Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
5a24535
fix(security)!: ZRCS Steps 0-1 — RCE fixes + load validation + CI/saf…
aksOps May 29, 2026
41d1329
fix(app): atomic LoadSessions RMW + heal backfill + Closed=>Exited in…
aksOps May 29, 2026
0667151
fix(app,adapter): conditional store mutation on partial failure + orp…
aksOps May 29, 2026
64b80ad
fix(adapter): native --continue resume w/o prompt replay; drop vestig…
aksOps May 29, 2026
2b33c9e
fix(tmux): resilient list parse, server-config ordering, multiline se…
aksOps May 29, 2026
297a773
fix(tui,cli): rename retarget/panic guards, multibyte input, reject f…
aksOps May 29, 2026
132ecc3
fix(tui): width-aware render, PR/state glyphs, peek-follow, message T…
aksOps May 29, 2026
80099ee
fix(store): v1 dead-session reclassify, schema-downgrade guard, enum …
aksOps May 29, 2026
a7343b5
fix(store,app): collision-guard insert, quarantine-safe load, in-dir …
aksOps May 29, 2026
d63c6c3
fix(app,store,tmux): startup prune, kill-all, pr.Check timeout + in-f…
aksOps May 29, 2026
28463ea
perf(app,adapter,tmux): tiered refresh cadence, list cache, capture t…
aksOps May 29, 2026
144caa9
fix(app,cli): single-source adapters, reply mode, default-agent valid…
aksOps May 29, 2026
0eacef6
refactor(adapter,cli): drop dead interface methods/wrappers + cli inp…
aksOps May 29, 2026
b7f113a
chore: testable hook seam, capture-error logging, %w error wrapping (…
aksOps May 29, 2026
cd01601
build: reproducible static build, vendor tree, pinned CI tools, depen…
aksOps May 29, 2026
1daa63a
ci: use golangci-lint v2 to match the v2 .golangci.yml (fix build-vs-…
aksOps May 29, 2026
2a87667
build: drop vendored deps; build resolves from module proxy
aksOps May 29, 2026
1f8d8f7
ci: pin third-party GitHub Actions to commit SHAs
aksOps May 29, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions .github/CODEOWNERS
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
# Default owners for everything in the repo.
* @RandomCodeSpace

# Build, release, and CI configuration.
/Makefile @RandomCodeSpace
/.goreleaser.yml @RandomCodeSpace
/.github/ @RandomCodeSpace
/go.mod @RandomCodeSpace
/go.sum @RandomCodeSpace
28 changes: 28 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
version: 2

updates:
- package-ecosystem: gomod
directory: "/"
schedule:
interval: weekly
open-pull-requests-limit: 5
vendor: true
commit-message:
prefix: "chore(deps)"
groups:
charmbracelet:
patterns:
- "github.com/charmbracelet/*"
- "github.com/mattn/go-runewidth"
- "github.com/rivo/uniseg"
golang-x:
patterns:
- "golang.org/x/*"

- package-ecosystem: github-actions
directory: "/"
schedule:
interval: weekly
open-pull-requests-limit: 5
commit-message:
prefix: "chore(ci)"
47 changes: 47 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
name: CI

on:
push:
pull_request:

permissions:
contents: read

jobs:
build-test-lint:
name: Build, test, and lint
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
cache: true

- name: Build
run: go build ./...

- name: Vet
run: go vet ./...

- name: Check gofmt
run: |
unformatted="$(gofmt -l . | grep -v '^vendor/' || true)"
if [ -n "$unformatted" ]; then
echo "The following files are not gofmt-clean:"
echo "$unformatted"
exit 1
fi

- name: Test
run: go test -race -cover ./...

- name: Lint
uses: golangci/golangci-lint-action@9fae48acfc02a90574d7c304a1758ef9895495fa # v7
with:
version: v2.1.6
install-mode: goinstall
args: ./...
41 changes: 41 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
name: Release

on:
push:
tags:
- "v*"

permissions:
contents: write
id-token: write
packages: read

jobs:
goreleaser:
name: GoReleaser
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
cache: true

- name: Install Syft (SBOM)
uses: anchore/sbom-action/download-syft@df80a981bc6edbc4e220a492d3cbe9f5547a6e75 # v0.17.9

- name: Install Cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

- name: Run GoReleaser
uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6
with:
version: "~> v2"
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
6 changes: 3 additions & 3 deletions .github/workflows/security.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ jobs:
cache: true

- name: Install govulncheck
run: go install golang.org/x/vuln/cmd/govulncheck@latest
run: go install golang.org/x/vuln/cmd/govulncheck@v1.3.0

- name: Run govulncheck
run: govulncheck ./...
Expand All @@ -49,10 +49,10 @@ jobs:
cache: true

- name: Install gosec
run: go install github.com/securego/gosec/v2/cmd/gosec@latest
run: go install github.com/securego/gosec/v2/cmd/gosec@v2.26.1

- name: Run gosec
run: gosec -exclude-dir=.claude -fmt=sarif -out=gosec.sarif ./...
run: gosec -exclude-dir=.claude -exclude-dir=vendor -fmt=sarif -out=gosec.sarif ./...

- name: Upload gosec SARIF
if: always()
Expand Down
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
/bin/
/dist/
*.test
*.out
coverage.*
Expand Down
59 changes: 59 additions & 0 deletions .goreleaser.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
version: 2

project_name: uam

before:
hooks:
- go mod download

builds:
- id: uam
main: ./cmd/uam
binary: uam
env:
- CGO_ENABLED=0
flags:
- -trimpath
ldflags:
- -s -w -X github.com/RandomCodeSpace/unified-agent-manager/internal/version.Override={{ .Version }}
goos:
- linux
- darwin
goarch:
- amd64
- arm64

archives:
- id: uam
format: tar.gz
name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"

checksum:
name_template: "SHA256SUMS"
algorithm: sha256

sboms:
- id: archive
artifacts: archive

signs:
- id: checksum-cosign
cmd: cosign
artifacts: checksum
signature: "${artifact}.sig"
certificate: "${artifact}.pem"
args:
- sign-blob
- "--yes"
- "--output-signature=${signature}"
- "--output-certificate=${certificate}"
- "${artifact}"
output: true

release:
draft: false
prerelease: auto

changelog:
use: github
sort: asc
4 changes: 2 additions & 2 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -10,11 +10,11 @@ LDFLAGS := -X $(MODULE)/internal/version.Override=$(VERSION)
all: build

build:
go build -ldflags "$(LDFLAGS)" -o bin/$(BINARY) $(CMD)
CGO_ENABLED=0 go build -trimpath -ldflags "-s -w $(LDFLAGS)" -o bin/$(BINARY) $(CMD)

install:
mkdir -p $(GOBIN)
go build -ldflags "$(LDFLAGS)" -o $(GOBIN)/$(BINARY) $(CMD)
CGO_ENABLED=0 go build -trimpath -ldflags "-s -w $(LDFLAGS)" -o $(GOBIN)/$(BINARY) $(CMD)

run: build
./bin/$(BINARY)
Expand Down
11 changes: 6 additions & 5 deletions internal/adapter/adapter.go
Original file line number Diff line number Diff line change
Expand Up @@ -87,9 +87,12 @@ type ResumableAdapter interface {
Resume(ctx Context, req ResumeRequest) (Session, error)
}

type SessionEvent struct {
SessionID string
Kind string
// HasSessionAdapter reports whether the agent's underlying session for id is
// still live. Optional: Service.Stop probes it after a failed kill to avoid
// deleting/flagging a record whose pane is still running (F04). TmuxAgent
// implements it for free, so all tmux-backed providers inherit it.
type HasSessionAdapter interface {
HasSession(ctx Context, id string) bool
}

type DispatchRequest struct {
Expand All @@ -109,6 +112,4 @@ type AgentAdapter interface {
Reply(ctx Context, id, text string) error
Attach(id string) (AttachSpec, error)
Stop(ctx Context, id string) error
Rename(ctx Context, id, newName string) error
Subscribe(ctx Context) (<-chan SessionEvent, error)
}
107 changes: 107 additions & 0 deletions internal/adapter/capture_cadence_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,107 @@
package adapter

import (
"context"
"os"
"path/filepath"
"strings"
"testing"
"time"

"github.com/RandomCodeSpace/unified-agent-manager/internal/tmux"
)

// newCadenceAgent builds a TmuxAgent over a fake tmux that records every
// invocation (so capture-pane calls can be counted) and reports one live
// session whose pane prints a PR URL.
func newCadenceAgent(t *testing.T) (*TmuxAgent, string) {
t.Helper()
dir := t.TempDir()
tmuxPath := filepath.Join(dir, "tmux")
writeExecutable(t, tmuxPath, `#!/bin/sh
printf '%s\n' "$*" >> "$TMUX_LOG"
case "$*" in
*"list-sessions"*) echo "uam-fake-abc12345|1710000000|0|1|/tmp/repo|fakeagent" ;;
*"capture-pane"*) printf 'Thinking...\ncreated https://github.com/o/r/pull/7\n' ;;
esac
exit 0
`)
t.Setenv("PATH", dir+string(os.PathListSeparator)+os.Getenv("PATH"))
logPath := filepath.Join(dir, "tmux.log")
t.Setenv("TMUX_LOG", logPath)
client := tmux.New("uam")
client.Executable = tmuxPath
ag := NewTmuxAgent("fake", "Fake Agent", []CommandCandidate{{Display: "fakeagent", Args: []string{"fakeagent"}}}, []string{"--yolo"}, client)
return ag, logPath
}

func countCaptures(t *testing.T, logPath string) int {
t.Helper()
b, _ := os.ReadFile(logPath)
n := 0
for _, line := range strings.Split(string(b), "\n") {
if strings.Contains(line, "capture-pane") {
n++
}
}
return n
}

// F16 — capture-pane must NOT run on every List tick. After the first
// discovery, subsequent ticks within the rescan interval must reuse the prior
// result (no new capture), so the dashboard's 2s refresh doesn't fork a
// capture-pane per session per tick.
func TestListDoesNotCapturePerSessionEveryTick(t *testing.T) {
ag, logPath := newCadenceAgent(t)
clock := time.Unix(1710000000, 0)
ag.now = func() time.Time { return clock }

// First List: discovers the session, captures once to scrape the PR.
if _, err := ag.List(context.Background()); err != nil {
t.Fatalf("List 1: %v", err)
}
if got := countCaptures(t, logPath); got != 1 {
t.Fatalf("first List should capture exactly once, got %d", got)
}

// Several more ticks within the rescan interval: no additional capture.
for i := 0; i < 5; i++ {
clock = clock.Add(2 * time.Second)
ag.now = func() time.Time { return clock }
if _, err := ag.List(context.Background()); err != nil {
t.Fatalf("List tick %d: %v", i, err)
}
}
if got := countCaptures(t, logPath); got != 1 {
t.Fatalf("ticks within rescan interval must not re-capture, got %d captures", got)
}
}

// F16 — once the rescan interval elapses, List must re-capture to pick up a PR
// URL that appeared after first discovery.
func TestListRescansForNewPRAfterInterval(t *testing.T) {
ag, logPath := newCadenceAgent(t)
clock := time.Unix(1710000000, 0)
ag.now = func() time.Time { return clock }

if _, err := ag.List(context.Background()); err != nil {
t.Fatalf("List 1: %v", err)
}
if got := countCaptures(t, logPath); got != 1 {
t.Fatalf("first List should capture once, got %d", got)
}

// Advance past the rescan interval.
clock = clock.Add(61 * time.Second)
ag.now = func() time.Time { return clock }
sessions, err := ag.List(context.Background())
if err != nil {
t.Fatalf("List 2: %v", err)
}
if got := countCaptures(t, logPath); got != 2 {
t.Fatalf("List past rescan interval must re-capture, got %d captures", got)
}
if len(sessions) != 1 || sessions[0].PR == nil || sessions[0].PR.Number != 7 {
t.Fatalf("rescan should re-discover PR: %+v", sessions)
}
}
17 changes: 16 additions & 1 deletion internal/adapter/claude/claude.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,21 @@ import (
"github.com/RandomCodeSpace/unified-agent-manager/internal/tmux"
)

// sessionArgs appends claude's `--continue` flag on resume so picking "Resume"
// on an Exited claude row reattaches to the agent's most recent session instead
// of relaunching a fresh one. claude has no flag for presetting its session ID
// at dispatch, so uam can't resume by uam-id directly; `--continue` picks
// claude's last session for the current cwd. The uam UUID is never passed.
func sessionArgs(_ adapter.ResumeRequest, activity string) []string {
if activity == "resumed" {
return []string{"--continue"}
}
return nil
}

func New(client *tmux.Client) adapter.AgentAdapter {
return adapter.NewTmuxAgent("claude", "Claude Code", []adapter.CommandCandidate{{Display: "claude", Args: []string{"claude"}}}, []string{"--dangerously-skip-permissions"}, client)
a := adapter.NewTmuxAgent("claude", "Claude Code", []adapter.CommandCandidate{{Display: "claude", Args: []string{"claude"}}}, []string{"--dangerously-skip-permissions"}, client)
a.SessionArgs = sessionArgs
a.SkipPromptOnResume = true
return a
}
Loading
Loading