Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .github/CODEOWNERS
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
* @aytzey
45 changes: 45 additions & 0 deletions .github/ISSUE_TEMPLATE/bug_report.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
name: Bug report
description: Report reproducible incorrect behavior in showagent
title: "bug: "
labels: [bug]
body:
- type: markdown
attributes:
value: Do not include real transcripts, credentials, or private paths. Use the Security tab for vulnerabilities.
- type: input
id: version
attributes:
label: showagent version
placeholder: v0.9.0
validations:
required: true
- type: dropdown
id: os
attributes:
label: Operating system
options: [Linux, macOS, Windows, Other]
validations:
required: true
- type: input
id: providers
attributes:
label: Agent CLI and version
placeholder: codex-cli 0.144.0
- type: textarea
id: reproduction
attributes:
label: Reproduction
description: Minimal steps using fabricated session data where possible.
validations:
required: true
- type: textarea
id: expected
attributes:
label: Expected and actual behavior
validations:
required: true
- type: textarea
id: diagnostics
attributes:
label: Redacted diagnostics
description: Include relevant stderr or CI output; remove secrets and personal paths.
5 changes: 5 additions & 0 deletions .github/ISSUE_TEMPLATE/config.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
blank_issues_enabled: false
contact_links:
- name: Security vulnerability
url: https://github.com/aytzey/showagent/security/advisories/new
about: Report vulnerabilities and sensitive data exposure privately.
28 changes: 28 additions & 0 deletions .github/ISSUE_TEMPLATE/feature_request.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
name: Feature request
description: Propose a focused improvement or provider integration
title: "feat: "
labels: [enhancement]
body:
- type: textarea
id: problem
attributes:
label: Problem
description: What workflow is blocked or unnecessarily difficult?
validations:
required: true
- type: textarea
id: proposal
attributes:
label: Proposed behavior
validations:
required: true
- type: textarea
id: evidence
attributes:
label: Provider or ecosystem evidence
description: Link upstream format/CLI documentation when the request concerns an agent provider.
- type: textarea
id: safety
attributes:
label: Data and safety considerations
description: Note writes, deletion, network access, credentials, or transcript exposure.
21 changes: 21 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
version: 2
updates:
- package-ecosystem: gomod
directory: /
schedule:
interval: weekly
day: monday
groups:
go-dependencies:
patterns: ["*"]
open-pull-requests-limit: 5

- package-ecosystem: github-actions
directory: /
schedule:
interval: weekly
day: monday
groups:
github-actions:
patterns: ["*"]
open-pull-requests-limit: 5
16 changes: 16 additions & 0 deletions .github/pull_request_template.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
## Summary

<!-- What user-visible problem does this solve? -->

## Verification

- [ ] `go test ./... -race`
- [ ] `go vet ./...`
- [ ] `golangci-lint run`
- [ ] Documentation updated when behavior or trust boundaries changed

## Provider safety

- [ ] Existing sessions are not modified unexpectedly
- [ ] Tests use temporary provider homes, not real local session stores
- [ ] Format claims identify the upstream CLI version or source reference
31 changes: 28 additions & 3 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,13 +17,36 @@ jobs:
persist-credentials: false
- uses: actions/setup-go@v6.4.0
with:
go-version: "1.25.x"
go-version-file: go.mod
cache: true
- run: go vet ./...
- name: Workflow lint
run: go run github.com/rhysd/actionlint/cmd/actionlint@v1.7.12
- name: Shell lint
run: shellcheck scripts/*.sh demo/fixtures/*.sh demo/bin/*
- uses: golangci/golangci-lint-action@v9.3.0
with:
version: v2.12.2
- run: go test ./... -race
- name: Test with race detector and coverage
run: |
set -o pipefail
go test ./... -race -shuffle=on -covermode=atomic -coverprofile=coverage.out | tee test-output.txt
- name: Enforce coverage floors (total 80%, per package 75%)
# The per-package floor sits below the total floor on purpose: several
# packages hover just above 80%, and a floor equal to the current
# value turns any small refactor into a red build.
run: |
set -eu
total="$(go tool cover -func=coverage.out | awk '$1 == "total:" { gsub("%", "", $3); print $3 }')"
test -n "$total"
printf 'total coverage: %s%%\n' "$total"
awk -v total="$total" 'BEGIN { exit !(total + 0 >= 80) }'
sed -n 's/.*coverage: \([0-9][0-9.]*\)%.*/\1/p' test-output.txt | while IFS= read -r package_coverage; do
printf 'package coverage: %s%%\n' "$package_coverage"
awk -v coverage="$package_coverage" 'BEGIN { exit !(coverage + 0 >= 75) }'
done
Comment on lines +34 to +47

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Per-package coverage floor can be silently bypassed by packages with no test files.

The sed extraction at line 44 only matches lines containing coverage: from go test output. Packages without any test files produce no coverage line, so they are silently excluded from the per-package 75% floor check. This means a package could regress to 0% coverage without failing CI.

Consider adding an explicit check for packages that appear in go list ./... but are missing from the coverage output.

🛡️ Suggested addition to detect untested packages
       - name: Enforce coverage floors (total 80%, per package 75%)
         # The per-package floor sits below the total floor on purpose: several
         # packages hover just above 80%, and a floor equal to the current
         # value turns any small refactor into a red build.
         run: |
           set -eu
           total="$(go tool cover -func=coverage.out | awk '$1 == "total:" { gsub("%", "", $3); print $3 }')"
           test -n "$total"
           printf 'total coverage: %s%%\n' "$total"
           awk -v total="$total" 'BEGIN { exit !(total + 0 >= 80) }'
+          # Fail if any package with test files is missing from coverage output
+          covered="$(sed -n 's/^\(ok\|FAIL\)\s\+\S\+.*coverage: \([0-9][0-9.]*\)%.*/\1/p' test-output.txt | sort -u)"
           sed -n 's/.*coverage: \([0-9][0-9.]*\)%.*/\1/p' test-output.txt | while IFS= read -r package_coverage; do
             printf 'package coverage: %s%%\n' "$package_coverage"
             awk -v coverage="$package_coverage" 'BEGIN { exit !(coverage + 0 >= 75) }'
           done
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 34 - 47, The per-package coverage
enforcement in the CI workflow is only checking `go test` output lines matched
by the `sed` pipeline, so packages with no test files are skipped and can bypass
the 75% floor. Update the coverage check in the workflow step that uses `go list
./...`, `go test`, and the `sed`/`awk` loop so it explicitly compares all listed
packages against the packages present in `test-output.txt` and fails if any
package is missing a coverage entry. Ensure the logic still reports coverage per
package and uses the existing `coverage.out`/`test-output.txt` flow.

- name: Vulnerability scan
run: go run golang.org/x/vuln/cmd/govulncheck@v1.6.0 ./...
- run: go build ./cmd/showagent

cross-compile:
Expand All @@ -33,6 +56,8 @@ jobs:
include:
- goos: linux
goarch: amd64
- goos: linux
goarch: arm64
- goos: darwin
goarch: amd64
- goos: darwin
Expand All @@ -45,7 +70,7 @@ jobs:
persist-credentials: false
- uses: actions/setup-go@v6.4.0
with:
go-version: "1.25.x"
go-version-file: go.mod
cache: true
- name: Build for ${{ matrix.goos }}/${{ matrix.goarch }}
env:
Expand Down
35 changes: 31 additions & 4 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,12 +6,35 @@ on:
- "v*"

permissions:
contents: write
id-token: write
attestations: write
contents: read

jobs:
verify:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7.0.0
with:
fetch-depth: 0
persist-credentials: false
- name: Verify release tag and ancestry
env:
TAG: ${{ github.ref_name }}
run: |
set -eu
printf '%s' "$TAG" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'
git fetch --no-tags origin main
git merge-base --is-ancestor "$GITHUB_SHA" origin/main
- uses: actions/setup-go@v6.4.0
with:
go-version-file: go.mod
cache: true
- run: go vet ./...
- run: go test ./... -race -shuffle=on
- name: Vulnerability scan
run: go run golang.org/x/vuln/cmd/govulncheck@v1.6.0 ./...

build:
needs: verify
runs-on: ubuntu-latest
strategy:
matrix:
Expand All @@ -32,7 +55,7 @@ jobs:
persist-credentials: false
- uses: actions/setup-go@v6.4.0
with:
go-version: "1.25.x"
go-version-file: go.mod
cache: true
- name: Build and package
env:
Expand Down Expand Up @@ -65,6 +88,10 @@ jobs:
release:
runs-on: ubuntu-latest
needs: build
permissions:
contents: write
id-token: write
attestations: write
steps:
- uses: actions/checkout@v7.0.0
with:
Expand Down
11 changes: 11 additions & 0 deletions CODE_OF_CONDUCT.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
# Code of Conduct

This project follows the [Contributor Covenant 2.1](https://www.contributor-covenant.org/version/2/1/code_of_conduct/).

Be respectful, assume good faith, keep technical disagreement focused on the
work, and do not publish another person's private session data or credentials.
Unacceptable behavior may be reported privately through the repository's
Security reporting flow when it involves sensitive information; otherwise,
contact the maintainer through their GitHub profile. Reports will be reviewed
promptly and handled consistently with the Contributor Covenant enforcement
guidelines.
40 changes: 40 additions & 0 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
# Contributing to showagent

Thanks for helping improve showagent. Keep changes focused and preserve the
core safety contract: existing sessions are never modified by branch or
convert operations, and destructive actions require explicit user intent.

## Development setup

Requirements: Go 1.25.12 or newer.

```sh
git clone https://github.com/aytzey/showagent.git
cd showagent
go test ./... -race
go vet ./...
go run golang.org/x/vuln/cmd/govulncheck@v1.6.0 ./...
```

Run `golangci-lint run` with the version configured in
`.github/workflows/ci.yml` before opening a pull request.

## Provider changes

A provider implements `session.ProviderImpl` and is registered in
`internal/session/provider.go`. Provider tests must use temporary homes through
the provider's environment override; never read, write, or delete the
developer's real agent store from the unit suite.

For format changes, include fixtures for discovery, transcript extraction,
branching, conversion, malformed input, and secret-safe previews. Describe the
upstream CLI version or source commit used to verify the format.

## Pull requests

- Add regression tests for behavior changes.
- Update `README.md` when CLI flags, keybindings, providers, or trust
boundaries change.
- Keep generated binaries, real transcripts, credentials, and local paths out
of commits.
- Explain manual verification for changes that touch a real provider CLI.
Loading