Release v2.1.x: Penguin-DAL migration, centralized libs, and test suite overhaul #46
Open
PenguinzTech wants to merge 84 commits into main from
Version files added (all at v1.0.0):
- dns-client-go/.version - Go DNS client
- dns-server/.version - DNS server
- dns-client/.version - Python DNS client (docker-client)
- dns-server/flask_app/.version - Web console (webui)
Workflow updates:
- Go client workflow now uses dns-client-go/.version
- Build triggers only when component's .version changes
- Added Windows ARM64 to build targets (6 platforms total)
- Release tags now use format: v{VERSION}-go-client
Release notes reorganized with sections for each package:
- go-client, dns-server, docker-client, webui
- Each with independent versioning and changelogs
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add .version file monitoring to all build workflows
- Implement epoch64 timestamp-based naming (alpha/beta-<epoch64>)
- Add version-based release naming (vX.X.X-alpha/beta)
- Add auto pre-release creation on .version changes
- Add security scanning (gosec for Go, bandit for Python, npm audit for Node.js)
- Create comprehensive docs/WORKFLOWS.md
- Update docs/STANDARDS.md with CI/CD section
- Update CLAUDE.md with CI/CD section and pre-commit checklist
🤖 Generated with Claude Code
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Backend:
- Add DHCP models (pools, leases, reservations, servers) with PyDAL
- Add Time models (servers, sync logs, clients, config) with PTP/NTP support
- Add full REST API for DHCP pool management and lease tracking
- Add full REST API for time server management and sync operations
- Fix RBAC middleware: add check_team_access function
- Fix team model: remove unsupported PyDAL unique constraint
Frontend:
- Add TypeScript types for DHCP and Time services
- Add DHCPPools management component with utilization visualization
- Add TimeServers management component with PTP/NTP protocol selection
- Integrate new tabs into Management page
Go Client:
- Add NTP client package with automatic server failover
- Add NTP forwarder to intercept OS time requests (port 123)
- Add time configuration with environment variable support
- Add CLI commands: time query, time forward, time status
- Add comprehensive unit and integration tests
Documentation:
- Update API.md with DHCP and Time API endpoints
- Update ARCHITECTURE.md with network services diagrams
- Update STANDARDS.md with service-specific guidelines
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Restructure from server-side templates to a three-container architecture:
- Flask backend serves JSON-only REST API with JWT + Flask-Login auth
- React WebUI (Vite + TypeScript + Tailwind) as separate nginx container
- DNS server unchanged
Flask changes: add Flask-JWT-Extended, Flask-CORS, Flask-Limiter; convert all dashboard routes to /api/v1/ JSON endpoints; add safe PyDAL row serialization (exact type checks to exclude RecordUpdater/LazySet); enforce auth on all API endpoints.
Docker: add Dockerfile.api for Flask, dns-webui service with nginx reverse proxy, update docker-compose.yml with new services.
Tests: add comprehensive smoke test suite (130 tests) covering container health, API endpoints, JWT auth flows, pagination, and response formats.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Fixes Dependabot alerts #33 and #34:
- CVE: Next.js HTTP request deserialization DoS (high)
- CVE: Next.js Image Optimizer DoS (medium)
Also fixes js-yaml prototype pollution via npm audit fix. Remaining 2 moderate alerts (eslint stack overflow, Next.js PPR memory) require breaking major version upgrades and have no stable patches. quic-go alerts (#28-30) are already resolved on this branch (v0.59.0 includes all patches).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

The root Dockerfile's dns-server and dns-client stages both COPY docs/ into the image. The .dockerignore was excluding the docs directory, which would cause the CI docker-multi-build job to fail. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
This commit addresses all identified security vulnerabilities across Python, Node.js, and Go components, and adds extensive smoke test coverage for both alpha (local) and beta (K8s) environments to ensure production readiness.
Security Fixes:
- Python: Update cryptography (41→44), PyMySQL (1.1.0→1.1.1), Pillow (10→11), aiohttp (3.9→3.11.11), add defusedxml for XXE prevention
- Node.js: Update react-router-dom (6→7), eslint (8→9), vite (5→7), next (15→16) to fix XSS, DoS, and stack overflow vulnerabilities
- Go: Fix integer overflow in NTP time handling, replace math/rand with crypto/rand, enforce TLS 1.2+ minimum, update quic-go to v0.59.0
New Features:
- Add version management script (scripts/version/update-version.sh) supporting major/minor/patch/build version increments
- Add 150 mock tests for isolated component testing (DNS client/server, Manager API, database operations)
- Add 79 comprehensive smoke tests covering security, edge cases, integration, and user experience for alpha and beta environments
Test Coverage:
- Security: 32 tests (auth, authorization, input validation, injection prevention, CORS, TLS, data isolation)
- Edge Cases: 37 tests (boundaries, special chars, concurrency, large datasets, error recovery)
- Integration: 39 tests (component communication, data flow, K8s integration, monitoring)
- User Experience: 24 tests (page loads, forms, navigation, error messages)
- Mock Tests: 150 tests (fast, isolated, no network/database dependencies)
Version: Bump to v2.1.1.1770072428 (patch increment for security fixes)
Resolves: Critical PyMySQL SQL injection, XSS in react-router, integer overflow in Go NTP client, weak RNG in HTTP backoff, TLS misconfiguration
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Install shared/react_libs dependencies before webui build to resolve zod module import error during vite build. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Update dal2-beta cluster deployment to use the pre-existing penguintech-wildcard-tls certificate from cert-manager instead of generating a new certificate.
Changes:
- Create comprehensive K8s manifests in k8s/manifests/
- Configure ingress for squawk.penguintech.io with proper TLS
- Use pre-existing Cloudflare wildcard certificate (penguintech-wildcard-tls)
- Deploy DNS server, Flask API, WebUI, and Valkey services
- Add health checks, resource limits, and HA configuration (2 replicas)
- Configure proper routing: / → webui, /api/v1 → flask-api, /dns-query → dns-server
Ingress Configuration:
- Host: squawk.penguintech.io
- TLS Secret: penguintech-wildcard-tls (Cloudflare wildcard cert)
- SSL redirect enabled
- NGINX ingress class
Deployed to: dal2-beta cluster, squawk namespace
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Remove restrictive security contexts and add emptyDir volumes for directories that need write access (database logs, nginx cache).
Fixes:
- flask-api: Health check path /api/v1/health → /health
- flask-api: Add volume mount for /app/flask_app/databases
- webui: Add volume mounts for nginx cache and run directories
- All: Remove runAsUser/runAsNonRoot to allow containers to start properly
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

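
Added example, not part of the commit or the project's manifests: a check that reports which containers may run as root once `runAsUser`/`runAsNonRoot` are removed, shown beside a pod spec that keeps non-root and still gets write access to the mounted path through an `emptyDir` volume. The manifests are constructed samples; the container name `flask-api` and the path `/app/flask_app/databases` come from the commit message, while the volume name, UID/GID 1000 and the helper names are assumptions.

```python
# Added example: audit a Deployment for containers that may run as root.
# Constructed manifests; volume name, UID/GID 1000 and helper names are assumptions.

def effective(pod, container, key):
    """Container-level securityContext overrides the pod-level value."""
    own = container.get("securityContext") or {}
    shared = pod.get("securityContext") or {}
    return own[key] if key in own else shared.get(key)

def audit(deployment):
    """Return sorted (container, finding) pairs for one Deployment dict."""
    pod = deployment["spec"]["template"]["spec"]
    findings = []
    for c in pod["containers"]:
        own = c.get("securityContext") or {}
        if effective(pod, c, "runAsNonRoot") is not True:
            findings.append((c["name"], "runAsNonRoot not enforced"))
        if effective(pod, c, "runAsUser") == 0:
            findings.append((c["name"], "runAsUser is 0"))
        if own.get("allowPrivilegeEscalation") is not False:
            findings.append((c["name"], "privilege escalation allowed"))
        if own.get("readOnlyRootFilesystem") is not True:
            findings.append((c["name"], "root filesystem writable"))
    return sorted(findings)

def deployment(pod_sc, container_sc):
    """Build a sample Deployment whose only write path is an emptyDir mount."""
    return {"spec": {"template": {"spec": {
        "securityContext": pod_sc,
        "volumes": [{"name": "db-data", "emptyDir": {}}],
        "containers": [{
            "name": "flask-api",
            "securityContext": container_sc,
            "volumeMounts": [{"name": "db-data",
                              "mountPath": "/app/flask_app/databases"}],
        }],
    }}}}

# Security contexts removed so the container can write: it may now run as root.
RELAXED = deployment({}, {})
# Non-root kept; the emptyDir mount is the write path, fsGroup sets its group owner.
HARDENED = deployment(
    {"runAsNonRoot": True, "runAsUser": 1000, "fsGroup": 1000},
    {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True},
)

if __name__ == "__main__":
    for name, finding in audit(RELAXED):
        print(f"{name}: {finding}")
    print("hardened findings:", audit(HARDENED))
```
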
Change @penguin/react_libs reference from local file path to GitHub repository to ensure consistent versioning across all PenguinTech projects.
- Update package.json to reference github:penguintechinc/penguin-libs#main
- Install @penguintechinc/react-libs from main branch
- Remove dependency on local shared/react_libs copy
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Replace local copies of shared libraries with git-referenced dependencies from github.com/penguintechinc/penguin-libs. This ensures consistent versioning across all PenguinTech projects.
- Remove entire shared/ directory (react_libs, node_libs, go_libs, py_libs, licensing, database) including duplicate shared/shared/ nested copy
- Update Dockerfile to remove COPY shared/react_libs build steps
- Update tailwind.config.js content path to node_modules dist
- Update all imports from @penguin/react_libs to @penguintechinc/react-libs
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…-pytest from service requirements
penguin-pytest is a test utility and belongs only in tests/requirements.in, not in production service requirements. Version constraints in .in files should express minimum intent with >= per pip-tools convention.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…in-pytest constraint
pytest/pytest-flask/pytest-cov do not belong in production service requirements; they were orphaned from a previous state. penguin-pytest constraint in tests/requirements.in updated to >= per pip-tools .in file convention.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Test framework packages belong only in tests/requirements.in, not in production service requirements.
Defines all 9 dns-server tables as SQLAlchemy metadata objects (schema.py). Alembic configured to create/migrate schema. This is the prerequisite for migrating from PyDAL to penguin-dal (which auto-reflects existing tables).
…er schema
- Remove unused Index import (flake8 F401)
- Remove unused pytest import from test_schema.py (flake8 F401)
- Fix bind= keyword removed in SQLAlchemy 2.0 (use positional arg)
- Add offline migration mode to alembic/env.py
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- database.py now uses penguin_dal.DB with auto-reflection
- models.py repurposed as developer reference documentation
- test_flask_database.py updated for penguin-dal API differences
- test_flask_models.py rewritten to test schema.py instead of PyDAL
- flask_app/tests/conftest.py created to set up test database before imports
- tests/conftest.py updated to create schema before flask_app imports
- api.py and dashboard.py updated for penguin-dal query syntax
penguin-dal requires WHERE clauses for all queries, so updated db(db.table_name).select() to db(db.table_name.id > 0).select() throughout the codebase.
Test results: 195 passing, 13 failing (due to undefined dynamic tables in dashboard tests - dns_group, dns_zone, dns_record, etc. which are not defined in schema.py or Alembic migrations)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…usage
Adds dns_group, dns_zone, dns_record, dns_permission, blocked_query tables to schema.py. Removes db.define_table() calls (PyDAL API, not penguin-dal). Fixes bare TableProxy queries in tests and dashboard.py (must use field comparisons like db.table.id > 0, not bare db.table). Removes distinct=True parameter from select() calls (penguin-dal doesn't support it; set() already deduplicates). Updates test_schema.py to expect 14 tables instead of 9.

- Replace tempfile.mktemp() with mkstemp() for secure temporary file handling
- Add type annotations to all fixture and hook functions (Generator, Engine, DB, Any)
- Add isolation comment to clean_db_tables explaining test_flask_database.py bypass
- Add required imports (Generator, Any, Engine, DB)
All 208 tests pass.

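
Added example, not the project's conftest.py: why the `tempfile.mktemp()` to `mkstemp()` change above matters for a test database file. `mktemp()` only returns a name that nothing reserves, while `mkstemp()` creates the file exclusively with owner-only permissions; the function names and the `.db` suffix are assumptions.

```python
import os
import stat
import tempfile
from typing import Generator, Tuple


def mktemp_race_window() -> Tuple[bool, bool]:
    """Show that a name from mktemp() is not reserved.

    Returns (name_was_free, exclusive_create_refused).
    """
    name = tempfile.mktemp(suffix=".db")       # deprecated: returns a name only
    name_was_free = not os.path.exists(name)
    with open(name, "w") as other:             # stands in for another local process
        other.write("not the test's data")
    try:
        # O_CREAT | O_EXCL is what mkstemp() relies on: it refuses a file
        # that it did not create itself.
        os.close(os.open(name, os.O_CREAT | os.O_EXCL | os.O_RDWR, 0o600))
        refused = False
    except FileExistsError:
        refused = True
    finally:
        os.unlink(name)
    return name_was_free, refused


def temp_db_file() -> Generator[str, None, None]:
    """Fixture-style generator: yield a private database path, then delete it."""
    fd, path = tempfile.mkstemp(suffix=".db")  # created atomically, mode 0600
    os.close(fd)                               # the DB layer reopens it by path
    try:
        yield path
    finally:
        if os.path.exists(path):
            os.unlink(path)


def fixture_file_mode() -> int:
    """Run the fixture once and report the permission bits of its file."""
    gen = temp_db_file()
    path = next(gen)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    gen.close()                                # runs the cleanup in finally
    return mode
```
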
…ersion in manager/frontend
- Replace custom Login.tsx with LoginPageBuilder component
- Replace custom Sidebar.tsx with SidebarMenu component from react-libs
- Add AppConsoleVersion to App.tsx for console logging
- Update package.json with @penguintechinc/react-libs dependency
- Fix TypeScript version to 5.9.3 for compatibility
- Add @types/recharts for type safety
- Build succeeds with all components properly typed
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Add vitest test dependencies (@testing-library/react, @testing-library/jest-dom, jsdom)
- Create vitest.config.ts with jsdom environment and 90% coverage thresholds
- Create src/setupTests.ts for jest-dom matchers
- Add Login.test.tsx covering LoginPageBuilder rendering with correct branding
- Add Sidebar.test.tsx covering SidebarMenu categories and logo text (4 tests)
- Add ProtectedRoute.test.tsx covering authenticated/loading/unauthenticated states (3 tests)
- All 8 tests pass with 80.95% overall coverage (81.81% statements)
- ProtectedRoute has 100% coverage; Sidebar 83.33%; Login 62.5%
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Fix dns-server/flask_app/tests/test_schema.py import path (flask_app → relative)
- Add manager/backend/tests/test_app.py (96% app/__init__.py coverage)
- Add manager/backend/tests/test_db.py (100% app/db.py coverage)
- Add manager/backend/tests/test_config.py (100% app/config.py coverage)
- Add manager/backend/tests/test_models.py (verify all 17 tables created)
- Update TestingConfig to disable Redis for tests (RATELIMIT_STORAGE_URL=None)
Coverage results:
- dns-server/flask_app: 93% (208 tests pass)
- manager/backend/app: 31% overall
- app/__init__.py: 96%
- app/db.py: 100%
- app/config.py: 100%
- app/schema.py: 100%
Total: 236 tests pass (208 + 28)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Enhanced Login.test.tsx with tests for handleSuccess callback
  - Test successful auth flow with token validation
  - Test email fallback to ID when email is null
  - Test fallback to empty string when both email and ID missing
  - Test no navigation when token or user missing
- Enhanced Sidebar.test.tsx with permission-based filtering tests
  - Test all menu items visible when permissions granted
  - Test individual items hidden based on specific permissions
  - Test multiple permission combinations
  - Test navigation callback integration
- Updated vitest.config.ts to include all three components in coverage
  - Login.tsx (100% statements, branches, functions, lines)
  - Sidebar.tsx (100% statements, branches, functions, lines)
  - ProtectedRoute.tsx (100% statements, branches, functions, lines)
All 23 tests passing with 100% coverage across all files.

This pull request merges the v2.1.x branch into main, representing a significant modernization and consolidation of the Squawk codebase.
Key Changes
1. Architectural Consolidation
2. Frontend Modernization
3. Testing & Quality Assurance
4. Infrastructure & Deployment
5. Documentation & Standards