50 commits
113174f
chore: bootstrap harness-engineered workflow structure
sidmohan0 Feb 23, 2026
2c27d26
docs: add datafog-api go mvp spec
sidmohan0 Feb 23, 2026
791d9dd
feat: add go datafog-api runtime with policy and policy persistence
sidmohan0 Feb 23, 2026
8d14b5c
chore: migrate docs, ci, and container to go service
sidmohan0 Feb 23, 2026
5d1532c
chore: remove legacy python app surface
sidmohan0 Feb 23, 2026
6e506a4
test: add policy validation and scan golden vector coverage
sidmohan0 Feb 23, 2026
77d84d6
fix: normalize policy entity keys in evaluator
sidmohan0 Feb 23, 2026
c762005
test(server): add endpoint contracts and validation cases
sidmohan0 Feb 23, 2026
6a39470
feat(server): add idempotency-aware decide handling
sidmohan0 Feb 23, 2026
3517000
feat(server): add idempotency to scan transform anonymize
sidmohan0 Feb 23, 2026
4890a9c
feat(datafog-api): add decide integrity metadata to receipts
sidmohan0 Feb 23, 2026
a05be51
fix(server): include action context in decide input hash
sidmohan0 Feb 23, 2026
a0a5727
fix(policy): apply precedence after full rule evaluation
sidmohan0 Feb 23, 2026
a3f7fbc
test(server): lock response content-type and request id contract
sidmohan0 Feb 23, 2026
dcb673a
fix(server): return JSON not_found for unmapped routes
sidmohan0 Feb 23, 2026
3b86c06
docs(api): add contract docs and malformed UTF-8 scan safety test
sidmohan0 Feb 23, 2026
80b9da2
feat(api): enforce JSON content-type and request size limits
sidmohan0 Feb 23, 2026
08c095e
test(api): accept charset on JSON content-type
sidmohan0 Feb 23, 2026
68908ed
feat(policy): tighten policy schema validation and loading checks
sidmohan0 Feb 23, 2026
b7f5fc8
feat(receipts): harden store load and append durability
sidmohan0 Feb 23, 2026
9cf7974
fix(policy): normalize required-entity matching keys
sidmohan0 Feb 23, 2026
f6e09e2
feat(server): add request-id propagation and transform mode guards
sidmohan0 Feb 23, 2026
e37d15c
docs(contract): document request-id and transform validation behavior
sidmohan0 Feb 23, 2026
165061e
feat(server): add metrics endpoint with request telemetry
sidmohan0 Feb 23, 2026
7f9b087
chore(server): add configurable HTTP timeouts and header limits
sidmohan0 Feb 23, 2026
f242f9f
chore(production): add graceful shutdown and hardening backlog updates
sidmohan0 Feb 23, 2026
e56b16a
feat: add optional API token enforcement
sidmohan0 Feb 23, 2026
bc3ffcc
feat: add optional request rate limiting
sidmohan0 Feb 23, 2026
f821762
chore: document deployment and harden default container runtime settings
sidmohan0 Feb 23, 2026
48d2db1
docs: restore security and reliability guidance
sidmohan0 Feb 23, 2026
c6db082
chore: enable hardening checks and secure local artifacts
sidmohan0 Feb 23, 2026
7286d9f
chore: enforce strict vuln scanning and bump CI Go toolchain
sidmohan0 Feb 23, 2026
08a615a
feat: add command-sensitive policy matching and runtime shim gate
sidmohan0 Feb 23, 2026
918adc3
feat(shim): add adapter hooks and enforcement boundary
sidmohan0 Feb 23, 2026
fb9954b
feat(shim): add adapter registry with inference and listing
sidmohan0 Feb 23, 2026
e90644b
fix(shim): resolve Windows pathLookup test and add Scalar API docs
sidmohan0 Feb 24, 2026
cdc5c51
feat(server): add CORS support for local API docs
sidmohan0 Feb 24, 2026
140771f
docs(spec): 2026-02-24-feat-interactive-demo-ui draft
sidmohan0 Feb 24, 2026
da03857
docs(spec): 2026-02-24-feat-v2-mvp-complete draft
sidmohan0 Feb 24, 2026
01bf196
feat(scan): expand to 8 entity types with Luhn/IP validation
sidmohan0 Feb 24, 2026
50c5410
feat(scan): add Go-native NER for person/organization/location
sidmohan0 Feb 24, 2026
bb765a6
feat(transform): add replace/pseudonymize and hash anonymization modes
sidmohan0 Feb 24, 2026
75dba1c
feat(shim): enforce transform plans on allow_with_redaction
sidmohan0 Feb 24, 2026
dab2716
feat(adapters): wire adapter registry into policy with claude/codex
sidmohan0 Feb 24, 2026
8b20f66
feat(events): add GET /v1/events endpoint and receipt rotation
sidmohan0 Feb 24, 2026
c29ae5b
feat(demo): add real execution demo with shim enforcement
sidmohan0 Feb 24, 2026
6a0fb8f
feat(adapters): integrate v2-claude and v2-codex setup scripts
sidmohan0 Feb 24, 2026
b6e5f31
style: normalize formatting with gofmt
sidmohan0 Feb 24, 2026
b021590
feat(demo): scenario explorer UI with seed endpoint and policy fixes
sidmohan0 Feb 24, 2026
5191c42
docs(spec): v2.1 optional NER sidecar with GLiNER2
sidmohan0 Feb 24, 2026
30 changes: 30 additions & 0 deletions .github/workflows/harness-docs.yml
@@ -0,0 +1,30 @@
name: Harness Docs

on:
pull_request:
types: [opened, synchronize, reopened]

jobs:
docs_lint:
name: Docs Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Lint harness docs
run: |
bash scripts/ci/he-docs-lint.sh
bash scripts/ci/he-specs-lint.sh
bash scripts/ci/he-plans-lint.sh
bash scripts/ci/he-spikes-lint.sh

docs_drift:
name: Docs Drift Gate
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Enforce doc updates on relevant changes
run: bash scripts/ci/he-docs-drift.sh
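Review bot: this new workflow declares no `permissions:` block at the workflow or job level, so `docs_lint` and `docs_drift` both run with the repository's default `GITHUB_TOKEN` scope. Both jobs only check out the code and run lint scripts, so a top-level `permissions:` with `contents: read` would make least privilege explicit. `actions/checkout@v4` is referenced by a mutable tag in both jobs; pinning it to a full commit SHA is worth considering for a workflow that runs on every pull request event.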
34 changes: 21 additions & 13 deletions .github/workflows/main-cicd.yml
@@ -1,5 +1,4 @@
# This workflow will install Python dependencies, run tests and lint with a single version of Python
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python
# Go-based build + test pipeline for datafog-api

name: Main CICD datafog-api app

Expand All @@ -14,21 +13,30 @@ permissions:

jobs:
build:

runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4
- name: Set up Python 3.11
uses: actions/setup-python@v3
- name: Set up Go
uses: actions/setup-go@v5
with:
python-version: "3.11"
- name: Install dependencies
go-version: "1.24.13"
- name: Run gofmt check
run: |
python -m pip install --upgrade pip
pip install -r app/requirements-dev.txt
- name: Test with pytest with coverage minimum
test -z "$(gofmt -l cmd internal | tee /tmp/gofmt-diff.txt)" || {
echo "Run gofmt on:"
cat /tmp/gofmt-diff.txt
exit 1
}
- name: Run tests
run: go test ./...
- name: Lint (go vet)
run: go vet ./...
- name: Security checks
run: |
cd app && pytest
- name: Build the Docker image
run: docker build . --file Dockerfile --tag datafog-api:$(date +%s)
go install github.com/securego/gosec/v2/cmd/gosec@latest
go install golang.org/x/vuln/cmd/govulncheck@latest
gosec -severity medium -confidence medium ./...
govulncheck ./...
- name: Build container image
run: docker build . --file Dockerfile --tag datafog-api:$(date +%s)
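Review bot: in the `Security checks` step, `gosec` and `govulncheck` are installed with `@latest`, so the scanner version can change between runs without any commit and the job executes whatever was published upstream most recently. Pin both `go install` lines to explicit versions and bump them deliberately, so that a new finding or a broken build can be traced to a reviewed change. The step order also runs `go test ./...` before `go vet ./...`; running vet first gives faster feedback on cheap failures.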
3 changes: 2 additions & 1 deletion .gitignore
Expand Up @@ -28,4 +28,5 @@ db.sqlite3

# ignore local datafog-python
datafog-python/
*.coverage
datafog_receipts.jsonl
*.coverage
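Review bot: the new `datafog_receipts.jsonl` entry matches only that exact file name. The Dockerfile in this change makes the receipt location configurable through `DATAFOG_RECEIPT_PATH`, so a receipt file written under another name during local runs would not be ignored and could be committed by accident; a broader pattern for receipt files would be safer if they can hold scanned content. The `*.coverage` line appears twice with no visible difference, which, together with the "2 additions & 1 deletion" count, suggests a whitespace or end-of-file newline change; confirm it is intended.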
28 changes: 28 additions & 0 deletions AGENTS.md
@@ -0,0 +1,28 @@
# AGENTS.md

## Start Here

This file is a map, not an encyclopedia.

The system of record is `docs/`. Keep durable knowledge (specs, plans, logs, decisions, checklists) there and link to it from here.

## Golden Principles

- Prove it works: never claim completion without running the most relevant validation (tests, build, or a small end-to-end check) or explicitly recording why it could not be run.
- Keep AGENTS.md minimal and stable; detailed procedure belongs in `docs/runbooks/`.

## Source Of Truth (Table Of Contents)

- Workflow contract + artifact rules: `docs/PLANS.md`
- Specs (intent): `docs/specs/`
- Spikes (investigation findings): `docs/spikes/`
- Plans (execution + evidence): `docs/plans/`
- Runbooks (process checklists): `docs/runbooks/`
- Generated context (scratchpad/reference): `docs/generated/`
- Architecture (if present): `ARCHITECTURE.md`

## Workflow (Phases)

intake -> spike (optional) -> plan -> implement -> review -> verify-release -> learn

If this file grows beyond a compact index, move detailed guidance into `docs/` and keep links here.
47 changes: 47 additions & 0 deletions ARCHITECTURE.md
@@ -0,0 +1,47 @@
# Architecture

This file is a compact map to answer: "Where do I change code to do X?"

Write only stable facts. Do not include procedures, external links, or volatile implementation details.

Keep this file small:

- Prefer bullets over paragraphs
- Keep each bullet concise
- If it grows, move detail to `docs/` and keep only pointers here

## Purpose

2-4 bullets, max 6 lines total:

- System purpose: <what this repo/system does>
- Primary users/actors: <who uses it>
- Main runtime pieces: <CLI/API/worker/UI/etc>
- Primary flows: <highest-value flows>

## Codemap (Where To Change Code)

4-8 bullets plus one flow line, max 14 lines total:

- `path/or/module` -> owns <what>; key types: <TypeA>, <TypeB>
- `path/or/module` -> owns <what>; key types: <TypeC>

Flow: `<entry>` -> `<layer>` -> `<layer>` -> `<store/service>`

## Invariants (Must Remain True)

3-7 bullets, max 10 lines total:

- `X` must not depend on `Y`.
- Side effects occur only in `<boundary/module>`.
- Business rules live in `<layer>` and not in `<layer>`.
- Security/data boundary: `<what is sensitive and where it may flow>`.

## Details Live Elsewhere

3-6 pointers, max 8 lines total. Use path + short label only:

- `docs/PLANS.md` - workflow and artifact contract
- `docs/runbooks/` - procedures and checklists
- `docs/<DOMAIN>.md` - domain-specific guardrails
- `docs/generated/` - generated context snapshots
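Review bot: ARCHITECTURE.md is added with its template placeholders still in place (`<what this repo/system does>`, `path/or/module`, `X` must not depend on `Y`), so the Purpose, Codemap and Invariants sections state nothing about this service yet. The `Security/data boundary` bullet under Invariants is the one to fill in first for a service that scans and anonymizes text and persists receipts: name what is sensitive and where it may flow. If the content is not ready, leave the file out of this change, since AGENTS.md already lists it as "if present".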
36 changes: 22 additions & 14 deletions Dockerfile
@@ -1,20 +1,28 @@
FROM ubuntu:22.04
ENV PYTHONUNBUFFERED=1
ENV DEBIAN_FRONTEND=noninteractive
FROM golang:1.22 AS build

EXPOSE 8000
WORKDIR /workspace

RUN apt-get update && apt-get install -y \
vim \
git \
python3-pip \
python3.11 \
wget
COPY go.mod ./
COPY cmd ./cmd
COPY internal ./internal
COPY config ./config

ADD app /root/app
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o /out/datafog-api ./cmd/datafog-api
RUN mkdir -p /workspace/var/lib/datafog && chmod 0777 /workspace/var/lib/datafog

RUN python3.11 -m pip install -r /root/app/requirements.txt
FROM gcr.io/distroless/base-debian11

WORKDIR /app
COPY --from=build /out/datafog-api /usr/local/bin/datafog-api
COPY --from=build /workspace/config/policy.json /app/config/policy.json
COPY --from=build /workspace/var/lib/datafog /var/lib/datafog

WORKDIR /root/app
ENTRYPOINT ["python3.11", "-m", "uvicorn", "--host=0.0.0.0","main:app"]
ENV DATAFOG_POLICY_PATH=/app/config/policy.json
ENV DATAFOG_RECEIPT_PATH=/var/lib/datafog/datafog_receipts.jsonl
ENV DATAFOG_ADDR=:8080

USER 65532:65532

EXPOSE 8080

ENTRYPOINT ["/usr/local/bin/datafog-api"]
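Review bot: `chmod 0777 /workspace/var/lib/datafog` in the build stage makes the receipt directory world-writable, and that mode is carried into the final image by `COPY --from=build /workspace/var/lib/datafog /var/lib/datafog`. The runtime user is fixed by `USER 65532:65532`, so set ownership with `COPY --chown=65532:65532` and use a restrictive mode such as 0750 in place of 0777. The build stage uses `golang:1.22` while the CI workflow in this change sets `go-version: "1.24.13"`, so the shipped binary is built with a different toolchain from the one that is tested and scanned; align the two. Only `go.mod` is copied, with no `go.sum`, which holds only while the module has no external dependencies.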