Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

### Security — x/crypto + builder-image Go bump clears 20 HIGH image CVEs (2026-07-04)

- Bumped `golang.org/x/crypto` `v0.48.0` → `v0.52.0` (pulls `golang.org/x/sys` `v0.41.0` → `v0.45.0`; `go.mod` `go` directive `1.24.0` → `1.25.0` per x/crypto's minimum), clearing 8 HIGH CVEs in `x/crypto/ssh` (CVE-2026-39827/-39828/-39829/-39830/-39832/-39835, CVE-2026-42508, CVE-2026-46595/-46597).
- Bumped the Dockerfile builder base image `golang:1.24-alpine` → `golang:1.25-alpine` (digest-pinned, ships Go 1.25.11), clearing 12 HIGH Go stdlib CVEs across net/url, crypto/x509, crypto/tls, net, HTTP/2, net/mail, and mime (CVE-2026-25679, -27145, -32280/-32281/-32283, -33811/-33814, -39820, -39836, -42499, -42504). Root cause: official golang images set `GOTOOLCHAIN=local`, so the `toolchain go1.25.11` directive in `go.mod` (bumped 2026-06-29) was silently ignored inside Docker builds — the shipped binary was still built against the image's Go 1.24.13 stdlib. The builder tag must track the toolchain directive; a Dockerfile comment now documents the trap.
- Surfaced by a trivy image scan in CI (this pipeline has no image-level CVE gate, so these accumulated unseen). All 20 findings had upstream fixes published. The public Docker Hub image refreshes on the next release merge.

### Documentation — accuracy audit fixes (2026-06-29)

- Corrected shipped docs against current code and the live Python SDK. The Python SDK ([`agentwrit`](https://pypi.org/project/agentwrit/) v0.3.0) and both demo apps (MedAssist, Support Tickets — published Docker images) are **live**; removed all "coming soon" banners and a fabricated SDK API from `docs/demos.md` and `docs/python-sdk.md`.
Expand Down
9 changes: 7 additions & 2 deletions Dockerfile
Original file line number Diff line number Diff line change
@@ -1,6 +1,11 @@
# Stage 1: Build broker binary
# Pinned by digest (Dependabot docker ecosystem rotates weekly). Tag: golang:1.24-alpine
FROM golang:1.24-alpine@sha256:8bee1901f1e530bfb4a7850aa7a479d17ae3a18beb6e09064ed54cfd245b7191 AS builder
# Pinned by digest (Dependabot docker ecosystem rotates weekly). Tag: golang:1.25-alpine
# NOTE: official golang images set GOTOOLCHAIN=local, so the go.mod `toolchain`
# directive is ignored in this build — the image's own Go version (1.25.11 at this
# digest) is what the binary's stdlib comes from. Keep this tag in lockstep with
# go.mod's toolchain directive or container scans will flag stdlib CVEs that the
# toolchain directive appears (wrongly) to have already fixed.
FROM golang:1.25-alpine@sha256:523c3effe300580ed375e43f43b1c9b091b68e935a7c3a92bfcc4e7ed55b18c2 AS builder

WORKDIR /app

Expand Down
6 changes: 3 additions & 3 deletions go.mod
Original file line number Diff line number Diff line change
@@ -1,14 +1,14 @@
module github.com/devonartis/agentwrit

go 1.24.0
go 1.25.0

toolchain go1.25.11

require (
github.com/prometheus/client_golang v1.23.2
github.com/spf13/cobra v1.10.2
github.com/spiffe/go-spiffe/v2 v2.6.0
golang.org/x/crypto v0.48.0
golang.org/x/crypto v0.52.0
modernc.org/sqlite v1.46.1
)

Expand All @@ -29,7 +29,7 @@ require (
github.com/spf13/pflag v1.0.9 // indirect
go.yaml.in/yaml/v2 v2.4.2 // indirect
golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
golang.org/x/sys v0.41.0 // indirect
golang.org/x/sys v0.45.0 // indirect
google.golang.org/protobuf v1.36.8 // indirect
modernc.org/libc v1.67.6 // indirect
modernc.org/mathutil v1.7.1 // indirect
Expand Down
8 changes: 4 additions & 4 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -60,17 +60,17 @@ go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
golang.org/x/crypto v0.52.0 h1:RMs7fP2rXdep0CftQlK8Uf+kibLm7qkCcradZWYz988=
golang.org/x/crypto v0.52.0/go.mod h1:1QgfPxDqh0T2M/elOJtp9RvuR95kVjir0e6/BvEmGbc=
golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
Expand Down
Loading