introduce ctx to SPIKE#287
Merged
Adopt `ctx` as an optional, project-scoped AI context layer and clean up the agent-facing repository contract that `ctx init` plus a GitNexus indexing run left inconsistent. Also fixes a release-blocking docs build break and clears the pre-existing govulncheck failures so the audit gate is green.

ctx introduction (Spec: specs/introduce-ctx.md):
- CLAUDE.md is the canonical agent guide; AGENTS.md reduced to a pointer
- GitNexus block extracted to GITNEXUS.md (markers preserved for regeneration); CLAUDE.md keeps a short, optional "Companion Tools" pointer framed as "if installed"
- Makefile.ctx moved to makefiles/Ctx.mk to match the makefiles/*.mk convention; root Makefile uses -include ./makefiles/Ctx.mk
- .gitignore: ignore .claude/, .context/ingest/, ideas/, inbox/, outbox/, GETTING_STARTED.md, and the regenerated root Makefile.ctx
- CONTRIBUTING.md gains an "Optional: AI-Assisted Development Tooling" section (ctx, GitNexus), explicitly optional
- commit the .context/ memory tree

docs build (Spec: specs/zola-022-highlighting.md):
- migrate docs-src/config.toml highlighting to the Zola 0.19+ [markdown.highlighting] table; theme base16-ocean-dark (retired by the 0.22 Giallo highlighter) -> material-theme-ocean
- regenerate the published docs/ tree

vulnerability remediation (Spec: specs/vuln-remediation.md):
- pin toolchain go1.26.4 (patched stdlib) keeping the go 1.25.5 baseline
- bump circl v1.6.2->v1.6.3, go-jose/v4 v4.1.3->v4.1.4, x/net v0.48.0->v0.55.0; go mod tidy
- govulncheck now reports 0 called vulnerabilities

Spec: specs/introduce-ctx.md
Spec: specs/zola-022-highlighting.md
Spec: specs/vuln-remediation.md

Signed-off-by: Volkan Özçelik <volkan.ozcelik@broadcom.com>
Add a low-priority Maintenance task to bump the remaining dependencies whose advisories govulncheck reports but the code does not call.

Spec: specs/vuln-remediation.md

Signed-off-by: Volkan Özçelik <volkan.ozcelik@broadcom.com>
…ries

Bump golang.org/x/crypto v0.51.0 -> v0.52.0 (13 advisories) and google.golang.org/grpc v1.78.0 -> v1.79.3 (GO-2026-4762), clearing the uncalled advisories that remained after the initial remediation. govulncheck now reports zero vulnerabilities total (not just zero called); make test and make audit both pass.

Spec: specs/vuln-remediation.md

Signed-off-by: Volkan Özçelik <volkan.ozcelik@broadcom.com>
…ify)

The Integration Test CI job was red on main: SPIKE Nexus never became ready because the keepers were never seeded with the root-key shares, so Nexus looped forever in InitializeBackingStoreFromKeepers and the startup probe killed it. Adding a bootstrap workload surfaced three more bugs in the bootstrap verify path.

Fixes:
- ci/integration/minio-rolearn: add a spike-bootstrap Job (+ ServiceAccount and RBAC for its idempotency ConfigMap) that seeds the keepers, and wire it into setup.sh (drop --wait; Nexus cannot be ready pre-seed).
- bootstrap: fix a self-deadlock in VerifyInitialization that took a write lock then a read lock on the same non-reentrant RWMutex; use RootKeySeedNoLock.
- bootstrap: encrypt the verify probe with the canonical root key (ComputeShares(seed) marshalled) instead of the raw seed, which Nexus's cipher cannot decrypt (the seed is reduced mod the P256 order).
- nexus: register /v1/bootstrap/verify in lite mode (routeWithNoBackingStore); it was only registered with a backing store, so lite-mode verify always hit the 400 fallback. Lite mode holds the root key and already exposes the other root-key routes, so verify belongs there too.

Verified end to end on kind: bootstrap Job succeeds, idempotency ConfigMap written, Nexus reaches Ready in ~30s with production images.

Spec: specs/integration-bootstrap-fix.md

Signed-off-by: Volkan Özçelik <volkan.ozcelik@broadcom.com>
Add a task-oriented recipes/ section (problem/TL;DR/workflow/tips/pitfalls/cross-links/next) with the three Tier-1 recipes that were the hardest gaps in understanding SPIKE: choosing a backend store (memory/lite/sqlite), bootstrapping, and the root-key/keepers/recovery mechanics.

Full 14-recipe plan + checklist in specs/recipes-plan.md. Published docs/ regeneration (make docs) and Tiers 2-4 are follow-up.

Spec: specs/recipes-plan.md

Signed-off-by: Volkan Özçelik <volkan.ozcelik@broadcom.com>
Signed-off-by: Volkan Özçelik <volkan.ozcelik@broadcom.com>
…tion

The Integration Test CI job was red, but not because of SPIKE: the whole stack (keepers, Nexus, Pilot, bootstrap) came up healthy. The job died in setup.sh when every MinIO pod hit ImagePullBackOff. Bitnami removed its free docker.io/bitnami/* images from Docker Hub and relocated them to docker.io/bitnamilegacy/*, so the chart's default image tags now 404 and Helm's post-install --wait timed out.

Fixes:
- minio-values.yaml: redirect all four chart images (image, clientImage, console.image, defaultInitContainers.volumePermissions.image) to bitnamilegacy/*, and set global.security.allowInsecureImages=true since the chart's verification gate rejects non-bitnami/ repositories.
- setup.sh: pin the chart to --version 17.0.21 so the image tags stay aligned with the tags mirrored in the frozen legacy repository.

Verified: live-registry checks (bitnami/* -> 404, bitnamilegacy/* -> 200), helm template renders cleanly with every image on bitnamilegacy/* and no verification error, make lint-go + make test pass.

Spec: specs/minio-bitnami-image-relocation.md

Signed-off-by: Volkan Özçelik <volkan.ozcelik@broadcom.com>
Contributor
Author
Ignoring the documentation errors; it's a CI workflow bug as it checks the live site which is not published yet. Would require a separate issue to work on. cc: @CoderMungan
Contributor
I saw the issue and would like to request that a new issue be opened. I am excited to work on it.
Contributor
Author
Thanks @CoderMungan for your help. I'll check out the PR "soon".
Introduces `ctx` as an optional, project-scoped AI context layer and cleans up the agent-facing repository contract that `ctx init` plus a GitNexus indexing run left inconsistent. Also fixes two release-blockers surfaced along the way: a broken `make docs` on current Zola, and a red `make audit` (govulncheck).

ctx introduction — specs/introduce-ctx.md
- CLAUDE.md is the canonical agent guide; AGENTS.md reduced to a pointer
- GitNexus block extracted to GITNEXUS.md (managed markers preserved), framed optional / "if installed"
- Makefile.ctx → makefiles/Ctx.mk (matches the makefiles/*.mk convention); root Makefile uses -include ./makefiles/Ctx.mk
- .gitignore: .claude/, .context/ingest/, ideas/ / inbox/ / outbox/, GETTING_STARTED.md, Makefile.ctx
- CONTRIBUTING.md: new "Optional: AI-Assisted Development Tooling" section
- committed the .context/ memory tree

Docs build fix — specs/zola-022-highlighting.md
- migrated docs-src/config.toml to the Zola 0.22 Giallo [markdown.highlighting] table; theme base16-ocean-dark (retired) → material-theme-ocean
- regenerated the published docs/ tree

Vulnerability remediation — specs/vuln-remediation.md
- pinned toolchain go1.26.4 (patched stdlib), keeping the go 1.25.5 baseline
- bumped cloudflare/circl v1.6.3, go-jose/v4 v4.1.4, golang.org/x/net v0.55.0; go mod tidy
- govulncheck now reports 0 called vulnerabilities

Additional work in this PR
Beyond introducing ctx, this PR also fixes two pre-existing problems found while getting the branch green:
Security — cleared all govulncheck advisories. Pinned the Go toolchain to 1.26.4 (patched stdlib) and bumped cloudflare/circl → v1.6.3, go-jose/v4 → v4.1.4, golang.org/x/net → v0.55.0, and x/crypto/grpc (→ v0.52.0 / v1.79.3). make audit now reports 0 vulnerabilities.
Fixed the minio-rolearn Integration Test (red on main). Root cause: the keepers were never seeded with the root-key shares, so SPIKE Nexus looped forever in InitializeBackingStoreFromKeepers and the startup probe killed it. Adding a bootstrap workload surfaced three further bugs:
- Added a spike-bootstrap Job (+ ServiceAccount and RBAC for its idempotency ConfigMap) under ci/integration/minio-rolearn that seeds the keepers, and wired it into setup.sh (dropped --wait, since Nexus can't be Ready pre-seed).
- Fixed a self-deadlock in VerifyInitialization, which took a write lock and then a read lock on the same non-reentrant RWMutex; switched the inner read to RootKeySeedNoLock.
- Encrypted the verify probe with the canonical root key (ComputeShares(seed) marshalled); the seed is reduced mod the P256 order, so Nexus's cipher could never decrypt it.
- /v1/bootstrap/verify was only registered when a backing store was present, so lite-mode verify fell through to a 400. Registered it in routeWithNoBackingStore (lite is the encryption-only backend — it holds the root key and already exposes the cipher/operator routes, so verify belongs there).
Verified end-to-end on a local kind cluster with production images: bootstrap Job succeeds, idempotency ConfigMap written,
Nexus reaches Ready in ~30s. make test + make audit pass.
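The self-deadlock behind the second bootstrap fix, as an added Go example that is not SPIKE's own code (rootKeyState, the two verify functions and the seed value are assumptions): a goroutine holding the write half of a sync.RWMutex that then calls an accessor taking the read half never returns, and the corrected shape reads through a no-lock accessor while the outer lock is held.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Hypothetical stand-in for the Nexus state (names assumed, not SPIKE's code).
type rootKeyState struct {
	mu   sync.RWMutex // non-reentrant: RLock blocks while Lock is held
	seed []byte
}
// RootKeySeed is the locking accessor: it takes the read lock itself.
func (s *rootKeyState) RootKeySeed() []byte {
	s.mu.RLock()
	defer s.mu.RUnlock()
	return append([]byte(nil), s.seed...)
}
// RootKeySeedNoLock is for callers that already hold mu.
func (s *rootKeyState) RootKeySeedNoLock() []byte { return append([]byte(nil), s.seed...) }
// verifyDeadlocking mirrors the bug: write lock held, then the read-locking
// accessor re-locks the same mutex, so RLock parks behind the writer forever.
func verifyDeadlocking(s *rootKeyState) []byte {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.RootKeySeed()
}
// verifyFixed is the corrected shape: read the seed without re-locking.
func verifyFixed(s *rootKeyState) []byte {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.RootKeySeedNoLock()
}

// completesWithin runs fn on a fresh state and reports whether it returns
// before d elapses; the buggy variant never does (its goroutine stays parked).
func completesWithin(fn func(*rootKeyState) []byte, d time.Duration) bool {
	done := make(chan struct{})
	go func() { fn(&rootKeyState{seed: []byte("constructed-seed")}); close(done) }()
	select {
	case <-done:
		return true
	case <-time.After(d):
		return false
	}
}

func main() {
	fmt.Println("fixed completes:", completesWithin(verifyFixed, time.Second))
	fmt.Println("buggy completes:", completesWithin(verifyDeadlocking, 200*time.Millisecond))
}
```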
Verification
- make test ✅
- make audit ✅ (govulncheck: 0 called vulnerabilities)
- make docs ✅ (Zola 0.22, 59 pages, 0 errors)