Introduces significant updates to streamline project management and module codebase #61

Open
ss-o wants to merge 158 commits into main from develop

@ss-o ss-o commented Jul 20, 2025

This pull request makes significant updates to project configuration, documentation, and CI/CD workflows, focusing on modernizing build processes, improving code quality automation, and cleaning up legacy files. The changes transition the project from legacy autoconf/Makefile tooling to CMake-based workflows, introduce new CI pipelines, and enhance developer guidance and code linting standards.

Build System and CI/CD Modernization:

  • Added new CMake-based CI workflow (.github/workflows/ci.yml) for building and testing on both Linux and macOS, replacing legacy shell-based workflows. This includes matrix builds, dependency installation, and parallel test execution.
  • Introduced a documentation build and deployment workflow (.github/workflows/docs.yml) using Doxygen and GitHub Pages for automated docs generation and hosting.
  • Removed old shell-based GitHub Actions workflows for Linux and macOS builds (.github/workflows/test-linux.yml, .github/workflows/test-macos.yml). [1] [2]

Project Structure and Legacy Cleanup:

  • Deleted legacy autoconf/Makefile-related files and ignore lists (.cvsignore, .distfiles, .preconfig), reflecting the move to CMake and cleaning up obsolete build artifacts. [1] [2] [3]
  • Added .gitmodules to track the vendor/zsh submodule, formalizing external dependency management.

Documentation and Developer Guidance:

  • Added comprehensive Copilot instructions (.github/copilot-instructions.md) detailing project knowledge graph usage, entity types, relations, and problem-solving workflow for contributors.
  • Removed outdated README and license files, preparing for updated documentation and licensing. (.github/README.md, .github/LICENCE) [1] [2]

Code Quality and Linting:

  • Added .trunk/configs/.clang-tidy with tailored linting rules for C code, disabling noisy or irrelevant checks and setting zsh module-specific conventions.
  • Updated .trunk/configs/.yamllint.yaml and added .trunk/configs/.prettierignore to improve YAML style and ignore build artifacts. [1] [2]

Miscellaneous Cleanup:

  • Removed unused cspell word lists and Dependabot configuration, streamlining repository settings. (.github/.cspell/project-ignored.txt, .github/.cspell/project-words.txt, .github/dependabot.yml) [1] [2] [3]

@ss-o ss-o added ci 🤖 Work that improves the continuous integration. performance 🚀 Improving performance of the project, not introducing new features. labels Jul 20, 2025
ss-o added 21 commits August 8, 2025 06:28
…idy tuned for zsh C; docs: restructure, add site + workflows; code: safer path build, size_t offsets, NOLINT for zsh style
…gnment; avoid brace expansion; keep FORCE_REBUILD commented
…nstall-system; detect Zi modules dir; copy staged zpmod.so to appropriate targets
…dle/dylib/dll); preserve filename on copy; update messages and tests
…heck (zp_icons_enabled) to avoid repeated work
… shared helpers, subcommands, docs, tests; wire CTest; improve staging
ss-o added 4 commits August 21, 2025 02:21
…st_mini.zsh adapter to run ztst-like cases via CTest labels\n- Add docs/how-to/add-ztst-adapter.md with usage and scope\n- Does not affect existing zsh+CTest harness; opt-in via label 'ztst'
…st() helper\n- Register options_mapping, param_hash_semantics, sigcount_shim, emulate_setopt_matrix as label 'ztst'\n- Preserve existing categories and timeouts
…rts -oARG and -o ARG forms; advances argv cursor\n- Used by zpmod subcommands for cleaner parsing
… Add zpmod_emoji.h usage for zwarnnam/usage strings only\n- Use zp_take_opt_with_arg for -f and -d options\n- Minor help text reformat; consistent error icons

@ss-o ss-o left a comment

Update: compaudit-cache v3 parity slice & migration

Summary
Adds cache format v3 introducing refined security parity (sticky-bit + extended owner allowances) plus automatic migration from legacy v2.

Key Changes

  • Cache file renamed: compaudit_v3.zcache (header version:3).
  • Security logic: respects sticky bit; treats world/group writable dirs as insecure unless sticky; allows root, EUID, and zsh executable owner; still flags world-writable non-sticky even if owned.
  • Executable owner discovery via /proc/self/exe (best-effort, fallback root).
  • Automatic migration: if only v2 file found, triggers rebuild to v3 and removes v2.
  • Tests added: v3 header verification, migration path; all prior compaudit-cache tests updated implicitly to expect v3.
  • Docs: roadmap annotated with v2 vs v3 milestones; new Migration section.
  • JSON schema unchanged (reasons array still dir_perms / ancestor_perms / zwc_perms); refined logic only affects which dirs become insecure + reasons composition.

Compatibility & Performance

  • Single rebuild cost on first invocation post-upgrade; afterward reuse path identical.
  • On-disk entry columns unchanged from late v2 (parent_insecure + zwc_insecure preserved); only version header & filename differ.
  • Safe fallback if /proc not accessible: exe owner defaults to 0 (root).

Risk / Mitigations

  • Potential edge case: unusual filesystems without sticky semantics—logic falls back cleanly (no extra ops beyond stat).
  • v2 unlink is best-effort; failure leaves stale file harmless.

Test Status

  • Full suite: 36/36 passing (includes new v3 + migration tests).

Follow-Ups (Not included here)

  • Symlink chain explicit lstat traversal & ancestor evaluation.
  • Group nuance parity (per-user group / Debian staff handling) mirroring upstream compaudit filters.
  • Potential additional reason codes once group nuance implemented.

Let me know if you’d like a separate CHANGELOG or release note entry drafted.

ss-o and others added 9 commits September 12, 2025 22:44
…rd source study

- Fix uninitialized variable in zp_build_source_report function
- Guard zp_build_source_report behind ZPMOD_HAVE_SOURCE_STUDY to avoid undefined symbols
- Add missing zsh internals prototypes for docker builds (dummy_eprog, lineno, pwd, etc)
- Remove conflicting PrintTableStats typedef and add arrlen proto for minimal builds
- Guard real zsh headers unless ZPMOD_ANALYSIS set
- Avoid stub type conflicts and add portable stat fallback for macOS
- Include zsh headers conditionally for preload symbols (Shfunc/addhashnode)
- Enforce gateway include policy with vendor shims and guards
…hecks

- Modify .clang-tidy to disable specific checks for improved linting
- Add skip_missing_compile_command option in trunk.yaml for better CI integration
- Introduce gen-compile-commands.sh script to ensure compile_commands.json is generated
- Remove outdated gen-compile-commands.zsh script
- Enhance check_include_order.zsh to disallow direct vendor includes and enforce include order
- Add include-order enforcement as a CTest in CMakeLists.txt

Signed-off-by: Salvydas Lukosius <ss-o@users.noreply.github.com>
…ainability

- Reorganized includes in `rehash_diff.c`, `source.c`, `source_hot.c`, `utils.c`, and `source_study_stub.c` for consistency.
- Enhanced formatting and indentation across multiple files for better code clarity.
- Added comments to clarify the purpose of certain functions and sections of code.
- Improved error handling and memory management in `rehash_diff.c` and `source_hot.c`.
- Updated function signatures and added NOLINT comments to suppress specific warnings.
- Ensured consistent use of whitespace and line breaks to enhance code readability.

Signed-off-by: Salvydas Lukosius <ss-o@users.noreply.github.com>
… order checks

Signed-off-by: Salvydas Lukosius <ss-o@users.noreply.github.com>
…alidation logic

Signed-off-by: Salvydas Lukosius <ss-o@users.noreply.github.com>
On macOS SDKs, <linux/limits.h> doesn’t exist and PATH_MAX may not be
defined depending on headers. Use standard <limits.h> and provide a
portable fallback (#61 CI failure).

- Remove linux-only include from compaudit_cache.c and bundle_build.c
- Add conservative PATH_MAX fallback (4096) after includes
- No behavior change on Linux; unblocks native-macos job
Signed-off-by: Salvydas Lukosius <ss-o@users.noreply.github.com>
fix: add missing NOLINTEND comment in bundle_build.c

Signed-off-by: Salvydas Lukosius <ss-o@users.noreply.github.com>