Skip to content

Version/0 48 1 rc3#3846

Merged
mitchell-as merged 25 commits into
betafrom
version/0-48-1-RC3
Jul 17, 2026
Merged

Version/0 48 1 rc3#3846
mitchell-as merged 25 commits into
betafrom
version/0-48-1-RC3

Conversation

@mitchell-as

Copy link
Copy Markdown
Collaborator

No description provided.

mitchell-as and others added 25 commits July 8, 2026 12:58
Added run script for testing encrypted private ingredients.
Run script for testing encrypted private ingredients should not be standalone.
No need to remove existing SSL certs.
Update to Go 1.26.5 to remediate a CVE.
Detect a refused build-log-streamer stream as a distinct StreamDeniedError
rather than an opaque build failure. Both deny shapes from the ENG-1457
gate-policy spike are handled: a hard 401/403 on the Upgrade (a Connect dial
error) and a server soft-close (Upgrade accepted, then closed with no frames).

Because the stream is the only source of artifact download URIs for an
in-progress build, a denial there can't complete the install, so the runtime
now reports a clear authentication/authorization message instead of a raw
error. Genuine build failures and network errors are still surfaced, and an
already-built checkout never opens the stream, so it is unaffected.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
…ssing

Running `state publish --build` against a non-existent source directory crashed
with a nil-pointer panic instead of reporting the bad path. Two fixes:

- Validate the --build directory exists up front and return an InputError naming
  the offending path, before any metadata resolution, key fetch, or wheel build.
- Fix buildWrappedArtifact's error path: the deferred cleanup called the named
  `cleanup` return, which the `return "", nil, err` statements had already set to
  nil, so it called a nil function value and panicked. The deferred cleanup now
  uses a local closure, so an in-build failure returns its real error instead of
  crashing.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
ENG-1979: Fail cleanly when the state publish --build directory is missing
…rtifact is present

Checking out a project with no encrypted private ingredients printed a spurious
"Could not fetch the organization key" warning whenever a key service was
configured, because the key was fetched eagerly regardless of whether the runtime
had anything to decrypt.

The runtime now receives a key-fetch callback (WithDecryptionKey) instead of the
key bytes and invokes it only when it actually encounters an encrypted artifact
during unpack. A runtime with no private artifacts never contacts the key service
— no spurious warning and no fetch latency. The premature warning is removed; the
existing end-of-run notice (skipReporter) already reports any artifacts skipped
because the key was unavailable, which is the only case worth surfacing.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
* Make serve-org-keys work in cmd shell as well as bash

Add a batch twin of serve-org-keys constrained to cmd, and constrain
the existing bash version to non-cmd shells, so the script resolves per
shell the same way install-deps-dev does.

* Run in cmd without openssl or bash

Add --gen-cert to orgkeyserver.py so it generates its own self-signed
cert/key via the cryptography package, removing the openssl dependency
that on Windows only comes from git-bash. Update the cmd/batch variant
to detect the Python interpreter (python, py -3, python3) and pass
--gen-cert instead of shelling out to openssl.

- Quote --org in the no-key branches (bash and batch) so org names with
  spaces or shell metacharacters are passed as data, matching the
  --key branches.
- chmod the generated TLS private key to 0600 so it isn't world-readable.

* Drop openssl entirely and have orgkeyserver.py always generate its self-signed cert.

- Add CERT_DIR="test/ssl" constant; generate_self_signed(host) writes
  cert.pem/key.pem there and returns their paths.
- Remove --tls-cert/--tls-key/--gen-cert; cert generation is now the
  default on every run.
- Assume cryptography is present (bundled in the runtime); drop the
  ImportError guard.
- Simplify both activestate.yaml variants to just run the script with
  --org (and optional --key); remove the openssl/mkdir prep.

Resolve the cert dir to an absolute path in
generate_self_signed(), and print the absolute key_service_ca path on
startup so the value is copy-pasteable regardless of cwd. Docstring
example updated to an absolute /path/to/test/ssl/cert.pem placeholder.

* Bump project runtime commitID

Update to a runtime that bundles cryptography, which serve-org-keys'
orgkeyserver.py relies on for cert generation.

Co-authored-by: Claude Opus 4.8 (1M context) <[email protected]>
ENG-1461: Show a clear error when the build log streamer connection is refused
…ts notice

When private artifacts are skipped because the organization key could not be
obtained, the end-of-run notice now includes the underlying reason (e.g. the
connection or certificate error) instead of leaving it in the debug log. The
fetch is memoized, so retrieving the reason costs no additional key-service call.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
…available

When the build-log-streamer WebSocket is denied for an in-progress build,
complete the build without it: poll the build to completion, read the resolved
artifact download URLs from a re-fetched commit, and drive the existing
download/install path off them. A build that fails during polling is surfaced
as a failure.

The runtime gains a WithBuildPlanPoller option -- a caller-supplied closure, so
pkg/runtime takes no buildplanner dependency -- which the runbits layer wires
for in-progress builds. Together with the graceful-degradation change this sits
on, a denied stream no longer stops state checkout / install from completing.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
* Add environment-variable overrides for all config options

Every registered config option can now be overridden by an environment
variable, so config can be applied machine-wide (all users) without a
shared config file and without sharing auth.

Each option gets a canonical override derived from its key, e.g.
"update.info.endpoint" -> ACTIVESTATE_CONFIG_UPDATE_INFO_ENDPOINT. The
five options that already had bespoke env vars (ACTIVESTATE_API_HOST,
ACTIVESTATE_CLI_ANALYTICS_PIXEL, ACTIVESTATE_NOTIFICATIONS_OVERRIDE,
ACTIVESTATE_TEST_UPDATE_URL, ACTIVESTATE_TEST_UPDATE_INFO_URL) keep
working as aliases; the canonical variable takes precedence when both
are set.

Overrides are resolved in config.Instance.Get (env > stored > default)
so they actually take effect everywhere, not just in display. Values are
coerced to the option's type. Only registered options are eligible, which
keeps credentials (e.g. apiToken, not a registered option) out of scope.

`state config` now reports the effective value and a Source column
showing the overriding env var name, "local", or "default"; JSON output
gains source, env, and envVar fields.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

* Address PR review: validate env override values; add locale strings

- EnvOverride now strictly coerces env values to the option's type and
  ignores invalid ones (unparseable bool/int, out-of-set enum), so a
  mis-typed variable falls back to the stored/default value instead of
  silently becoming a zero value. Mirrors the validation `state config
  set` already performs.
- Add the config_source_local and config_source_default locale strings
  used by the Source column instead of relying on the fallback path.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

* Fix TestList integration test for new Source column

The `*` marker that denoted a locally-set value was replaced by the
Source column, so `state config` now shows "optin.buildscripts true
local" instead of "true*". Update TestList to assert the "local" source
(and the new "Source" header) instead of the removed "true*" marker.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

* Add integration test for environment as config source

TestListEnvSource overrides optin.buildscripts via its canonical env var
(ACTIVESTATE_CONFIG_OPTIN_BUILDSCRIPTS) without running `state config
set`, then asserts the override takes effect and is reported as coming
from the environment.

The human-readable table confirms the non-default value; the source is
asserted via JSON output ("source":"environment" plus the overriding env
var name), which is robust against the table wrapping long variable
names.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

* Address review feedback from mitchell-as

- Fold RegisterOptionWithEnv into RegisterOption via a variadic
  envAliases parameter; drop the separate function. Keep the note that
  envAliases are only for legacy env vars without the ACTIVESTATE_CONFIG_*
  prefix.
- Use real, user-facing config options in doc/test examples (api.host,
  security.prompt.level) instead of the test-only update endpoints.
- Trim the Instance.Get comment to just note env precedence; drop the
  machine-wide framing.
- Remove the unnecessary comment in config get.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <[email protected]>
ENG-1984: Fetch the organization key lazily, only when an encrypted artifact is present
…l/eng-1940

# Conflicts:
#	pkg/runtime/options.go
#	pkg/runtime/setup.go
ENG-1940: Finish an in-progress build when the live build connection is refused
…ler-uac

CS-2357-Declare asInvoker execution level for remote installer
@mitchell-as
mitchell-as merged commit c850bf4 into beta Jul 17, 2026
17 of 18 checks passed
@mitchell-as
mitchell-as deleted the version/0-48-1-RC3 branch July 17, 2026 18:35
@mitchell-as
mitchell-as restored the version/0-48-1-RC3 branch July 17, 2026 18:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants