fix: bump Go to 1.25.11 for stdlib vulns; stop advisory review blocking PRs #11
Merged
…ng PRs

govulncheck flagged two reachable standard-library vulnerabilities once the dashboard added an HTTP server (internal/web/server.go):
- GO-2026-5039 net/textproto (fixed in go1.25.11)
- GO-2026-5037 crypto/x509 (fixed in go1.25.11)

Bump the go directive 1.25.10 -> 1.25.11. Verified locally with the 1.25.11 toolchain: `go test ./...` passes and `govulncheck ./...` reports 0 vulnerabilities affecting the code.

Also mark the `review` job's reviewforge step continue-on-error: it is an advisory AI review, not a required check, but a failure (e.g. an expired AI_API_KEY) leaves a red X and pushes PRs into a BLOCKED/UNSTABLE merge state. This keeps it informational without gating merges. Renewing GEMINI_API_KEY is still needed to actually get reviews back.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
machado144 added a commit that referenced this pull request on Jun 8, 2026
## What

A docs audit + refresh to bring all four user-facing doc surfaces back in sync with what actually ships. Recent PRs (dashboard #9, IPv6 #10, Go bump #11, and earlier masking) added features and changed defaults that never made it into the docs. Kept it useful and tight — no bloat, just fixing what was missing or wrong.

## Gaps fixed

| Area | Before | After |
|------|--------|-------|
| `aigate serve` / web dashboard | undocumented everywhere | documented in README, user guide, AI ref, `help-ai` |
| Audit log (`~/.aigate/audit.jsonl`) | undocumented | own section in user guide + `help-ai`, with event examples |
| Default config example (user guide) | missing `*.p12`, `terraform.tfstate`, `*.tfvars`, `ncat/netcat/rsync/ftp`, `registry.npmjs.org`, `proxy.golang.org`, and the whole `mask_stdout` block | matches `InitDefaultConfig` |
| `aws_secret` preset | absent (docs said "5 presets") | added; correct description (`AWS_SECRET_ACCESS_KEY=` match), "6 presets" |
| Go version | badge `1.24+`, "From Source (Go 1.24+)" | `1.25+` (go.mod is 1.25.11) |
| README Features | claimed cgroups resource limits are **enforced** | removed — the user guide correctly notes they're *not yet* enforced |
| AI architecture map | missing `audit_service.go`, `masker.go`, `internal/web/`, `setup.go`, `help_ai.go`, escape tests | added, plus a note on the append-only audit log + read-only dashboard design |
| `help-ai` | no `doctor`, no `serve`/dashboard | added `doctor` to setup + a DASHBOARD & AUDIT LOG section |

## Files

- `README.md`
- `docs/user/README.md`
- `docs/AI/README.md`
- `actions/help_ai.go` (the `aigate help-ai` output)

## Verified

- `go build ./...` and `go test -short ./...` pass
- pre-commit hooks green: structlint, gofmt, govet, golangci-lint

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
## What

Two CI-health fixes surfaced while merging #9 and #10:

1. `vuln` was genuinely red — bump Go 1.25.10 → 1.25.11

   `govulncheck` found two reachable stdlib vulnerabilities, newly reachable once #9 added the dashboard HTTP server (internal/web/server.go:75):
   - net/textproto
   - crypto/x509

   Bumping the `go` directive to `1.25.11` clears both.

2. `review` step → `continue-on-error`

   The `review` job (advisory `reviewforge` AI review) has been failing on an expired `GEMINI_API_KEY`. It isn't a required check, but a hard failure leaves a red ✗ and pushes PRs into `UNSTABLE`/`BLOCKED` merge state. Marking the step `continue-on-error` keeps it informational without gating merges.

## Verified locally (go1.25.11 toolchain)

- `go test -short ./...` — pass
- `govulncheck ./...` — 0 vulnerabilities affecting the code (was 2)

Lint/test are unaffected by a go-directive bump and a workflow YAML change.

🤖 Generated with Claude Code
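As an added illustration (not the repository's actual workflow file), this is the shape of the change the PR describes: the advisory `review` step gets `continue-on-error: true`, while the `vuln` gate running `govulncheck` stays a hard failure. The workflow name, action versions, step id and the `reviewforge` invocation are assumptions.

```yaml
# Assumed workflow shape; example only, not the project's own .github/workflows file.
name: ci

on: [pull_request]

jobs:
  vuln:
    # Required gate: govulncheck must pass, so no continue-on-error here.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod   # picks up the bumped 1.25.11 go directive
      - run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - run: govulncheck ./...

  review:
    # Advisory AI review: a failure here must not turn the PR red.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - id: reviewforge                    # step id is an assumption
        continue-on-error: true            # the change this PR makes
        run: ./scripts/reviewforge.sh      # placeholder for the real review step
        env:
          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
      # Surface the failure in the log without failing the job.
      - if: steps.reviewforge.outcome == 'failure'
        run: echo "::warning::advisory review step failed (e.g. expired GEMINI_API_KEY); not gating merge"
```

With `continue-on-error` set on the step, `steps.reviewforge.outcome` still reports `failure` while the step's `conclusion` and the job result are `success`, so the expired-key problem remains visible in the run log without blocking the merge.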