requiring a MITM/controlled DNS server against MongoDB's hostname resolution —
    # not a realistic attack surface here. Revisit when mongodb bumps hickory.
    "RUSTSEC-2026-0118", # NSEC3 loop, no fix available upstream
    "RUSTSEC-2026-0119", # O(n²) name compression, fixed in hickory-proto >=0.26.1
 ]
@@ -145,20 +145,13 @@ jobs:
    needs: [detect-changes]
    if: needs.detect-changes.outputs.agent == 'true'
    container:
-      image: docker:27-cli
+      image: alpine:latest
    steps:
-      - name: Build, push and trigger orca redeploy
+      - name: Trigger Coolify deploy
        run: |
-          apk add --no-cache git curl openssl
+          apk add --no-cache curl
-          git init && git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
+          curl -sf "${{ secrets.COOLIFY_WEBHOOK_AGENT }}" \
-          git fetch --depth=1 origin "${GITHUB_SHA}" && git checkout FETCH_HEAD
+            -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"
          IMAGE=registry.meghsakha.com/compliance-agent
          echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login registry.meghsakha.com -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
          docker build -f Dockerfile.agent -t "$IMAGE:latest" -t "$IMAGE:${GITHUB_SHA}" .
          docker push "$IMAGE:latest" && docker push "$IMAGE:${GITHUB_SHA}"
          PAYLOAD=$(printf '{"ref":"refs/heads/main","repository":{"full_name":"sharang/compliance-scanner-agent"},"head_commit":{"id":"%s","message":"deploy agent"}}' "${GITHUB_SHA}")
          SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "${{ secrets.ORCA_WEBHOOK_SECRET }}" | awk '{print $2}')
          RESP=$(curl -fsS -w "\nHTTP %{http_code}" -X POST "http://46.225.100.82:6880/api/v1/webhooks/github" -H "Content-Type: application/json" -H "X-Hub-Signature-256: sha256=$SIG" -d "$PAYLOAD"); echo "$RESP"
  deploy-dashboard:
    name: Deploy Dashboard
@@ -166,20 +159,13 @@ jobs:
    needs: [detect-changes]
    if: needs.detect-changes.outputs.dashboard == 'true'
    container:
-      image: docker:27-cli
+      image: alpine:latest
    steps:
-      - name: Build, push and trigger orca redeploy
+      - name: Trigger Coolify deploy
        run: |
-          apk add --no-cache git curl openssl
+          apk add --no-cache curl
-          git init && git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
+          curl -sf "${{ secrets.COOLIFY_WEBHOOK_DASHBOARD }}" \
-          git fetch --depth=1 origin "${GITHUB_SHA}" && git checkout FETCH_HEAD
+            -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"
          IMAGE=registry.meghsakha.com/compliance-dashboard
          echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login registry.meghsakha.com -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
          docker build -f Dockerfile.dashboard -t "$IMAGE:latest" -t "$IMAGE:${GITHUB_SHA}" .
          docker push "$IMAGE:latest" && docker push "$IMAGE:${GITHUB_SHA}"
          PAYLOAD=$(printf '{"ref":"refs/heads/main","repository":{"full_name":"sharang/compliance-scanner-agent"},"head_commit":{"id":"%s","message":"deploy dashboard"}}' "${GITHUB_SHA}")
          SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "${{ secrets.ORCA_WEBHOOK_SECRET }}" | awk '{print $2}')
          RESP=$(curl -fsS -w "\nHTTP %{http_code}" -X POST "http://46.225.100.82:6880/api/v1/webhooks/github" -H "Content-Type: application/json" -H "X-Hub-Signature-256: sha256=$SIG" -d "$PAYLOAD"); echo "$RESP"
  deploy-docs:
    name: Deploy Docs
@@ -187,20 +173,13 @@ jobs:
    needs: [detect-changes]
    if: needs.detect-changes.outputs.docs == 'true'
    container:
-      image: docker:27-cli
+      image: alpine:latest
    steps:
-      - name: Build, push and trigger orca redeploy
+      - name: Trigger Coolify deploy
        run: |
-          apk add --no-cache git curl openssl
+          apk add --no-cache curl
-          git init && git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
+          curl -sf "${{ secrets.COOLIFY_WEBHOOK_DOCS }}" \
-          git fetch --depth=1 origin "${GITHUB_SHA}" && git checkout FETCH_HEAD
+            -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"
          IMAGE=registry.meghsakha.com/compliance-docs
          echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login registry.meghsakha.com -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
          docker build -f Dockerfile.docs -t "$IMAGE:latest" -t "$IMAGE:${GITHUB_SHA}" .
          docker push "$IMAGE:latest" && docker push "$IMAGE:${GITHUB_SHA}"
          PAYLOAD=$(printf '{"ref":"refs/heads/main","repository":{"full_name":"sharang/compliance-scanner-agent"},"head_commit":{"id":"%s","message":"deploy docs"}}' "${GITHUB_SHA}")
          SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "${{ secrets.ORCA_WEBHOOK_SECRET }}" | awk '{print $2}')
          RESP=$(curl -fsS -w "\nHTTP %{http_code}" -X POST "http://46.225.100.82:6880/api/v1/webhooks/github" -H "Content-Type: application/json" -H "X-Hub-Signature-256: sha256=$SIG" -d "$PAYLOAD"); echo "$RESP"
  deploy-mcp:
    name: Deploy MCP
@@ -208,17 +187,10 @@ jobs:
    needs: [detect-changes]
    if: needs.detect-changes.outputs.mcp == 'true'
    container:
-      image: docker:27-cli
+      image: alpine:latest
    steps:
-      - name: Build, push and trigger orca redeploy
+      - name: Trigger Coolify deploy
        run: |
-          apk add --no-cache git curl openssl
+          apk add --no-cache curl
-          git init && git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
+          curl -sf "${{ secrets.COOLIFY_WEBHOOK_MCP }}" \
-          git fetch --depth=1 origin "${GITHUB_SHA}" && git checkout FETCH_HEAD
+            -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"
          IMAGE=registry.meghsakha.com/compliance-mcp
          echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login registry.meghsakha.com -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
          docker build -f Dockerfile.mcp -t "$IMAGE:latest" -t "$IMAGE:${GITHUB_SHA}" .
          docker push "$IMAGE:latest" && docker push "$IMAGE:${GITHUB_SHA}"
          PAYLOAD=$(printf '{"ref":"refs/heads/main","repository":{"full_name":"sharang/compliance-scanner-agent"},"head_commit":{"id":"%s","message":"deploy mcp"}}' "${GITHUB_SHA}")
          SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "${{ secrets.ORCA_WEBHOOK_SECRET }}" | awk '{print $2}')
          RESP=$(curl -fsS -w "\nHTTP %{http_code}" -X POST "http://46.225.100.82:6880/api/v1/webhooks/github" -H "Content-Type: application/json" -H "X-Hub-Signature-256: sha256=$SIG" -d "$PAYLOAD"); echo "$RESP"
@@ -3524,9 +3524,9 @@ checksum = "224484c5d09285a7b8cb0a0c117e847ebd14cb6e4470ecf68cdb89c503b0edb9"
 [[package]]
 name = "mongodb"
-version = "3.6.0"
+version = "3.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1ef2c933617431ad0246fb5b43c425ebdae18c7f7259c87de0726d93b0e7e91b"
+checksum = "803dd859e8afa084c255a8effd8000ff86f7c8076a50cd6d8c99e8f3496f75c2"
 dependencies = [
 "base64",
 "bitflags",
@@ -3570,9 +3570,9 @@ dependencies = [
 [[package]]
 name = "mongodb-internal-macros"
-version = "3.6.0"
+version = "3.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9e5758dc828eb2d02ec30563cba365609d56ddd833190b192beaee2b475a7bb3"
+checksum = "a973ef3dd3dbc6f6e65bbdecfd9ec5e781b9e7493b0f369a7c62e35d8e5ae2c8"
 dependencies = [
 "macro_magic",
 "proc-macro2",
@@ -4699,9 +4699,9 @@ dependencies = [
 [[package]]
 name = "rustls-webpki"
-version = "0.103.13"
+version = "0.103.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "61c429a8649f110dddef65e2a5ad240f747e85f7758a6bccc7e5777bd33f756e"
+checksum = "df33b2b81ac578cabaf06b89b0631153a3f416b0a886e8a7a1707fb51abbd1ef"
 dependencies = [
 "ring",
 "rustls-pki-types",
@@ -44,4 +44,3 @@ RUN mkdir -p /data/compliance-scanner/ssh
 EXPOSE 3001 3002
 ENTRYPOINT ["compliance-agent"]
@@ -20,4 +20,3 @@ ENV IP=0.0.0.0
 EXPOSE 8080
 ENTRYPOINT ["./compliance-dashboard"]
@@ -12,4 +12,3 @@ RUN rm /etc/nginx/conf.d/default.conf
 COPY docs/nginx.conf /etc/nginx/conf.d/default.conf
 COPY --from=builder /app/.vitepress/dist /usr/share/nginx/html
 EXPOSE 80
@@ -14,4 +14,3 @@ EXPOSE 8090
 ENV MCP_PORT=8090
 ENTRYPOINT ["compliance-mcp"]
@@ -35,16 +35,11 @@ impl ComplianceAgent {
            config.litellm_model.clone(),
            config.litellm_embed_model.clone(),
        ));
        let http = reqwest::Client::builder()
            .timeout(std::time::Duration::from_secs(30))
            .connect_timeout(std::time::Duration::from_secs(10))
            .build()
            .unwrap_or_default();
        Self {
            config,
            db,
            llm,
-            http,
+            http: reqwest::Client::new(),
            session_streams: Arc::new(DashMap::new()),
            session_pause: Arc::new(DashMap::new()),
            session_semaphore: Arc::new(Semaphore::new(DEFAULT_MAX_CONCURRENT_SESSIONS)),
@@ -4,7 +4,7 @@ use compliance_agent::{agent, api, config, database, scheduler, ssh, webhooks};
 async fn main() -> Result<(), Box<dyn std::error::Error>> {
    match dotenvy::dotenv() {
        Ok(path) => eprintln!("[dotenv] Loaded from: {}", path.display()),
-        Err(_) => eprintln!("[dotenv] No .env file found, using environment variables"),
+        Err(e) => eprintln!("[dotenv] FAILED: {e}"),
    }
    let _telemetry_guard = compliance_core::telemetry::init_telemetry("compliance-agent");
@@ -19,9 +19,7 @@ impl Scanner for GitleaksScanner {
    #[tracing::instrument(skip_all)]
    async fn scan(&self, repo_path: &Path, repo_id: &str) -> Result<ScanOutput, CoreError> {
-        let output = tokio::time::timeout(
+        let output = tokio::process::Command::new("gitleaks")
            std::time::Duration::from_secs(300),
            tokio::process::Command::new("gitleaks")
            .args([
                "detect",
                "--source",
@@ -35,13 +33,8 @@ impl Scanner for GitleaksScanner {
                "0",
            ])
            .current_dir(repo_path)
-                .output(),
+            .output()
        )
            .await
        .map_err(|_| CoreError::Scanner {
            scanner: "gitleaks".to_string(),
            source: "timed out after 5 minutes".into(),
        })?
            .map_err(|e| CoreError::Scanner {
                scanner: "gitleaks".to_string(),
                source: Box::new(e),
@@ -174,26 +174,19 @@ impl PipelineOrchestrator {
                k.expose_secret().to_string()
            }),
        );
-        let cve_alerts = match tokio::time::timeout(
+        let cve_alerts = match async {
            std::time::Duration::from_secs(600),
            async {
            cve_scanner
                .scan_dependencies(&repo_id, &mut sbom_entries)
                .await
        }
-            .instrument(tracing::info_span!("stage_cve_scanning")),
+        .instrument(tracing::info_span!("stage_cve_scanning"))
        )
        .await
        {
-            Ok(Ok(alerts)) => alerts,
+            Ok(alerts) => alerts,
-            Ok(Err(e)) => {
+            Err(e) => {
                tracing::warn!("[{repo_id}] CVE scanning failed: {e}");
                Vec::new()
            }
            Err(_) => {
                tracing::warn!("[{repo_id}] CVE scanning timed out after 10 minutes");
                Vec::new()
            }
        };
        // Stage 4: Pattern Scanning (GDPR + OAuth)
@@ -5,22 +5,16 @@ use compliance_core::CoreError;
 #[tracing::instrument(skip_all, fields(repo_id = %repo_id))]
 pub(super) async fn run_syft(repo_path: &Path, repo_id: &str) -> Result<Vec<SbomEntry>, CoreError> {
-    let output = tokio::time::timeout(
+    let output = tokio::process::Command::new("syft")
        std::time::Duration::from_secs(300),
        tokio::process::Command::new("syft")
        .arg(repo_path)
        .args(["-o", "cyclonedx-json"])
        // Enable remote license lookups for all ecosystems
        .env("SYFT_GOLANG_SEARCH_REMOTE_LICENSES", "true")
        .env("SYFT_JAVASCRIPT_SEARCH_REMOTE_LICENSES", "true")
        .env("SYFT_PYTHON_SEARCH_REMOTE_LICENSES", "true")
        .env("SYFT_JAVA_USE_NETWORK", "true")
-            .output(),
+        .output()
    )
        .await
    .map_err(|_| CoreError::Scanner {
        scanner: "syft".to_string(),
        source: "timed out after 5 minutes".into(),
    })?
        .map_err(|e| CoreError::Scanner {
            scanner: "syft".to_string(),
            source: Box::new(e),
@@ -19,26 +19,11 @@ impl Scanner for SemgrepScanner {
    #[tracing::instrument(skip_all)]
    async fn scan(&self, repo_path: &Path, repo_id: &str) -> Result<ScanOutput, CoreError> {
-        let output = tokio::time::timeout(
+        let output = tokio::process::Command::new("semgrep")
-            std::time::Duration::from_secs(600),
+            .args(["--config=auto", "--json", "--quiet"])
            tokio::process::Command::new("semgrep")
                .args([
                    "--config=auto",
                    "--json",
                    "--quiet",
                    "--max-memory",
                    "500",
                    "--jobs",
                    "1",
                ])
            .arg(repo_path)
-                .output(),
+            .output()
        )
            .await
        .map_err(|_| CoreError::Scanner {
            scanner: "semgrep".to_string(),
            source: "timed out after 10 minutes".into(),
        })?
            .map_err(|e| CoreError::Scanner {
                scanner: "semgrep".to_string(),
                source: Box::new(e),
@@ -32,7 +32,7 @@ pub fn AppShell() -> Element {
            // Not authenticated — redirect to Keycloak login
            rsx! {
                document::Script {
-                    "window.location.href = '/auth';"
+                    dangerous_inner_html: "window.location.href = '/auth';"
                }
            }
        }
Author	SHA1	Message	Date
Sharang Parnerkar	8abfec3303	fix: escape newlines in CopyButton JS string CI / Check (pull_request) Successful in 9m38s Details CI / Detect Changes (pull_request) Has been skipped Details CI / Deploy Agent (pull_request) Has been skipped Details CI / Deploy Dashboard (pull_request) Has been skipped Details CI / Deploy Docs (pull_request) Has been skipped Details CI / Deploy MCP (pull_request) Has been skipped Details Valid finding from PR review: copy button's JS string could break on values with newlines. Added \n and \r escaping. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-30 15:03:27 +02:00
Sharang Parnerkar	2534c03e3b	feat: add CopyButton component and copy-to-clipboard across dashboard CI / Detect Changes (pull_request) Has been cancelled Details CI / Deploy Agent (pull_request) Has been cancelled Details CI / Deploy Dashboard (pull_request) Has been cancelled Details CI / Deploy Docs (pull_request) Has been cancelled Details CI / Deploy MCP (pull_request) Has been cancelled Details CI / Check (pull_request) Has been cancelled Details New reusable CopyButton component with checkmark feedback after copy. Added copy buttons to: - SSH public key display (add repo modal) - Webhook URL field (edit repo modal) - Webhook secret field (edit repo modal) - Code snippets in finding detail (via enhanced CodeSnippet component) - Suggested fix code blocks - MCP server endpoint URLs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-30 14:59:38 +02:00
Sharang Parnerkar	0e53072782	feat: add security response headers (HSTS, X-Frame-Options, nosniff, referrer) CI / Check (pull_request) Successful in 9m48s Details CI / Detect Changes (pull_request) Has been skipped Details CI / Deploy Agent (pull_request) Has been cancelled Details CI / Deploy Dashboard (pull_request) Has been cancelled Details CI / Deploy Docs (pull_request) Has been cancelled Details CI / Deploy MCP (pull_request) Has been cancelled Details Defense-in-depth headers added via tower-http SetResponseHeaderLayer: - Strict-Transport-Security: max-age=31536000; includeSubDomains - X-Frame-Options: DENY - X-Content-Type-Options: nosniff - Referrer-Policy: strict-origin-when-cross-origin Primary enforcement should still be at the Traefik/reverse proxy level. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-30 14:52:44 +02:00
Sharang Parnerkar	fabd397478	fix: create CVE notifications during scan, fix help chat doc loading CI / Check (pull_request) Successful in 10m4s Details CI / Detect Changes (pull_request) Has been skipped Details CI / Deploy Agent (pull_request) Has been skipped Details CI / Deploy Dashboard (pull_request) Has been skipped Details CI / Deploy Docs (pull_request) Has been skipped Details CI / Deploy MCP (pull_request) Has been skipped Details Bug fixes: 1. CVE notifications now created during scan pipeline (not just hourly) - Previously, notifications were only created by the scheduled monitor_cves job. Users with 4 CVE alerts saw 0 notifications. - Now the scan pipeline (Stage 3) creates notifications immediately when CVE alerts are discovered, with the same dedup logic. 2. Help chat doc context loading fixed for Docker/production - Added HELP_DOCS_PATH env var for explicit doc root configuration - Added fallback chain: env var → binary location → cwd → Docker paths - Dockerfile.agent now copies README.md and docs/ into /app and sets HELP_DOCS_PATH=/app so the help chat has doc context in production Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-30 14:14:55 +02:00
`@@ -44,4 +44,3 @@ RUN mkdir -p /data/compliance-scanner/ssh`
	`EXPOSE 3001 3002`	`EXPOSE 3001 3002`

	`ENTRYPOINT ["compliance-agent"]`	`ENTRYPOINT ["compliance-agent"]`
`@@ -20,4 +20,3 @@ ENV IP=0.0.0.0`
	`EXPOSE 8080`	`EXPOSE 8080`

	`ENTRYPOINT ["./compliance-dashboard"]`	`ENTRYPOINT ["./compliance-dashboard"]`
`@@ -14,4 +14,3 @@ EXPOSE 8090`
	`ENV MCP_PORT=8090`	`ENV MCP_PORT=8090`

	`ENTRYPOINT ["compliance-mcp"]`	`ENTRYPOINT ["compliance-mcp"]`