[codex] Complete v0.1.0 safety baseline#40
Merged
Conversation
Keep the original plan request and response under docs so the GitHub roadmap import remains auditable without leaving untracked root-level files.\n\nCo-Authored-By: Codex GPT-5 <noreply@openai.com>
Validate rendered candidate configs with the configured mihomo binary before activation. Stage remote config downloads inside the config root, atomically switch active/config.yaml, restore last-good on restart failure, and skip service restarts when config content is unchanged.\n\nVerification:\n- cargo test install_source_from_stage_replaces_source_atomically\n- cargo test restore_last_good_reverts_active_and_compat_config\n- cargo test test_candidate_validation_args_use_runtime_root_and_candidate\n- cargo fmt --all -- --check\n- cargo test --all-targets\n\nRefs #4\n\nCo-Authored-By: Codex GPT-5 <noreply@openai.com>
Default the Mihomo controller to loopback, reject unsafe non-loopback controllers without a secret or explicit env override, write sensitive config files with private modes, and redact credentials, tokens, and secrets from download and validation output.\n\nVerification:\n- cargo test test_default_controller_is_loopback\n- cargo test test_validate_config_rejects_non_loopback_controller_without_secret\n- cargo test test_write_private_file_creates_private_parent_and_file\n- cargo test test_redact_sensitive_hides_credentials_and_tokens\n- cargo fmt --all -- --check\n- cargo test --all-targets\n\nRefs #5\n\nCo-Authored-By: Codex GPT-5 <noreply@openai.com>
Set the crate version to 0.1.0 so the forthcoming v0.1.0 GitHub prerelease and binary metadata align with the safety-baseline milestone.\n\nVerification:\n- cargo check --all-targets\n\nCo-Authored-By: Codex GPT-5 <noreply@openai.com>
There was a problem hiding this comment.
Pull request overview
This PR implements the v0.1.0 “safety baseline” for Mihoro by hardening configuration handling and operational safety: transactional config activation/rollback, safer defaults, secret redaction, and tighter file permissions. It also preserves the roadmap planning docs under docs/ and updates crate metadata for the v0.1.0 prerelease.
Changes:
- Add a config generation store flow with candidate validation, last-good snapshots, atomic-ish writes, and restart-time rollback behavior.
- Harden security defaults (loopback controller by default, reject non-loopback controller without a secret unless explicitly overridden) and redact sensitive data in error paths.
- Tighten config file/directory permissions and update docs + crate version metadata.
Reviewed changes
Copilot reviewed 11 out of 12 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
src/utils.rs |
Adds private directory/file helpers and URL/secret redaction; updates download logging to redact tokens. |
src/systemctl.rs |
Treats non-zero systemctl exits as errors to propagate failures reliably. |
src/mihoro.rs |
Implements candidate validation + activation, staged source install, restart rollback, and avoids restart when config unchanged. |
src/main.rs |
Restarts the service only when config/core changed; uses rollback-aware restart for config-related updates. |
src/init.rs |
Installs mihomo earlier when missing to enable validation; refactors init stage sequencing. |
src/config.rs |
Defaults controller to loopback, enforces controller/secret safety rule, and writes configs with “private” file helper. |
src/config_store.rs |
Adds staged source install, atomic writes for active/config/last-good, and last-good restore support. |
README.md |
Updates default controller and documents the insecure-controller override knob. |
docs/PLAN_RESPONSE.md |
Adds preserved roadmap planning response document under docs/. |
docs/PLAN_REQUEST.md |
Adds preserved roadmap planning request document under docs/. |
Cargo.toml |
Sets crate version to 0.1.0. |
Cargo.lock |
Updates locked package version to 0.1.0. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+80
to
+84
| pub fn write_private_file(path: &Path, bytes: &[u8]) -> Result<()> { | ||
| create_private_parent_dir(path)?; | ||
| fs::write(path, bytes)?; | ||
| set_private_file_permissions(path) | ||
| } |
Comment on lines
130
to
134
| if let Some(active) = active { | ||
| if active != candidate { | ||
| create_parent_dir(&self.paths.last_good_yaml)?; | ||
| fs::write(&self.paths.last_good_yaml, active)?; | ||
| atomic_write(&self.paths.last_good_yaml, &active)?; | ||
| } | ||
| } |
Comment on lines
+174
to
+175
| atomic_write(&self.paths.active_yaml, &last_good)?; | ||
| atomic_write(&self.paths.compat_config_yaml, &last_good)?; |
Comment on lines
+338
to
+342
| let installed_binary_before_config = if !had_binary_before_init { | ||
| match binary_temp.take() { | ||
| None => false, | ||
| Some(temp) => { | ||
| report.begin( |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
docs/.v0.1.0prerelease.Closes #4
Closes #5
Validation
cargo fmt --all -- --checkcargo clippycargo check --all-targetscargo test --all-targetsgit diff --check origin/main..HEAD